Client Certificates with TLS

I’ve been looking into setting up OpenSearch to use client X509 certificates for authentication with authorization being mapped from LDAP.

Upon configuring OpenSearch as described, I came across an issue with mapping X509 common names to LDAP. The problem is that the common name on an X509 certificate is a fully qualified domain name, whereas in LDAP the fully qualified domain name is represented hierarchically.

For example, the X509 subject would be CN=FQDN.TLD, whereas in LDAP the DN would be CN=FQDN, DC=TLD

In OpenSearch this becomes problematic because it looks for users with a filter such as (cn=FQDN.TLD) where FQDN.TLD is the X509 CN.

Is there any way for OpenSearch to be configured to convert an X509 formatted CN into an LDAP formatted DN for search purposes? Similarly, an option to search LDAP only using the lowest level of the X509 CN would also work for this purpose? If these options aren’t currently present, is this something that would be considered in the future?


What is your LDAP solution?

I’m using 389-DS, although I think the same would apply with any other LDAP system unless they provide the ability to search using TLS style subjects.