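#!/usr/bin/env bash
# ==== What? =====
# Setup of RHDS (Red Hat Directory Server) on RHEL6, just for testing.
#
# This is a recipe to paste from one section at a time as root, not a
# script to run end to end: several steps are interactive (rhn_register,
# alternatives, setup-ds-admin.pl, the certutil CA prompts, the IDM
# console). Host/instance used throughout: rhel6u7a.fluxcoil.net with
# suffix dc=fluxcoil,dc=net -- adjust to your environment.

# ===== RHDS setup on rhel6 =====
# setup rhel6u7: raise the open-file limit the directory server wants.
# Both appends are guarded so re-running the recipe does not add
# duplicate lines.
grep -qF -- '* - nofile 8192' /etc/security/limits.conf \
  || echo '* - nofile 8192' >>/etc/security/limits.conf
# NOTE(review): on RHEL6 system-auth is generated by authconfig and
# usually already loads pam_limits -- check before appending.
grep -q 'pam_limits.so' /etc/pam.d/system-auth \
  || echo 'session required /lib/security/$ISA/pam_limits.so' \
       >>/etc/pam.d/system-auth
rhn_register
rhn-channel -a -c rhel-x86_64-server-6-rhdirserv-9
yum install -y java-1.6.0-openjdk
/usr/sbin/alternatives --config java
yum install -y redhat-ds
# Interactive. The Directory Manager (cn=Directory Manager) password
# chosen here is the all-powerful root DN; pick a strong one even for
# a test box, it is used in the clear below.
/usr/sbin/setup-ds-admin.pl
chkconfig dirsrv on
chkconfig dirsrv-admin on

# requirements to start the idm-console over X forwarding:
yum -y install 'xorg-x11-font*' xauth
# log out and in again to get x-forwarding working

# This was on rhel5; since rhel6 the mozldap client utils are not shipped:
# echo 'export PATH=/usr/lib64/mozldap/:$PATH' >>/etc/profile
# For now use the openldap client tools. Anonymous search first:
ldapsearch -x -b dc=fluxcoil,dc=net '(cn=*)'
# Authenticated search. TLS is not configured yet, so this simple bind
# sends the Directory Manager password in clear text over :389 -- only
# acceptable because it stays on localhost.
ldapsearch -x -b dc=fluxcoil,dc=net -D 'cn=Directory Manager' -W '(cn=*)'

# lets fill in some data (wget needs the full URL the LDIF is served from)
wget ldap_initial_datasets_rhds.ldif
ldapadd -x -D 'cn=Directory Manager' -W -f ldap_initial_datasets_rhds.ldif

# ===== setting up ssl/tls =====
cd /etc/dirsrv/slapd-* || exit 1
# Back up the instance config before touching the NSS database.
# dse.ldif in here carries the Directory Manager password hash, so the
# archive must not be world-readable: mktemp creates it mode 0600
# under an unpredictable name instead of a fixed /tmp/db-backup.tar.
backup=$(mktemp /tmp/db-backup.XXXXXX) || exit 1
tar -cf "$backup" .
# The NSS database password is only needed by certutil (run as root);
# keep it in a 0600 temp file and remove it once the certs exist.
# It must match the password written to pin.txt further down.
pwdfile=$(mktemp) || exit 1
echo secret >"$pwdfile"
certutil -N -d . -f "$pwdfile"
# Self-signed CA (-x), valid 120 months; -2 prompts for the basic
# constraints, answer that it is a CA. -t "CT,," trusts it for server
# and client auth.
certutil -S -n "CA certificate" \
  -s "cn=My Org CA cert,dc=example,dc=com" -2 -x -t "CT,," \
  -m 1000 -v 120 -d . -k rsa -f "$pwdfile"
# Server certificate signed by that CA. -8 adds a DNS subjectAltName;
# strict TLS clients match the hostname against the SAN, not the CN.
certutil -S -n "Server-Cert" -s "cn=rhel6u7a.fluxcoil.net" \
  -8 "rhel6u7a.fluxcoil.net" \
  -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . \
  -k rsa -f "$pwdfile"
rm -f -- "$pwdfile"
certutil -d . -L -n "CA certificate" -a > cacert.asc
openssl x509 -in cacert.asc -noout -text
# pin.txt lets ns-slapd open the key DB unattended at start-up. It holds
# the DB password in clear, hence 0400 (umask 377) and owned by the
# dirsrv user -- nobody with the default setup-ds-admin.pl answers.
(umask 377; echo 'Internal (Software) Token:secret' >pin.txt)
chown nobody:nobody pin.txt
# verify currently we only listen on :389
netstat -ntlp | grep -E ':(389|636) '
# login with 'cn=Directory Manager' / $chosenpassword,
# then activate encryption. The console talks plain HTTP to the admin
# server on :9830 -- fine against localhost; do not point it at a
# remote host across an untrusted network.
/usr/bin/redhat-idm-console -a http://localhost:9830
# click "Directory Server", open
# configuration, encryption, "enable SSL for this server"
# "use this cipher family: RSA", save
# here activate ssl, then close the console
service dirsrv restart
# verify we now listen at :636 additionally
netstat -ntlp | grep -E ':(389|636) '

# ===== using ssl/tls as client =====
# create the hashes, we will be using the
# cacert /etc/dirsrv/slapd-*/cacert.asc
cacertdir_rehash /etc/dirsrv/slapd-*/
# now configure the openldap client utilities to use the cacert.
# Note: "sed -ie" (as originally written) is -i with backup suffix "e"
# and leaves a stray /etc/openldap/ldap.confe behind; -i -e is meant.
sed -i -e 's,^TLS_CACERTDIR,#TLS_CACERTDIR,' /etc/openldap/ldap.conf
# the instance directory is named after the host; adjust if yours differs
echo 'TLS_CACERTDIR /etc/dirsrv/slapd-rhel6u7a' >>/etc/openldap/ldap.conf
# now verify tls works: -ZZ makes StartTLS mandatory, so a failed
# handshake aborts instead of silently continuing in clear text
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel6u7a.fluxcoil.net -ZZ '(cn=*)'

# ===== setting users passwords =====
# now with the secured connection, setting passwords works.
# -S prompts for the new password instead of passing it on the command
# line (-s), where it shows up in ps output and the shell history.
ldappasswd -x -h rhel6u7a.fluxcoil.net -D 'cn=Directory Manager' \
  -W -S -ZZ cn=user0,ou=users,dc=fluxcoil,dc=net
ldappasswd -x -h rhel6u7a.fluxcoil.net -D 'cn=Directory Manager' \
  -W -S -ZZ cn=user1,ou=users,dc=fluxcoil,dc=net
# verify bind with new password works (-W prompts instead of -w on argv).
# -h is given explicitly: the server cert is issued for
# rhel6u7a.fluxcoil.net, so StartTLS against a bare "localhost" would
# fail the hostname check.
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel6u7a.fluxcoil.net \
  -D 'cn=user0,ou=users,dc=fluxcoil,dc=net' -W -ZZ '(cn=*)'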