The attribute mapper is designed to extract a specific attribute from a certificate DN and search for the attribute in the LDAP data store to determine the LDAP record of the user to whom the certificate belongs. Any attribute and attribute value combined with the chosen search filter must return only one record on the LDAP server. If the query returns more than one value, the authentication request is denied. The attribute mapper returns the DN of the record returned by the LDAP query to the LDAP authentication delegate. The attribute mapper is implemented by the com.sybase.ep.security.authdelegate.ldap.AttributeMapper class.
To use the attribute mapper, you must define the following properties:
ldap.AttributeMapper.certificateAttributes – a comma-delimited list of attribute names that can be searched for in the supplied certificate. The attributes are extracted from the certificate DN. For example, given the following certificate DN:
CN=John Doe,EMAIL=jdoe@org.com,O=ORGANIZATION
The attributes CN, EMAIL, and O can be extracted from this DN. An extracted attribute value can then be searched for in the LDAP server; either CN or EMAIL alone might be enough to uniquely identify the user.
ldap.AttributeMapper.directoryAttributes – a comma-delimited list of the LDAP attributes that correspond, position by position, to the entries in ldap.AttributeMapper.certificateAttributes. Given the above sample, where the EMAIL attribute is extracted, the corresponding directory attribute would likely be “mail”. The complete working sample properties for the above certificate are:
ldap.AttributeMapper.certificateAttributes=EMAIL, CN
ldap.AttributeMapper.directoryAttributes=mail, cn
When the user presents the above certificate to Enterprise Portal, it searches for a user in the LDAP server whose “mail” attribute is “jdoe@org.com”. If no user is found with that mail value, it then tries to match on the CN attribute.
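As an added illustration (not Sybase's AttributeMapper implementation), the following Python models the lookup order described above against a constructed in-memory dictionary that stands in for the LDAP data store; the directory entries, their DNs and the helper names are assumptions. It also shows the deny-on-ambiguity rule: when a search attribute returns more than one record, the request is refused rather than falling back to the next attribute.

```python
# Added illustration, not Sybase's AttributeMapper: models the lookup described above
# against a constructed in-memory dictionary standing in for the LDAP data store.

def parse_dn(dn):
    """Split 'CN=John Doe,EMAIL=jdoe@org.com,O=ORGANIZATION' into {attr: value}.
    Attribute names are upper-cased; RFC 4514 escaping (e.g. '\\,') is not handled."""
    pairs = {}
    for rdn in dn.split(","):
        name, _, value = rdn.partition("=")
        pairs[name.strip().upper()] = value.strip()
    return pairs

def parse_mapping(props):
    """Pair each certificateAttributes entry with its directoryAttributes entry, in order."""
    cert_attrs = [a.strip() for a in props["ldap.AttributeMapper.certificateAttributes"].split(",")]
    dir_attrs = [a.strip() for a in props["ldap.AttributeMapper.directoryAttributes"].split(",")]
    if len(cert_attrs) != len(dir_attrs):
        raise ValueError("certificateAttributes and directoryAttributes must have the same length")
    return list(zip(cert_attrs, dir_attrs))

def search(directory, attr, value):
    """Stand-in for the LDAP equality search: DNs of entries whose attr equals value."""
    return [dn for dn, entry in directory.items() if entry.get(attr, "").lower() == value.lower()]

def map_certificate(cert_dn, props, directory):
    """Return the LDAP DN of the certificate's owner, or None when the request is denied."""
    cert = parse_dn(cert_dn)
    for cert_attr, dir_attr in parse_mapping(props):
        value = cert.get(cert_attr.upper())
        if value is None:
            continue                      # attribute absent from this certificate
        hits = search(directory, dir_attr, value)
        if len(hits) > 1:
            return None                   # ambiguous match: authentication denied
        if len(hits) == 1:
            return hits[0]                # exactly one record: hand its DN to the delegate
        # no match on this attribute: fall back to the next certificate attribute
    return None

PROPS = {  # the sample properties from the text
    "ldap.AttributeMapper.certificateAttributes": "EMAIL, CN",
    "ldap.AttributeMapper.directoryAttributes": "mail, cn",
}
DIRECTORY = {  # constructed sample entries; two users share the CN "John Doe"
    "uid=jdoe,ou=people,dc=org,dc=com": {"mail": "jdoe@org.com", "cn": "John Doe"},
    "uid=jdoe2,ou=people,dc=org,dc=com": {"mail": "john.doe@org.com", "cn": "John Doe"},
    "uid=asmith,ou=people,dc=org,dc=com": {"mail": "asmith@org.com", "cn": "Alice Smith"},
}
```

With the sample certificate, the mail lookup resolves uid=jdoe directly; a certificate carrying an unknown EMAIL but CN=John Doe is denied because the CN fallback matches two records.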