Certificate mapping is used to determine which LDAP record a user’s certificate belongs to, and is used only when authenticating with certificates into an LDAP-enabled Enterprise Security installation. Enterprise Security ships two certificate mappers:
Default – returns the certificate DN as the LDAP DN. This is useful if your certificate DNs match your LDAP DNs.
AttributeMapper – allows various transformations to be done to search for a user’s LDAP entry based on the certificate DN.
This section describes a published API that you can use to map certificate credentials to an LDAP record at runtime.
A certificate mapper must be a Java class that extends com.sybase.ep.security.authdelegate.ldap.CertificateMapper,
and it must have a public constructor that takes one java.util.Properties parameter,
which represents all of the properties stored in the security.properties file.
When you develop new certificate mappers, you should create your
own prefix (com.clientName.propertyName)
tree within this file, which is passed into your mapper. You can
override the following functions to implement new mapping functionality.
Method 1:
public String getMappedDN(netscape.ldap.LDAPConnection conn, java.security.cert.X509Certificate certificate throws com.sybase.ep.security.exceptions.AuthenticationFailedException;
Method 2:
public String getMappedDN(netscape.ldap.LDAPConnection conn, String DN) throws com.sybase.ep.security.exceptions.AuthenticationFailedException;
Both methods require an active connection to the LDAP server as the first parameter. The certificate mapper should release this connection after the method returns.
Method 1 requires an X.509 certificate instance as its second parameter. Using this class, the client can modify the certificate and independently verify the certificate’s validity. This method is called in most circumstances.
Method 2 requires a DN that was extracted from the certificate at an earlier point in the authentication process. This method is called only if the full certificate instance is not available.
Both methods return the LDAP DN of the user who presented the certificate credentials. If an appropriate record cannot be found, an AuthenticationFailedException is thrown, and the user is denied access.
To configure a certificate mapper, specify a value for the ldap.certificateMapper property. The value you specify must be the Java class name of the certificate mapper you want to use. If you do not specify a value, the default mapper implementation value is used. The class you specify must be installed in a location identified by the EAServer BOOTCLASSPATH, typically $JAGUAR/java/classes on UNIX and Linux, or %JAGUAR%\java\classes on Windows.
