Red Hat CERTIFICATE SYSTEM 7.3 - ADMINISTRATION Administration Manual page 403

• Adds the necessary schema for PINs to the LDAP directory.
• Adds a PIN manager user who has read-write permissions to the PINs that are set up.
• Sets up ACIs to allow for PIN removal once the PIN has been used, giving read-write permissions
for PINs to the PIN manager, and preventing users from creating or changing PINs.
• Creates PINs in each user entry.
NOTE
This tool is documented in the Certificate System Command-Line Tools Guide.
To set up PIN-based authentication:
1. Use the PIN tool to add schema needed for PINs, add PINs to the user entries, and then distribute
the PINs to users.
a. Open the /usr/lib/rhpki/native-tools directory.
b. Open the setpin.conf file in a text editor.
c. Follow the instructions outlined in the file and make the appropriate changes.
Usually, the parameters that need to be updated are the Directory Server's host name, the Directory
Manager's bind password, and the PIN manager's password.
d. Run the setpin command with its optfile option pointing to the setpin.conf file.
setpin optfile=/usr/lib/rhpki/native-tools/setpin.conf
The tool modifies the schema with a new attribute (by default, pin) and a new object class
(by default, pinPerson), creates a pinmanager user, and sets the ACI to allow only the
pinmanager user to modify the pin attribute.
e. To generate PINs for specific user entries or to provide user-defined PINs, add these PINs
using an input file. For information on constructing an input file, see the PIN generator chapter
in the Certificate System Command-Line Tools Guide.
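f. Run the setpin command to create hashed PINs in the directory.
Run the tool first without the write option to generate a list of PINs without actually changing
the directory.
For example (this command includes the write option, so it updates the directory; leave write out
for the trial run):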
setpin host=yourhost port=9446 length=11 input=infile output=outfile write
"binddn=cn=pinmanager,o=example.com" bindpw="password" basedn=o=example.com
"filter=(uid=u*)"
Setting up PIN-based Enrollment
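A check that can follow the write run above, as an added example that is not part of the Red Hat manual: it reads an LDIF export of the user entries and prints the DN of each entry that still has no pin attribute. The function names and the sample LDIF are constructed for illustration, and it assumes the export was made by an identity the ACI allows to read the pin attribute, such as the pinmanager user.

```shell
# entries_without_pin [ATTR] < export.ldif
# Prints the DN of every entry that lacks ATTR (default: pin, the setpin default).
entries_without_pin() {
    awk -v attr="${1:-pin}" '
        function flush_line() {
            low = tolower(line)          # LDAP attribute names ignore case
            if (low ~ /^dn:/) { dn = line; sub(/^[^:]*::? */, "", dn) }
            # "pin:" also matches "pin::", the base64 form used for binary values
            else if (index(low, tolower(attr) ":") == 1) has_pin = 1
            line = ""
        }
        function flush_entry() {
            flush_line()
            if (dn != "" && !has_pin) print dn
            dn = ""; has_pin = 0
        }
        /^#/ { flush_line(); in_comment = 1; next }
        /^ / { if (!in_comment) line = line substr($0, 2); next }  # folded line
        /^$/ { in_comment = 0; flush_entry(); next }               # end of entry
             { in_comment = 0; flush_line(); line = $0 }
        END  { flush_entry() }
    '
}

# Constructed sample export (not real data): u1 and u4 have a PIN, u2 and u3 do not.
sample_ldif() {
    cat <<'EOF'
version: 1

# constructed entries
dn: uid=u1,o=example.com
objectClass: pinPerson
uid: u1
pin:: AAECAwQF

dn: uid=u2,o=example.com
uid: u2
description: pin: text inside another attribute

dn: uid=u3,ou=People,o=exam
 ple.com
uid: u3

dn: uid=u4,o=example.com
PIN: constructed-value
EOF
}

sample_ldif | entries_without_pin
```

If the export is made by an identity that the ACI does not allow to read the attribute, every entry is listed, so an unexpectedly full list points at the bind identity rather than at missing PINs.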