3.4. Setting up Users to Be Enrolled
When the Token Processing System is installed, one of its configuration settings is the LDAP directory which contains the users who are allowed to enroll a token. Only users who are stored within this authentication directory are allowed to enroll, format, or have a token. Before attempting to enroll a token or smart card, make sure that the person requesting the operation has an entry in the LDAP directory.
The TPS is configured to look at a specific base DN in the LDAP directory. This is configured in the TPS's
CS.cfg
:
auth.instance.0.baseDN=dc=example,dc=com
auth.instance.0.hostport=server.example.com:389
For a user to be allowed to enroll a token, the user must be somewhere below the base DN.
If the user does not already have an entry, then the administrator must add the user to the specified LDAP directory in the specified base DN before any tokens can be enrolled for the user.
/usr/bin/ldapmodify -a -D "cn=Directory Manager" -w secret-p 389 -h server.example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
objectclass: person objectclass: inetorgperson objectclass: top uid: jsmith cn: John Smith email: jsmith@example.com userPassword: secret