This example presents a typical use case for user mapping: matching a certificate and a user. Selectors are usually used for this purpose, but if you have a database that contains information about users and certificates, you can use an external application defined in the mapper element to query the database. Based on the query result, users can be allowed or denied access to the server.

In this example the user is allowed to log in only if the regular expression provided in the certificate element matches, that is, if the CN in the certificate's subject name consists of three words separated by periods (.) and a set of digits at the end (for example "Smith.John.James.1234").

<authentication-methods login-grace-time="600">
  <authentication action="allow">
    <auth-publickey />
    <authentication name="authentication3" action="allow">
      <selector>
        <certificate field="subject-name"
                     regexp="C=FI, O=SSH, CN=\w+\.\w+\.\w+?\.?\w+?\.\d+" />
      </selector>
      <mapper command="/path/to/python /path/to/script1.py"/>
    </authentication>
  </authentication>
</authentication-methods>
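
The following is an added example, not the product's script1.py: a sketch of the allow/deny decision such a mapper script could make, with the selector pattern written in Python regex syntax and checked against a constructed SQLite table. The table layout, the function names and the whole-string match are assumptions; how the script receives the user data from the server and reports its result is defined by the server's mapper interface and is not shown.

```python
import re
import sqlite3

# Selector pattern from the configuration, in Python regex syntax.
# Assumption: the pattern must match the whole subject name.
SUBJECT_RE = re.compile(r"C=FI, O=SSH, CN=(\w+\.\w+\.\w+?\.?\w+?\.\d+)")


def build_sample_db():
    """Constructed in-memory table mapping certificate CNs to accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cert_users ("
        "cn TEXT PRIMARY KEY, username TEXT NOT NULL, enabled INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO cert_users VALUES (?, ?, ?)",
        [
            ("Smith.John.James.1234", "jsmith", 1),
            ("Doe.Jane.Ann.5678", "jdoe", 0),  # known certificate, disabled account
        ],
    )
    return db


def decide(db, subject_name, requested_user):
    """Allow only if the subject passes the pattern and the database maps
    its CN to the requested account and that account is enabled."""
    match = SUBJECT_RE.fullmatch(subject_name)
    if match is None:
        return False  # fail closed on anything the selector would not accept
    # Parameterized query: the CN is never concatenated into the SQL text.
    row = db.execute(
        "SELECT username, enabled FROM cert_users WHERE cn = ?",
        (match.group(1),),
    ).fetchone()
    if row is None:
        return False  # well-formed CN, but not a certificate we know
    username, enabled = row
    return bool(enabled) and username == requested_user


if __name__ == "__main__":
    db = build_sample_db()
    for subject, user in [
        ("C=FI, O=SSH, CN=Smith.John.James.1234", "jsmith"),
        ("C=FI, O=SSH, CN=Smith.John.James.1234", "root"),
        ("C=FI, O=SSH, CN=Smith.John.1234", "jsmith"),
    ]:
        print(subject, user, "allow" if decide(db, subject, user) else "deny")
```

The database check is what ties a certificate to one specific account; the regular expression alone only constrains the shape of the CN.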