LDAP certificate map mode
Use the certificate map mode to specify how Liberty maps a client's X.509 certificate to a user entry in an LDAP directory: EXACT_DN, CERTIFICATE_FILTER, CUSTOM, or NOT_SUPPORTED.
Certificate map modes (certificateMapMode)
You can choose among four certificate map modes. EXACT_DN is the default mode.
- EXACT_DN
- The EXACT_DN mapping mode requires that the subject Distinguished Name (DN) in the client certificate exactly match the DN of a user entry in the LDAP server.
- CERTIFICATE_FILTER
- The CERTIFICATE_FILTER mapping mode locates the user with the LDAP search filter that you specify in the certificateFilter attribute, for example uid=${SubjectCN}; the placeholders are replaced with values taken from the certificate.
- CUSTOM
- The CUSTOM mapping mode uses your own mapping logic: you supply an X509CertificateMapper implementation that returns either a DN or an LDAP search filter for the certificate.
- NOT_SUPPORTED
- The NOT_SUPPORTED mapping mode throws a CertificateMapNotSupportedException if the registry receives an attempt to authenticate with a certificate. The CertificateMapNotSupportedException is ignored if any other federated repository can authenticate the certificate.
Certificate map mode configuration attributes
Example of a custom X509CertificateMapper implementation
The following example shows an X509CertificateMapper implementation for an LDAP registry.
import java.security.cert.X509Certificate;
import java.util.List;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import com.ibm.websphere.security.CertificateMapFailedException;
import com.ibm.websphere.security.CertificateMapNotSupportedException;
import com.ibm.websphere.security.X509CertificateMapper;

public class CustomLdapMapper implements X509CertificateMapper {
    @Override
    public String mapCertificate(X509Certificate[] certificates)
            throws CertificateMapNotSupportedException,
                   CertificateMapFailedException {
        // certificates[0] is the client (end-entity) certificate.
        if (certificates == null || certificates.length == 0) {
            throw new CertificateMapFailedException("No certificates found.");
        }
        LdapName dn;
        try {
            dn = new LdapName(certificates[0].getSubjectX500Principal().getName());
        } catch (InvalidNameException e) {
            throw new CertificateMapFailedException(
                    "The certificate subject X.500 principal is not in " +
                    "the form of a distinguished name.", e);
        }
        /*
         * This example returns an LDAP search filter using the value
         * of the first RDN in the DN. When returning an LDAP search
         * filter, surround the filter by parentheses to indicate that
         * it is a filter.
         *
         * Alternatively, return a distinguished name and exclude the
         * parentheses.
         */
        List<Rdn> rdns = dn.getRdns();
        // LdapName indexes RDNs right to left, so the first (leftmost)
        // RDN of the string form is the last element of the list.
        // Rdn.getValue() returns Object, so convert it to a String.
        String value = String.valueOf(rdns.get(rdns.size() - 1).getValue());
        // Note: the value is inserted without escaping the characters that
        // RFC 4515 reserves in a filter (* ( ) \); a production mapper
        // should escape them before building the filter.
        return "(someLdapAttribute=" + value + ")";
    }
}
You can make the X509CertificateMapper implementation available to Liberty as an OSGi service in one of two ways: with a Basic Extensions using Liberty Libraries (BELL) feature, which registers the classes that are listed in the library's META-INF/services files as services, or with a user feature. Configure the registry with certificateMapMode="CUSTOM" and point its certificateMapperId attribute at the ID under which the mapper service is registered.
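The following mapper is an added example, not code from the Liberty documentation or product, that hardens the pattern shown above. It takes the subject CN of the client certificate, verifies that the leftmost RDN really is a CN, and escapes the value as RFC 4515 requires before placing it in a search filter, so that a certificate whose CN contains filter metacharacters cannot change the shape of the filter that the registry runs. The class name CnToUidMapper, the assumption that the directory stores login names in the uid attribute, and the two sample subject DNs in main (one benign, one carrying metacharacters) are all constructed for this example. To use it, register it as a service through a BELL or user feature as described above and set certificateMapMode="CUSTOM" with a matching certificateMapperId on the ldapRegistry element.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import com.ibm.websphere.security.CertificateMapFailedException;
import com.ibm.websphere.security.CertificateMapNotSupportedException;
import com.ibm.websphere.security.X509CertificateMapper;

/**
 * Added example (not Liberty's own code): maps the client certificate's
 * subject CN to the search filter (uid=<cn>), escaping the CN as RFC 4515
 * requires so that a crafted subject cannot alter the filter.
 * Assumes the directory stores login names in the "uid" attribute.
 */
public class CnToUidMapper implements X509CertificateMapper {

    @Override
    public String mapCertificate(X509Certificate[] certificates)
            throws CertificateMapNotSupportedException,
                   CertificateMapFailedException {
        if (certificates == null || certificates.length == 0) {
            throw new CertificateMapFailedException("No certificates found.");
        }
        // certificates[0] is the end-entity (client) certificate.
        return mapSubject(certificates[0].getSubjectX500Principal().getName());
    }

    /**
     * Builds the filter from a subject DN string. Kept separate from
     * mapCertificate so the logic can be exercised without a real certificate.
     */
    static String mapSubject(String subjectDn) throws CertificateMapFailedException {
        LdapName dn;
        try {
            dn = new LdapName(subjectDn);
        } catch (InvalidNameException e) {
            throw new CertificateMapFailedException(
                    "The certificate subject is not a distinguished name: " + subjectDn, e);
        }
        List<Rdn> rdns = dn.getRdns();
        // LdapName indexes RDNs right to left: the leftmost RDN of the
        // string form ("CN=...") is the last element of the list.
        Rdn leftmost = rdns.get(rdns.size() - 1);
        if (!"CN".equalsIgnoreCase(leftmost.getType())) {
            throw new CertificateMapFailedException(
                    "Expected the subject to start with CN but found " + leftmost.getType());
        }
        // Rdn.getValue() returns Object (a String for textual values).
        String cn = String.valueOf(leftmost.getValue());
        return "(uid=" + escapeFilterValue(cn) + ")";
    }

    /**
     * Escapes the characters that RFC 4515 reserves inside an assertion
     * value. Non-ASCII characters are passed through unchanged.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws CertificateMapFailedException {
        // Constructed sample subjects: a benign one, and one whose CN carries
        // filter metacharacters that, left unescaped, would close the uid
        // assertion and open a second one.
        System.out.println(mapSubject("CN=alice,OU=Users,DC=example,DC=com"));
        System.out.println(mapSubject("CN=alice)(uid=*,OU=Users,DC=example,DC=com"));
    }
}
```

Running main shows the benign subject becoming a plain uid filter, while in the second case the parentheses and asterisk from the CN appear as backslash-hex escapes, so the directory treats them as literal characters rather than filter syntax. Escaping only matters when you return a filter; if you return a DN instead, leave the parentheses off, as the page notes, and let the LDAP server match the entry by DN.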