Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual page 511

• End-entity entries in the directory for publishing end-entity certificates.
The mapper takes DN components to build the search DN. The mapper also takes an optional root
search DN. The server uses the DN components to form an LDAP entry to begin a subtree search
and the filter components to form a search filter for the subtree. If none of the DN components are
configured, the server uses the base DN for the subtree. If the base DN is null and none of the DN
components match, an error is returned. If none of the DN components and filter components match,
an error is returned. If the filter components are null, a base search is performed.
Both the DNComps and filterComps parameters accept valid DN components or attributes
separated by commas. The parameters do not accept multiple entries of an attribute; for example,
filterComps can be set to cn,ou but not to cn,ou2,ou1. To create a filter with multiple instances
of the same attribute, such as if directory entries contain multiple ou s, modify the source code for the
LdapDNCompsMap module.
The following components are commonly used in DNs:
• uid represents the user ID of a user in the directory.
• cn represents the common name of a user in the directory.
• ou represents an organizational unit in the directory.
• o represents an organization in the directory.
• l represents a locality (city).
• st represents a state.
• c represents a country.
For example, the following DN represents the user named Jane Doe who works for the Sales
department at Example Corporation, which is located in Mountain View, California, United States:
cn=Jane Doe, ou=Sales, o=Example Corporation, l=Mountain View, st=California, c=US
The Certificate Manager can use some or all of these components (cn, ou, o, l, st, and c) to build
a DN for searching the directory. When creating a mapper rule, these components can be specified
for the server to use to build a DN; that is, components to match attributes in the directory. This is set
through the dnComps parameter.
For example, the components cn, ou, o, and c are set as values for the dnComps parameter. To
locate Jane Doe's entry in the directory, the Certificate Manager constructs the following DN by
reading the DN attribute values from the certificate, and uses the DN as the base for searching the
directory:
cn=Jane Doe, ou=Sales, o=Example Corporation, c=US
• A subject name does not need to have all of the components specified in the dnComps parameter.
The server ignores any components that are not part of the subject name, such as l and st in this
example.
• Unspecified components are not used to build the DN. In the example, if the ou component is not
included, the server uses this DN as the base for searching the directory:
LdapDNCompsMap
489