Aggregate Pass Through Authentication Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

Aggregate Pass Through Authentication Handlers provide a mechanism for invoking one or more other pass-through authentication handlers in the course of processing a single operation.

Ideally, each subordinate pass-through authentication handler should be configured with mutually exclusive sets of criteria and/or included base DNs so that each bind request is applicable to at most one of the subordinate handlers. If there are cases in which a single bind request might need to be evaluated by multiple pass-through authentication handlers, then the continue-on-failure-type property must be configured so that at least certain types of failure from an earlier handler are temporarily overlooked, in the hope that a subsequent handler will be able to process the request correctly.

Pass-through authentication processing for this handler will try the subordinate handlers in the order in which they are configured. It will use the following logic for processing an authentication attempt:

  1. If the current subordinate authentication handler is not applicable to the bind operation being processed (for example, if the target user is not below an included base DN for the handler, or if the bind operation does not match the connection or request criteria configured for the handler), then the subordinate handler will be skipped and the next one in the list will be evaluated.
  2. If the current subordinate authentication handler completes with a successful authentication, then its result will be used.
  3. If the current subordinate authentication handler fails with a result that is not included in the set of values for the continue-on-failure-type property, then its result will be used.
  4. If the current subordinate authentication handler fails with a result that is included in the set of values for the continue-on-failure-type property, then its result will be collected in a list and the next subordinate handler in the list will be attempted.
  5. If all of the subordinate authentication handlers have been exhausted and all of the handlers were skipped because they were not applicable for the bind operation (that is, no failures were encountered), then bind processing will proceed as if the pluggable pass-through authentication plugin had not been enabled.
  6. If all of the subordinate authentication handlers have been exhausted and all of the failures encountered were of the same type (which must have been in the set of continue-on-failure-type values), then the authentication attempt will fail with that reason and the failure message will be an aggregate of all of the subordinate failures.
  7. If all of the subordinate authentication handlers have been exhausted and there were multiple failure types, then the authentication attempt will fail with a failure result code of "other-failure" and the failure message will be an aggregate of all of the subordinate failures.
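The seven steps above are easiest to reason about by running them. The following is an added, stand-alone model of the dispatch logic written for this page; it is not the directory server's own code. The handler, bind request and outcome types, the "svc-a"/"svc-b"/"svc-c" handler names, the user table and the "ou=People,dc=example,dc=com" base DN are all constructed for illustration, and only the included-base-DN check is modelled for applicability (connection and request criteria are omitted).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Failure types, using the names from the continue-on-failure-type allowed values.
NO_SUCH_USER = "no-such-user"
WRONG_PASSWORD = "wrong-password"
EXTERNAL_SERVICE_UNAVAILABLE = "external-service-unavailable"
OTHER_FAILURE = "other-failure"


@dataclass
class BindRequest:
    dn: str        # DN of the local entry being bound as
    password: str  # credential presented by the client


@dataclass
class Outcome:
    status: str                         # "success", "failure" or "not-handled"
    failure_type: Optional[str] = None  # a failure type above when status == "failure"
    message: str = ""


@dataclass
class SubordinateHandler:
    name: str
    included_base_dns: List[str]
    authenticate: Callable[[BindRequest], Outcome]

    def applies_to(self, req: BindRequest) -> bool:
        # Step 1: applicable only if the target DN is at or below an included base DN.
        dn = req.dn.lower()
        return any(dn == b.lower() or dn.endswith("," + b.lower())
                   for b in self.included_base_dns)


def aggregate_authenticate(handlers: List[SubordinateHandler],
                           continue_on_failure_types: set,
                           req: BindRequest) -> Outcome:
    """Try subordinate handlers in configured order, applying steps 1-7."""
    collected = []  # continuable failures: (handler name, failure type, message)
    for h in handlers:
        if not h.applies_to(req):
            continue                                    # step 1: skip
        out = h.authenticate(req)
        if out.status == "success":
            return out                                  # step 2: first success wins
        if out.failure_type not in continue_on_failure_types:
            return Outcome("failure", out.failure_type,
                           f"{h.name}: {out.message}")  # step 3: non-continuable failure
        collected.append((h.name, out.failure_type, out.message))  # step 4: remember, go on
    if not collected:
        # step 5: nothing applied, so the bind proceeds as if pass-through were not enabled
        return Outcome("not-handled", message="no applicable subordinate handler")
    aggregate = "; ".join(f"{name}: {msg}" for name, _, msg in collected)
    types = {ftype for _, ftype, _ in collected}
    if len(types) == 1:
        return Outcome("failure", types.pop(), aggregate)  # step 6: one failure type
    return Outcome("failure", OTHER_FAILURE, aggregate)     # step 7: mixed failure types


def external_service(users: Dict[str, str]) -> Callable[[BindRequest], Outcome]:
    """Constructed stand-in for an external authentication service with a fixed user table."""
    def authenticate(req: BindRequest) -> Outcome:
        if req.dn not in users:
            return Outcome("failure", NO_SUCH_USER, "no such user")
        if users[req.dn] != req.password:
            return Outcome("failure", WRONG_PASSWORD, "wrong password")
        return Outcome("success", message="authenticated")
    return authenticate


def unavailable_service(req: BindRequest) -> Outcome:
    """Constructed stand-in for an external service that cannot be reached."""
    return Outcome("failure", EXTERNAL_SERVICE_UNAVAILABLE, "connection refused")


# Constructed configuration: two services covering the same base DN with disjoint
# user populations, plus a third service that is down.
BASE = "ou=People,dc=example,dc=com"
HANDLER_A = SubordinateHandler("svc-a", [BASE], external_service(
    {"uid=alice,ou=People,dc=example,dc=com": "alice-pw"}))
HANDLER_B = SubordinateHandler("svc-b", [BASE], external_service(
    {"uid=bob,ou=People,dc=example,dc=com": "bob-pw"}))
HANDLER_C = SubordinateHandler("svc-c", [BASE], unavailable_service)
CONTINUE_TYPES = {NO_SUCH_USER, EXTERNAL_SERVICE_UNAVAILABLE}

if __name__ == "__main__":
    for dn, pw in [("uid=alice,ou=People,dc=example,dc=com", "alice-pw"),
                   ("uid=bob,ou=People,dc=example,dc=com", "bob-pw"),
                   ("uid=alice,ou=People,dc=example,dc=com", "bad"),
                   ("uid=carol,ou=People,dc=example,dc=com", "x"),
                   ("uid=dave,ou=Other,dc=example,dc=com", "x")]:
        r = aggregate_authenticate([HANDLER_A, HANDLER_B, HANDLER_C], CONTINUE_TYPES,
                                   BindRequest(dn, pw))
        print(f"{dn}: {r.status} {r.failure_type or ''} {r.message}")
```

Running the model shows why the ordering and the continue-on-failure-type set matter: bob is only known to the second service, so his bind succeeds only because no-such-user from the first service is continuable; a wrong password for alice stops at the first handler because wrong-password is not in the set; an unknown user collects no-such-user twice and external-service-unavailable once, which is mixed and therefore reported as other-failure, whereas the same bind against only the first two handlers fails with no-such-user.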


Parent Component

The Aggregate Pass Through Authentication Handler component inherits from the Pass Through Authentication Handler

Relations from This Component

The following components have a direct aggregation relation from Aggregate Pass Through Authentication Handlers:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 included-local-entry-base-dn
 connection-criteria
 request-criteria
 subordinate-pass-through-authentication-handler
 continue-on-failure-type

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Pass Through Authentication Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

included-local-entry-base-dn

Description
The base DNs for the local users whose authentication attempts may be passed through to the external authentication service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the external authentication service.
If no base DNs are specified, then only the associated pass-through authentication plugin's set of included local entry base DNs will be used.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

connection-criteria

Description
A reference to connection criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the external authentication service. If no connection criteria object is specified, then bind requests from any client may be passed through.
Default Value
None
Allowed Values
The DN of any Connection Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

request-criteria

Description
A reference to request criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the external authentication service. If no request criteria object is specified, then all bind requests may be passed through.
Default Value
None
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

subordinate-pass-through-authentication-handler

Description
The set of subordinate pass-through authentication handlers that may be used to perform the authentication processing. Handlers will be invoked in order until one is found for which the bind operation matches the associated criteria and either succeeds or fails in a manner that should not be ignored.
Default Value
None
Allowed Values
The DN of any Pass Through Authentication Handler.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

continue-on-failure-type

Description
The set of pass-through authentication failure types that should not result in an immediate failure, but should instead allow the aggregate handler to proceed with the next configured subordinate handler. Note that in some cases, it may not be possible to determine the exact nature of a pass-through authentication failure. For example, a standards-compliant LDAP server will return the same result code (49, invalid credentials) for a variety of cases, including when the target user doesn't exist, when the provided password is incorrect, or when the target user's account is locked, disabled, or in an otherwise unusable state.
Default Value
None
Allowed Values
no-such-user - The failure type that will be used if the subordinate handler can determine that the target user does not exist in the associated external service.

wrong-password - The failure type that will be used if the subordinate handler can determine that the authentication attempt failed because the incorrect password was provided for the user in the associated external service.

must-change-password - The failure type that will be used if the subordinate handler can determine that the user's password must be changed in the associated external service before the user will be allowed to perform any other operations.

account-not-usable - The failure type that will be used if the subordinate handler can determine that the user's account is not in a usable state (e.g., the account is locked or administratively disabled, the password is expired, etc.) in the associated external service.

non-specific-authentication-failure - The failure type that will be used if the subordinate handler reports that the pass-through authentication attempt failed in the external service, but the specific reason for the failure could not be determined.

external-service-error - The failure type that will be used if the subordinate handler encountered an unexpected error while attempting to process the authentication attempt in the external service.

external-service-unavailable - The failure type that will be used if the subordinate handler determined that the external service is not currently available.

timeout - The failure type that will be used if the subordinate handler encountered a timeout while attempting to communicate with the external service.

other-failure - The failure type that will be used if the subordinate handler encountered some kind of error that does not fit into any other defined category.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Pass Through Authentication Handlers:

dsconfig list-pass-through-authentication-handlers
     [--property {propertyName}] ...

To view the configuration for an existing Pass Through Authentication Handler:

dsconfig get-pass-through-authentication-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Pass Through Authentication Handler:

dsconfig set-pass-through-authentication-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Aggregate Pass Through Authentication Handler:

dsconfig create-pass-through-authentication-handler
     --handler-name {name}
     --type aggregate
     --set subordinate-pass-through-authentication-handler:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Pass Through Authentication Handler:

dsconfig delete-pass-through-authentication-handler
     --handler-name {name}