--- title: Subject Attribute To User Attribute Certificate Mapper description: The Subject Attribute To User Attribute Certificate Mapper maps client certificates to user entries by mapping the values of attributes contained in the certificate subject to attributes contained in user entries. component: pingds version: 8.1 page_id: pingds:configref:objects-subject-attribute-to-user-attribute-certificate-mapper canonical_url: https://docs.pingidentity.com/pingds/8.1/configref/objects-subject-attribute-to-user-attribute-certificate-mapper.html section_ids: parent: Parent subject_attribute_to_user_attribute_certificate_mapper_properties: Subject Attribute To User Attribute Certificate Mapper properties basic_properties: Basic properties enabled: enabled issuer-attribute: issuer-attribute subject-attribute-mapping: subject-attribute-mapping user-base-dn: user-base-dn advanced_properties: Advanced properties java-class: java-class --- # Subject Attribute To User Attribute Certificate Mapper The Subject Attribute To User Attribute Certificate Mapper maps client certificates to user entries by mapping the values of attributes contained in the certificate subject to attributes contained in user entries. ## Parent The Subject Attribute To User Attribute Certificate Mapper object inherits from [Certificate Mapper](objects-certificate-mapper.html). ## Subject Attribute To User Attribute Certificate Mapper properties You can use configuration expressions to set property values at startup time. For details, see [Property value substitution](expressions.html). | Basic Properties | Advanced Properties | | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | | [enabled](#enabled) [issuer-attribute](#issuer-attribute) [subject-attribute-mapping](#subject-attribute-mapping) [user-base-dn](#user-base-dn) | [java-class](#java-class) | ### Basic properties Use the `--advanced` option to access advanced properties. ### enabled | | | | ----------------------- | ---------------------------------------------------- | | *Synopsis* | Indicates whether the Certificate Mapper is enabled. | | *Default value* | None | | *Allowed values* | truefalse | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### issuer-attribute | | | | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | *Synopsis* | Specifies the name or OID of the attribute whose value should exactly match the certificate issuer DN. | | *Description* | Certificate issuer verification should be enabled whenever multiple CAs are trusted in order to prevent impersonation. In particular, it is possible for different CAs to issue certificates having the same subject DN. | | *Default value* | The certificate issuer DN will not be verified. | | *Allowed values* | The name of an attribute type defined in the LDAP schema. | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### subject-attribute-mapping | | | | ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | Specifies a mapping between certificate attributes and user attributes. | | *Description* | Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries. | | *Default value* | None | | *Allowed values* | A string. | | *Multi-valued* | Yes | | *Required* | Yes | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### user-base-dn | | | | ----------------------- | ------------------------------------------------------------------------------------------------------------------ | | *Synopsis* | Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry. | | *Default value* | The server will perform the search in all public naming contexts. | | *Allowed values* | A valid DN. | | *Multi-valued* | Yes | | *Required* | No | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ## Advanced properties Use the `--advanced` option to access advanced properties. ### java-class | | | | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation. | | *Default value* | org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper | | *Allowed values* | A Java class that extends or implements:- org.opends.server.api.CertificateMapper | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | The object must be disabled and re-enabled for changes to take effect. | | *Advanced* | Yes | | *Read-only* | No |