Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 110

Evaluation first attempts a DN lookup for the Subject name or Directory name mapping. If that
fails, the remaining mappings are looked up in a single LDAP query.
Available attributes: The available X.509 attributes. To use an attribute, select it and move it
to the Attributes field. When the attribute is moved to the Attributes list, you can modify the
mapping name in the Attribute Mappings section. The mapped name must match an attribute in
your LDAP user store.
Directory name: Searches for the directory address in the client certificate and tries to match it
to the DN of a user in the user store. If that fails, it searches the sasAllowableSubjectNames
attribute of all users for a value that matches. The sasAllowableSubjectNames attribute must
contain values that are comma-delimited, with a space after the comma, and in leaf to root
format. (For example, O=CURLY, OU=Organization CA or OU=Organization CA,
O=CURLY.)
Email: Searches for the email attribute in the client certificate and tries to match it with a value
in the LDAP mail attribute.
Serial number and issuer name: Lets you match a user's certificate by its serial number and
issuer name. Both values must be stored in the same LDAP attribute of the user, and the name of
that attribute must be listed in the Attribute Mappings section. The attribute can be any Case
Ignore List or Case Ignore String attribute of the user. If you are configuring your own attribute,
ensure that the attribute is added to the Person class.
When using a Case Ignore String attribute, the issuer name and the serial number must be in the
same attribute value, separated by a dollar sign ($) character: the issuer name in front of the $
character and the serial number after it, with no spaces in front of or behind the $ character. For
example: O=CURLY, OU=Organization CA$21C0562C5C4
When using a Case Ignore List attribute, the issuer name and the serial number must be in the
same list: the issuer name is the first item in the list, and the serial number is the second and last
item in the list.
The issuer name can be from root to leaf or from leaf to root. It must be comma-delimited with a
space after the comma. (For example, O=CURLY, OU=Organization CA or OU=Organization CA,
O=CURLY.)
The serial number cannot begin with a zero (0) or with hexadecimal notation (0x). If the serial
number is 0x0BAC05, the value stored in the attribute must be BAC05. Internet Explorer displays
the serial number with a space after every fourth digit; enter the serial number without the
spaces.
Subject name: Searches for the Subject name of the client certificate and tries to match it to
the DN of a user in the user store. If that fails, it searches the sasAllowableSubjectNames
attribute of all users for a value that matches the Subject name of the client certificate. The
sasAllowableSubjectNames attribute must contain values that are comma-delimited, with a
space after the comma. (For example, O=CURLY, OU=Organization CA or OU=Organization
CA, O=CURLY.)
12 Click Finish.
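The value formats above are easy to get subtly wrong (a leading zero, a space next to the $, a subject stored in only one RDN order), and a certificate field that ends up inside an LDAP filter must be escaped. The following is an added example, not code from the Novell guide or from the Access Manager product: it normalizes a certificate's issuer name, serial number and subject into the forms the Serial number and issuer name, Subject name and Directory name mappings expect, checks a stored issuer$serial value against a presented certificate, and builds the search filters such a lookup has to match. All function names and the attr parameter are assumptions for illustration; sasAllowableSubjectNames is the attribute named in the guide, and the sample DNs and serials are constructed from the guide's example.

```python
# Added example: not code from the Novell Access Manager guide or product.
# Function names and the 'attr' parameter are assumptions for illustration;
# sasAllowableSubjectNames is the attribute the guide names.
import re
from typing import List, Union


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not backslash-escaped (RFC 4514),
    trimming whitespace around each RDN."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]


def normalize_dn(dn: str) -> str:
    """Comma-delimited with one space after each comma: the form the guide
    requires for issuer names and sasAllowableSubjectNames values."""
    return ", ".join(split_rdns(dn))


def dn_forms(dn: str) -> List[str]:
    """Both accepted RDN orders (root to leaf and leaf to root)."""
    rdns = split_rdns(dn)
    return [", ".join(rdns), ", ".join(reversed(rdns))]


def normalize_serial(serial: Union[int, str]) -> str:
    """Serial number as the guide requires it: uppercase hex, no 0x prefix,
    no leading zeros, no spaces.  Accepts an int (what a certificate parser
    returns) or text copied from a certificate viewer, which may contain
    spaces, colons or a 0x prefix."""
    if isinstance(serial, int):
        hexstr = format(serial, "X")
    else:
        hexstr = re.sub(r"[\s:]", "", serial).upper()
        if hexstr.startswith("0X"):
            hexstr = hexstr[2:]
    hexstr = hexstr.lstrip("0")
    if not re.fullmatch(r"[0-9A-F]+", hexstr):
        raise ValueError("serial number is not a non-zero hexadecimal value")
    return hexstr


def issuer_serial_string(issuer_dn: str, serial: Union[int, str]) -> str:
    """Case Ignore String value: issuer$serial, no spaces around the $."""
    return normalize_dn(issuer_dn) + "$" + normalize_serial(serial)


def issuer_serial_list(issuer_dn: str, serial: Union[int, str]) -> List[str]:
    """Case Ignore List value: issuer name first, serial number last."""
    return [normalize_dn(issuer_dn), normalize_serial(serial)]


def matches_issuer_serial(stored: str, cert_issuer_dn: str,
                          cert_serial: Union[int, str]) -> bool:
    """Does a stored issuer$serial value identify this certificate?  The
    stored issuer may be in either RDN order and is compared without regard
    to case (Case Ignore String).  Spaces around the $ or a leading zero on
    the stored serial cause a mismatch, as the guide warns."""
    if stored.count("$") != 1:
        return False
    stored_issuer, stored_serial = stored.split("$")
    if stored_issuer != stored_issuer.strip() or stored_serial != stored_serial.strip():
        return False
    issuers = {f.lower() for f in dn_forms(cert_issuer_dn)}
    return (stored_issuer.lower() in issuers
            and stored_serial.upper() == normalize_serial(cert_serial))


def ldap_escape(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515), so a certificate
    field cannot change the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def subject_name_filter(cert_subject_dn: str) -> str:
    """Filter for the fallback search over sasAllowableSubjectNames, trying
    the certificate's subject in both RDN orders."""
    terms = "".join("(sasAllowableSubjectNames=%s)" % ldap_escape(f)
                    for f in dn_forms(cert_subject_dn))
    return "(|" + terms + ")"


def issuer_serial_filter(attr: str, cert_issuer_dn: str,
                         cert_serial: Union[int, str]) -> str:
    """Filter for the Case Ignore String form of the mapping; 'attr' is the
    attribute name chosen in Attribute Mappings."""
    serial = normalize_serial(cert_serial)
    terms = "".join("(%s=%s)" % (attr, ldap_escape(f + "$" + serial))
                    for f in dn_forms(cert_issuer_dn))
    return "(|" + terms + ")"


if __name__ == "__main__":
    # Constructed sample values based on the guide's example issuer.
    issuer = "OU=Organization CA,O=CURLY"
    print(issuer_serial_string(issuer, "0x021C0562C5C4"))
    print(subject_name_filter("CN=moe,OU=Organization CA,O=CURLY"))
```

The filters try both RDN orders because the guide accepts either in the stored value; if your directory is consistent about order you can drop the second term. The escaping step matters even in a closed deployment: the subject and issuer fields come from the certificate, and a CA that lets subscribers choose their own subject strings is effectively supplying part of your search filter.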