By default, Access Manager uses the complete string of the X.509 certificate attribute to identify a user in the userstore. When the X.509 subject name contains a long DN or string, you can configure regular expression (regex) to extract the partial value. You can configure regex for the following attributes of the certificate:
If the subject of the certificate is fully qualified DN, Access Manager can use the CN value or ignore it while searching for a user. You can also configure regex for each attribute that is available with the X.509 certificate configuration.
You can configure regex while creating an X.509 class. See Attribute Mappings.
For example, the X.509 subject is EMAILADDRESS=martial@novell.com, CN=martial, OU=NTS, O=MF, L=Malahide, ST=Dublin
To retrieve the martial CN value, you can use regex (?<=CN=)([^,]+).
The expression CN=(.*?) matches the common name field. So, if the subject name in the certificate is "CN=martial, OU=...", this will give a username “martial". The matches are case-sensitive.
"EMAILADDRESS =(.*?)," will match "EMAILADDRESS=martial@novell.com,CN=... “ and will give username “martial@novell.com”.
OU=(.*?)(?:,|$) will match “EMAILADRESS=martial@novell.com,CN=..,OU=NTS...” and match value to “NTS”.
For more information about regex, see Regular Expression.info and for editing and testing a regex, you can try Online Regex Tester or Regexr.