freeipa/install/share/certmap.conf.template

#
# This file configures how a certificate is mapped to an LDAP entry.  See the
# documentation for more information on this file.
#
# The format of this file is as follows:
#	certmap <name> <issuerDN>
#	<name>:<prop1> [<val1>]
#	<name>:<prop2> [<val2>]
#
# Notes:
#
# 1.  Mapping can be defined per issuer of a certificate.  If mapping doesn't
#     exists for a particular 'issuerDN' then the server uses the default
#     mapping. 
#
# 2.  There must be an entry for <name>=default and issuerDN "default".
#     This mapping is the default mapping.
#
# 3.  '#' can be used to comment out a line.
#
# 4.  DNComps & FilterComps are used to form the base DN and filter resp. for 
#     performing an LDAP search while mapping the cert to a user entry.
#
# 5.  DNComps can be one of the following:
#	commented out - take the user's DN from the cert as is
#	empty         - search the entire LDAP tree (DN == suffix)
#	attr names    - a comma separated list of attributes to form DN
#
# 6.  FilterComps can be one of the following:
#	commented out - set the filter to "objectclass=*"
#	empty         - set the filter to "objectclass=*"
#	attr names    - a comma separated list of attributes to form the filter
#

certmap default         default
#default:DNComps
#default:FilterComps    e, uid
#default:verifycert     on
#default:CmapLdapAttr   certSubjectDN
#default:library        <path_to_shared_lib_or_dll>
#default:InitFn         <Init function's name>
default:DNComps
default:FilterComps     uid
certmap ipaca           $ISSUER_DN
ipaca:CmapLdapAttr      seeAlso
ipaca:verifycert        on
- Abstracted client class to work directly or over RPC - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication - Update tools to use kerberos - Add User class 2007-08-06 09:05:53 -05:00			`#`
			`# This file configures how a certificate is mapped to an LDAP entry. See the`
			`# documentation for more information on this file.`
			`#`
			`# The format of this file is as follows:`
			`# certmap <name> <issuerDN>`
			`# <name>:<prop1> [<val1>]`
			`# <name>:<prop2> [<val2>]`
			`#`
			`# Notes:`
			`#`
			`# 1. Mapping can be defined per issuer of a certificate. If mapping doesn't`
			`# exists for a particular 'issuerDN' then the server uses the default`
			`# mapping.`
			`#`
			`# 2. There must be an entry for <name>=default and issuerDN "default".`
			`# This mapping is the default mapping.`
			`#`
			`# 3. '#' can be used to comment out a line.`
			`#`
			`# 4. DNComps & FilterComps are used to form the base DN and filter resp. for`
			`# performing an LDAP search while mapping the cert to a user entry.`
			`#`
			`# 5. DNComps can be one of the following:`
			`# commented out - take the user's DN from the cert as is`
			`# empty - search the entire LDAP tree (DN == suffix)`
			`# attr names - a comma separated list of attributes to form DN`
			`#`
			`# 6. FilterComps can be one of the following:`
			`# commented out - set the filter to "objectclass=*"`
			`# empty - set the filter to "objectclass=*"`
			`# attr names - a comma separated list of attributes to form the filter`
			`#`

Changes to use a single database for dogtag and IPA New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances. 2012-09-19 22:35:42 -05:00			`certmap default default`
- Abstracted client class to work directly or over RPC - Add mod_auth_kerb and cyrus-sasl-gssapi to Requires - Remove references to admin server in ipa-server-setupssl - Generate a client certificate for the XML-RPC server to connect to LDAP with - Create a keytab for Apache - Create an ldif with a test user - Provide a certmap.conf for doing SSL client authentication - Update tools to use kerberos - Add User class 2007-08-06 09:05:53 -05:00			`#default:DNComps`
Changes to use a single database for dogtag and IPA New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances. 2012-09-19 22:35:42 -05:00			`#default:FilterComps e, uid`
			`#default:verifycert on`
			`#default:CmapLdapAttr certSubjectDN`
			`#default:library <path_to_shared_lib_or_dll>`
			`#default:InitFn <Init function's name>`
			`default:DNComps`
			`default:FilterComps uid`
dsinstance: extract function for writing certmap.conf For full customisability of the IPA CA subject DN, we will need the ability to update DS `certmap.conf' when upgrading a deployment from CA-less to CA-ful. Extract the existing behaviour, which is private to DsInstance, to the `write_certmap_conf' top-level function. Also update `certmap.conf.template' for substition of the whole CA subject DN (not just the subject base). Part of: https://fedorahosted.org/freeipa/ticket/2614 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 21:23:11 -06:00			`certmap ipaca $ISSUER_DN`
Changes to use a single database for dogtag and IPA New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances. 2012-09-19 22:35:42 -05:00			`ipaca:CmapLdapAttr seeAlso`
			`ipaca:verifycert on`