<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

    <refmeta>
        <refentrytitle>sss-certmap</refentrytitle>
        <manvolnum>5</manvolnum>
        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
    </refmeta>

    <refnamediv id='name'>
        <refname>sss-certmap</refname>
        <refpurpose>SSSD Certificate Matching and Mapping Rules</refpurpose>
    </refnamediv>

    <refsect1 id='description'>
        <title>DESCRIPTION</title>
        <para>
            This manual page describes the rules which can be used by SSSD and
            other components to match X.509 certificates and map them to
            accounts.
        </para>
        <para>
            Each rule has four components, a <quote>priority</quote>, a
            <quote>matching rule</quote>, a <quote>mapping rule</quote> and a
            <quote>domain list</quote>. All components are optional. A missing
            <quote>priority</quote> adds the rule with the lowest priority.
            The default <quote>matching rule</quote> matches certificates with
            the digitalSignature key usage and the clientAuth extended key
            usage. If the <quote>mapping rule</quote> is empty the certificate
            is searched for in the userCertificate attribute as DER encoded
            binary. If no domains are given only the local domain is searched.
        </para>
    </refsect1>

    <refsect1 id='components'>
        <title>RULE COMPONENTS</title>
        <refsect2 id='priority'>
            <title>PRIORITY</title>
            <para>
                Rules are processed in priority order, where the number '0'
                (zero) indicates the highest priority: the higher the number,
                the lower the priority. A missing value indicates the lowest
                priority. Processing stops at the first rule that matches; no
                further rules are checked.
            </para>
            <para>
                Internally the priority is treated as an unsigned 32-bit
                integer; a priority value larger than 4294967295 will cause an
                error.
            </para>
        </refsect2>
        <refsect2 id='match'>
            <title>MATCHING RULE</title>
            <para>
                The matching rule is used to select a certificate to which the
                mapping rule should be applied. It uses a scheme similar to the
                one used by the <quote>pkinit_cert_match</quote> option of MIT
                Kerberos. It consists of a keyword enclosed in '&lt;' and
                '&gt;' which identifies a certain part of the certificate, and
                a pattern which must be found there for the rule to match.
                Multiple keyword-pattern pairs can be joined with either
                '&amp;&amp;' (and) or '&#124;&#124;' (or).
            </para>
            <para>
                The available options are:
                <variablelist>
                    <varlistentry>
                        <term>&lt;SUBJECT&gt;regular-expression</term>
                        <listitem>
                            <para>
                                With this a part of or the whole subject name
                                of the certificate can be matched. POSIX
                                Extended Regular Expression syntax is used for
                                the matching, see regex(7) for details. The
                                expression is not anchored implicitly: unless
                                '^' and '$' are used it matches any substring
                                of the name.
                            </para>
                            <para>
                                For the matching, the subject name stored in
                                the certificate as DER encoded ASN.1 is
                                converted into a string according to RFC 4514.
                                This means the most specific name component
                                comes first. Please note that not all possible
                                attribute names are covered by RFC 4514. The
                                names included are 'CN', 'L', 'ST', 'O', 'OU',
                                'C', 'STREET', 'DC' and 'UID'. Other attribute
                                names might be shown differently on different
                                platforms and by different tools. To avoid
                                confusion those attribute names are best not
                                used, or covered by a suitable regular
                                expression.
                            </para>
                            <para>
                                Example: &lt;SUBJECT&gt;.*,DC=MY,DC=DOMAIN
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;ISSUER&gt;regular-expression</term>
                        <listitem>
                            <para>
                                With this a part of or the whole issuer name
                                of the certificate can be matched. All
                                comments for &lt;SUBJECT&gt; apply here as
                                well.
                            </para>
                            <para>
                                Example: &lt;ISSUER&gt;^CN=My-CA,DC=MY,DC=DOMAIN$
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;KU&gt;key-usage</term>
                        <listitem>
                            <para>
                                This option can be used to specify which key
                                usage values the certificate must have. The
                                following values can be used in a comma
                                separated list:
                                <itemizedlist>
                                    <listitem><para>digitalSignature</para></listitem>
                                    <listitem><para>nonRepudiation</para></listitem>
                                    <listitem><para>keyEncipherment</para></listitem>
                                    <listitem><para>dataEncipherment</para></listitem>
                                    <listitem><para>keyAgreement</para></listitem>
                                    <listitem><para>keyCertSign</para></listitem>
                                    <listitem><para>cRLSign</para></listitem>
                                    <listitem><para>encipherOnly</para></listitem>
                                    <listitem><para>decipherOnly</para></listitem>
                                </itemizedlist>
                            </para>
                            <para>
                                A numerical value in the range of a 32-bit
                                unsigned integer can be used as well to cover
                                special use cases.
                            </para>
                            <para>
                                Example: &lt;KU&gt;digitalSignature,keyEncipherment
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;EKU&gt;extended-key-usage</term>
                        <listitem>
                            <para>
                                This option can be used to specify which
                                extended key usages the certificate must have.
                                The following values can be used in a comma
                                separated list:
                                <itemizedlist>
                                    <listitem><para>serverAuth</para></listitem>
                                    <listitem><para>clientAuth</para></listitem>
                                    <listitem><para>codeSigning</para></listitem>
                                    <listitem><para>emailProtection</para></listitem>
                                    <listitem><para>timeStamping</para></listitem>
                                    <listitem><para>OCSPSigning</para></listitem>
                                    <listitem><para>KPClientAuth</para></listitem>
                                    <listitem><para>pkinit</para></listitem>
                                    <listitem><para>msScLogin</para></listitem>
                                </itemizedlist>
                            </para>
                            <para>
                                Extended key usages which are not listed above
                                can be specified with their OID in
                                dotted-decimal notation.
                            </para>
                            <para>
                                Example: &lt;EKU&gt;clientAuth,1.3.6.1.5.2.3.4
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN&gt;regular-expression</term>
                        <listitem>
                            <para>
                                To be compatible with the usage in MIT Kerberos
                                this option matches the Kerberos principals in
                                the PKINIT or AD NT Principal SAN, as
                                &lt;SAN:Principal&gt; does.
                            </para>
                            <para>
                                Example: &lt;SAN&gt;.*@MY\.REALM
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:Principal&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the Kerberos principals in the PKINIT or
                                AD NT Principal SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:Principal&gt;.*@MY\.REALM
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:ntPrincipalName&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the Kerberos principals from the AD NT
                                Principal SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:ntPrincipalName&gt;.*@MY\.AD\.REALM
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:pkinit&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the Kerberos principals from the PKINIT
                                SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:pkinit&gt;.*@MY\.PKINIT\.REALM
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:dotted-decimal-oid&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Take the value of the otherName SAN component
                                given by the OID in dotted-decimal notation,
                                interpret it as a string and try to match it
                                against the regular expression.
                            </para>
                            <para>
                                Example: &lt;SAN:1.2.3.4&gt;test
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:otherName&gt;base64-string</term>
                        <listitem>
                            <para>
                                Do a binary match of the base64 encoded blob
                                against all otherName SAN components. This
                                makes it possible to match custom otherName
                                components with special encodings which cannot
                                be treated as strings.
                            </para>
                            <para>
                                Example: &lt;SAN:otherName&gt;MTIz
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:rfc822Name&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the value of the rfc822Name SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:rfc822Name&gt;.*@email\.domain
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:dNSName&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the value of the dNSName SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:dNSName&gt;.*\.my\.dns\.domain
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:x400Address&gt;base64-string</term>
                        <listitem>
                            <para>
                                Binary match the value of the x400Address SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:x400Address&gt;MTIz
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:directoryName&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the value of the directoryName SAN. The
                                same comments as given for &lt;ISSUER&gt; and
                                &lt;SUBJECT&gt; apply here as well.
                            </para>
                            <para>
                                Example: &lt;SAN:directoryName&gt;.*,DC=com
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:ediPartyName&gt;base64-string</term>
                        <listitem>
                            <para>
                                Binary match the value of the ediPartyName SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:ediPartyName&gt;MTIz
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:uniformResourceIdentifier&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the value of the uniformResourceIdentifier
                                SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:uniformResourceIdentifier&gt;URN:.*
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:iPAddress&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the value of the iPAddress SAN.
                            </para>
                            <para>
                                Example: &lt;SAN:iPAddress&gt;192\.168\..*
                            </para>
                        </listitem>
                    </varlistentry>
                    <varlistentry>
                        <term>&lt;SAN:registeredID&gt;regular-expression</term>
                        <listitem>
                            <para>
                                Match the value of the registeredID SAN as a
                                dotted-decimal string.
                            </para>
                            <para>
                                Example: &lt;SAN:registeredID&gt;1\.2\.3\..*
                            </para>
                        </listitem>
                    </varlistentry>
                </variablelist>
            </para>
        </refsect2>
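        <para>
            The following Python is an added worked example for the PRIORITY
            and MATCHING RULE sections above; it is not code from SSSD, whose
            libsss_certmap is written in C. It parses rules in the
            &lt;KEYWORD&gt;pattern syntax, evaluates them against a constructed
            description of a certificate and picks the first matching rule in
            priority order. Assumptions that go beyond what this page states:
            Python's re module stands in for the POSIX Extended Regular
            Expressions of regex(7) (adequate for the patterns shown here, not
            identical); numeric &lt;KU&gt; values use the NSS bit layout; a
            rule uses a single relation (all '&amp;&amp;' or all
            '&#124;&#124;', with MIT-style concatenation without an operator
            counting as and); rules with equal priority keep their definition
            order. The EKU OIDs are the standard ones from RFC 5280, RFC 4556
            and Microsoft, with KPClientAuth and pkinit both resolving to
            id-pkinit-KPClientAuth. The sample certificate and rule set are
            constructed for the example.
        </para>
        <programlisting><![CDATA[
```python
"""Added example (not SSSD code): evaluate sss-certmap matching rules and
rule priorities in pure Python. libsss_certmap is C; Python's re module
stands in for the POSIX Extended Regular Expressions of regex(7). A
certificate is a dict of what a real implementation would already have
extracted from the DER certificate."""
import base64
import re

# Assumption: numeric <KU> values use the NSS bit layout (digitalSignature
# = 0x80 ... decipherOnly = 0x8000); the page only says a 32-bit value works.
KU_BITS = {"digitalSignature": 0x0080, "nonRepudiation": 0x0040,
           "keyEncipherment": 0x0020, "dataEncipherment": 0x0010,
           "keyAgreement": 0x0008, "keyCertSign": 0x0004, "cRLSign": 0x0002,
           "encipherOnly": 0x0001, "decipherOnly": 0x8000}
# Names accepted by <EKU> and their OIDs (RFC 5280, RFC 4556, Microsoft).
EKU_OIDS = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
            "codeSigning": "1.3.6.1.5.5.7.3.3", "emailProtection": "1.3.6.1.5.5.7.3.4",
            "timeStamping": "1.3.6.1.5.5.7.3.8", "OCSPSigning": "1.3.6.1.5.5.7.3.9",
            "KPClientAuth": "1.3.6.1.5.2.3.4", "pkinit": "1.3.6.1.5.2.3.4",
            "msScLogin": "1.3.6.1.4.1.311.20.2.2"}
BINARY_SANS = {"otherName", "x400Address", "ediPartyName"}  # matched as base64 blobs
PRIORITY_MAX = 4294967295                                    # unsigned 32-bit
DEFAULT_MATCH = "<KU>digitalSignature&&<EKU>clientAuth"      # rule without a matching rule

def parse_rule(rule):
    """Return (relation, [(keyword, pattern), ...]). Components are joined
    with '&&' or '||'; MIT-style concatenation without an operator is also
    accepted and means '&&'. Assumption: a rule uses one relation only."""
    rule = rule.strip()
    relation = None
    if rule[:2] in ("&&", "||"):             # MIT-style leading relation
        relation, rule = rule[:2], rule[2:]
    found = re.findall(r"<([^<>]+)>([^<]*)", rule)
    if not found or "".join("<%s>%s" % pair for pair in found) != rule:
        raise ValueError("malformed matching rule: %r" % rule)
    components = []
    for keyword, rest in found:
        pattern, op = re.match(r"(.*?)(&&|\|\|)?$", rest, re.S).groups()
        if op and relation is None:
            relation = op
        elif op and op != relation:
            raise ValueError("mixed && and || in one rule")
        components.append((keyword, pattern))
    return relation or "&&", components

def ku_mask(spec):
    """Comma separated key usage names, or a raw numeric 32-bit value."""
    if spec.isdigit():
        return int(spec) & 0xFFFFFFFF
    mask = 0
    for name in spec.split(","):
        mask |= KU_BITS[name.strip()]        # KeyError for an unknown name
    return mask

def match_component(keyword, pattern, cert):
    if keyword in ("SUBJECT", "ISSUER"):     # unanchored regex over the RFC 4514 string
        return re.search(pattern, cert[keyword.lower()]) is not None
    if keyword == "KU":                      # every listed usage bit must be set
        wanted = ku_mask(pattern)
        return cert["ku"] & wanted == wanted
    if keyword == "EKU":                     # every listed EKU must be present
        wanted = {EKU_OIDS.get(n.strip(), n.strip()) for n in pattern.split(",")}
        return wanted <= set(cert["eku"])
    if keyword == "SAN" or keyword.startswith("SAN:"):
        kind = keyword[4:] or "Principal"    # plain <SAN> acts like <SAN:Principal>
        if kind == "Principal":
            values = cert["san"].get("pkinit", []) + cert["san"].get("ntPrincipalName", [])
        else:
            values = cert["san"].get(kind, [])  # also <SAN:dotted.oid> otherName strings
        if kind in BINARY_SANS:
            return base64.b64decode(pattern) in values   # exact binary comparison
        return any(re.search(pattern, v) for v in values)
    raise ValueError("unknown keyword <%s>" % keyword)

def matches(rule, cert):
    relation, components = parse_rule(rule)
    results = [match_component(k, p, cert) for k, p in components]
    return all(results) if relation == "&&" else any(results)

def select_rule(rules, cert):
    """First rule, in priority order (0 first, no priority last), that matches."""
    for rule in rules:
        prio = rule.get("priority")
        if prio is not None and not 0 <= prio <= PRIORITY_MAX:
            raise ValueError("priority %r exceeds an unsigned 32-bit integer" % prio)
    ordered = sorted(rules, key=lambda r: PRIORITY_MAX + 1
                     if r.get("priority") is None else r["priority"])
    for rule in ordered:                     # stable sort: ties keep list order
        if matches(rule.get("match") or DEFAULT_MATCH, cert):
            return rule
    return None

# Constructed sample certificate content, not a real certificate.
SAMPLE_CERT = {
    "subject": "CN=Alice Example,OU=Users,DC=MY,DC=DOMAIN",      # RFC 4514 order
    "issuer": "CN=My-CA,DC=MY,DC=DOMAIN",
    "ku": KU_BITS["digitalSignature"] | KU_BITS["keyEncipherment"],
    "eku": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.2.3.4"],             # clientAuth, pkinit
    "san": {"pkinit": ["alice@MY.REALM"], "ntPrincipalName": ["alice@my.domain"],
            "rfc822Name": ["alice@email.domain"],
            "1.2.3.4": ["test-value"],                           # otherName read as string
            "otherName": [b"123"]},                              # base64 'MTIz'
}
# Constructed rule set; list order is deliberately not priority order.
SAMPLE_RULES = [
    {"name": "other-ca", "priority": 10, "match": "<ISSUER>^CN=Other-CA,DC=MY,DC=DOMAIN$"},
    {"name": "catch-all", "match": "<EKU>clientAuth"},             # no priority: lowest
    {"name": "my-ca", "priority": 0,
     "match": "<ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$&&<KU>digitalSignature"
              "&&<EKU>clientAuth,1.3.6.1.5.2.3.4"},
    {"name": "default-match", "priority": 5},                      # uses DEFAULT_MATCH
]
```
]]></programlisting>
        <para>
            Two points the example makes concrete: select_rule() returns the
            rule with priority 0 although it is listed third, because the
            processing order is the priority and not the order of definition,
            and the subject pattern '.*,DC=MY,DC=DOMAIN' also matches a name
            that continues after DC=DOMAIN, so the '^...$' form used in the
            &lt;ISSUER&gt; example is the safer choice whenever a whole name
            is meant.
        </para>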
        <refsect2 id='map'>
            <title>MAPPING RULE</title>
            <para>
                The mapping rule is used to associate a certificate with one
                or more accounts. A smartcard with the certificate and the
                matching private key can then be used to authenticate as one
                of those accounts.
            </para>
            <para>
                Currently SSSD basically only supports LDAP to look up user
                information (the exception is the proxy provider, which is not
                relevant here). Because of this the mapping rule is based on
                LDAP search filter syntax, with templates to add certificate
                content to the filter. It is expected that the filter will
                only contain the specific data needed for the mapping and that
                the caller will embed it in another filter to do the actual
                search. Because of this the filter string should start and end
                with '(' and ')' respectively.
            </para>
            <para>
                In general it is recommended to take attributes from the
                certificate and store them in dedicated attributes of the LDAP
                user object, e.g. the 'altSecurityIdentities' attribute in AD
                or the 'ipaCertMapData' attribute in IPA.
            </para>
            <para>
                This should be preferred to reading user specific data from
                the certificate, e.g. an email address, and searching for it
                in the LDAP server. The reason is that the user specific data
                in LDAP might change for various reasons, which would break
                the mapping. On the other hand it would be hard to break the
                mapping on purpose for a specific user.
            </para>
            <para>
                The templates to add certificate data to the search filter are
                based on Python-style format strings. They consist of a keyword
                in curly braces with an optional sub-component specifier
                separated by a '.' or an optional conversion/formatting option
                separated by a '!'. Allowed values are:
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <variablelist>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <varlistentry>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <term>{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}</term>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <listitem>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose This template will add the full issuer DN converted to a
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose string according to RFC 4514. If X.500 ordering (most
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose specific RDN comes last) an option with the '_x500'
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose prefix should be used.
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose </para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose The conversion options starting with 'ad_' will use
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose attribute names as used by AD, e.g. 'S' instead of 'ST'.
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose </para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose The conversion options starting with 'nss_' will use
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose attribute names as used by NSS.
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose </para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose The default conversion option is 'nss', i.e. attribute
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose names according to NSS and LDAP/RFC 4514 ordering.
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose </para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose <para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose Example: (ipacertmapdata=X509:&lt;I&gt;{issuer_dn!ad}&lt;S&gt;{subject_dn!ad})
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose </para>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose </listitem>
db36dca3d45e6eefbb30042ee65876566f1a6014Sumit Bose </varlistentry>
    <varlistentry>
        <term>{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}</term>
        <listitem>
            <para>
                This template will add the full subject DN converted to a
                string according to RFC 4514. By default the RDNs are
                written in LDAP order (most specific RDN first); if X.500
                ordering (most specific RDN comes last) is wanted, an
                option with the '_x500' suffix should be used.
            </para>
            <para>
                The conversion options starting with 'ad_' will use the
                attribute names used by Active Directory (AD), e.g. 'S'
                instead of 'ST' for stateOrProvinceName.
            </para>
            <para>
                The conversion options starting with 'nss_' will use the
                attribute names used by NSS.
            </para>
            <para>
                The default conversion option is 'nss', i.e. attribute
                names according to NSS and LDAP/RFC 4514 ordering. 'nss'
                alone is equivalent to 'nss_ldap', and 'ad' alone is
                equivalent to 'ad_x500'.
            </para>
            <para>
                Example: (ipacertmapdata=X509:&lt;I&gt;{issuer_dn!nss_x500}&lt;S&gt;{subject_dn!nss_x500})
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{cert[!(bin|base64)]}</term>
        <listitem>
            <para>
                This template will add the whole DER encoded certificate
                as a string to the search filter. Depending on the
                conversion option the binary certificate is either
                converted to a sequence of escaped hex bytes, one '\xx'
                per byte as used for binary values in LDAP search
                filters, or to base64. The escaped hex sequence is the
                default and can e.g. be used with the LDAP attribute
                'userCertificate;binary'.
            </para>
            <para>
                Example: (userCertificate;binary={cert!bin})
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_principal[.short_name]}</term>
        <listitem>
            <para>
                This template will add the Kerberos principal which is
                taken either from the SAN used by pkinit or from the one
                used by AD. The 'short_name' component represents the
                first part of the principal before the '@' sign.
            </para>
            <para>
                Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_pkinit_principal[.short_name]}</term>
        <listitem>
            <para>
                This template will add the Kerberos principal which is
                given by the SAN used by pkinit (the id-pkinit-san
                otherName, OID 1.3.6.1.5.2.2). The 'short_name'
                component represents the first part of the principal
                before the '@' sign.
            </para>
            <para>
                Example: (|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_nt_principal[.short_name]}</term>
        <listitem>
            <para>
                This template will add the Kerberos principal which is
                given by the SAN used by AD (the User Principal Name
                otherName, OID 1.3.6.1.4.1.311.20.2.3). The 'short_name'
                component represents the first part of the principal
                before the '@' sign.
            </para>
            <para>
                Example: (|(userPrincipal={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_rfc822_name[.short_name]}</term>
        <listitem>
            <para>
                This template will add the string which is stored in the
                rfc822Name component of the SAN, typically an email
                address. The 'short_name' component represents the first
                part of the address before the '@' sign.
            </para>
            <para>
                Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_dns_name[.short_name]}</term>
        <listitem>
            <para>
                This template will add the string which is stored in the
                dNSName component of the SAN, typically a fully-qualified
                host name. The 'short_name' component represents the
                first part of the name before the first '.' sign.
            </para>
            <para>
                Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_uri}</term>
        <listitem>
            <para>
                This template will add the string which is stored in the
                uniformResourceIdentifier component of the SAN.
            </para>
            <para>
                Example: (uri={subject_uri})
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_ip_address}</term>
        <listitem>
            <para>
                This template will add the string which is stored in the
                iPAddress component of the SAN.
            </para>
            <para>
                Example: (ip={subject_ip_address})
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_x400_address}</term>
        <listitem>
            <para>
                This template will add the value which is stored in the
                x400Address component of the SAN as an escaped hex
                sequence.
            </para>
            <para>
                Example: (attr:binary={subject_x400_address})
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}</term>
        <listitem>
            <para>
                This template will add the DN string of the value which
                is stored in the directoryName component of the SAN. The
                same conversion options as for {subject_dn} select the
                attribute names and the RDN ordering; the default is
                'nss'.
            </para>
            <para>
                Example: (orig_dn={subject_directory_name})
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_ediparty_name}</term>
        <listitem>
            <para>
                This template will add the value which is stored in the
                ediPartyName component of the SAN as an escaped hex
                sequence.
            </para>
            <para>
                Example: (attr:binary={subject_ediparty_name})
            </para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>{subject_registered_id}</term>
        <listitem>
            <para>
                This template will add the OID which is stored in the
                registeredID component of the SAN as a dotted-decimal
                string.
            </para>
            <para>
                Example: (oid={subject_registered_id})
            </para>
        </listitem>
    </varlistentry>
</variablelist>
</para>
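<para>
    The following is an added example and not code from SSSD or from this
    manual page: a small Python expander for the templates listed above,
    written against the standard library only. It assumes the certificate
    has already been parsed into plain values (the SAMPLE dictionary holds
    constructed values, not a real certificate; helper names such as
    render_dn and expand are the example's own). It implements the DN
    conversion options (attribute-name dialect plus LDAP or X.500 RDN
    order), the '\xx' and base64 forms of {cert}, and the '.short_name'
    component, and it filter-escapes every certificate-derived string
    according to RFC 4515 before substituting it. That escaping step is
    the example's own design choice for splicing attacker-influenced SAN
    strings into a search filter; how SSSD itself handles such characters
    is not described on this page.
</para>

```python
# Added example, not SSSD code: a miniature expander for sss-certmap templates.
import base64
import re

# A conversion option picks the attribute-name dialect and the RDN order.
# 'ad' alone means ad_x500 and 'nss' alone means nss_ldap, as the terms say.
CONVERSIONS = {
    "ad": ("ad", "x500"), "ad_x500": ("ad", "x500"), "ad_ldap": ("ad", "ldap"),
    "nss": ("nss", "ldap"), "nss_ldap": ("nss", "ldap"), "nss_x500": ("nss", "x500"),
}
AD_ATTR_NAMES = {"ST": "S"}  # AD spells stateOrProvinceName as 'S'
DN_TEMPLATES = {"issuer_dn", "subject_dn", "subject_directory_name"}
SHORT_NAME_SEP = {  # where '.short_name' cuts the value
    "subject_principal": "@", "subject_pkinit_principal": "@",
    "subject_nt_principal": "@", "subject_rfc822_name": "@",
    "subject_dns_name": ".",
}
TEMPLATE = re.compile(
    r"\{(?P<name>[a-z0-9_]+)(?:\.(?P<comp>short_name))?(?:!(?P<conv>[a-z0-9_]+))?\}")


def escape_rfc4514(value):
    """Escape one attribute value for the RFC 4514 string form of a DN."""
    s = "".join("\\00" if c == "\x00" else ("\\" + c if c in '",+;<>\\' else c)
                for c in value)
    if s.endswith(" "):            # trailing space
        s = s[:-1] + "\\ "
    if s[:1] in (" ", "#"):        # leading space or '#'
        s = "\\" + s
    return s


def render_dn(rdns, conv="nss"):
    """rdns is the DN as (attribute, value) pairs in X.500 order, i.e. root
    first and most specific RDN last, which is the order inside the DER."""
    if conv not in CONVERSIONS:
        raise ValueError(f"unknown DN conversion option {conv!r}")
    names, order = CONVERSIONS[conv]
    parts = [f"{AD_ATTR_NAMES.get(a, a) if names == 'ad' else a}={escape_rfc4514(v)}"
             for a, v in rdns]
    if order == "ldap":            # RFC 4514 order: most specific RDN first
        parts.reverse()
    return ",".join(parts)


def render_cert(der, conv="bin"):
    """The whole DER certificate as an LDAP filter value."""
    if conv == "bin":              # one RFC 4515 '\xx' escape per byte
        return "".join(f"\\{b:02x}" for b in der)
    if conv == "base64":
        return base64.b64encode(der).decode("ascii")
    raise ValueError(f"unknown cert conversion option {conv!r}")


def escape_rfc4515(value):
    """Escape a certificate-derived string before splicing it into a filter, so
    '*', '(', ')' or '\\' inside a SAN cannot change the filter's structure."""
    return "".join(f"\\{b:02x}" if b in b"*()\\\x00" or b >= 0x80 else chr(b)
                   for b in value.encode("utf-8"))


def expand(rule, fields):
    """Expand every {template} in a mapping rule from the parsed certificate fields."""
    def substitute(m):
        name, comp, conv = m.group("name", "comp", "conv")
        if name not in fields:
            raise KeyError(f"certificate provides no value for {{{name}}}")
        value = fields[name]
        if name == "cert":
            return render_cert(value, conv or "bin")   # already filter-safe
        if name in DN_TEMPLATES:
            value = render_dn(value, conv or "nss")
        elif conv is not None:
            raise ValueError(f"{{{name}}} takes no conversion option")
        if comp == "short_name":
            if name not in SHORT_NAME_SEP:
                raise ValueError(f"{{{name}}} has no short_name component")
            value = value.split(SHORT_NAME_SEP[name], 1)[0]
        return escape_rfc4515(value)
    return TEMPLATE.sub(substitute, rule)


# Constructed sample values, not taken from a real certificate.
SAMPLE = {
    "issuer_dn": [("C", "US"), ("O", "Example Corp"), ("CN", "Example CA")],
    "subject_dn": [("C", "US"), ("ST", "Texas"), ("O", "Example Corp"), ("CN", "alice")],
    "subject_principal": "alice@EXAMPLE.COM",
    "subject_rfc822_name": "al*ice@example.com",   # deliberately holds a filter metacharacter
    "subject_dns_name": "alice-laptop.example.com",
    "cert": bytes.fromhex("3003020101"),           # 5-byte DER stub, not a certificate
}

if __name__ == "__main__":
    for rule in (
        "(ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad})",
        "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})",
        "(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))",
        "(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))",
        "(userCertificate;binary={cert!bin})",
    ):
        print(rule, "->", expand(rule, SAMPLE))
```

<para>
    Running the file expands the page's own example rules against the
    constructed values, which makes the difference between '!ad' (AD
    names, X.500 order) and the default 'nss' (NSS names, LDAP order)
    visible, and shows the two escaping layers: a comma inside an RDN
    value becomes '\,' in the RFC 4514 string and that backslash then
    becomes '\5c' in the filter. Note that a mapping rule only decides
    which LDAP object a certificate resolves to; deciding which
    certificates (for instance, from which issuer) may be mapped at all
    is the job of the matching rule, so a mapping rule keyed on a SAN
    value such as {subject_rfc822_name} should be paired with a matching
    rule that restricts the issuer.
</para>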
</refsect2>
<refsect2 id='domains'>
    <title>DOMAIN LIST</title>
    <para>
        If the domain list is not empty, users mapped to a given certificate
        are searched not only in the local domain but in the listed domains
        as well, as long as those domains are known to SSSD. Domains not
        known to SSSD are ignored.
    </para>
</refsect2>
</refsect1>
</refentry>
</reference>