The server finds the directory entry that corresponds to a client certificate in three steps:

1. Based on the DNComps and FilterComps preferences specified in the certmap.conf file, the server builds a base DN and a search filter from the certificate's subject DN.
2. If an attribute to match is specified in the certmap.conf file, the server searches under the base DN for entries with that attribute value.
3. If verification is enabled, the server verifies the certificate against the userCertificate;binary attribute for that entry.
A default set of API functions defines how these three steps work. To change the way this works, do the following:

- Write your own functions for the steps you want to change and build them into a shared library.
- Edit the certmap.conf file to load your library and use your functions instead of the default API functions.
The function that performs these steps is ldapu_cert_to_ldap_entry(). This function calls three other API functions, which correspond to the steps listed in "Changing the Way to Find the Subject's Entry":

- The certificate mapping function takes the certificate and the certmap.conf file as input and generates a base DN and a search filter as output. (Specifically, the default function uses the DNComps and FilterComps entries to determine which distinguished name components can be used in the base DN and filter.) The base DN and the search filter are passed to the certificate search function (see the next item in this list). For a type definition of the certificate mapping function and additional details, see "CertMapFn_t (Mapping Function)".
- The certificate search function searches the directory using that base DN and filter. The results of the search are passed to the certificate verification function (see the next item in the list). For a type definition of the certificate search function and additional details, see "CertSearchFn_t (Search Function)".
- The certificate verification function checks the certificate against the entries returned by the search. For a type definition of the certificate verification function and additional details, see "CertVerifyFn_t (Verification Function)".
To reuse the default behavior from within your own functions, call ldapu_get_cert_mapfn(), ldapu_get_cert_searchfn(), and ldapu_get_cert_verifyfn() to get and invoke the default functions. For example, the following search function calls the default search function and then counts the entries it returned:

    static int my_cert_search_fn(void *cert, LDAP *ld, void *certmap_info,
                                 const char *basedn, const char *dn, const char *filter,
                                 const char **attrs, LDAPMessage **res)
    {
        int count, rv;
        CertSearchFn_t searchfn;
        ...
        /* Get the default certificate search function (NULL selects the default). */
        searchfn = ldapu_get_cert_searchfn(NULL);
        /* Call the default certificate search function with the arguments we received. */
        rv = (*searchfn)(cert, ld, certmap_info, basedn, dn, filter, attrs, res);
        /* Count the number of matching entries found; *res is the result chain. */
        if (rv == LDAPU_SUCCESS) {
            count = ldap_count_entries(ld, *res);
        }
        ...
        return rv;
    }
    ...

The following diagram summarizes how the certificate mapping, search, and verification functions should interact with each other.
When you write your functions, make sure that they comply with the corresponding type definitions. Also, make sure to do the following:

- Include the certmap.h header file:

    #include "certmap.h"

- Make sure that the ldap.h and lber.h header files (from the Directory SDK) are in your include path.
- On Windows NT, add the following statement to your source:

    #ifdef WIN32
    CertmapDLLInitFnTbl
    #endif

  This statement declares the table of functions used to find the corresponding directory entry for a certificate.
- Specify in the certmap.conf file that you want this function loaded.
- To get ldapu_cert_to_ldap_entry() to use your functions instead of the default API functions, define an initialization function that calls the following functions:
  - ldapu_set_cert_mapfn() to specify your certificate map function.
  - ldapu_set_cert_searchfn() to specify your certificate search function.
  - ldapu_set_cert_verifyfn() to specify your certificate verification function.

  The initialization function must match the following type definition:

    typedef int (*CertMapInitFn_t)(void *certmap_info, const char *issuerName,
                                   const char *issuerDN, const char *libname);

  For details of this type definition, see "CertMapInitFn_t (Init Function)". For example:

    #include <stdio.h>
    #include "certmap.h"

    /* Called for the certmap.conf entry that names this library and init function. */
    int plugin_init_fn(void *certmap_info, const char *issuerName,
                       const char *issuerDN, const char *libname)
    {
        fprintf(stderr, "plugin_init_fn called.\n");
        /* Register custom mapping and verification functions for this issuer;
           the search step keeps the default function. */
        ldapu_set_cert_mapfn(issuerDN, (CertMapFn_t)plugin_mapping_fn);
        ldapu_set_cert_verifyfn(issuerDN, (CertVerifyFn_t)plugin_verify_fn);
        return LDAPU_SUCCESS;
    }

On Windows NT, you also need to call the CertmapDLLInit() function once to initialize the table of functions used to find the LDAP entry for a certificate. For example:

    NSAPI_PUBLIC int plugin_init_fn(void *certmap_info, const char *issuerName,
                                    const char *issuerDN, const char *libname)
    {
        static int initialized = 0;
        int rv;

        /* Make sure CertmapDLLInit is called only once, even if this init
           function is invoked for several certmap.conf entries. */
        if (!initialized) {
    #ifdef WIN32
            CertmapDLLInit(rv, libname);
            if (rv != LDAPU_SUCCESS) {
                /* Log an error here, if you want to. */
                return rv;
            }
    #endif
            initialized = 1;
        }
        ...
        /* Register your functions with the ldapu_set_cert_*fn() calls here,
           as in the previous example. */
        return LDAPU_SUCCESS;
    }
In the certmap.conf file, you need to add the following statements:

    <name>:library <path_to_shared_library>
    <name>:InitFn <name_of_init_function>

For example:

    certmap default1 o=Netscape Communications, c=US
    default1:library /usr/netscape/suitespot/userdb/plugin.so
    default1:InitFn plugin_init_fn
    default1:DNComps ou, o, c
    default1:FilterComps l
    default1:verifycert

In addition to using the library property to specify the library to load, each server that supports client authentication loads any shared libraries that exist in the following directories:
- <server_type> identifies a type of server. The names of server types are the same as the names of the directories in the <server_type> directory (for example, https for the Enterprise Server and news for the Collabra Server).
- <server_id> is the ID of the server instance. Typically, this is the server type concatenated with the server name (for example, https-myhost). If a library is placed in the <server_id> directory, only that server instance will load the library.
Make sure that the certmap.conf file specifies the correct path to your library and the correct name of your initialization function. Also check the name of the certificate authority (CA) that you specify in the certmap.conf file. If this name does not exactly match the name of the CA in the certificate, the functions associated with the default certmap.conf setting will be called instead of the functions associated with the CA. For more information on setting up your server to use certificates, see the chapter "Understanding encryption and SSL" in Managing Netscape Servers.
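As an added example (not part of the original page and not Netscape's code), the following Python models the configuration and mapping behaviour described above: it parses a constructed certmap.conf, selects the entry whose issuer name exactly matches the certificate's issuer (falling back to the default entry otherwise), and derives the base DN and search filter from DNComps and FilterComps. The certmap.conf syntax and the rule for picking subject-DN components are assumptions drawn from this page, not the server's implementation.

```python
# Added example (not Netscape's code): models the default mapping step from certmap.conf.
# Assumed syntax: "certmap <name> <issuerDN>" and "<name>:<property> <value>"; DNComps
# picks subject-DN components for the base DN, FilterComps picks them for the filter.
# Constructed sample file; no LDAP connection is made.
CERTMAP_CONF = """\
certmap default1 o=Netscape Communications, c=US
default1:library /usr/netscape/suitespot/userdb/plugin.so
default1:InitFn plugin_init_fn
default1:DNComps ou, o, c
default1:FilterComps l
default1:verifycert
certmap default default
default:FilterComps cn
"""

def parse_certmap(text):
    """Return {name: {"issuer": issuerDN, "props": {property: value}}}."""
    entries = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            entries[name] = {"issuer": issuer, "props": {}}
            continue
        key, _, value = line.partition(" ")  # "default1:verifycert" has an empty value
        name, _, prop = key.partition(":")
        entries[name]["props"][prop] = value.strip()
    return entries

def select_entry(entries, issuer_dn):
    """The issuer name must match exactly; otherwise the default entry is used."""
    for name, entry in entries.items():
        if entry["issuer"] == issuer_dn:
            return name
    return "default" if "default" in entries else None

def map_cert(entry, subject_dn):
    """Model of the default mapping function: (base DN, filter, verify?) for a subject."""
    comps = lambda p: [c.strip().lower() for c in entry["props"].get(p, "").split(",") if c.strip()]
    subject = [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in subject_dn.split(",")]
    dncomps, filtercomps = comps("DNComps"), comps("FilterComps")
    base_dn = ", ".join(f"{a}={v}" for a, v in subject if a.lower() in dncomps)
    clauses = [f"({a}={v})" for a, v in subject if a.lower() in filtercomps]
    # Modelling choices: no filter component means match everything; an empty base DN
    # means the search starts at the directory's root suffix (a much wider search).
    search_filter = "(objectclass=*)" if not clauses else (
        clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")")
    return base_dn, search_filter, "verifycert" in entry["props"]
```

An issuer name that differs only in spacing falls through to the default entry, which in this sample searches the whole directory by cn alone and skips verification, so the exact-match caveat above is what keeps a mistyped CA name from silently widening the mapping.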