• ldap.ldapconn.host. Specifies the fully-qualified DNS host name of the authentication
directory.
• ldap.ldapconn.port. Specifies the TCP/IP port on which the authentication directory listens
to requests from the Certificate System.
• ldap.ldapconn.secureConn. Specifies the type, SSL or non-SSL, of the port on which the
authentication directory listens to requests. Select if this is an SSL port.
• ldap.ldapconn.version. Specifies the LDAP protocol version, either 2 or 3. By default, this
is 3, since all Directory Server versions later than 3.x are LDAPv3.
• ldap.ldapAuthentication.bindDN. Specifies the user entry to bind as when
removing PINs from the authentication directory. Specify this parameter only if the
removePin checkbox is selected. It is recommended to create and use a separate user entry
that has permission to modify only the PIN attribute in the directory. For
example, do not use the Directory Manager's entry because it has privileges to modify the
entire directory content.
• password. Gives the password associated with the DN specified by the
ldap.ldapAuthentication.bindDN parameter. When saving changes, the server stores the
password in the single sign-on password cache and uses it for subsequent start ups. This
parameter needs to be set only if the removePin checkbox is selected.
• ldap.ldapAuthentication.clientCertNickname. Specifies the nickname of the certificate to
use for SSL client authentication to the authentication directory to remove PINs. Make sure
that the certificate is valid and has been signed by a CA that is trusted in the authentication
directory's certificate database and that the authentication directory's certmap.conf file
has been configured to map the certificate correctly to a DN in the directory. This is needed
for PIN removal only.
• ldap.ldapAuthentication.authtype. Specifies the authentication type, basic authentication
or SSL client authentication, required in order to remove PINs from the authentication
directory.
    • BasicAuth specifies basic authentication. With this option, enter the correct values for
    the ldap.ldapAuthentication.bindDN and password parameters; the server uses the DN
    from the ldap.ldapAuthentication.bindDN attribute to bind to the directory.
    • SslClientAuth specifies SSL client authentication. With this option, set the value
    of the ldap.ldapconn.secureConn parameter to true and the value of the
    ldap.ldapAuthentication.clientCertNickname parameter to the nickname of the
    certificate to use for SSL client authentication.
• ldap.basedn. Specifies the base DN for searching the authentication directory; the server
uses the value of the uid field from the HTTP input (what a user enters in the enrollment
form) and the base DN to construct an LDAP search filter.
• ldap.minConns. Specifies the minimum number of connections permitted to the
authentication directory. The permissible values are 1 to 3.
• ldap.maxConns. Specifies the maximum number of connections permitted to the
authentication directory. The permissible values are 3 to 10.
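The rules in the list above can be checked mechanically before a configuration is saved. The following is an added example, not code from the Certificate System or its documentation; it assumes the parameters are available as flat key=value lines, that the removePin checkbox is stored as a removePin key with true/false values, and that the Directory Manager entry uses the default DN cn=Directory Manager.

```python
# Added example: lint PIN-removal LDAP settings against the rules in the list above.
# SAMPLE is constructed; the removePin key name and true/false values are assumptions.
SAMPLE = """\
ldap.ldapconn.secureConn=false
ldap.ldapconn.version=3
ldap.ldapAuthentication.authtype=SslClientAuth
ldap.ldapAuthentication.bindDN=cn=Directory Manager
ldap.minConns=3
ldap.maxConns=12
removePin=true
"""

def parse(text):
    # Split on the first '=' only, because DN values contain '=' themselves.
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def in_range(cfg, key, lo, hi):
    value = cfg.get(key, "")
    return value.isdigit() and lo <= int(value) <= hi

def lint(cfg):
    # Returns one message per violated rule; an empty list means all rules hold.
    auth = "ldap.ldapAuthentication."
    flag = lambda key: cfg.get(key, "").lower() == "true"
    checks = [
        (cfg.get("ldap.ldapconn.version", "3") in ("2", "3"), "version must be 2 or 3"),
        (in_range(cfg, "ldap.minConns", 1, 3), "minConns must be 1 to 3"),
        (in_range(cfg, "ldap.maxConns", 3, 10), "maxConns must be 3 to 10"),
    ]
    if flag("removePin"):  # bind settings matter only when PINs are removed
        authtype = cfg.get(auth + "authtype")
        checks.append((authtype in ("BasicAuth", "SslClientAuth"), "unknown authtype"))
        if authtype == "SslClientAuth":
            checks.append((flag("ldap.ldapconn.secureConn"), "SslClientAuth needs secureConn=true"))
            checks.append((bool(cfg.get(auth + "clientCertNickname")), "SslClientAuth needs clientCertNickname"))
        if authtype == "BasicAuth":
            checks.append((bool(cfg.get(auth + "bindDN") and cfg.get("password")), "BasicAuth needs bindDN and password"))
        is_dm = cfg.get(auth + "bindDN", "").lower() == "cn=directory manager"
        checks.append((not is_dm, "bindDN is Directory Manager; use a PIN-only entry"))
    return [message for ok, message in checks if not ok]

if __name__ == "__main__":
    print("\n".join(lint(parse(SAMPLE))))
```

The constructed sample trips four rules: the connection ceiling, the two SslClientAuth prerequisites, and the over-privileged bind entry.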
Setting up PIN-based Enrollment