Show Contents / Index / Search

Sample Mapping Rules

Rule

What happens

{ guest }

Because no condition is included, all valid certificates are mapped to the user "guest". This can serve as a default rule. A rule like this should go at the end of the rule list to ensure that all other rules are processed first.

{ fred.jones } UPN.user Equals "fred"

If the UPN representation of SubjectAltName is present, and the user part is equal to “fred”, the set of allowed identities is fred.jones.

{ %UPN.user% } UPN.host Equals "acme.com"

If a certificate has a UPN representation of SubjectAltName, and the host name part is "acme.com", the user name part of the UPN is returned as the set of allowed identities.

{ guest %UPN.user% }

If the UPN is set, the user part is included in the set of allowed identities (along with "guest"). Otherwise the set of allowed identities is "guest". Because there is no condition, this rule applies to any valid certificate.

{ fred root } Subject.CN Contains "Fred Jones"

If the CN of the certificate contains "Fred Jones", the set of allowed identities has two values: "fred" and "root".

{ %subst% } Subject.CN Regex [a-zA-Z\.]*([0-9])

Sets the allowed identity equal to the first numerical string within the common name portion of the Subject field. For example, if the CN is "joe.smith.12345", the allowed identity is set to "12345".

{ elmer.foo.com } Subject.CN Contains "elmer"

Sets the allowed identity to the fully-qualified domain name "elmer.foo.com" from a certificate that contains the short name "elmer".

{ bob } Cert Equals /temp/certs/bob_cert.crt

Compares the incoming certificate to the one locally stored. If they are equal, the allowed identity set is "bob".

{ %subst% } Subject.CN Extern /bin/myapp

PKI Services Manager sends the Common Name portion of the Subject field to the application "/bin/myapp". If the exit code of the called application equals 0, the allowed identity is set equal to the returned result.

{ %UPN.User% } UPN Extern /bin/ldap-app

In this case, an exit-code of 0 from the external application serves as confirmation that the UPN is an authorized user.

{ %Subject.CN% %DNS% }

Sets the allowed identity set to include the contents of either the Subject.CN field or the DNS part of SubjectAltName.

{ windomain\%UPN.User% }

Allows users from the specified Windows domain name to authenticate if their user name matches the UPN user name.

Related Topics

Troubleshooting Identity Mapping

pki_mapfile Map File Reference