Sample Mapping Rules


What happens

{ guest }

Because no condition is included, all valid certificates are mapped to the user "guest". This can serve as a default rule. A rule like this should go at the end of the rule list to ensure that all other rules are processed first.

{ fred.jones } UPN.user Equals "fred"

If the UPN representation of SubjectAltName is present, and the user part is equal to “fred”, the set of allowed identities is fred.jones.

{ %UPN.user% } Equals ""

If a certificate has a UPN representation of SubjectAltName, and the host name part is "", the user name part of the UPN is returned as the set of allowed identities.

{ guest %UPN.user% }

If the UPN is set, the user part is included in the set of allowed identities (along with "guest"). Otherwise the set of allowed identities is "guest". Because there is no condition, this rule applies to any valid certificate.

{ fred root } Subject.CN Contains "Fred Jones"

If the CN of the certificate contains "Fred Jones", the set of allowed identities has two values: "fred" and "root".

{ %subst% } Subject.CN Regex [a-zA-Z\.]*([0-9]+)

Sets the allowed identity equal to the first numerical string within the common name portion of the Subject field. For example, if the CN is "joe.smith.12345", the allowed identity is set to "12345".

{ } Subject.CN Contains "elmer"

Sets the allowed identity to the fully-qualified domain name "" from a certificate that contains the short name "elmer".

{ bob } Cert Equals /temp/certs/bob_cert.crt

Compares the incoming certificate to the one locally stored. If they are equal, the allowed identity set is "bob".

{ %subst% } Cert Extern /bin/myapp

PKI Services Manager sends two values to the application "/bin/myapp". The first argument contains the contents of the certificate in PEM format (text). The second contains the path to a temporary file that contains a copy of the certificate in DER format (binary). The external application can be configured to use either of these formats. If the exit code of the called application equals 0, the allowed identity is set equal to the returned result.

{ %UPN.User% } UPN Extern /bin/ldap-app

In this case, an exit-code of 0 from the external application serves as confirmation that the UPN is an authorized user.

{ %Subject.CN% %DNS% }

Sets the allowed identity set to include the contents of either the Subject.CN field or the DNS part of SubjectAltName.

{ windomain\%UPN.User% }

Allows users from the specified Windows domain name to authenticate if their user name matches the UPN user name.

Related Topics

Troubleshooting Identity Mapping

pki_mapfile Map File Reference