The PingDirectory Server uses a component called a certificate mapper to identify the user entry that corresponds to a given certificate, such as in the course of processing a bind using the EXTERNAL or UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism.
The types of certificate mappers that it offers by default include:
- Subject Equals DN
- This certificate mapper expects the subject DN of the certificate to match the distinguished name (DN) of the corresponding user entry.
- Subject Attribute to User Attribute
- This certificate mapper extracts the values of a specified set of attributes from the
certificate subject and search for an entry containing those values in a
corresponding set of attributes. The default instance of this certificate mapper
tries to map the CN attribute from the certificate’s subject to the
cnattribute in the user’s entry, or the
Eattribute in the certificate’s subject to the mail attribute in the user’s entry.
- Subject DN to User Attribute
- This certificate mapper expects the user’s entry to contain a specified attribute whose value matches the subject DN of the presented certificate.
- This certificate mapper expects the user’s entry to contain a specified attribute whose value matches the SHA-256, SHA-1, or MD5 fingerprint of the presented certificate.
You can also use the UnboundID Server SDK to create custom certificate mapper implementations.