The Pass Through Authentication Plugin may be used to allow simple bind attempts to be passed through to an external LDAP server. It may be used to either pass through all authentication attempts instead of processing them locally, or to only pass through attempts if a local bind attempt fails. In the event that a local bind fails but a passed-through attempt succeeds, then it may optionally update the local password to match the successful remote attempt.
If multiple external servers are defined, then the server-access-mode property may be used to indicate how servers are selected. If the Identity Data Store and all associated external servers all have locations defined, then the selection process will favor external servers in the same location as the Identity Data Store, and then remote servers in the order specified by the preferred-failover-location property for the location used by this Identity Data Store.
Parent Component

The Pass Through Authentication Plugin component inherits from the Plugin component.
Relations from This Component

The following components have a direct aggregation relation from Pass Through Authentication Plugins:
Properties

The properties supported by this managed object are as follows:
| Basic Properties | Advanced Properties |
|---|---|
| description | plugin-type |
| enabled | invoke-for-internal-operations |
| server | connection-criteria |
| try-local-bind | request-criteria |
| override-local-password | |
| update-local-password | |
| allow-lax-pass-through-authentication-passwords | |
| server-access-mode | |
| dn-map | |
| initial-connections | |
| max-connections | |
| description | |
|---|---|
| Description | A description for this Plugin |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| enabled | |
|---|---|
| Description | Indicates whether the plug-in is enabled for use. |
| Default Value | None |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| server | |
|---|---|
| Description | Specifies the LDAP external server(s) to which authentication attempts should be forwarded. |
| Default Value | None |
| Allowed Values | The DN of any LDAP External Server. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| try-local-bind | |
|---|---|
| Description | Indicates whether the bind attempt should first be attempted against the local server. Depending on the value of the override-local-password property, the bind attempt may then be attempted against a remote server if the local bind fails. |
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| override-local-password | |
|---|---|
| Description | Indicates whether the bind attempt should be attempted against a remote server in the event that the local bind fails but the local password is present. This option will only be used if the try-local-bind property has a value of "true". |
| Default Value | false |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| update-local-password | |
|---|---|
| Description | Indicates whether the local password value should be updated to the value used in the bind request in the event that the local bind fails but the remote bind succeeds. This option will only be used if the try-local-bind property has a value of "true". |
| Default Value | false |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| allow-lax-pass-through-authentication-passwords | |
|---|---|
| Description | Indicates whether updates to the local password value should accept passwords that do not meet password policy constraints. This option will only be used if the try-local-bind property is true and the update-local-password property is true. Setting this property to true will allow the local password to be updated even if the pass through authentication password does not meet all of the password policy constraints, for example, the password strength or password history requirements. Setting this property to false and attempting a bind with a pass through authentication password that causes an update to the local password where the password does not meet local password policy constraints will result in a failure to bind. |
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
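The four bind-flow properties above (try-local-bind, override-local-password, update-local-password and allow-lax-pass-through-authentication-passwords) interact in ways that are easy to misconfigure, so the following added example models one simple bind decision exactly as the property descriptions state it. It is illustration written for this page, not the product's own code; `remote_accepts` and `meets_local_policy` are assumed stand-ins for the external server's verdict and the local password policy.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Mirrors the four bind-flow properties; defaults match the page's Default Values.
@dataclass
class PtaConfig:
    try_local_bind: bool = True
    override_local_password: bool = False
    update_local_password: bool = False
    allow_lax_pass_through_authentication_passwords: bool = True

def pass_through_bind(cfg: PtaConfig, local_password: Optional[str],
                      bind_password: str, remote_accepts: Callable[[str], bool],
                      meets_local_policy: Callable[[str], bool]):
    """Return (bind_succeeded, server_that_decided, resulting_local_password).

    local_password is None when the entry stores no password locally.
    remote_accepts / meets_local_policy are assumed stand-ins, not a real API.
    """
    if cfg.try_local_bind:
        if local_password is not None and local_password == bind_password:
            return True, "local", local_password
        # Local bind failed while a local password IS present: the request is
        # forwarded only when override-local-password is true.
        if local_password is not None and not cfg.override_local_password:
            return False, "local", local_password
    if not remote_accepts(bind_password):
        return False, "remote", local_password
    # Remote bind succeeded; update-local-password only applies with try-local-bind.
    if cfg.try_local_bind and cfg.update_local_password:
        if (meets_local_policy(bind_password)
                or cfg.allow_lax_pass_through_authentication_passwords):
            return True, "remote", bind_password
        # Lax passwords disallowed and the local policy rejects it: the bind fails.
        return False, "remote", local_password
    return True, "remote", local_password

# Constructed stand-ins: the remote directory accepts two passwords, and the
# local policy requires at least 8 characters.
REMOTE_OK = lambda pw: pw in {"Correct-Horse-1", "short"}
POLICY = lambda pw: len(pw) >= 8
```

Note that with the defaults (override-local-password false) an entry that already holds a local password is never forwarded after a local mismatch, so a password changed only on the external server will keep failing locally until update-local-password and override-local-password are both enabled.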
| server-access-mode | |
|---|---|
| Description | Specifies the manner in which external servers should be used for pass-through authentication attempts if multiple servers are defined. |
| Default Value | round-robin |
| Allowed Values | round-robin, failover-on-unavailable, failover-on-any-failure (see below) |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |

| Value | Behaviour |
|---|---|
| round-robin | Bind attempts to external servers should be spread evenly across all defined external servers (in a location-aware manner if appropriate). Any single bind request will only be attempted on multiple servers if earlier attempts were to a server that was unavailable. |
| failover-on-unavailable | All bind attempts will be sent to the same server (in a location-aware manner if appropriate) and will only be attempted on other servers if the primary server is unavailable. |
| failover-on-any-failure | All bind attempts will be sent to the same server (in a location-aware manner if appropriate). In the event that the first server is unavailable, or if the bind attempt fails on that server, then it will be attempted on the next server in the list, and binds will be re-tried on different servers until all servers have been exhausted. |
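The following added example models how the three server-access-mode values, combined with the location preference described in the overview, determine which external servers a single bind is tried against. It is a constructed illustration for this page, not the product's selection code; `outcome` is an assumed stand-in for each server's response.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ExternalServer:
    name: str
    location: str

def ordered_candidates(mode, servers, local_location, preferred_failover, rr_counter=0):
    """Servers in the store's own location first, then the rest in
    preferred-failover-location order; round-robin rotates the local group."""
    rank = {loc: i for i, loc in enumerate(preferred_failover)}
    same = [s for s in servers if s.location == local_location]
    other = sorted((s for s in servers if s.location != local_location),
                   key=lambda s: rank.get(s.location, len(rank)))
    if mode == "round-robin" and same:
        k = rr_counter % len(same)
        same = same[k:] + same[:k]      # spread successive binds across the local group
    return same + other

def choose_server(mode, candidates, outcome):
    """outcome(server) -> "ok" | "fail" | "unavailable" (constructed stand-in).
    Returns (name of the server whose answer decided the bind, success)."""
    for s in candidates:
        result = outcome(s)
        if result == "ok":
            return s.name, True
        if result == "unavailable":
            continue                    # every mode moves on from an unreachable server
        if mode == "failover-on-any-failure":
            continue                    # this mode also moves on after a failed bind
        return s.name, False            # round-robin / failover-on-unavailable stop here
    return None, False

# Constructed topology: the Identity Data Store sits in dc1 and its location
# lists dc3 before dc2 in preferred-failover-location.
SERVERS = [ExternalServer("A", "dc1"), ExternalServer("B", "dc2"),
           ExternalServer("C", "dc1"), ExternalServer("D", "dc3")]
PREFERRED_FAILOVER = ["dc3", "dc2"]
# Constructed responses for one bind: A is down, C rejects the password, D accepts.
RESPONSES = {"A": "unavailable", "B": "ok", "C": "fail", "D": "ok"}
OUTCOME = lambda s: RESPONSES[s.name]
```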
| dn-map | |
|---|---|
| Description | Specifies one or more DN mappings that may be used to transform bind DNs before attempting to bind to backend servers. |
| Default Value | None |
| Allowed Values | The DN of any DN Map. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| initial-connections | |
|---|---|
| Description | Specifies the initial number of connections to establish to each external server against which authentication may be attempted. |
| Default Value | 1 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| max-connections | |
|---|---|
| Description | Specifies the maximum number of connections to maintain to each external server against which authentication may be attempted. This value must be greater than or equal to the value for the initial-connections property. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| plugin-type (Advanced Property) | |
|---|---|
| Description | Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked. |
| Default Value | preoperationbind, postoperationbind |
| Allowed Values | One or more of the plug-in types listed below |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | The Pass Through Authentication Plugin must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |

| Value | Invoked |
|---|---|
| startup | During the Identity Data Store startup process. |
| shutdown | During a graceful Identity Data Store shutdown. |
| postconnect | Whenever a new connection is established to the server. |
| postdisconnect | Whenever an existing connection is terminated (by either the client or the server). |
| ldifimport | For each entry read during an LDIF import. |
| ldifexport | For each operation to be written during an LDIF export. |
| preparseabandon | Prior to parsing an abandon request. |
| preparseadd | Prior to parsing an add request. |
| preparsebind | Prior to parsing a bind request. |
| preparsecompare | Prior to parsing a compare request. |
| preparsedelete | Prior to parsing a delete request. |
| preparseextended | Prior to parsing an extended request. |
| preparsemodify | Prior to parsing a modify request. |
| preparsemodifydn | Prior to parsing a modify DN request. |
| preparsesearch | Prior to parsing a search request. |
| preparseunbind | Prior to parsing an unbind request. |
| preoperationadd | Prior to performing the core add processing. |
| preoperationbind | Prior to performing the core bind processing. |
| preoperationcompare | Prior to performing the core compare processing. |
| preoperationdelete | Prior to performing the core delete processing. |
| preoperationextended | Prior to performing the core extended processing. |
| preoperationmodify | Prior to performing the core modify processing. |
| preoperationmodifydn | Prior to performing the core modify DN processing. |
| preoperationsearch | Prior to performing the core search processing. |
| postoperationabandon | After completing the abandon processing. |
| postoperationadd | After completing the core add processing but before sending the response to the client. |
| postoperationbind | After completing the core bind processing but before sending the response to the client. |
| postoperationcompare | After completing the core compare processing but before sending the response to the client. |
| postoperationdelete | After completing the core delete processing but before sending the response to the client. |
| postoperationextended | After completing the core extended processing but before sending the response to the client. |
| postoperationmodify | After completing the core modify processing but before sending the response to the client. |
| postoperationmodifydn | After completing the core modify DN processing but before sending the response to the client. |
| postoperationsearch | After completing the core search processing but before sending the response to the client. |
| postoperationunbind | After completing the unbind processing. |
| preresponseadd | Just before sending the add response to the client. |
| preresponsebind | Just before sending the bind response to the client. |
| preresponsecompare | Just before sending the compare response to the client. |
| preresponsedelete | Just before sending the delete response to the client. |
| preresponseextended | Just before sending the extended response to the client. |
| preresponsemodify | Just before sending the modify response to the client. |
| preresponsemodifydn | Just before sending the modify DN response to the client. |
| preresponsesearch | Just before sending the search result done response to the client. |
| postresponseadd | After sending the add response to the client. |
| postresponsebind | After sending the bind response to the client. |
| postresponsecompare | After sending the compare response to the client. |
| postresponsedelete | After sending the delete response to the client. |
| postresponseextended | After sending the extended response to the client. |
| postresponsemodify | After sending the modify response to the client. |
| postresponsemodifydn | After sending the modify DN response to the client. |
| postresponsesearch | After sending the search result done message to the client. |
| postsynchronizationadd | After completing post-synchronization processing for an add operation. |
| postsynchronizationdelete | After completing post-synchronization processing for a delete operation. |
| postsynchronizationmodify | After completing post-synchronization processing for a modify operation. |
| postsynchronizationmodifydn | After completing post-synchronization processing for a modify DN operation. |
| searchresultentry | Before sending a search result entry to the client. |
| searchresultreference | Before sending a search result reference to the client. |
| subordinatemodifydn | In the course of moving or renaming an entry subordinate to the target of a modify DN operation. |
| intermediateresponse | Before sending an intermediate response message to the client. |
| invoke-for-internal-operations (Advanced Property) | |
|---|---|
| Description | Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked. |
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| connection-criteria (Advanced Property) | |
|---|---|
| Description | Specifies a set of connection criteria that must match the client associated with the bind request for the bind to be passed through to an alternate server. |
| Default Value | None |
| Allowed Values | The DN of any Connection Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| request-criteria (Advanced Property) | |
|---|---|
| Description | Specifies a set of request criteria that must match the bind request for the bind to be passed through to an alternate server. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
dsconfig Usage

To list the configured Plugins:

```
dsconfig list-plugins [--property {propertyName}] ...
```

To view the configuration for an existing Plugin:

```
dsconfig get-plugin-prop --plugin-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the configuration for an existing Plugin:

```
dsconfig set-plugin-prop --plugin-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To create a new Pass Through Authentication Plugin:

```
dsconfig create-plugin --plugin-name {name} --type pass-through-authentication --set enabled:{propertyValue} --set server:{propertyValue} [--set {propertyName}:{propertyValue}] ...
```

To delete an existing Plugin:

```
dsconfig delete-plugin --plugin-name {name}
```