Chapter 8. Configuration File Reference
Most Directory Server features you configure are stored in the cn=config entry in the directory. However, for certain features, Directory Server reads settings from configuration files. This chapter describes these files and their settings.
If you set up certificate-based authentication, the /etc/dirsrv/slapd-instance_name/certmap.conf file manages how Directory Server dynamically maps a certificate to a user entry.
The /etc/dirsrv/slapd-instance_name/certmap.conf file uses the following format:
    certmap alias_name certificate_issuer_DN
    alias_name:parameter_name value
You can specify individual settings for different certificate issuer Distinguished Names (DN). For issuer DNs that do not have a separate configuration, the settings from the default entry will be used. The following is the required minimum configuration:
    certmap default default
Additionally, you can set all available parameters for the default entry. Directory Server will use them if they are not specified in individual configurations for issuer DNs.
Example 8.1. Configuration for the default Entry and a Specific Issuer DN
The following configuration sets individual settings for certificates having the o=Example Inc.,c=US issuer DN set. Other certificates will use the settings from the default entry:
    certmap default default
    default:DNComps dc
    default:FilterComps mail, cn
    default:VerifyCert on
    certmap example o=Example Inc.,c=US
    example:DNComps
You can set the following parameters:
The DNComps parameter determines how Directory Server generates the base DN used to search for a user in the directory:
If attributes in the subject field of the certificate match the base DN, set the DNComps parameter to these attributes. Separate multiple attributes with commas. However, the order of the attributes in the DNComps parameter must match the order in the subject of the certificate.
For example, if your certificate’s subject is firstname.lastname@example.org,cn=user_name,o=Example Inc.,c=US, and you want Directory Server to use cn=user_name,o=Example Inc.,c=US as base DN when searching for the user, set the DNComps parameter to cn, o, c.
Important
The values of attributes set in the DNComps parameter must be unique in the database.
Set the parameter to an empty value if the base DN cannot be generated from the subject field of the certificate. In this situation, Directory Server searches for the user in the entire directory using a filter generated from the setting in the FilterComps parameter.
For example, if the certificate’s subject is email@example.com,cn=user_name,o=Example Inc.,c=US, but Directory Server stores its data in the dc=example,dc=com entry, Directory Server cannot generate a valid base DN from the subject of the certificate, because the required components are not part of the subject. In this case, set DNComps to an empty string to search for the user in the entire directory.
Comment out or do not set this parameter if either the subject field of the certificate exactly matches the DN of the user in Directory Server or if you want to use the setting from the default entry.
Alternatively, set the nsslapd-certmap-basedn parameter in the cn=config entry to use a hard-coded base DN.
The FilterComps parameter sets which attributes from the subject field of the certificate Directory Server uses to generate the search filter to locate the user:
Set this parameter to a comma-separated list of attributes used in the certificate’s subject. Directory Server will use these attributes in an AND operation in the filter.
Note
Certificate subjects use the e attribute for the email address, which does not exist in the default Directory Server schema. For this reason, Directory Server automatically maps this attribute to the
FilterComps parameter, Directory Server reads the value of the e attribute from the subject of the certificate.
For example, if the subject of a certificate is firstname.lastname@example.org,cn=user_name,dc=example,dc=com,o=Example Inc.,c=US and you want to dynamically generate the (&(mail=username@domain)(cn=user_name)) filter, set the
If the parameter is commented out or set to an empty value, the (objectclass=*) filter will be used.
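The following added example is not part of the product documentation and is not Directory Server's own code. It models in Python how the DNComps and FilterComps settings described above, including the fallback to the default entry, turn a certificate subject into a base DN and a search filter. The function names, the sample subjects, the simplified DN parsing, the filter escaping and the use of an empty string to mean "entire directory" are assumptions of this example; the e to mail mapping follows the filter example on this page.

```python
import re

# Constructed sample, modelled on Example 8.1 of this page.
SAMPLE = """certmap default default
default:DNComps dc
default:FilterComps mail, cn
default:VerifyCert on
certmap example o=Example Inc.,c=US
example:DNComps
"""

def parse_certmap(text):
    """Return {issuer_dn: {parameter: value}}; a parameter set to nothing is ''."""
    issuer_of, conf = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue                                   # blank or commented out
        if line.split()[0] == "certmap":
            _, alias, issuer = line.split(None, 2)
            issuer_of[alias], conf[issuer] = issuer, {}
        else:
            alias, _, rest = line.partition(":")
            parts = rest.split(None, 1) + [""]         # value may be absent
            conf[issuer_of[alias]][parts[0]] = parts[1].strip()
    return conf

def escape(value):
    """Escape LDAP filter metacharacters (RFC 4515) in certificate-supplied text."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def search_params(conf, issuer_dn, subject_dn):
    """Return (base_dn, filter); base_dn '' stands for the entire directory."""
    eff = {**conf["default"], **conf.get(issuer_dn, {})}   # issuer overrides default
    # Simplified DN split: no quoted values, multi-valued RDNs or escape decoding.
    rdns = [r.strip().split("=", 1)
            for r in re.split(r"(?<!\\),", subject_dn) if "=" in r]
    base = subject_dn                        # DNComps unset: subject DN used as is
    if "DNComps" in eff:
        want = {a.strip().lower() for a in eff["DNComps"].split(",")}
        base = ",".join(f"{a}={v}" for a, v in rdns if a.lower() in want)
    terms = []
    for comp in (c.strip() for c in eff.get("FilterComps", "").split(",")):
        src = "e" if comp.lower() == "mail" else comp.lower()   # subject's e -> mail
        terms += [f"({comp}={escape(v)})" for a, v in rdns if a.lower() == src]
    flt = "(&" + "".join(terms) + ")" if terms else "(objectclass=*)"
    return base, flt
```

Escaping the subject values before they enter the filter keeps a `*` or parenthesis in a certificate field from widening the search, which matters because the lookup must return exactly one entry.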
Directory Server always verifies that the certificate has been issued by a trusted Certificate Authority (CA). However, if you additionally set the VerifyCert parameter to on, Directory Server additionally verifies that the certificate matches the Distinguished Encoding Rules (DER)-formatted certificate stored in the userCertificate binary attribute of the user.
If you do not set this parameter,
If your user entries contain an attribute that stores the subject DN of the user certificate, set the CmapLdapAttr to this attribute name. Directory Server will use this attribute and the subject DN to locate the user. In this case, no filter is generated based on the attributes in the
Sets the path name to a shared library or Dynamic Link Library (DLL) file. Use this setting only if you create your own properties using the certificate API. This parameter is deprecated and will be removed in a future release.
Sets the name of the init function, if you use a custom library. Use this setting only if you create your own properties using the certificate API. This parameter is deprecated and will be removed in a future release.
When Directory Server searches for the matching user, the search must return exactly one entry. If the search returns multiple entries, Directory Server logs a multiple matches error and authentication fails.
For further details, see the corresponding section in the Directory Server Administration Guide.