7.1.2. Syntax

The setpin command has the following syntax:

setpin host=host_name [port=port_number] binddn=user_id
 [bindpw=bind_password] filter="LDAP_search_filter" [basedn=LDAP_base_DN]
 [length=PIN_length | minlength=minimum_PIN_length | maxlength=maximum_PIN_length]
 [gen=character_type] [case=upperonly] [objectclass=objectclass_to_add]
 [attribute=attribute_name_for_pins] [hash=algorithm]
 [saltattribute=LDAP_attribute_to_use_for_salt_creation] [input=file_name]
 [output=file_name] [write] [clobber] [testpingen=count]
 [debug] [optfile=file_name] [setup [pinmanager=pinmanager_user]
 [pinmanagerpwd=pinmanager_password] [schemachange=schema_change]]
 
Option Description
host Required. Specifies the LDAP directory to which to connect.
port Specifies the LDAP directory port to which to bind. The default port number is the default LDAP port, 389.
binddn Required. Specifies the user as whom the PIN Generator binds to the LDAP directory. This user account must have read/write access to the directory.
bindpw Gives the password for the user ID set in the binddn option. If the bind password is not given at the command line, the tool prompts for it.
filter Required. Sets the search filter for those DNs in the directory for which the tool should generate PINs.
basedn Specifies the base DN under which to search for DNs. If this argument is not specified, the filter searches from the root.
length Specifies the exact number of characters a PIN must contain; the default is 6. Do not use with minlength or maxlength.
minlength Sets the minimum length of the generated PINs. If used with maxlength, this sets the lower end of the range of the PIN length. Do not use with length.
maxlength Sets the maximum length of the generated PINs. If used with minlength, this sets the upper end of the range of the PIN length. Do not use with length.
gen Specifies the character type for PINs. The characters in the PIN can be drawn from alphabetic characters (RNG-alpha), alphanumeric characters (RNG-alphanum), or any printable ASCII characters (printableascii).
case Restricts the character case to uppercase only; otherwise, the case is mixed. Restricting alphabetic characters to uppercase significantly reduces the number of possible PINs (the size of the PIN space). Use case with gen.
objectclass Specifies the object class, if any, the tool should add to the authentication directory. By default, this is pinPerson.
attribute Specifies the authentication directory attribute to which PINs should be published. The default is to use pin, the new attribute added to the authentication directory schema.
hash Specifies the message digest algorithm with which to hash the PINs before storing them in the authentication directory. If SHA-1 or MD5 is used, set an output file for storing PINs in plain text. A user needs the PINs in plain text for delivering them to end entities. The default is sha1, which produces a 160-bit message digest. md5 produces a 128-bit message digest. none does not hash the PINs.
saltattribute Specifies the LDAP attribute to use for salt creation. If an attribute is set, the tool integrates the value of the attribute with each PIN and hashes the resulting string with the hash routine. The default is to use the entry DN. For details, refer to Section 7.2.3, “How PINs Are Stored in the Directory”.
input Specifies the file that contains the list of DNs to process. If this is used, the tool compares the DNs matched by the filter to the ones in the input file and generates PINs only for the DNs that appear in both.
output Specifies the absolute path to the file to write the PINs as setpin generates them. If a file is not set, then the output is written to the standard output. Regardless of whether an output file is set, all error messages are directed to the standard error.
write Sets whether the tool should write PINs to the directory. If specified, the PINs are written to the directory as they are generated. Otherwise, the tool does not make any changes to the directory. Do not write PINs to the directory if the PINs are to be checked first. The PINs can be viewed in the output file to make sure that they are being assigned to the correct users and that they conform to the length and character restrictions. For more information, see Section 7.2.2, “Output File”.
clobber Overwrites pre-existing PINs, if any, associated with a DN. If this option is not used, any existing PINs are left in the directory.
testpingen Tests the PIN-generation mode. count sets the total number of PINs to generate for testing.
debug Writes debugging information to the standard error. If debug=attrs is specified, the tool writes more detailed information about each entry in the directory.
optfile Sets the tool to read options, one per line, from a file. This allows all arguments to be put in a file, instead of typing them at the command line. One configuration file, setpin.conf, is located in the /usr/lib/rhpki/native-tools directory.
setup Switches to setup mode, which allows the tool to add to the directory schema.
pinmanager Specifies the PIN manager user that has permission to remove the PIN for the basedn specified. Used with the setup option.
pinmanagerpwd Gives the password for the PIN manager user. Used with the setup option.
schemachange Allows schema modifications to the directory schema attribute set in the attribute option (the default is pin) and object class set in the objectclass option (the default is pinPerson). Used with setup.

Table 7.1.
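The following Python model is an added example and is not the setpin tool's own code: it shows how the options in the table above interact (length versus minlength/maxlength, gen with case, input narrowing the filter's hits, clobber, and hash with saltattribute) and what a run produces for the output file versus the directory. Everything not stated in the table is an assumption and is marked as such in the comments: the exact membership of printableascii, the treatment of one-sided length ranges, the order in which the salt and PIN are concatenated before hashing (Section 7.2.3 is authoritative for the real format), and the sample directory entries.

```python
import hashlib
import math
import secrets
import string

# Character sets behind the gen= option. The three names are the page's; the exact
# membership of "printableascii" (here 0x21..0x7E, i.e. no space) is an assumption.
CHARSETS = {
    "RNG-alpha": string.ascii_letters,
    "RNG-alphanum": string.ascii_letters + string.digits,
    "printableascii": "".join(chr(c) for c in range(0x21, 0x7F)),
}


def charset(gen="RNG-alphanum", case=None):
    """Resolve gen= and case= to the alphabet PINs are drawn from."""
    chars = CHARSETS[gen]
    if case == "upperonly":
        # Assumption: upperonly drops lowercase letters and keeps digits/punctuation.
        chars = "".join(c for c in chars if not c.islower())
    return chars


def length_range(length=None, minlength=None, maxlength=None):
    """Turn length= / minlength= / maxlength= into an inclusive (lo, hi) range."""
    if length is not None and (minlength is not None or maxlength is not None):
        raise ValueError("length cannot be combined with minlength or maxlength")
    if length is not None:
        return (length, length)
    if minlength is None and maxlength is None:
        return (6, 6)  # the documented default length
    lo = minlength if minlength is not None else 6          # assumption for one-sided ranges
    hi = maxlength if maxlength is not None else max(lo, 6)  # assumption for one-sided ranges
    if lo > hi:
        raise ValueError("minlength exceeds maxlength")
    return (lo, hi)


def space_bits(chars, length):
    """log2 of the number of distinct PINs; shows what case=upperonly costs."""
    return length * math.log2(len(chars))


def generate_pin(chars, lo, hi):
    """Draw a PIN from a CSPRNG; its length is uniform in [lo, hi]."""
    n = lo + secrets.randbelow(hi - lo + 1)
    return "".join(secrets.choice(chars) for _ in range(n))


def hash_pin(pin, alg="sha1", salt=""):
    """Hash a PIN as hash= and saltattribute= describe.

    Assumption: the salt value is prepended to the PIN before hashing."""
    if alg == "none":
        return pin
    if alg not in ("sha1", "md5"):
        raise ValueError("hash must be sha1, md5 or none")
    return hashlib.new(alg, (salt + pin).encode("utf-8")).hexdigest()


def select_dns(filtered_dns, input_dns=None):
    """input= restricts the filter's hits to DNs that are also listed in the input file."""
    if input_dns is None:
        return list(filtered_dns)
    wanted = set(input_dns)
    return [dn for dn in filtered_dns if dn in wanted]


def assign_pins(entries, dns, *, gen="RNG-alphanum", case=None, length=None,
                minlength=None, maxlength=None, alg="sha1", saltattribute=None,
                attribute="pin", clobber=False):
    """Return (plain_pins, directory_updates) for the chosen DNs.

    plain_pins is what output= receives; directory_updates is what write would push.
    Entries that already carry the attribute are skipped unless clobber is set."""
    chars = charset(gen, case)
    lo, hi = length_range(length, minlength, maxlength)
    plain, updates = {}, {}
    for dn in dns:
        entry = entries[dn]
        if attribute in entry and not clobber:
            continue
        pin = generate_pin(chars, lo, hi)
        salt = entry[saltattribute] if saltattribute else dn  # default salt: the entry DN
        plain[dn] = pin
        updates[dn] = {attribute: hash_pin(pin, alg, salt)}
    return plain, updates


# Constructed sample directory entries (not from the page); bob already has a PIN.
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "mail": "alice@example.com"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "mail": "bob@example.com", "pin": "old"},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "mail": "carol@example.com"},
}

if __name__ == "__main__":
    # Filter matched all three entries; the input file lists only alice and bob.
    dns = select_dns(SAMPLE_ENTRIES, input_dns=["uid=alice,ou=people,dc=example,dc=com",
                                                "uid=bob,ou=people,dc=example,dc=com"])
    plain, updates = assign_pins(SAMPLE_ENTRIES, dns, gen="RNG-alpha", case="upperonly", length=8)
    for dn, pin in plain.items():  # bob is skipped: existing PIN and no clobber
        print(f"{dn}\t{pin}\t{updates[dn]}")
    print("bits, mixed case:", round(space_bits(charset("RNG-alpha"), 8), 1))
    print("bits, upper only:", round(space_bits(charset("RNG-alpha", "upperonly"), 8), 1))
```

The two bit counts printed at the end quantify the table's warning about case=upperonly: for an 8-character alphabetic PIN the space shrinks from 52^8 to 26^8, a loss of 8 bits. The plain/updates split mirrors the workflow the write row recommends: review the plain-text output first, and push the hashed values only once they look right.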