Setting Up PIN-Based Enrollment - Red Hat Certificate System 7.3 Administration Guide

Chapter 16. Authentication for Enrolling Certificates
• ldapByteAttributes. Specifies the list of LDAP byte (binary) attributes that should be
considered authentic for the end entity. If specified, the values corresponding to these
attributes will be copied from the authentication directory into the authentication token for
use by other modules, such as adding additional information to users' certificates.
Entering values for this parameter is optional.
• ldap.ldapconn.host. Specifies the fully-qualified DNS hostname of the authentication
directory.
• ldap.ldapconn.port. Specifies the TCP/IP port on which the authentication directory listens
to requests; if the ldap.ldapconn.secureConn. checkbox is selected, this should be the
SSL port number.
• ldap.ldapconn.secureConn. Specifies the type, SSL or non-SSL, of the port on which the
authentication directory listens to requests from the Certificate System. Select if this is an
SSL port.
• ldap.ldapconn.version. Specifies the LDAP protocol version, either 2 or 3. The default is
3, since all Directory Servers later than version 3.x are LDAPv3.
• ldap.basedn. Specifies the base DN for searching the authentication directory. The server
uses the value of the uid field from the HTTP input (what a user enters in the enrollment
form) and the base DN to construct an LDAP search filter.
• ldap.minConns. Specifies the minimum number of connections permitted to the
authentication directory. The permissible values are 1 to 3.
• ldap.maxConns. Specifies the maximum number of connections permitted to the
authentication directory. The permissible values are 3 to 10.
f. Click OK. The authentication instance is set up and enabled.
2. Set the certificate profiles to use to enroll users by setting policies for specific certificates.
Customize the enrollment forms by configuring the inputs in the certificate profiles, and include
inputs for the information needed by the plug-in to authenticate the user. If the default inputs do
not contain all of the information that needs to be collected, submit a request created with a third-
party tool.
For information on configuring the profiles, see Section 13.3.3, "Populating Certificates with Directory Attributes".
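The parameters above are only safe when they are consistent with one another: a secureConn instance must point at the SSL port, the pool bounds must respect the permitted ranges, and the uid taken from the enrollment form must not be able to change the structure of the search filter the server builds from it. The following is an added example (not Certificate System code) that checks a parameter set for those problems and shows RFC 4515 escaping of the uid; the filter shape "(uid=...)" and the escaping are assumptions about what a safe implementation does, not a description of the plug-in's internals, and the two instances are constructed.

```python
# Added example (not Certificate System code): validates a directory-based
# authentication instance's parameters against the descriptions above and
# shows why the uid from the enrollment form must be escaped before it goes
# into an LDAP search filter. The "(uid=...)" filter shape and RFC 4515
# escaping are assumptions about a safe implementation, not the plug-in's.

MINCONNS_RANGE = (1, 3)    # permissible ldap.minConns values (from the text)
MAXCONNS_RANGE = (3, 10)   # permissible ldap.maxConns values (from the text)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so characters typed into the
    uid field cannot alter the structure of the search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_search_filter(uid: str) -> str:
    """Filter the server would combine with ldap.basedn (assumed shape)."""
    return "(uid=%s)" % escape_filter_value(uid)


def validate_auth_config(cfg: dict) -> list:
    """Return the problems found in an instance's parameters (empty = OK)."""
    problems = []

    host = cfg.get("ldap.ldapconn.host", "")
    if "." not in host.strip("."):
        problems.append("ldap.ldapconn.host is not a fully-qualified hostname: %r" % host)

    port = int(cfg.get("ldap.ldapconn.port", 0))
    secure = str(cfg.get("ldap.ldapconn.secureConn", "false")).lower() == "true"
    if secure and port == 389:
        problems.append("ldap.ldapconn.secureConn is set but 389 is the cleartext LDAP port")
    if not secure:
        problems.append("ldap.ldapconn.secureConn is off: user passwords cross the network in the clear")

    version = int(cfg.get("ldap.ldapconn.version", 3))
    if version not in (2, 3):
        problems.append("ldap.ldapconn.version must be 2 or 3, got %d" % version)

    if not cfg.get("ldap.basedn"):
        problems.append("ldap.basedn is empty; the uid search has no starting point")

    minc = int(cfg.get("ldap.minConns", 0))
    maxc = int(cfg.get("ldap.maxConns", 0))
    if not MINCONNS_RANGE[0] <= minc <= MINCONNS_RANGE[1]:
        problems.append("ldap.minConns %d outside %s" % (minc, MINCONNS_RANGE))
    if not MAXCONNS_RANGE[0] <= maxc <= MAXCONNS_RANGE[1]:
        problems.append("ldap.maxConns %d outside %s" % (maxc, MAXCONNS_RANGE))
    if minc > maxc:
        problems.append("ldap.minConns exceeds ldap.maxConns")
    return problems


# Constructed sample instances: a weak one and its corrected form.
WEAK_INSTANCE = {
    "ldap.ldapconn.host": "ldap",                 # short name, not an FQDN
    "ldap.ldapconn.port": "389",
    "ldap.ldapconn.secureConn": "false",
    "ldap.ldapconn.version": "3",
    "ldap.basedn": "ou=People,dc=example,dc=com",
    "ldap.minConns": "5",                         # outside 1..3
    "ldap.maxConns": "10",
}
HARDENED_INSTANCE = {
    "ldap.ldapconn.host": "ldap.example.com",
    "ldap.ldapconn.port": "636",                  # SSL port to match secureConn
    "ldap.ldapconn.secureConn": "true",
    "ldap.ldapconn.version": "3",
    "ldap.basedn": "ou=People,dc=example,dc=com",
    "ldap.minConns": "2",
    "ldap.maxConns": "5",
}

if __name__ == "__main__":
    for name, inst in (("weak", WEAK_INSTANCE), ("hardened", HARDENED_INSTANCE)):
        print(name, validate_auth_config(inst) or "OK")
    # A hostile uid that, unescaped, would turn the lookup into a wildcard match:
    print(build_search_filter("*)(uid=*"))
```

Run it against the values you are about to type into the instance form; the weak instance reports three problems and the hardened one none, and the escaped filter for the hostile uid contains no unescaped parentheses or asterisks.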

16.3.2. Setting up PIN-based Enrollment

PIN-based authentication involves setting up PINs for each user in the LDAP directory, distributing
those PINs to the users, and then having the users provide the PIN along with their user ID and
password when filling out a certificate request. Users are then authenticated both against an LDAP
directory using their user ID and password and against the PIN in their LDAP entry. When the user
successfully authenticates, the request is automatically processed, and a new certificate is issued.
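The flow just described has two factors checked in sequence, a bind with the user ID and password followed by a comparison against the PIN held in the user's entry, and a handful of distinct failure modes (unknown user, wrong password, no PIN populated, wrong PIN). The following is an added example, not the setpin tool or the Certificate System plug-in, that models that check over an in-memory stand-in for the LDAP directory; the salted-hash storage format, the 8-character PIN alphabet, and the treatment of the PIN as single-use are assumptions of the model, and the users are constructed.

```python
# Added example (not the setpin tool or the Certificate System plug-in): a
# model of the PIN-based enrollment check, with an in-memory stand-in for the
# authentication directory. The salt||digest storage format, the PIN length
# and alphabet, and the single-use handling of the PIN are assumptions.
import hashlib
import hmac
import secrets
import string

PIN_ALPHABET = string.ascii_uppercase + string.digits
PIN_LENGTH = 8
SALT_LEN = 8


def hash_secret(value: str, salt: bytes = None) -> bytes:
    """Salted SHA-256, stored as salt || digest (assumed format)."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    return salt + hashlib.sha256(salt + value.encode()).digest()


def check_secret(stored: bytes, value: str) -> bool:
    """Constant-time comparison so timing does not reveal how close a guess was."""
    return hmac.compare_digest(hash_secret(value, stored[:SALT_LEN]), stored)


def generate_pin(length: int = PIN_LENGTH) -> str:
    """PIN drawn from a CSPRNG, as a setpin-style generator should do."""
    return "".join(secrets.choice(PIN_ALPHABET) for _ in range(length))


class Directory:
    """In-memory stand-in for the authentication directory (constructed)."""

    def __init__(self, users: dict):
        # users maps uid -> password; entries hold a hashed password and no PIN yet
        self.entries = {uid: {"userPassword": hash_secret(pw), "pin": None}
                        for uid, pw in users.items()}

    def bind(self, uid: str, password: str) -> bool:
        entry = self.entries.get(uid)
        return entry is not None and check_secret(entry["userPassword"], password)


def set_pins(directory: Directory) -> dict:
    """Populate a PIN in every entry (the schema/population step the text
    attributes to setpin). Returns the cleartext PINs for out-of-band
    distribution to the users; only the hashes stay in the directory."""
    pins = {}
    for uid, entry in directory.entries.items():
        pin = generate_pin()
        entry["pin"] = hash_secret(pin)
        pins[uid] = pin
    return pins


def authenticate_enrollment(directory: Directory, uid: str, password: str,
                            pin: str, single_use: bool = True):
    """Return (ok, reason). The reason is for the server log; the enrollment
    form should show the user only a generic failure message."""
    entry = directory.entries.get(uid)
    if entry is None:
        return False, "no such user"
    if not directory.bind(uid, password):          # first factor: uid + password
        return False, "bad password"
    if entry["pin"] is None:
        return False, "no PIN set"
    if not check_secret(entry["pin"], pin):        # second factor: PIN in the entry
        return False, "bad PIN"
    if single_use:                                 # assumption: enrollment consumes the PIN
        entry["pin"] = None
    return True, "ok"


if __name__ == "__main__":
    users = Directory({"jsmith": "pw-jsmith", "akumar": "pw-akumar"})  # constructed
    pins = set_pins(users)
    print(authenticate_enrollment(users, "jsmith", "pw-jsmith", pins["jsmith"]))  # (True, 'ok')
    print(authenticate_enrollment(users, "jsmith", "pw-jsmith", pins["jsmith"]))  # PIN already used
```

The order matters: the password bind runs before the PIN comparison, so an attacker who has only harvested a PIN cannot use it to confirm a password guess, and the distinct reasons stay in the log rather than on the form.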
The Certificate System provides a tool, setpin, that adds the necessary schema for PINs to the
Directory Server and generates the PINs for each user.
The PIN tool performs the following functions: