Configuring Authentication for End-User Enrollment
504 Netscape Certificate Management System Installation and Setup Guide • May 2002

Step B. Update the Directory

By default, the PIN Generator modifies the pin attribute in a directory’s user entry. Because this attribute is not part of the standard organizationalPerson, it’s likely that the user entries in your directory do not contain the pin attribute. This means, before you run the PIN Generator, you’ll need to add the pin attribute to the user entries in your directory—that is, you’ll need to create a new object class (named pinPerson) in your authentication directory’s schema.

In general, you’ll need to update the slapd.user_at.conf file to include the pin attribute and the slapd.user_oc.conf file to include the object-class definition. The modified schema should look similar to this:

    attribute pin bin

    objectclass pinPerson
        superior organizationalPerson
        allows
            pin

In addition, if you want to make use of the PIN-removal feature—that is, remove a user’s PIN from the directory after Certificate Management System successfully authenticates that user and thus prevents the user from enrolling for another certificate—ACIs must be set up on the directory to prevent end users from creating new PINs for themselves. To do this, you’ll need to create an entry for a PIN manager user with read-write permission to the pin attribute.

For your convenience, the PIN Generator tool comes with a configuration file, named setpin.conf, which enables you to automate the process of updating the authentication directory with changes required for setting up PIN-based authentication. The configuration file is located in this directory:

    /bin/cert/tools

To make the required schema changes and add an entry for the PIN manager user (using the configuration file):

1. Go to this directory: /bin/cert/tools
2. Open the setpin.conf file in a text editor.
3. Follow the instructions outlined in the file and make the appropriate changes. Typically, you will need to update the Directory Server’s host name, Directory Manager’s bind password, and PIN manager’s password.
4. Run the setpin command with its optfile option pointing to the setpin.conf file (setpin optfile=setpin.conf).
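
The following check is an added example, not part of the Netscape guide or of setpin: it reviews directory ACI values after the procedure above and reports any allow rule that lets a subject other than the PIN manager write the pin attribute. The ACI strings, ACL names and the DN cn=pinmanager,o=example.com are constructed for illustration, and the parser assumes the simple case of one targetattr clause and one userdn subject per ACI.

```python
import re

# Constructed ACI values (not from the guide); DNs and ACL names are made up.
PIN_MANAGER_DN = "cn=pinmanager,o=example.com"
SAMPLE_ACIS = [
    '(targetattr = "pin")(version 3.0; acl "PIN manager"; '
    'allow (read,write) userdn = "ldap:///cn=pinmanager,o=example.com";)',
    '(targetattr = "*")(version 3.0; acl "Self edit"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr != "userPassword || pin")(version 3.0; acl "Self edit safe"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr != "userPassword")(version 3.0; acl "Self edit except password"; '
    'allow (all) userdn = "ldap:///self";)',
    '(targetattr = "pin")(version 3.0; acl "Anyone read"; '
    'allow (read,search) userdn = "ldap:///anyone";)',
]

# Simplification: one targetattr and one allow/deny rule with a userdn subject.
ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)'
    r'.*?acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<kind>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<who>[^"]*)"', re.I | re.S)

def covers_pin(op, attrs):
    """True if the targetattr clause includes the pin attribute."""
    names = {a.strip().lower() for a in attrs.split("||")}
    if op == "=":
        return "pin" in names or "*" in names
    return "pin" not in names  # "!=" targets every attribute NOT listed

def risky_pin_acis(acis, pin_manager_dn):
    """Names of allow rules that let anyone but the PIN manager write pin."""
    manager = f"ldap:///{pin_manager_dn}".lower()
    findings = []
    for aci in acis:
        m = ACI_RE.search(aci)
        if not m or m["kind"].lower() != "allow":
            continue
        perms = {p.strip().lower() for p in m["perms"].split(",")}
        if not perms & {"write", "all"} or not covers_pin(m["op"], m["attrs"]):
            continue
        subjects = [s.strip().lower() for s in m["who"].split("||")]
        if any(s != manager for s in subjects):
            findings.append(m["name"])
    return findings

if __name__ == "__main__":
    for name in risky_pin_acis(SAMPLE_ACIS, PIN_MANAGER_DN):
        print("grants pin write to a non-PIN-manager subject:", name)
```

Wildcard and exclusion-style targetattr clauses are the cases most easily missed: a self-write rule that predates the pin attribute will silently cover it unless pin is added to the exclusion list.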