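# ===== What? =====
# Setup of RHDS (Red Hat Directory Server) on RHEL 7, just for testing.
# This is a runbook of commands to be executed step by step as root, not a
# script to run unattended: several steps are interactive (setup-ds-admin.pl,
# certutil -2, the idm-console) and one section changes directory.

# ===== RHDS setup on rhel7 =====
# setup rhel7u2: raise the open-file limit the directory server needs
echo '* - nofile 8192' >>/etc/security/limits.conf
echo 'session required /lib/security/$ISA/pam_limits.so' >> \
  /etc/pam.d/system-auth
subscription-manager register --autosubscribe
subscription-manager repos --list
subscription-manager repos --disable='*' \
  --enable=rhel-7-server-rpms \
  --enable=rhel-7-server-rhds-10-rpms
yum install -y redhat-ds
/usr/sbin/setup-ds-admin.pl
systemctl enable dirsrv-admin
systemctl start dirsrv-admin
# the instance unit is named after the identifier chosen in setup-ds-admin.pl;
# if "dirsrv@$(hostname)" does not exist, look it up with: ls /etc/dirsrv/
systemctl enable "dirsrv@$(hostname)"
systemctl start "dirsrv@$(hostname)"

# requirements to start the idm-console:
yum -y install 'xorg-x11-font*' xauth
# log out and in again to get x-forwarding working
# to run the console
/usr/bin/redhat-idm-console -a http://localhost:9830

# for now using openldap client tools, test ldapsearch
ldapsearch -x -b dc=fluxcoil,dc=net '(cn=*)'
ldapsearch -x -b dc=fluxcoil,dc=net -D 'cn=Directory Manager' -W '(cn=*)'

# lets fill in some data
# -f makes curl fail on an HTTP error instead of saving the error page as ldif
curl -f -o ldap_initial_datasets_rhds.ldif \
  https://fluxcoil.net/files/puppet_scripts/ldap_initial_datasets_rhds.ldif
ldapadd -x -D 'cn=Directory Manager' -W -f ldap_initial_datasets_rhds.ldif

# ===== setting up ssl/tls =====
# the glob must match exactly one instance directory; pwd shows where we ended up
cd /etc/dirsrv/slapd-* && pwd
# the backup contains dse.ldif (including the root DN password hash),
# so create it without world-read permissions
(umask 077; tar -cf /tmp/db-backup.tar -- *)
# NSS database password; replace 'secret' with a real value (the same value
# goes into pin.txt below). The file is only needed while running certutil.
(umask 377; echo secret >/tmp/pwdfile)
chown nobody /tmp/pwdfile
certutil -N -d . -f /tmp/pwdfile
certutil -S -n "CA certificate" \
  -s "cn=My Org CA cert,dc=example,dc=com" -2 -x -t "CT,," \
  -m 1000 -v 120 -d . -k rsa -f /tmp/pwdfile
certutil -S -n "Server-Cert" -s "cn=rhel7u2a.fluxcoil.net" \
  -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . \
  -k rsa -f /tmp/pwdfile
# the password file is not needed any more; do not leave it lying in /tmp
rm -f -- /tmp/pwdfile
certutil -d . -L -n "CA certificate" -a > cacert.asc
openssl x509 -in cacert.asc -noout -text
# pin file so the instance can open the NSS db on restart without prompting
(umask 377; echo 'Internal (Software) Token:secret' >pin.txt)
chown nobody:nobody pin.txt
# verify currently we only listen on :389
netstat -ntlp
# login with 'cn=Directory Manager' / $chosenpassword,
# then activate encryption:
/usr/bin/redhat-idm-console -a http://localhost:9830
# click "Directory Server", open
# configuration, encryption, "enable SSL for this server"
# "use this cipher family: RSA", save
# then close the console
# restart instance
systemctl restart "dirsrv@$(hostname)"
# verify we now listen at :636 additionally
netstat -ntlp

# ===== using ssl/tls as client =====
# create the hashes, we will be using the
# cacert /etc/dirsrv/slapd-*/cacert.asc from RHDS
cp /etc/dirsrv/slapd-*/cacert.asc /etc/openldap/certs
cacertdir_rehash /etc/openldap/certs
# now configure the openldap client utilities to use the cacert.
# -i.bak keeps a backup as ldap.conf.bak; note that "-ie" would be parsed
# as -i with backup suffix "e" and leave a stray ldap.confe behind.
sed -i.bak -e 's,^TLS_CACERTDIR,#TLS_CACERTDIR,' /etc/openldap/ldap.conf
echo 'TLS_CACERT /etc/openldap/certs/cacert.asc' >>/etc/openldap/ldap.conf
# now verify tls works; -ZZ makes the search fail instead of falling back
# to a cleartext connection
ldapsearch -x -b dc=fluxcoil,dc=net -h rhel7u2a.fluxcoil.net -ZZ '(cn=*)'

# ===== setting users passwords =====
# now with the secured connection, setting passwords works.
# -S prompts for the new password; passing it with -s <password> would
# record it in the shell history and expose it in ps output to other users.
ldappasswd -x -h rhel7u2a.fluxcoil.net -D 'cn=Directory Manager' \
  -W -S -ZZ cn=user0,ou=users,dc=fluxcoil,dc=net
ldappasswd -x -h rhel7u2a.fluxcoil.net -D 'cn=Directory Manager' \
  -W -S -ZZ cn=user1,ou=users,dc=fluxcoil,dc=net
# verify bind with new password works (-W prompts for it instead of -w <password>)
ldapsearch -x -b dc=fluxcoil,dc=net \
  -D 'cn=user0,ou=users,dc=fluxcoil,dc=net' -W -ZZ '(cn=*)'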