Chapter 8. Configuration File Reference

Most Directory Server feature you configure are in the cn=config entry in the directory. However, for certain features, Directory Server reads settings from configuration files. This chapter describe these files and their settings.

8.1. certmap.conf

If you set up certificate-based authentication, the /etc/dirsrv/slapd-instance_name/certmap.conf file manages how Directory Server dynamically maps a certificate to a user entry.

The /etc/dirsrv/slapd-instance_name/certmap.conf file uses the following format:

certmap alias_name            certificate_issuer_DN
alias_name:parameter_name     value

You can specify individual settings for different certificate issuer Distinguished Names (DN). For issuer DNs that do not have a separate configuration, the settings from the default entry will be used. The following is the required minimum configuration for the default entry:

certmap default     default

Additionally, you can set all available parameters for the default entry. Directory Server will use them if they are not specified in individual configurations for issuer DNs.

Example 8.1. Configuration for the default Entry and a Specific Issuer DN

The following configuration sets individual settings for certificates having the o=Example Inc.,c=US issuer DN set. Other certificates will use the settings from the default entry.

certmap default         default
default:DNComps         dc
default:FilterComps     mail, cn
default:VerifyCert      on

certmap example         o=Example Inc.,c=US

You can set the following parameters:


The DNComps parameter determines how Directory Server generates the base DN used to search for a user in the directory:

  • If attributes in the subject field of the certificate match the base DN, set the DNComps parameter to these attributes. Separate multiple attribute with commas. However, the order of the attributes in the DNComps parameter must match the order in the subject of the certificate.

    For example, if your certificate’s subject is,cn=user_name,o=Example Inc.,c=US, and you want Directory Server to use cn=user_name,o=Example Inc.,c=US as base DN when searching for the user, set the DNComps parameter to cn, o, c.


    The values of attributes set in the DNComps parameter must be unique in the database.

  • Set the parameter to an empty value if the base DN cannot be generated from the subject field of the certificate. In this situation, Directory Server searches the for user in the entire directory using a filter generated from the setting in the FilterComps parameter.

    For example, if the certificate’s subject is,cn=user_name,o=Example Inc.,c=US, but Directory Server stores its data in the dc=example,dc=com entry, Directory Server cannot generate a valid base DN from the subject of the certificate, because the required components are not part of the subject. In this case, set DNComps to an empty string to search for the user in the entire directory.

  • Comment out or do not set this parameter, if either the subject field of the certificate matches exactly the DN of the user in Directory Server or if you want to use the setting from the CmapLdapAttr parameter.

    Alternatively, set the nsslapd-certmap-basedn parameter in the cn=config entry to use a hard-coded base DN.


This parameter sets which attributes from the subject field of the certificate Directory Server uses to generate the search filter to locate the user:

  • Set this parameter to a comma-separated list of attributes used in the certificate’s subject. Directory Server will use these attributes in an AND operation in the filter.


    Certificate Subjects use the e attribute for the email address, which does not exist in the default Directory Server schema. For this reason, Directory Server automatically maps this attribute to the mail attribute. This means, if you use the mail attribute in the FilterComps parameter, Directory Server reads the value of the e attribute from the subject of the certificate.

    For example, if the subject of a certificate is,cn=user_name,dc=example,dc=com,o=Example Inc.,c=US and you want to dynamically generate the (&(mail=username@domain)(cn=user_name)) filter, set the FilterComps parameter to mail,cn.

  • If the parameter is commented out or set to an empty value, the (objectclass=*) filter will be used.

Directory Server always verifies if the certificate has been issued by a trusted Certificate Authority (CA). However, if you additionally set the verifycert parameter to on, Directory Server additionally verifies that the certificate matches the Distinguished Encoding Rules (DER)-formatted certificate stored in the userCertificate binary attribute of the user.

If you do not set this parameter, verifycert is disabled.

If your user entries contain an attribute that stores the subject DN of the user certificate, set the CmapLdapAttr to this attribute name. Directory Server will use this attribute and the subject DN to locate the user. In this case the no filter is generated based on the attributes in the FilterComps parameter.
Sets the path name to a shared library or Dynamic Link Library (DLL) file. Use this setting only if you create your own properties using the certificate API. This parameter is deprecated and will be removed in a future release.
Sets the name of the init function, if you use a custom library. Use this setting only if you create your own properties using the certificate API. This parameter is deprecated and will be removed in a future release.

When Directory Server searches the matching user, the search must return exactly one entry. If the search returns multiple entries, Directory Server logs a multiple matches error and authentication fails.

For further details, see the corresponding section in the Directory Server Administration Guide.