Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 487

Be aware that if the same name is in an HTTP form input and authentication token
(authentication result) the authentication result can override the HTTP form input.
For example, if
email
authentication module will override the
request. A predicate using
the authentication instead of the HTTP input value.
The following are sample predicates:
HTTP_PARAMS.certType==client AND HTTP_PARAMS.ou==Engineering
HTTP_PARAMS.certType==server AND HTTP_PARAMS.o==Netscape OR
HTTP_PARAMS.certType==ca
Attributes for Predicates
Attributes for predicates can come from any of the following:
• Input form—that is, the HTML form that end entities use for submitting
certificate requests.
• Authentication token—what the authentication subsystem returns after
successfully authenticating an end entity.
• A service—for example, a Certificate Manager, Registration Manager, or Data
Recovery Manager service can add certain attributes to the end-entity request.
• Policy processor—what the policy subsystem returns after subjecting the
end-entity request to policy checking. For example, an extension-based policy
can set an appropriate extension in the certificate.
Table 11-2 lists default attributes that are supported by various request object
implementations.
Table 11-2 Attributes supported by request object implementations
Request type Variable name
Default attributes from an input form:
Enrollment
requestFormat
is in an HTTP input and an authentication module also puts
email
in the authentication result (that is, authtoken) the
email
Description
Specifies the certificate request format. Default values
include the following:
• keygen
• pkcs10
• clientAuth
value from the HTTP input in the
email
in an expression will be evaluated to the value of
Introduction to Policy
value from the
email
Chapter 11 Policies 487