I am implementing PKI authentication for my application, and everything I’ve read online says that you extract the CN attribute from the certificate subject and use the CN to look up the user in the LDAP server, for example.
However, when I browse my company’s LDAP directory, every user’s CN attribute is just first and last name. This does not uniquely identify a user across an Organizational Unit or the company. Does this mean that the CN is not set up correctly here? Examples of CN values I’ve seen online are usually a concatenation of first, last names and email address. Is this usual format the CN attribute takes on?
The subject of a certificate is an X.500 Distinguished Name (DN) as per RFC 5280 (see section 4.1.2.6 on https://www.rfc-editor.org/rfc/rfc5280#page-23). Yes, the DN must be unique for each subject. Instead of a first name/last name concatenation, you could pick something unique like an E-mail address, employee ID or user account.
Also note that the DN may have multiple elements rather than a single CN (Common Name) entry but I think that’s beyond the scope of the question.