cn=Directory Manager is correct. dogtag uses client auth so bind DN
sent in the typical case either way.
"Can also be correct" would be more accurate wouldn't it?
Default value for CentOS is the pkidbuser DN. I'd be surprised if the Fedora packages
were that different here.
The cert is not needed in the 389-ds cert database. It uses
to map the cert that dogtag provides to an LDAP entry.
With 'verifycert on' in certmap.conf by default the cert is certainly needed in
LDAP isn't it?