Directory Services 7.4.3

Fingerprint Certificate Mapper

The Fingerprint Certificate Mapper maps client certificates to user entries by looking for the fingerprint in a specified attribute of user entries.

Parent

The Fingerprint Certificate Mapper object inherits from Certificate Mapper.

Fingerprint Certificate Mapper properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

enabled
fingerprint-algorithm
fingerprint-attribute
issuer-attribute
user-base-dn

java-class

Basic properties

Use the --advanced option to access advanced properties.

enabled

Synopsis

Indicates whether the Certificate Mapper is enabled.

Default value

None

Allowed values

true

false

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

fingerprint-algorithm

Synopsis

Specifies the name of the digest algorithm to compute the fingerprint of client certificates.

Default value

None

Allowed values

  • md5: Use the MD5 digest algorithm to compute certificate fingerprints.

  • sha1: Use the SHA-1 digest algorithm to compute certificate fingerprints.

  • sha256: Use the SHA-256 digest algorithm to compute certificate fingerprints.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

fingerprint-attribute

Synopsis

Specifies the attribute in which to look for the fingerprint.

Description

Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.

Default value

None

Allowed values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

issuer-attribute

Synopsis

Specifies the name or OID of the attribute whose value should exactly match the certificate issuer DN.

Description

Certificate issuer verification should be enabled whenever multiple CAs are trusted in order to prevent impersonation. In particular, it is possible for different CAs to issue certificates having the same subject DN.

Default value

The certificate issuer DN will not be verified.

Allowed values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

user-base-dn

Synopsis

Specifies the set of base DNs below which to search for users.

Description

The base DNs are used when performing searches to map the client certificates to a user entry.

Default value

The server performs the search in all public naming contexts.

Allowed values

A valid DN.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

java-class

Synopsis

Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.

Default value

org.opends.server.extensions.FingerprintCertificateMapper

Allowed values

A Java class that extends or implements:

  • org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin action required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-only

No