Ldapsubjattrmap; Ldapdncompsmap - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


Appendix C. Publishing Module Reference
certificate's subject name, certificate extension, and attribute variable assertion (AVA) constants. For
more information on AVAs, see the directory documentation.
By default, the Certificate Manager uses mapper rules that are based on the simple mapper. During
installation, the Certificate Manager automatically creates an instance of the simple mapper module,
named LdapUserCertMap. The default mapper maps various types of end-entity certificates to their
corresponding directory entries.
The simple mapper requires one parameter, dnPattern. The value of dnPattern can be a list of
AVAs separated by commas. An AVA can be a variable, such as uid=$subj.UID, or a constant, such
as o=Example Corporation.
• Example 1: uid=CertMgr, o=Example Corporation
• Example 2: cn=$subj.cn,ou=$subj.ou,o=$subj.o,c=US
• Example 3: uid=$req.HTTP_PARAMS.uid, e=$ext.SubjectAlternativeName.RFC822Name,ou=$subj.ou
In the examples, $req takes the attribute from the certificate request, $subj takes the attribute from
the certificate subject name, and $ext takes the attribute from the certificate extension.
C.2.4. LdapSubjAttrMap
The LdapSubjAttrMap plug-in module configures a Certificate Manager to map a certificate to an
LDAP directory entry using a configurable LDAP attribute. To use this mapper, the directory entries
must include the specified LDAP attribute.
This mapper requires the exact pattern of the subject DN because the Certificate Manager searches
the directory for the attribute with a value that exactly matches the entire subject DN. For example,
if the specified LDAP attribute is certSubjectDN and the certificate subject name is uid=jdoe,
o=Example Corporation, c=US, the Certificate Manager searches the directory for entries that
have the attribute certSubjectDN=uid=jdoe, o=Example Corporation, c=US.
If no matching entries are found, the server returns an error and writes it to the log.
Table C.9, "LdapSubjAttrMap Parameters" describes these parameters.

Parameter          Description
certSubjNameAttr   Specifies the name of the LDAP attribute that contains a certificate subject name as its va
                   this can be configured to any LDAP attribute.
searchBase         Specifies the base DN for starting the attribute search. The permissible value is a valid DN
                   o=example.com, c=US.

Table C.9. LdapSubjAttrMap Parameters
C.2.5. LdapDNCompsMap
The LdapDNCompsMap plug-in module implements the DN components mapper. This mapper maps
a certificate to an LDAP directory entry by constructing the entry's DN from components, such as cn,
ou, o, and c, specified in the certificate subject name, and then uses it as the search DN to locate the
entry in the directory. The mapper locates the following entries:
• The CA's entry in the directory for publishing the CA certificate and the CRL.
