Netscape Enterprise Server 6.0 Administrator's Manual, page 126

Setting Client Security Requirements
certmap default default
default:DNComps
default:FilterComps e, uid
certmap usps ou=United States Postal Service, o=usps, c=US
usps:DNComps ou,o,c
usps:FilterComps e
usps:verifycert on
When the server gets a certificate from anyone other than the US Postal Service, it
uses the default mapping, which starts at the top of the LDAP tree and searches for
an entry matching the client's email and userid. If the certificate is from the US
Postal Service, the server starts its search at the LDAP branch containing the
organizational unit and searches for matching email addresses. Also note that if the
certificate is from the USPS, the server verifies the certificate; other certificates are
not verified.
CAUTION
The issuer DN (that is, the CA's information) in the certificate must
be identical to the issuer DN listed in the first line of the mapping. In
the previous example, a certificate from an issuer DN that is
o=United States Postal Service,c=US
won't match because there isn't a space between the o and the c attributes.

Example #3
The following example uses the CmapLdapAttr property to search the LDAP
database for an attribute called certSubjectDN whose value exactly matches the
entire subject DN taken from the client certificate.
certmap example ou=Example Corporation, o=example, c=US
example:CmapLdapAttr certSubjectDN
example:DNComps o, c
example:FilterComps mail, uid
example:verifycert on
If the client certificate subject is:
uid=Walt Whitman, o=Example Corporation, c=US
the server first searches for entries that contain the following information:
certSubjectDN=uid=Walt Whitman, o=Example Corporation, c=US

Netscape Enterprise Server Administrator's Guide • November 2001
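The lookup rules from the examples above, modelled in Python as an added example that is not part of the Netscape manual or the server's own code: it selects a mapping by exact issuer DN (the behaviour the CAUTION describes), then derives the LDAP search base from DNComps, the filter from FilterComps, and the CmapLdapAttr query that is tried first. The function names and the `first_try` key are hypothetical, attribute names are used literally, and the filter-value escaping is hardening added here rather than behaviour the page documents.

```python
# Added illustration (not Netscape code): a simplified model of the certmap.conf
# lookup rules on this page. Function names and the sample subjects are assumptions.
CERTMAP = """\
certmap default default
default:DNComps
default:FilterComps e, uid
certmap usps ou=United States Postal Service, o=usps, c=US
usps:DNComps ou,o,c
usps:FilterComps e
usps:verifycert on
certmap example ou=Example Corporation, o=example, c=US
example:CmapLdapAttr certSubjectDN
example:DNComps o, c
example:FilterComps mail, uid
example:verifycert on
"""

def parse_certmap(text):
    """Return {mapping name: {"issuer": issuer DN, property: value, ...}}."""
    maps = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            maps[name] = {"issuer": issuer}
        else:
            key, _, value = line.partition(" ")
            name, _, prop = key.partition(":")
            maps[name][prop] = value.strip()
    return maps

def esc(value):
    """Escape LDAP filter metacharacters (RFC 4515); hardening added here."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def plan_search(maps, issuer_dn, subject):
    """subject: ordered (attribute, value) pairs from the certificate subject DN."""
    # The issuer DN is compared as an exact string, as the CAUTION describes.
    name = next((n for n, m in maps.items() if m["issuer"] == issuer_dn), "default")
    m = maps[name]
    pick = lambda spec: [(a, v) for a, v in subject
                         if a in [c.strip() for c in spec.split(",")]]
    plan = {"mapping": name, "verifycert": m.get("verifycert") == "on",
            "base_dn": ", ".join(f"{a}={v}" for a, v in pick(m["DNComps"])),
            "filter": "(&" + "".join(f"({a}={esc(v)})"
                                     for a, v in pick(m["FilterComps"])) + ")"}
    if "CmapLdapAttr" in m:  # tried first: whole subject DN against one attribute
        dn = ", ".join(f"{a}={v}" for a, v in subject)
        plan["first_try"] = f"({m['CmapLdapAttr']}={esc(dn)})"
    return plan
```

An issuer DN that differs from the mapping line only in spacing falls through to the default mapping, where the search starts at the top of the tree and `verifycert` is off.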
