Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual page 619


Chapter 16, Publishing: Mappers

The Certificate Manager can use some or all of these components (CN, OU, O, L, ST, and C) to build a DN for searching the directory. When creating a mapper rule, you can specify the components the server should use to build a DN (that is, components to match attributes in the directory). You do this by configuring the dnComps parameter; for details, see Table 16-10 on page 620.

For example, assume you entered components CN, E, OU, O, and C as values for the dnComps parameter. For locating Jane Doe's entry in the directory, the Certificate Manager constructs the following DN by reading the DN attribute values from the certificate, and uses the DN as the base for searching the directory:

CN=Jane Doe, OU=Sales, O=Example Corporation, C=US

Note the following:

• A subject name does not need to have all of the components that you specify for the dnComps parameter. The server ignores any components that are not part of the subject name (such as L, ST, and E in this example).

• Unspecified components are not used to build the DN. In the example, if you did not include the OU component, the server would use this DN as the base for searching the directory:

CN=Jane Doe, O=Example Corporation, C=US

In general, for the dnComps parameter, you should enter those DN components that the Certificate Manager can use to form the LDAP DN exactly. In certain situations, however, the subject name in a certificate may match more than one entry in the directory. Then, the Certificate Manager might not get a single, distinct matching entry from the DN. For example, the subject name

CN=Jane Doe, OU=Sales, O=Example Corporation, C=US

might match two users with the name Jane Doe in the directory. If that occurred, the Certificate Manager would need additional criteria to determine which entry corresponds to the subject of the certificate.

To specify the components the Certificate Manager must use to distinguish between different entries in the directory, use the filterComps parameter; for details, see Table 16-10 on page 620. For example, if you entered CN, OU, O, and C as values for the dnComps parameter, enter L for the filterComps parameter only if the L attribute can be used to distinguish between entries with identical CN, OU, O, and C values.

Consider another example that shows how two directory entries with similar DNs can be differentiated by the value of the UID attribute. Assume that the two Jane Doe entries are distinguished by the value of the UID attribute: One entry's UID value is janedoe1 and the other entry's UID value is janedoe2. Because the UID attribute corresponds to the UID component in a DN, you can set up the subject names of certificates to include the UID component.
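The mapping described above can be traced with a short sketch. This is an added example, not Certificate System code and not taken from the manual; the function names are hypothetical. It assumes that the base DN keeps the subject name's component order, that filterComps values become an AND of equality terms in the LDAP search filter, and that subject names contain no escaped commas.

```python
# Added illustration; not Certificate System source code. All names are hypothetical.

def parse_subject(subject):
    """Split a subject name into ordered (TYPE, value) pairs.
    Assumes simple RDNs with no escaped commas (true for the constructed inputs)."""
    pairs = []
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a certificate-supplied value
    cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def map_subject(subject, dn_comps, filter_comps=()):
    """Return (base_dn, search_filter) for one certificate subject name."""
    pairs = parse_subject(subject)
    dn_set = {c.upper() for c in dn_comps}
    filter_set = {c.upper() for c in filter_comps}
    # Components listed in dnComps but absent from the subject are skipped;
    # components present in the subject but not listed are left out.
    base_dn = ", ".join(f"{a}={v}" for a, v in pairs if a in dn_set)
    terms = [f"({a}={escape_filter_value(v)})" for a, v in pairs if a in filter_set]
    if not terms:
        search_filter = None          # nothing to distinguish entries with
    elif len(terms) == 1:
        search_filter = terms[0]
    else:
        search_filter = "(&" + "".join(terms) + ")"
    return base_dn, search_filter

# Constructed sample subject names based on the Jane Doe example.
SUBJECT = "CN=Jane Doe, OU=Sales, O=Example Corporation, C=US"
SUBJECT_UID = "UID=janedoe1, " + SUBJECT

if __name__ == "__main__":
    print(map_subject(SUBJECT, ["CN", "E", "OU", "O", "C"]))
    print(map_subject(SUBJECT, ["CN", "O", "C"]))
    print(map_subject(SUBJECT_UID, ["CN", "OU", "O", "C"], ["UID"]))
```

Because subject values originate in certificate requests, the sketch escapes them before placing them in a filter; a value containing `*` or parentheses would otherwise widen or reshape the directory search.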
