CLIENT-AUTH x509 attribute mapping to user name

[Michael Dockery]

Can anyone tell me what class/method i would need to override
 to make a client x509 cert subject/dn attribute
  to a valid tomcat username (in memory realm or otherwise)

I assume the authenticator method 
 or perhaps the login method...