Sun Directory Server Enterprise Edition 7.0 Administration Guide

Specifying Multiple Servers and Subtrees

You may configure the PTA plug-in with multiple arguments to specify multiple authenticating servers, multiple PTA subtrees, or both. Each argument contains one LDAP URL and may have its own set of connection options.

When there are multiple authenticating servers for the same PTA subtree, they act as failover servers. The plug-in will establish connections to them in the order listed whenever a PTA connection reaches the timeout limit. If all connections time out, the authentication fails.

When multiple PTA subtrees are defined, the plug-in passes the authentication request through to the corresponding server according to the bind DN. The following example shows four PTA plug-in arguments that define two PTA subtrees, each with a failover server for authentication and server-specific connection parameters:


$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\
 argument:"ldaps://configdir.example.com/o=example.com\
 10,10,60,3,300"
$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\
 argument+:"ldaps://configbak.example.com/o=example.com\
 10,10,60,3,300"
$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\
 argument+:"ldaps://east.example.com/ou=East,ou=People,dc=example,dc=com\
 10,10,60,3,300"
$ dsconf set-plugin-prop -h PTAhost -p port "Pass Through Authentication"\
 argument+:"ldaps://eastbak.example.com/ou=East,ou=People,dc=example,dc=com\
 10,10,60,3,300"
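The following sketch is an added example, not part of the original guide or of the product. It parses PTA argument values like the four above, groups them into per-subtree failover lists in the order listed, shows which servers a given bind DN would be passed to, and reports any server reached over `ldap://` instead of `ldaps://`, where the forwarded bind credentials would travel unencrypted. The function names, the simplified DN comparison (no escaped commas) and the longest-match rule for overlapping subtrees are assumptions of this example.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the four argument values from the example above.
SAMPLE_ARGS = [
    "ldaps://configdir.example.com/o=example.com 10,10,60,3,300",
    "ldaps://configbak.example.com/o=example.com 10,10,60,3,300",
    "ldaps://east.example.com/ou=East,ou=People,dc=example,dc=com 10,10,60,3,300",
    "ldaps://eastbak.example.com/ou=East,ou=People,dc=example,dc=com 10,10,60,3,300",
]

def dn_parts(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def parse_argument(value):
    """Split one argument into its LDAP URL parts and its options string."""
    url, _, options = value.strip().partition(" ")
    parts = urlsplit(url)
    subtree = unquote(parts.path.lstrip("/"))
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname or not subtree:
        raise ValueError(f"not a PTA LDAP URL with a subtree: {url!r}")
    return {"scheme": parts.scheme, "host": parts.netloc,
            "subtree": subtree, "options": options.strip()}

def failover_plan(values):
    """Map each PTA subtree to its servers, kept in the order listed."""
    plan = {}
    for value in values:
        arg = parse_argument(value)
        plan.setdefault(tuple(dn_parts(arg["subtree"])), []).append(arg)
    return plan

def servers_for(bind_dn, plan):
    """Servers tried in order for bind_dn; [] means no PTA subtree matches."""
    dn = dn_parts(bind_dn)
    matches = [k for k in plan if len(k) <= len(dn) and dn[len(dn) - len(k):] == list(k)]
    if not matches:
        return []
    # Assumption of this sketch: the most specific subtree wins on overlap.
    return [arg["host"] for arg in plan[max(matches, key=len)]]

def cleartext_servers(plan):
    """Hosts configured with ldap://, i.e. credentials forwarded without TLS."""
    return [a["host"] for args in plan.values() for a in args if a["scheme"] != "ldaps"]

if __name__ == "__main__":
    plan = failover_plan(SAMPLE_ARGS)
    print(servers_for("uid=bjensen,ou=East,ou=People,dc=example,dc=com", plan))
    print("cleartext:", cleartext_servers(plan))
```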