5.2. Setting up Users to Be Enrolled

When the Token Processing System is installed, one of its configuration settings is the LDAP directory which contains the users who are allowed to enroll a token. Only users who are stored within this authentication directory are allowed to enroll, format, or have a token. Before attempting to enroll a token or smart card, make sure that the person requesting the operation has an entry in the LDAP directory.

The TPS is configured to look at a specific base DN in the LDAP directory. This is configured in the TPS's CS.cfg:

 auth.instance.0.baseDN=dc=example,dc=com    
 auth.instance.0.hostport=server.example.com:389

For a user to be allowed to enroll a token, the user must be somewhere below the base DN.

If the user does not already have an entry, then the administrator must add the user to the specified LDAP directory in the specified base DN before any tokens can be enrolled for the user.

 /usr/bin/ldapmodify -a -D "cn=Directory Manager" -w secret -p 389 -h server.example.com    

 dn: uid=jsmith,ou=People, dc=example,dc=com    
 objectclass: person
 objectclass: inetorgperson
 objectclass: top
 uid: jsmith
 cn: John Smith
 email: jsmith@example.com
 userPassword: secret