Troubleshooting Identity Mapping

Problem: Updates to identity mapping don't take effect

To ensure that your settings changes take effect, save your changes (File > Save) and then reload your configuration (Server > Reload). To avoid the need to reload each time, enable Refresh rules from file before mapping operation. If you are running on a UNIX system, run pkid reload after you save a modified map file, or include DynamicFile = yes in the map file.

Problem: Users listed as allowed identities in some rules are denied access

This problem occurs when PKI Services Manager stops processing rules before it reaches a rule that would allow access. PKI Services Manager processes rules in order from top to bottom. It stops processing rules when a certificate meets the condition defined in a rule, or if the rule has no condition defined. This means that if you include any rule with no conditions, none of the rules that come after it will ever be processed.

For example, the following configuration includes three rules with no conditions defined. In this example, the server will always stop after the first rule. The user in the first rule (joe) will always be allowed access with any valid certificate, but the other users will never be allowed access with any certificate, even if the certificate is valid.

{ joe }

{ don }

{ fred }

To allow access to multiple users without setting any rule conditions, you need to define a single rule for all users. For example:

{ joe don fred }

{ %UPN.User% }

To support processing of multiple rules, you need to include conditions in these rules. Any rule with no conditions should be at the end of the list. For example:

{ joe } UPN.User Equals "joe"

{ don } UPN.User Equals "don"

{ fred } UPN.User Equals "fred"

{ guest }
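The following is an added example, not PKI Services Manager code: a small simulator of the top-to-bottom, first-match evaluation described above, run over both the three unconditional rules and the corrected rule set with conditions. It assumes a simplified rule syntax of `{ identities } [Field Equals "value"]`, models only the Equals condition, and substitutes `%Field%` placeholders from a constructed certificate dictionary.

```python
# Added example (not the product's own parser): simulate how a map file is
# evaluated top to bottom, stopping at the first rule whose condition holds.
# Assumed syntax: '{ ident ... } [Field Equals "value"]'; only Equals is modelled.
import re

RULE_RE = re.compile(
    r'^\{\s*(?P<ids>[^}]*)\}\s*'
    r'(?:(?P<field>[\w.]+)\s+Equals\s+"(?P<value>[^"]*)")?\s*$'
)

def parse_rules(text):
    """Parse the non-blank lines of a map file into (identities, condition) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        ids = m.group("ids").split()
        cond = (m.group("field"), m.group("value")) if m.group("field") else None
        rules.append((ids, cond))
    return rules

def allowed_identities(rules, cert):
    """Identities granted by the FIRST rule the certificate satisfies.
    A rule with no condition always matches, so later rules are never reached.
    cert is a dict of certificate fields, e.g. {"UPN.User": "don"}."""
    for ids, cond in rules:
        if cond is None or cert.get(cond[0]) == cond[1]:
            # Expand placeholders such as %UPN.User% from the certificate fields.
            return [re.sub(r"%([\w.]+)%", lambda p: cert.get(p.group(1), ""), i)
                    for i in ids]
    return []  # no rule matched: access denied

# Constructed map files mirroring the two configurations discussed above.
BROKEN = "{ joe }\n{ don }\n{ fred }\n"
FIXED = ('{ joe } UPN.User Equals "joe"\n{ don } UPN.User Equals "don"\n'
         '{ fred } UPN.User Equals "fred"\n{ guest }\n')

def allows(map_text, user, identity):
    """True if a valid certificate whose UPN.User is `user` maps to `identity`."""
    return identity in allowed_identities(parse_rules(map_text), {"UPN.User": user})
```

With BROKEN, every certificate stops at the first rule and is mapped to joe; with FIXED, each user reaches their own rule and anyone else falls through to guest.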

Related Topics

pki_mapfile Map File Reference

Sample Mapping Rules

Sample Map File with RuleType Stanzas