G Searching the Directory for User Certificates

Starting with 10g Release 2 (10.1.2), you can perform a command-line search of the binary attribute usercertificate.

Prior to 10g Release 2 (10.1.2.0.2), the only way to identify a user from the certificate was through the DN specified in the certificate. This is known as certificate matching. Starting with 10g Release 2 (10.1.2.0.2), Oracle Internet Directory supports certificate mapping, in addition to certificate matching. Certificate matching requires that a user certificate be provisioned in the directory. Certificate mapping does not require provisioning of a user certificate.

This chapter includes the following topics:

Certificate Mapping
Search Types

G.1 Certificate Mapping

Certificate mapping allows a customer to define rules for mapping the certificate to the user's DN. A certificate mapping rule is a set of rules for parsing the certificate and for querying the directory for the user's identity. Only custom extensions of certificates can be used in mapping rules.

The following examples show how to add, delete, and modify a certificate mapping rule.

Adding a Certificate Mapping Rule

Add a mapping rule using ldapmodify, as follows:

ldapmodify -h hostName -p  port_number -f certMapRuleAdd.ldif

The file certMapRuleAdd.ldif should look something like this:

dn: cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations
cn: maprule1
objectclass: orclidmapping
objectclass: orclcertidmapping
orclSearchScope: subtree
orclSearchFilter: (cn=$\(2.16.750.5.14.2.81.2.5.1\))
orclcertExtensionOID: 2.16.750.5.14.2.81.2.5
orclcertExtensionAttribute: 2.16.750.5.14.2.81.2.5.1

Deleting a Certificate Mapping Rule

Delete a mapping rule using ldapdelete, as follows:

ldapdelete hostName -p  port_number "cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations"

Modifying a Certificate Mapping Rule

Modify a mapping rule using ldapmodify, as follows:

ldapmodify -h hostName -p  port_number -f certMapRuleMod.ldif

The file certMapRuleMod.ldif should look something like this:

dn: cn=maprule1,cn=SASL-EXTERNAL,cn=Identity Mapping Configurations,cn=Server Configurations
changetype:modify
replace: <attrName>
<attrName>: <attrValue>

G.2 Search Types

You can use two kinds of ldapsearch filters:

A filter of the form "usercertificate=certificate_serial_number$certificate_issuer_DN". A combination of the certificate serial number and the certificate issuer's DN is used to locate the certificate. This combination is called the certificate match value.

A filter of the form"usercertificate;binary=base_64_encoded_value_of_certificate". Using this filter, one of six types of searches is possible, depending upon two things:

The value of the DSA configuration set attribute (DN: "cn=dsaconfig,cn=configsets,cn=oracle internet directory"), orclpkimatchingrule.
The presence or absence of the LDAP control 2.16.840.1.113894.1.8.23

The six types of searches possible with a filter of the form "usercertificate;binary=base_64_encoded_value_of_certificate" are:

Presence of LDAP control	Value of orclpkimatchingrule	Search Behavior
Absent	Not used	The hashed value of the client certificate is used to locate `usercertificate`.
Present	0	An exact-match search is performed. The subject DN of the client certificate is the search base. This DN is compared with the user DN in the directory. The search scope is `Base`. The filter is `"objectclass=*"`.
Present	1	The hashed value of the client certificate is used to locate `usercertificate`.
Present	2 (Default)	The hashed value of the client certificate is used to locate `usercertificate`. If this search yields nothing, An exact-match search is performed.
Present	3	The mapping rule is used.
Present	4	First, the mapping rule is used. If that search yields nothing, then the search proceeds as if the value were 2.

Use the ldapmodify tool to set orclpkimatchingrule to the desired value.

Notes:

The usercertificate attribute cannot be searched using a substring filter.
In an exact-match search, the search filter can contain only one attribute value assertion.
Only one-level and subtree searches are supported.
The catalog.sh tool does not support catalogs for user certificates—namely ct_orclcertificatehash and ct_orclcertificatematch
The introduction in 10g Release 2 (10.1.2) of certificate hash values requires that certificates be upgraded from earlier releases. See the "upgradecert.pl" command-line tool reference in Oracle Identity Management User Reference.