Is there support in certmap.conf for using DNs with dc= attributes?
Hi Folks-
The Question:
Is there any support in certmap.conf (or the like) for dealing with suffixes that use the "dc=example,dc=com" format (in either 5.2 or 6.0)?
The Details/Background:
Like many places, our suffixes are named ending with "dc" attributes (e.g. dc=example,dc=com). I've been setting up SSL Client Certificate based authentication. It's working via the CmapLdapAttr with a custom attribute/class added to the schema (I haven't finished with VerifyCert yet).
The docs say that DNComps and FilterComps support the following RDN keywords: cn, ou, o, c, l, st, e, and mail. Notably missing from both is "dc". This seems to leave no valid value for DNComps (forcing all the searches to be across ALL suffixes including cn=config and co). With those global searches, FilterComps also seems to be fairly limited (especially if uid is not part of the Certificate's Subject DN, which it arguably shouldn't be in many situations).
It seems all I'm left with is CmapLdapAttr (after creating the custom attribute & class) with every search across all suffixes. I don't think I can (or should) place indexes in the stuff in dse.ldif; hopefully they won't stop the other suffixes from being searched using their indexes, and these should be small enough (and hopefully in memory) that they don't make a real difference.
Thanks,
-Scott-

