Sun Directory Server Enterprise Edition 7.0 Administration Guide

Pass-Through Authentication

Pass-through authentication (PTA) is a mechanism by which bind requests are filtered by bind DN. One Directory Server (the delegator) receives the bind request and, based on the filter, can consult another Directory Server (the delegate) to authenticate bind requests. As part of this functionality, the PTA plug-in enables the delegator Directory Server to accept simple password-based bind operations for entries that are not necessarily stored in its local database.

PTA Plug-In and DSCC

The PTA plug-in is also used by DSCC for private communication with the server. When a server instance is registered in DSCC, the PTA plug-in is enabled and the DSCC URL is added as an argument.

$ dsconf get-plugin-prop -h host -p port "Pass Through Authentication"

argument          :  ldap://dscc_host:3998/cn=dscc
depends-on-named  :
depends-on-type   :
desc              :  pass through authentication plugin
enabled           :  on
feature           :  passthruauth
init-func         :  passthruauth_init
lib-path          :  install-path/lib/
type              :  preoperation
vendor            :  Sun Microsystems, Inc.
version           :  7.0 

Note –

If your server is registered in DSCC and you need to use PTA, you must preserve the following settings while modifying the PTA plug-in.

If the PTA plug-in is disabled or the DSCC URL is removed from the argument, the server instance will appear as inaccessible in DSCC. If this happens, DSCC will automatically give you the option of resetting the PTA plug-in.

You can also fix this problem by unregistering and registering the Directory Server instance into DSCC. To perform these operations, you can use either DSCC or the dsccreg remove-server and dsccreg add-server commands. For more information about the dsccreg command, see dsccreg(1M).

Configuring the PTA Plug-in

PTA plug-in configuration information is specified in the cn=Pass Through Authentication,cn=plugins,cn=config entry on the PTA server.

The PTA plug-in is a system plug-in, which is disabled by default. It can be enabled and setup using the dsconf command or using DSCC.

Setting up the PTA Plug-In

  1. Run the following dsconf commands:

    $ dsconf enable-plugin -h PTAhost -p port "Pass Through Authentication"
    $ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication" \
    argument:"ldap[s]://authenticatingHost[:port]/PTAsubtree options"

    The plug-in argument specifies the LDAP URL identifying the hostname of the authenticating directory server, an optional port, and the PTA subtree. If no port is specified, the default port is 389 with LDAP and 636 with LDAPS. You may also set the optional connection parameters described in the following sections. If the PTAsubtree exists in the PTAhost, the plug-in will not pass the bind request to the authenticatingHost, and the bind will be processed locally without any pass-through.

  2. Restart the server as described in Starting, Stopping, and Restarting a Directory Server Instance.

Configuring PTA to Use a Secure Connection

Because the PTA plug-in must send bind credentials including the password to the authenticating directory, we recommend using a secure connection. To configure the PTA directory to communicate with the authenticating directory over SSL:

Setting the Optional Connection Parameters

The PTA plug-in arguments accept a set of optional connection parameters after the LDAP URL:

http[s]://host:port/subtree [maxconns,maxops,timeout,ldapver,connlife]

The parameters must be given in the order shown. Although these parameters are optional, if you specify one of them, you must specify them all. If you do not want to customize all parameters, specify their default values given below. Make sure there is a space between the subtree parameter and the optional parameters.

You can configure the following optional parameters for each LDAP URL:

Note –

While setting the argument property using the dsconf command, put the value in double quotes to protect spaces. For example:

dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\

Specifying Multiple Servers and Subtrees

You may configure the PTA plug-in with multiple arguments to specify multiple authenticating servers, multiple PTA subtrees, or both. Each argument contains one LDAP URL and may have its own set of connection options.

When there are multiple authenticating servers for the same PTA subtree, they act as failover servers. The plug-in will establish connections to them in the order listed whenever a PTA connection reaches the timeout limit. If all connections time out, the authentication fails.

When there are multiple PTA subtrees defined, the plug-in will pass-through the authentication request to the corresponding server according to the bind DN. The following example shows four PTA plug-in arguments that define two PTA subtrees, each with a failover server for authentication and server-specific connection parameters:

$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\
$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\
$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\
$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\