SubjectDirectoryAttributesExt Plug-in Module
238 Netscape Certificate Management System Plug-Ins Guide • March 2002

The first two attributes, AUTH_TOKEN.mail and AUTH_TOKEN.mailalternateaddress, are standard LDAP attributes typically used for storing end users’ email addresses in an LDAP directory. These attributes enable you to include a user’s email address as an alternative name in the certificate. Remember that you need to specify the LDAP attribute for users’ email addresses as a part of configuring the server to use a specific directory for authentication—which means for the default rule to set end users’ email addresses in the subject alternative name extension, you must ensure the following:

• The server is configured for directory-based, directory- and PIN-based, or NIS server based (using directory attributes for forming subject names) enrollment; that is, you have created and configured an authentication instance.
• The ldapStringAttributes parameter in the authentication instance is set to mail or mailalternateaddress, or to both.

The third attribute, HTTP_PARAMS.csrRequestorEmail, is the email component of the subject name in an enrollment request—it is an HTTP input value that gets added to the request when a user uses the manual enrollment form; for details, see “Enrollment Forms” on page 53.

If you enable the default policy rule, the server automatically checks the certificate request for attributes AUTH_TOKEN.mail, AUTH_TOKEN.mailalternateaddress, and HTTP_PARAMS.csrRequestorEmail. If the server finds any of the attributes, it sets the attribute value in the extension and then adds the extension to certificates specified by the predicate parameter. If none of the attributes are in a request, the server does not add the subject alternative name extension to the certificate.

SubjectDirectoryAttributesExt Plug-in Module

The SubjectDirectoryAttributesExt plug-in module implements the subject directory attributes extension policy. This policy enables you to configure Certificate Management System to add the Subject Directory Attributes Extension defined in X.509 and PKIX standard RFC 2459 (see http://www.ietf.org/rfc/rfc2459.txt) to certificates. The extension is used to specify any desired directory attribute values for the subject of the certificate.

As per the PKIX standard, inclusion of this extension in certificates is not essential; the standard suggests that the extension may be used in local environments. For general guidelines on setting the subject directory attributes extension, see “subjectDirectoryAttributes” on page 356.
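
Added example (not from this guide or from Certificate Management System code) for the default subject alternative name rule described earlier on this page: it models which of AUTH_TOKEN.mail, AUTH_TOKEN.mailalternateaddress, and HTTP_PARAMS.csrRequestorEmail would supply email values, and marks requests whose only email value comes from the manual enrollment form rather than the directory. The dict-based request layout, the function names, and the handling of multiple or duplicate values are assumptions; the predicate parameter is not modelled.

```python
# Added illustration: models the default rule as the text describes it.
# The request layout (a dict) and all function names are hypothetical.

# Attributes the default rule checks, in the order the text lists them,
# mapped to where each value originates.
RULE_ATTRIBUTES = (
    ("AUTH_TOKEN.mail", "directory"),
    ("AUTH_TOKEN.mailalternateaddress", "directory"),
    ("HTTP_PARAMS.csrRequestorEmail", "enrollment form"),
)


def san_email_entries(request):
    """Return [(email, attribute, origin)] for every rule attribute present.

    Assumption: each value found becomes one email entry. LDAP attributes
    can be multi-valued, so lists are accepted. Case-insensitive duplicates
    are reported once, keeping the first origin seen.
    """
    entries, seen = [], set()
    for attr, origin in RULE_ATTRIBUTES:
        value = request.get(attr)
        if value is None:
            continue
        values = value if isinstance(value, (list, tuple)) else [value]
        for email in values:
            email = email.strip()
            if email and email.lower() not in seen:
                seen.add(email.lower())
                entries.append((email, attr, origin))
    return entries


def audit_request(request):
    """Summarize what the rule would add and whether it is form input only."""
    entries = san_email_entries(request)
    return {
        "adds_extension": bool(entries),  # no attributes found: no extension
        "emails": [email for email, _, _ in entries],
        # True when no directory attribute backs any of the values
        "form_input_only": bool(entries)
        and all(origin == "enrollment form" for _, _, origin in entries),
    }


# Constructed sample requests (not real data)
DIRECTORY_ENROLLMENT = {"AUTH_TOKEN.mail": ["jdoe@example.com"],
                        "AUTH_TOKEN.mailalternateaddress": "JDoe@example.com"}
MANUAL_ENROLLMENT = {"HTTP_PARAMS.csrRequestorEmail": "jdoe@example.net"}
```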