  1. OpenDJ
  2. OPENDJ-962

Subject Attr To User Attr Cert Mapper has wrong default configuration



    • Bug
    • Status: Done
    • Minor
    • Resolution: Fixed
    • 2.6.0
    • 2.6.0
    • None


      The Subject Attribute To User Attribute Certificate Mapper is configured with the following default mappings:

      • cn:cn
      • e:mail

      I wasn't able to successfully map a certificate with the e:mail mapping and I doubt that it works because there is no attribute type e defined in the server's schema.

      This being said, I think that e refers to the emailAddress AttributeType from the PKCS#9 schema (IIRC it is displayed as E in many applications on Windows environments).

      There are 3 possible ways to fix this issue:

      1. remove e:mail from the default mappings (as it is more common to use the SubjectAltName for mail addresses)
      2. include the PKCS#9 emailAddress attribute type in the server's default schema and correct the default configuration for the certificate mapper (emailAddress:mail). I prefer this solution.
      3. it is no issue because I missed something

      Solutions 1 and 2 also require an update to the documentation to reflect the changes.

      Additionally, it would make sense that the isConfigurationAcceptable method also checks if certAttrName is valid (a valid OID or an attribute type which is defined in the server's schema). At the moment, only the validity of the userAttrName is being checked.





              matthew Matthew Swift
              manuelgaupp manuelgaupp
              Matthew Swift Matthew Swift
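
The check proposed in the report's last paragraph, as an added example (not OpenDJ code and not the fix that was applied): each mapping is split into certAttrName and userAttrName, and the certificate side must be either a numeric OID or an attribute type known to the schema. The class, method names and the small schema set are hypothetical stand-ins for the server's real schema lookup.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: standalone sketch, all names are hypothetical (not the OpenDJ API).
public class SubjectAttrMappingCheck {
    // Numeric OID form, e.g. 1.2.840.113549.1.9.1 (PKCS#9 emailAddress).
    private static final Pattern NUMERIC_OID =
        Pattern.compile("(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))+");

    // Constructed stand-in for the attribute type names defined in the server schema.
    private static final Set<String> SCHEMA = Set.of("cn", "sn", "uid", "mail");

    static boolean inSchema(String name) {
        return SCHEMA.contains(name.toLowerCase(Locale.ROOT));
    }

    // certAttrName is acceptable if it is a numeric OID or a schema attribute type.
    static boolean validCertAttr(String name) {
        return NUMERIC_OID.matcher(name).matches() || inSchema(name);
    }

    /** Returns one reason per rejected mapping; an empty list means acceptable. */
    static List<String> unacceptableReasons(Collection<String> mappings) {
        List<String> reasons = new ArrayList<>();
        for (String mapping : mappings) {
            int colon = mapping.indexOf(':');
            if (colon <= 0 || colon == mapping.length() - 1) {
                reasons.add("malformed mapping '" + mapping + "'");
                continue;
            }
            String certAttr = mapping.substring(0, colon).trim();
            String userAttr = mapping.substring(colon + 1).trim();
            if (!validCertAttr(certAttr)) {
                reasons.add("unknown certificate attribute '" + certAttr + "' in '" + mapping + "'");
            }
            if (!inSchema(userAttr)) {
                reasons.add("unknown user attribute '" + userAttr + "' in '" + mapping + "'");
            }
        }
        return reasons;
    }

    public static void main(String[] args) {
        // The default mappings from the report: e:mail is rejected on the certificate side.
        System.out.println(unacceptableReasons(List.of("cn:cn", "e:mail")));
        // The same mapping written with the emailAddress OID passes.
        System.out.println(unacceptableReasons(List.of("cn:cn", "1.2.840.113549.1.9.1:mail")));
    }
}
```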