The certificate map mode is used to specify whether to map X.509 certificates into an LDAP directory by EXACT_DN or CERTIFICATE_FILTER in the Liberty profile.
The EXACT_DN means that the Distinguished Name (DN) in the certificate must exactly match the user entry in the LDAP server, including case and spaces. To use the specified certificate filter for the mapping, you can use the CERTIFICATE_FILTER.
LDAP attribute=${Client certificate attribute}
.An example of a simple certificate filter is: uid=${SubjectCN}.
<ldapRegistry id="LDAP" realm="SampleLdapIDSRealm"
host="myldap.ibm.com" port="389" ignoreCase="true"
baseDN="o=ibm,c=us"
certificateMapMode="CERTIFICATE_FILTER"
certificateFilter="uid=${SubjectCN}"
userFilter="(&(uid=%v)(objectclass=ePerson))"
groupFilter="(&(cn=%v)(|(objectclass=groupOfNames)
(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs)))"
userIdMap="*:uid"
groupIdMap="*:cn"
groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember;
groupOfNames:member;groupOfUniqueNames:uniqueMember"
ldapType="IBM Tivoli Directory Server" searchTimeout="8m" />