LDAP mapper AD altSecurityIdentities support.#85
Open
guitarmanusa wants to merge 2 commits into OpenSC:master from
Conversation
added 2 commits
December 10, 2025 16:17
Adds a new mapping mode to the LDAP mapper to support Microsoft Active Directory's `altSecurityIdentities` attribute. This mode is enabled by setting the `use_alt_security_identities` option to `true` in the `ldap_mapper` configuration block. When enabled, the mapper will:

1. Extract the Issuer DN and Serial Number from the certificate.
2. Format them into the AD-specific string: `X509:<I>IssuerDN<SR>SerialNumber`
3. Use this string to find a matching user entry by searching the configured `attribute` (which should be set to `altSecurityIdentities`).

This allows for certificate-based authentication in a typical AD environment where `userCertificate` binary comparison is not used.
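The three steps above, worked through end to end as an added example (not code from this PR or from the pam_pkcs11 C sources): it builds the `X509:<I>…<SR>…` value from a parsed X.509 certificate and wraps it in the LDAP equality filter the mapper would send. Two AD conventions matter when producing the string and are easy to get wrong: the `<I>` issuer is written with its RDNs in DER order, root first (`DC=com,DC=contoso,CN=CONTOSO-DC-CA`), which is the opposite of the RFC 2253 order most libraries print, and the `<SR>` serial is the certificate's serial number with its bytes reversed (certificate serial `2B0000000011AC0000000012` is stored as `1200000000AC11000000002B`, the example from Microsoft's documentation). The filter value is escaped per RFC 4515 so a CA name containing parentheses or asterisks cannot change the filter's structure. Written in Go against the standard library; the function names are my own, and the self-signed certificate is generated at run time purely as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Short names for attribute types that typically appear in an AD CA's issuer DN.
var rdnShortNames = map[string]string{
	"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
	"2.5.4.10": "O", "2.5.4.11": "OU", "0.9.2342.19200300.100.1.25": "DC",
}

// issuerADOrder renders the issuer DN for the <I> field: RDNs in DER SEQUENCE order
// (root first, e.g. DC=com,DC=contoso,CN=CA). pkix.Name.String() would produce the
// RFC 2253 reversed order, so the raw DER is decoded instead. Multi-valued RDNs and
// values needing RFC 4514 escaping are not handled; verify unusual CA names against
// the value Windows displays.
func issuerADOrder(rawIssuer []byte) (string, error) {
	var seq pkix.RDNSequence
	if _, err := asn1.Unmarshal(rawIssuer, &seq); err != nil {
		return "", err
	}
	var parts []string
	for _, rdn := range seq {
		for _, atv := range rdn {
			name, ok := rdnShortNames[atv.Type.String()]
			if !ok {
				name = atv.Type.String()
			}
			val, ok := atv.Value.(string)
			if !ok {
				return "", fmt.Errorf("non-string value for %s", name)
			}
			parts = append(parts, name+"="+val)
		}
	}
	return strings.Join(parts, ","), nil
}

// serialADOrder renders the <SR> field: AD stores the serial's bytes reversed, so
// certificate serial 2B0000000011AC0000000012 becomes 1200000000AC11000000002B.
func serialADOrder(serial *big.Int) string {
	b := serial.Bytes() // big-endian, as printed in the certificate
	rev := make([]byte, len(b))
	for i, c := range b {
		rev[len(b)-1-i] = c
	}
	return strings.ToUpper(hex.EncodeToString(rev))
}

// altSecurityIdentity builds the X509:<I>issuer<SR>serial value for one certificate.
func altSecurityIdentity(cert *x509.Certificate) (string, error) {
	issuer, err := issuerADOrder(cert.RawIssuer)
	if err != nil {
		return "", err
	}
	return "X509:<I>" + issuer + "<SR>" + serialADOrder(cert.SerialNumber), nil
}

// escapeFilterValue applies RFC 4515 escaping so that characters in the issuer name
// (a CA called "Foo (Test) CA", for instance) cannot alter the filter's structure.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// searchFilter is the equality filter the mapper would send for the configured attribute.
func searchFilter(attribute, value string) string {
	return "(" + attribute + "=" + escapeFilterValue(value) + ")"
}

// newTestCert creates a throwaway self-signed CA (constructed test data, not a real CA)
// whose issuer and serial mirror the example in Microsoft's altSecurityIdentities docs.
func newTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	dc := asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
	cn := asn1.ObjectIdentifier{2, 5, 4, 3}
	serial, _ := new(big.Int).SetString("2B0000000011AC0000000012", 16)
	tmpl := x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: dc, Value: "com"}, {Type: dc, Value: "contoso"}, {Type: cn, Value: "CONTOSO-DC-CA"},
		}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert()
	if err != nil {
		panic(err)
	}
	v, err := altSecurityIdentity(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println(v)
	fmt.Println(searchFilter("altSecurityIdentities", v))
}
```

Running it prints `X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B` followed by the `(altSecurityIdentities=…)` filter. When comparing against a real directory, take the value that Windows already shows on the user object as the reference: if the mapper's string differs only in RDN order or serial byte order, one of the two conventions above is the cause.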
…nstructs a filter using AD-styled altSecurityIdentities="X509<I>IssuerDN<SR>Serial" to enable ldap_mapper to correctly match a validated certificate to an AD user entry. AD does not store the certificate in binary, making this query necessary in Windows-first environments.
In large, Windows-first organizations, Active Directory does not store the full binary certificate. Rather, it stores the Issuer DN and certificate serial number in the attribute altSecurityIdentities. This feature allows large organizations to use the LDAP mapper to map the certificate serial number and issuer to the pre-existing AD user attributes without having to create massive map files or make any other additional changes.