I am using 3.7.3 with r12.52
(my Policy Server is Solaris, so the Linux logic applies...)
It appears that there is another issue happening that is throwing me off.
The Policy Server is disregarding the search base configured in the UserDirectory and instead using the IssuerDN as the search base. Is there any way to change this behavior?
Example:
The UserDirectory has "ou=department,o=company,c=us" configured as the search base.
My Certificate is issued from: ou=ca1,ou=certificate authorities, ou=department,o=company,c=us
The user information I need to map this certificate to is stored in: "ou=people,ou=department,o=company,c=us"
The LDAP Server logs indicate that SiteMinder is using IssuerDN as the base for the LDAP search.
[17/May/2016:13:42:37 -0400] - SERVER_OP - INFO - conn=19722500 op=4 SEARCH base="ou=ca1,ou=certification authorities,ou=department,o=company,c=us" scope=2 filter="(&(|(objectclass=organizationalPerson)(objectclass=inetOrgPerson)(objectclass=organization)(objectclass=organizationalUnit)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(serialnumber=403043))" attrs="objectclass " s_msgid=14 s_conn=tedsdsm2 (write):579378
In the above example, I created a Custom Certificate Mapping Expression to pull the SerialNumber attribute out (part of the SubjectDN, not the cert serialnumber) and map that to an LDAP attribute that is also named serialnumber using {DN.SerialNumber}.
My subject DN syntax is "cn=First M. Last + SerialNumber=123456,ou=people,ou=department,o=company,c=us"
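Added example, not part of the original post and not SiteMinder code: a small Python script that parses the Subject DN above (including the "+" multi-valued RDN), pulls SerialNumber out of it the way a {DN.SerialNumber} expression is meant to, escapes that value into an LDAP filter, and runs the search over a constructed in-memory directory twice, once under the configured search base and once with the IssuerDN as base, so the effect visible in the LDAP log can be reproduced offline. The directory entries, the function names and the equality-filter shape are assumptions made for the example.

```python
"""Added example (not from the original post or from SiteMinder): parse a
Subject DN with a multi-valued RDN, extract one attribute as {DN.SerialNumber}
would, and compare an LDAP subtree search under the configured search base
with the same search under the IssuerDN."""
from typing import Dict, List, Optional, Tuple

RDN = List[Tuple[str, str]]  # one RDN = one or more (attribute, value) pairs


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string DN into RDNs (',') and each RDN into '+'-joined
    attribute/value pairs. Backslash escapes are honoured, so an escaped ','
    or '+' inside a value does not split the DN. Unescaped whitespace around
    separators is dropped (escaped leading/trailing spaces are not preserved)."""
    rdns: List[RDN] = []
    current: RDN = []
    buf: List[str] = []
    attr: Optional[str] = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = "".join(buf).strip(), []
        elif ch in ",+":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            current.append((attr, "".join(buf).strip()))
            buf, attr = [], None
            if ch == ",":
                rdns.append(current)
                current = []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"trailing RDN without '=' in {dn!r}")
    current.append((attr, "".join(buf).strip()))
    rdns.append(current)
    return rdns


def dn_attribute(dn: str, attr: str) -> Optional[str]:
    """First value of `attr` (case-insensitive) anywhere in the DN, i.e. what a
    {DN.SerialNumber}-style expression should yield."""
    for rdn in parse_dn(dn):
        for a, v in rdn:
            if a.lower() == attr.lower():
                return v
    return None


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN-derived value cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def normalize_dn(dn: str) -> List[Tuple[str, ...]]:
    """Canonical form for DN comparison: lower-cased types and values, pairs of
    a multi-valued RDN sorted so 'a=1+b=2' equals 'b=2+a=1'."""
    return [tuple(sorted(f"{a.lower()}={v.lower()}" for a, v in rdn)) for rdn in parse_dn(dn)]


def dn_is_under(entry_dn: str, base_dn: str) -> bool:
    """True when base_dn is the entry itself or one of its ancestors."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


# Constructed directory (DN -> attributes); stands in for the LDAP server.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=First M. Last,ou=people,ou=department,o=company,c=us": {"serialnumber": "123456"},
    "cn=Other Person,ou=people,ou=department,o=company,c=us": {"serialnumber": "654321"},
    "cn=ca1,ou=ca1,ou=certification authorities,ou=department,o=company,c=us": {},
}


def subtree_search(base_dn: str, attr: str, value: str) -> List[str]:
    """scope=2 equality search over the constructed directory."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn_is_under(dn, base_dn) and attrs.get(attr.lower()) == value]


def map_certificate(subject_dn: str, base_dn: str,
                    dn_attr: str = "SerialNumber", ldap_attr: str = "serialnumber") -> dict:
    """Emulate the mapping: extract the Subject DN attribute, build an escaped
    filter and search under base_dn; returns base, filter and matching DNs."""
    value = dn_attribute(subject_dn, dn_attr)
    if value is None:
        raise ValueError(f"{dn_attr} not present in subject DN")
    filt = f"({ldap_attr}={escape_filter_value(value)})"
    return {"base": base_dn, "filter": filt, "matches": subtree_search(base_dn, ldap_attr, value)}


if __name__ == "__main__":
    subject = "cn=First M. Last + SerialNumber=123456,ou=people,ou=department,o=company,c=us"
    issuer = "ou=ca1,ou=certification authorities,ou=department,o=company,c=us"
    for base in ("ou=department,o=company,c=us", issuer):
        print(map_certificate(subject, base))
```

Running it prints one match for the configured search base and none when the IssuerDN is used as base, because the user entries live under ou=people, which is a sibling of the CA subtree rather than a descendant of it. The value pulled from the DN is escaped before it is placed in the filter; a mapping that concatenates the raw DN attribute into the filter would let a certificate subject containing "*", "(" or ")" alter the query.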