PingDirectory

Certificate mapping

The PingDirectory server uses a component called a certificate mapper to identify the user entry that corresponds to a given certificate, such as in the course of processing a bind using the EXTERNAL or UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.

The types of certificate mappers that it offers by default include:

Subject Equals DN

This certificate mapper expects the subject DN of the certificate to match the distinguished name (DN) of the corresponding user entry.

Subject Attribute to User Attribute

This certificate mapper extracts the values of a specified set of attributes from the certificate subject and searches for an entry containing those values in a corresponding set of attributes. The default instance of this certificate mapper tries to map the CN attribute from the certificate’s subject to the cn attribute in the user’s entry, or the E attribute in the certificate’s subject to the mail attribute in the user’s entry.

Subject DN to User Attribute

This certificate mapper expects the user’s entry to contain a specified attribute whose value matches the subject DN of the presented certificate.

Fingerprint

This certificate mapper expects the user’s entry to contain a specified attribute whose value matches the SHA-256, SHA-1, or MD5 fingerprint of the presented certificate.

You can also use the UnboundID Server SDK to create custom certificate mapper implementations.
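The following added example (not PingDirectory code) sketches the Subject Attribute to User Attribute lookup with the default CN-to-cn and E-to-mail pairs, showing the two checks that matter for authentication: subject values are escaped before they reach a search filter, and a subject that matches zero or several entries maps to nobody. The OR combination of the pairs, the function names, and the sample directory are assumptions made for illustration.

```python
import re

# Assumed mapping table mirroring the default described above: subject attr -> entry attr.
DEFAULT_MAP = {"CN": "cn", "E": "mail"}

# Constructed sample directory (entry DN -> attributes); not real data.
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=com": {"cn": ["John Doe"], "mail": ["jdoe@example.com"]},
    "uid=jdoe2,ou=People,dc=example,dc=com": {"cn": ["John Doe"], "mail": ["john.doe@example.com"]},
    "uid=asmith,ou=People,dc=example,dc=com": {"cn": ["Alice Smith"], "mail": ["asmith@example.com"]},
}

def parse_subject(subject):
    """Split an RFC 4514-style subject into (TYPE, value) pairs.
    Simplified: honours backslash-escaped commas, not quoted or multi-valued RDNs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", subject):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

def escape_filter_value(value):
    """RFC 4515 escaping so text from the certificate cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(subject, mapping=DEFAULT_MAP):
    """Filter a mapper of this kind would send to the directory, or None if nothing maps."""
    parts = ["(%s=%s)" % (mapping[a], escape_filter_value(v))
             for a, v in parse_subject(subject) if a in mapping]
    if not parts:
        return None
    return parts[0] if len(parts) == 1 else "(|" + "".join(parts) + ")"

def map_certificate(subject, directory=DIRECTORY, mapping=DEFAULT_MAP):
    """Return the one matching entry DN; None when zero or several entries match.
    The in-memory search compares literal values, case-insensitively."""
    wanted = [(mapping[a], v.lower()) for a, v in parse_subject(subject) if a in mapping]
    hits = [dn for dn, attrs in directory.items()
            if any(v in (x.lower() for x in attrs.get(attr, [])) for attr, v in wanted)]
    return hits[0] if len(hits) == 1 else None
```

Because CN values are often not unique across a directory, a mapping keyed on CN alone depends on the ambiguity check; the Fingerprint and Subject DN to User Attribute mappers avoid that by matching a value tied to one certificate or one subject DN.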