Using Client Authentication

Managing Servers with Netscape Console • December 2001

For example, if you set DNComps to use the o and c RDN keywords, the server starts the search from the o=org, c=country entry in the directory, where org and country are replaced with values from the DN in the certificate.

• If there isn’t a DNComps entry in the mapping, the server uses either the CmapLdapAttr setting or the entire subject DN in the client certificate to determine where to start searching.
• If the DNComps entry is present but has no value, the server searches the entire directory tree for entries matching the filter specified by FilterComps.

The following RDN keywords are supported for DNComps: cn, ou, o, c, l, st, e, and mail. You can list the keywords in lower case or upper case. You can use e or mail, but not both.

FilterComps

FilterComps is a comma-separated list of RDN keywords used to create a filter by gathering information from the user’s DN in the client certificate. The server uses the values for these keywords to form the search criteria for matching entries in the LDAP directory. If the server finds one or more entries in the directory that match the user’s information gathered from the certificate, the search is successful and the server performs a verification (if verifycert is set to on).

For example, if FilterComps is set to use the e and uid attribute keywords (FilterComps=e,uid), the server searches the directory for an entry whose values for e and uid match the user’s information gathered from the client certificate. Email addresses and user IDs are good filters because they are usually unique entries in the directory.

The filter needs to be specific enough to match one and only one entry in the directory. The following RDN keywords are supported for FilterComps: cn, ou, o, c, l, st, e, and mail. You can list the keywords in lower case or upper case. You can use e or mail, but not both.

VerifyCert

VerifyCert tells the server whether it should compare the client’s certificate with the certificate found in the user’s directory entry. It takes one of two values: on or off. Setting the value to on ensures that the server will not authenticate the client unless the certificate presented exactly matches the certificate stored in the directory. Setting the value to off disables the verification process.
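
The mapping rules above, modeled as an added Python example (not code from the Netscape documentation or server): it derives the search base and filter from a subject DN, then applies VerifyCert to the matches. The function names, the sample DN, the use of each keyword as the LDAP attribute name, and the RFC 4515 escaping step are assumptions of this example.

```python
# Keyword list from the page (uid, used in the page's FilterComps example, is not in it).
SUPPORTED = {"cn", "ou", "o", "c", "l", "st", "e", "mail"}

def parse_dn(dn):
    """Split a simple subject DN into (keyword, value) pairs (no escaped commas handled)."""
    pairs = []
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def keywords(setting):
    """Validate a DNComps/FilterComps value; keywords are case-insensitive."""
    keys = [k.strip().lower() for k in setting.split(",") if k.strip()]
    unknown = [k for k in keys if k not in SUPPORTED]
    if unknown:
        raise ValueError(f"unsupported keyword(s): {unknown}")
    if "e" in keys and "mail" in keys:
        raise ValueError("use e or mail, but not both")
    return keys

def escape_filter(value):
    """RFC 4515 escaping so certificate values cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def search_plan(subject_dn, dn_comps, filter_comps):
    """dn_comps=None models a missing DNComps entry, "" one that is present but empty."""
    rdns = parse_dn(subject_dn)
    if dn_comps is None:
        base = subject_dn              # entire subject DN (CmapLdapAttr not modeled)
    elif not dn_comps.strip():
        base = ""                      # search the entire directory tree
    else:
        wanted = keywords(dn_comps)
        base = ", ".join(f"{k}={v}" for k, v in rdns if k in wanted)
    wanted = keywords(filter_comps)
    terms = [f"({k}={escape_filter(v)})" for k, v in rdns if k in wanted]
    if not terms:
        raise ValueError("subject DN carries none of the FilterComps keywords")
    return base, terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"

def select_entry(matches, presented_cert, verify_cert):
    """matches: (entry_dn, stored_cert_bytes) pairs returned by the search."""
    if verify_cert:                    # VerifyCert on: stored cert must match exactly
        matches = [m for m in matches if m[1] == presented_cert]
    return matches[0][0] if len(matches) == 1 else None  # one and only one entry

# Constructed sample subject DN, not taken from the page.
SUBJECT = "cn=Jane (Admin)*, e=jane@example.com, o=Example Corp, c=US"
```

With VerifyCert off, select_entry returns None whenever the filter matches more than one entry, which is why the filter has to be specific enough to identify a single user.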