Hi all, Having read all the manuals and snippets I can find, I have come up with the following certmap.conf file: certmap default default default:verifycert on default:CmapLdapAttr nsCertSubjectDN What I want the above to do is this: - Look up the subject of the client certificate as the DN in the nsCertSubjectDN attribute. - Also do an exact match of the certificate in the userCertificate attribute (verifycert on). - Do the search across all contexts. Does the certmap above do this? What is not working for me is the lookup: [18/Nov/2020:00:10:33.787682853 +0200] conn=1269 TLS1.3 128-bit AES-GCM; client serialNumber=365[snip]a14,CN=host.example.com; issuer CN=X,O=Y,C=UK [18/Nov/2020:00:10:33.888476161 +0200] conn=1269 TLS1.3 failed to map client certificate to LDAP DN (No such object) Looking at the source code, the above message is logged if we have a certificate, but we didn’t manage to map a DN: https://github.com/389ds/389-ds-base/blob/f9638bbd8739659057249ac43b914d18716996b5/ldap/servers/slapd/auth.c#L501 Something missing from the documentation is the DN format expected by the nsCertSubjectDN attribute. Is the format CN=X,serialNumber=Y as reported by openssl x509, or is it serialNumber=Y,CN=X as reported by the log message above? Regards, Graham — _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
