The Pass Through Authentication Plugin may be used to allow simple bind attempts to be passed through to an external LDAP server. It may be used to either pass through all authentication attempts instead of processing them locally, or to only pass through attempts if a local bind attempt fails. In the event that a local bind fails but a passed-through attempt succeeds, then it may optionally update the local password to match the successful remote attempt.
If multiple external servers are defined, then the server-access-mode property may be used to indicate how servers are selected. If the Directory Server and all associated external servers all have locations defined, then the selection process will favor external servers in the same location as the Directory Server, and then remote servers in the order specified by the preferred-failover-location property for the location used by this Directory Server.
↓Parent Component
↓Relations from This Component
↓Properties
↓dsconfig Usage
The Pass Through Authentication Plugin component inherits from the Plugin
The following components have a direct aggregation relation from Pass Through Authentication Plugins:
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ description | ↓ plugin-type |
| ↓ enabled | ↓ invoke-for-internal-operations |
| ↓ server | ↓ connection-criteria |
| ↓ try-local-bind | ↓ request-criteria |
| ↓ override-local-password | |
| ↓ update-local-password | |
| ↓ allow-lax-pass-through-authentication-passwords | |
| ↓ server-access-mode | |
| ↓ dn-map | |
| ↓ search-base-dn | |
| ↓ search-filter-pattern | |
| ↓ initial-connections | |
| ↓ max-connections |
| Description | A description for this Plugin |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the plug-in is enabled for use. |
| Default Value | None |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the LDAP external server(s) to which authentication attempts should be forwarded. |
| Default Value | None |
| Allowed Values | The DN of any LDAP External Server. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the bind attempt should first be attempted against the local server. Depending on the value of the override-local-password property, the bind attempt may then be attempted against a remote server if the local bind fails. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the bind attempt should be attempted against a remote server in the event that the local bind fails but the local password is present. This option will only be used if the try-local-bind property has a value of "true". |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Indicates whether the local password value should be updated to the value used in the bind request in the event that the local bind fails but the remote bind succeeds. This option will only be used if the try-local-bind property has a value of "true". |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
allow-lax-pass-through-authentication-passwords
| Description | Indicates whether updates to the local password value should accept passwords that do not meet password policy constraints. This option will only be used if the try-local-bind property is true and the update-local-password property is true. Setting this property to true will allow the local password to be updated even if the pass through authentication password does not meet all of the password policy constraints, for example, the password strength or password history requirements. Setting this property to false and attempting a bind with a pass through authentication password causing an update to the local password where the password does not meet local password policy constraints will result in a failure to bind. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the manner in which external servers should be used for pass-through authentication attempts if multiple servers are defined. |
| Default Value | round-robin |
| Allowed Values | round-robin - Bind attempts to external servers should be spread evenly across all defined external servers (in a location-aware manner if appropriate). Any single bind request will only be attempted on multiple servers if earlier attempts were to a server that was unavailable. failover-on-unavailable - All bind attempts will be sent to the same server (in a location-aware manner if appropriate) and will only be attempted on other servers if the primary server is unavailable. failover-on-any-failure - All bind attempts will be sent to the same server (in a location-aware manner if appropriate). In the event that the first server is unavailable, or if the bind attempt fails on that server, then it will be attempted on the next server in the list, and binds will be re-tried on different servers until all servers have been exhausted. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies one or more DN mappings that may be used to transform bind DNs before attempting to bind to the external servers. It is not possible to configure both a DN map and a search filter pattern. If a DN map is configured, it will be used to construct the DN of the entry to use when binding to an external server. If a search filter pattern is configured, it will be used to search for the entry of the user as whom to bind. If neither a DN map nor a filter pattern is defined, then user accounts are expected to have the same DN in the local server and the external servers. |
| Default Value | None |
| Allowed Values | The DN of any DN Map. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | The base DN to use when searching for the user entry using a filter constructed from the pattern defined in the search-filter-pattern property. If no base DN is specified, the null DN will be used as the search base DN. |
| Default Value | The null DN will be used as the search base DN. |
| Allowed Values | A valid DN. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | A pattern to use to construct a filter to use when searching an external server for the entry of the user as whom to bind. For example, "(mail={uid}@example.com)" would construct a search filter to search for a user whose entry in the local server contains a uid attribute whose value appears before "@example.com" in the mail attribute in the external server. By default, any text provided in the search-filter-pattern is copied verbatim into the constructed filter, with the exception of attribute names embedded in curly braces. Attributes are substituted using the value from the local server's copy of the entry of the user trying to authenticate (e.g., '{uid}' will be replaced with the value of the uid attribute). Each referenced attribute must have exactly one value in the local copy of the user's entry, and filter construction will fail if the local user's does not contain the specified attribute or has multiple values for that attribute. To include the '{' character in the constructed value, use '{{' in the filter pattern. Likewise, using '}}' in the pattern will cause '}' to appear in the constructed filter. Furthermore, a regular expression with a substitution pattern can be used to further manipulate an individual attribute value. The java.util.regex.Pattern and java.util.regex.Matcher classes are used to perform the substitution. The regular expression with replacement value uses this syntax '{attr-name:/regex/replacement/flags}'. 'attr-name' is an attribute name such as 'cn'. 'regex' is a regular expression using the syntax described in the java.util.regex.Pattern javadoc. The optional flags value can also be used to change how this regular expression is interpreted. 'replacement' is a replacement value that is passed to the java.util.regex.Matcher#replaceFirst or java.util.regex.Matcher#replaceAll method to perform the replacement. The 'g' (global) flag controls whether replaceFirst or replaceAll is called.
Pattern pattern = Pattern.compile(regex, flagsMask); Here is an example to summarize these points. Suppose the external server has a uid attribute whose value is the users' first initial, last initial, and employee number. For example, a user named John Smith with employee number 12345 would have a uid value of js12345. If the local server uses the givenName attribute to hold first names, the sn attribute to hold last names, and the employeeNumber attribute to hold employee numbers, then a pattern of '(uid={givenname:/^(.)(.*)/$1/s}{sn:/^(.)(.*)/$1/s}{employeeNumber})' would yield an appropriate filter to use to search for a user in the external server. The '^(.).*' regular expression used for the givenName and sn attributes matches the entire value and stores the initial character in the $1 variable, which used for the replacement. (The 's' flag is used to guard against the unlikely event that the user's 'givenname' or 'sn' attribute includes a newline character.) It is not possible to configure both a DN map and a search filter pattern. If a DN map is configured, it will be used to construct the DN of the entry to use when binding to an external server. If a search filter pattern is configured, it will be used to search for the entry of the user as whom to bind. If neither a DN map nor a filter pattern is defined, then user accounts are expected to have the same DN in the local server and the external servers. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the initial number of connections to establish to each external server against which authentication may be attempted. |
| Default Value | 1 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Description | Specifies the maximum number of connections to maintain to each external server against which authentication may be attempted. This value must be greater than or equal to the value for the initial-connections property. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
plugin-type (Advanced Property)
| Description | Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked. |
| Default Value | preoperationbind postoperationbind |
| Allowed Values | startup - Invoked during the Directory Server startup process. shutdown - Invoked during a graceful Directory Server shutdown. postconnect - Invoked whenever a new connection is established to the server. postdisconnect - Invoked whenever an existing connection is terminated (by either the client or the server). ldifimport - Invoked for each entry read during an LDIF import. ldifexport - Invoked for each operation to be written during an LDIF export. preparseabandon - Invoked prior to parsing an abandon request. preparseadd - Invoked prior to parsing an add request. preparsebind - Invoked prior to parsing a bind request. preparsecompare - Invoked prior to parsing a compare request. preparsedelete - Invoked prior to parsing a delete request. preparseextended - Invoked prior to parsing an extended request. preparsemodify - Invoked prior to parsing a modify request. preparsemodifydn - Invoked prior to parsing a modify DN request. preparsesearch - Invoked prior to parsing a search request. preparseunbind - Invoked prior to parsing an unbind request. preoperationadd - Invoked prior to performing the core add processing. preoperationbind - Invoked prior to performing the core bind processing. preoperationcompare - Invoked prior to performing the core compare processing. preoperationdelete - Invoked prior to performing the core delete processing. preoperationextended - Invoked prior to performing the core extended processing. preoperationmodify - Invoked prior to performing the core modify processing. preoperationmodifydn - Invoked prior to performing the core modify DN processing. preoperationsearch - Invoked prior to performing the core search processing. postoperationabandon - Invoked after completing the abandon processing. postoperationadd - Invoked after completing the core add processing but before sending the response to the client. postoperationbind - Invoked after completing the core bind processing but before sending the response to the client. postoperationcompare - Invoked after completing the core compare processing but before sending the response to the client. postoperationdelete - Invoked after completing the core delete processing but before sending the response to the client. postoperationextended - Invoked after completing the core extended processing but before sending the response to the client. postoperationmodify - Invoked after completing the core modify processing but before sending the response to the client. postoperationmodifydn - Invoked after completing the core modify DN processing but before sending the response to the client. postoperationsearch - Invoked after completing the core search processing but before sending the response to the client. postoperationunbind - Invoked after completing the unbind processing. preresponseadd - Invoked just before sending the add response to the client. preresponsebind - Invoked just before sending the bind response to the client. preresponsecompare - Invoked just before sending the compare response to the client. preresponsedelete - Invoked just before sending the delete response to the client. preresponseextended - Invoked just before sending the extended response to the client. preresponsemodify - Invoked just before sending the modify response to the client. preresponsemodifydn - Invoked just before sending the modify DN response to the client. preresponsesearch - Invoked just before sending the search result done response to the client. postresponseadd - Invoked after sending the add response to the client. postresponsebind - Invoked after sending the bind response to the client. postresponsecompare - Invoked after sending the compare response to the client. postresponsedelete - Invoked after sending the delete response to the client. postresponseextended - Invoked after sending the extended response to the client. postresponsemodify - Invoked after sending the modify response to the client. postresponsemodifydn - Invoked after sending the modify DN response to the client. postresponsesearch - Invoked after sending the search result done message to the client. postsynchronizationadd - Invoked after completing post-synchronization processing for an add operation. postsynchronizationdelete - Invoked after completing post-synchronization processing for a delete operation. postsynchronizationmodify - Invoked after completing post-synchronization processing for a modify operation. postsynchronizationmodifydn - Invoked after completing post-synchronization processing for a modify DN operation. searchresultentry - Invoked before sending a search result entry to the client. searchresultreference - Invoked before sending a search result reference to the client. subordinatemodifydn - Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation. intermediateresponse - Invoked before sending an intermediate response message to the client. |
| Multi-Valued | Yes |
| Required | Yes |
| Admin Action Required | The Pass Through Authentication Plugin must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server |
invoke-for-internal-operations (Advanced Property)
| Description | Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
connection-criteria (Advanced Property)
| Description | Specifies a set of connection criteria that must match the client associated with the bind request for the bind to be passed through to an alternate server. |
| Default Value | None |
| Allowed Values | The DN of any Connection Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
request-criteria (Advanced Property)
| Description | Specifies a set of request criteria that must match the bind request for the bind to be passed through to an alternate server. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Plugins:
dsconfig list-plugins
[--property {propertyName}] ...
To view the configuration for an existing Plugin:
dsconfig get-plugin-prop
--plugin-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing Plugin:
dsconfig set-plugin-prop
--plugin-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Pass Through Authentication Plugin:
dsconfig create-plugin
--plugin-name {name}
--type pass-through-authentication
--set enabled:{propertyValue}
--set server:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing Plugin:
dsconfig delete-plugin
--plugin-name {name}