Rules - Red Hat CERTIFICATE SYSTEM 7.1 - ADMINISTRATOR Administrator's Manual


Rules

Rules determine exactly what gets published where. Rules work independently, not in tandem. A certificate or CRL that is being published is matched against every rule, and every rule it matches is activated. In this way, the same certificate can be published to a file, to an Online Certificate Status Manager, and to an LDAP directory by matching a file-based rule, an OCSP rule, and a directory-based rule.

You can set up rules for each object type (CA certificate, CRL, user certificate, and cross-pair certificate), or you can divide the rules further so that you have different rules for different kinds of certificates or different kinds of CRLs.

A rule first determines whether the object meets the rule, and then where it is to be published. Whether the object meets the rule is determined by matching the type and predicate set up in the rule against the object itself. Where matching objects are published is determined by the Publisher and Mapper associated with the rule.

Note: A Registration Manager can only publish certificates. It cannot publish CRLs.

Table 16-10 LdapDNCompsMap Configuration Parameters (Continued)

Parameter: filterComps

Description: Specifies components the Certificate Manager should use to filter entries from the search result. The server uses the filterComps values to form an LDAP search filter for the subtree. The server constructs the filter by gathering values for these attributes from the certificate subject name; it uses the filter to search for and match entries in the LDAP directory.

If the server finds one or more entries in the LDAP directory that match the information gathered from the certificate, the search is successful and the server optionally performs a verification. For example, if filterComps is set to use the email and user ID attributes (filterComps=e, uid), the server searches the directory for an entry whose values for email and user ID match the information gathered from the certificate.

Permissible values: Valid directory attributes (in the certificate DN) separated by commas. The attribute names for the filters must be the attribute names used in the certificate, not the ones used in the LDAP directory. For example, most certificates have an E attribute for the user's email address; LDAP calls that attribute mail.
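
The following Python example is added here and is not from the Red Hat manual or the Certificate System code. It shows one way a search filter can be formed from filterComps=e, uid and a certificate subject name, translating certificate attribute names to LDAP names and escaping values per RFC 4515 so that subject contents cannot change the filter's structure. Assumptions: the name mapping other than E to mail, the error handling for missing components, the simplified DN parsing, and all sample subject names.

```python
import re

# Certificate DN attribute -> LDAP attribute. Only E -> mail is from the page;
# the other entries are assumed for illustration.
CERT_TO_LDAP = {"e": "mail", "uid": "uid", "cn": "cn"}

# Constructed sample subject names (not from the manual). The second one has
# a UID value containing LDAP filter metacharacters.
SUBJECT = "E=jdoe@example.com, UID=jdoe, CN=John Doe, O=Example Corp"
ODD_SUBJECT = "UID=*)(objectClass=*, E=x@example.com"

def parse_subject(dn):
    """Split a subject DN into (attr, value) pairs. Simplified: handles
    backslash-escaped characters, not hex escapes or multi-valued RDNs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

def escape_filter_value(value):
    """RFC 4515 escaping: backslash, *, (, ) and NUL become hex pairs."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(subject_dn, filter_comps):
    """Form an LDAP search filter from the subject values named in filterComps."""
    subject = parse_subject(subject_dn)
    clauses = []
    for comp in (c.strip().lower() for c in filter_comps.split(",")):
        if comp not in CERT_TO_LDAP:
            raise ValueError("no LDAP mapping for certificate attribute %r" % comp)
        values = [v for a, v in subject if a == comp]
        if not values:  # assumed behaviour: refuse rather than build a wider filter
            raise ValueError("subject DN has no %r component" % comp)
        clauses += ["(%s=%s)" % (CERT_TO_LDAP[comp], escape_filter_value(v)) for v in values]
    return clauses[0] if len(clauses) == 1 else "(&%s)" % "".join(clauses)

if __name__ == "__main__":
    print(build_filter(SUBJECT, "e, uid"))
    print(build_filter(ODD_SUBJECT, "uid"))
```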
Chapter 16, Publishing
