LDAP Pass Through Authentication Handler

Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.

The LDAP Pass Through Authentication Handler may be used to pass through authentication attempts to an external LDAP directory server. Similar functionality is already available through the original pass-through authentication plugin, but using this handler in conjunction with the pluggable pass-through authentication plugin may allow for additional functionality.

Parent Component Relations from This Component Properties dsconfig Usage

Parent Component

The LDAP Pass Through Authentication Handler component inherits from the Pass Through Authentication Handler

Relations from This Component

The following components have a direct aggregation relation from LDAP Pass Through Authentication Handlers:

Properties

The properties supported by this managed object are as follows:


Basic Properties: Advanced Properties:
 description  None
 included-local-entry-base-dn
 connection-criteria
 request-criteria
 server
 server-access-mode
 dn-map
 bind-dn-pattern
 search-base-dn
 search-filter-pattern
 initial-connections
 max-connections
 use-location
 maximum-allowed-local-response-time
 maximum-allowed-nonlocal-response-time
 use-password-policy-control

Basic Properties

description

Description
A description for this Pass Through Authentication Handler
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

included-local-entry-base-dn

Description
The base DNs for the local users whose authentication attempts may be passed through to the external authentication service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the external authentication service.
If no base DNs are specified, then only the associated pass-through authentication plugin's set of included local entry base DNs will be used.
Default Value
None
Allowed Values
A valid DN.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

connection-criteria

Description
A reference to connection criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the external authentication service. If no connection criteria object is specified, then bind requests from any client may be passed through.
Default Value
None
Allowed Values
The DN of any Connection Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

request-criteria

Description
A reference to request criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the external authentication service. If no request criteria object is specified, then all bind requests may be passed through.
Default Value
None
Allowed Values
The DN of any Request Criteria.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

server

Description
Specifies the LDAP external server(s) to which authentication attempts should be forwarded.
Default Value
None
Allowed Values
The DN of any LDAP External Server.
Multi-Valued
Yes
Required
Yes
Admin Action Required
None. Modification requires no further action

server-access-mode

Description
Specifies the manner in which external servers should be used for pass-through authentication attempts if multiple servers are defined.
Default Value
round-robin
Allowed Values
round-robin - Bind attempts to external servers should be spread evenly across all defined external servers (in a location-aware manner if appropriate). Any single bind request will only be attempted on multiple servers if earlier attempts were to a server that was unavailable.

failover-on-unavailable - All bind attempts will be sent to the same server (in a location-aware manner if appropriate) and will only be attempted on other servers if the primary server is unavailable.

failover-on-any-failure - All bind attempts will be sent to the same server (in a location-aware manner if appropriate). In the event that the first server is unavailable, or if the bind attempt fails on that server, then it will be attempted on the next server in the list, and binds will be re-tried on different servers until all servers have been exhausted.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

dn-map

Description
Specifies one or more DN mappings that may be used to transform bind DNs before attempting to bind to the external servers. Note that while there is a significant amount of overlap between the capabilities of the dn-map and bind-dn-pattern properties, there are also key differences between them. Both mechanisms can be used to construct the bind DN to use to authenticate to an external server using a combination of static text and attribute values from the target user's entry. However, a DN map can also use information from the original bind DN in constructing the remote bind DN, while a bind DN pattern can be used if you need to construct a remote bind DN that is not actually a valid LDAP distinguished name (e.g., if you want ot use a user principal name to authenticate to an Active Directory server).

At most one of the dn-map, bind-dn-pattern, and search-filter-pattern properties may be present in the configuration. If none of these properties is present, then the bind DN used in the original bind request will also be used as the bind DN when authenticating to the remote server.

Default Value
None
Allowed Values
The DN of any DN Map.
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

bind-dn-pattern

Description
A pattern to use to construct the bind DN for the simple bind request to send to the remote server. This may consist of a combination of static text and attribute values and other directives enclosed in curly braces.

For example, the value "cn={cn},ou=People,dc=example,dc=com" indicates that the remote bind DN should be constructed from the text "cn=" followed by the value of the local entry's cn attribute followed by the text "ou=People,dc=example,dc=com". If an attribute contains the value to use as the bind DN for pass-through authentication, then the pattern may simply be the name of that attribute in curly braces (e.g., if the seeAlso attribute contains the bind DN for the target user, then a bind DN pattern of "{seeAlso}" would be appropriate).

Note that a bind DN pattern can be used to construct a bind DN that is not actually a valid LDAP distinguished name. For example, if authentication is being passed through to a Microsoft Active Directory server, then a bind DN pattern could be used to construct a user principal name (UPN) as an alternative to a distinguished name. Note that while there is a significant amount of overlap between the capabilities of the dn-map and bind-dn-pattern properties, there are also key differences between them. Both mechanisms can be used to construct the bind DN to use to authenticate to an external server using a combination of static text and attribute values from the target user's entry. However, a DN map can also use information from the original bind DN in constructing the remote bind DN, while a bind DN pattern can be used if you need to construct a remote bind DN that is not actually a valid LDAP distinguished name (e.g., if you want ot use a user principal name to authenticate to an Active Directory server).

By default, any text provided in the bind-dn-pattern is copied verbatim into the constructed bind DN, with the exception of attribute names embedded in curly braces. Attributes are substituted using the value from the local server's copy of the entry of the user trying to authenticate (e.g., '{uid}' will be replaced with the value of the uid attribute). Each referenced attribute should have exactly one value. If any of the attributes is missing, or if any of the attributes has multiple values, then the bind DN pattern construction will fail.

To include the '{' character in the constructed value, use '{{' in the bind DN pattern. Likewise, using '}}' in the pattern will cause '}' to appear in the constructed DN.

Furthermore, a regular expression with a substitution pattern can be used to further manipulate an individual attribute value. The java.util.regex.Pattern and java.util.regex.Matcher classes are used to perform the substitution. The regular expression with replacement value uses this syntax '{attr-name:/regex/replacement/flags}'.

'attr-name' is an attribute name such as 'cn'.

'regex' is a regular expression using the syntax described in the java.util.regex.Pattern javadoc. The optional flags value can also be used to change how this regular expression is interpreted.

'replacement' is a replacement value that is passed to the java.util.regex.Matcher#replaceFirst or java.util.regex.Matcher#replaceAll method to perform the replacement. The 'g' (global) flag controls whether replaceFirst or replaceAll is called.

'flags' is an optional set of single character flags that control how the regular expression is interpreted and how the replacement is performed. The flags are:

  • 'g' : Matcher#replaceAll is called instead of Matcher#replaceFirst to replace all matching values instead of just the first one.
  • 'i' : the regex pattern is compiled with Pattern.CASE_INSENSITIVE.
  • 'x' : the regex pattern is compiled with Pattern.COMMENTS.
  • 's' : the regex pattern is compiled with Pattern.DOTALL.
  • 'm' : the regex pattern is compiled with Pattern.MULTILINE.
  • 'u' : the regex pattern is compiled with Pattern.UNICODE_CASE.
  • 'd' : the regex pattern is compiled with Pattern.UNIX_LINES.
The substitution value is constructed using Java code equivalent to:

Pattern pattern = Pattern.compile(regex, flagsMask);
Matcher matcher = pattern.matcher(attributeValueInput);
String substitutionValueOutput = matcher.replaceFirst(replacement);

To apply modifiers to the values extracted, append ':' and then the name of the modifier to apply. For example, if attribute 'uid' is to be included in a bind DN pattern, but the value should be explicitly converted to uppercase, then you could use a pattern like: 'uid={uid:upperCase},ou=People,dc=example,dc=com'. The modifiers are:

  • 'lowerCase' : Convert text to lower case.
  • 'trim' : Remove leading and trailing whitespace.
  • 'upperCase' : Convert text to upper case.

At most one of the dn-map, bind-dn-pattern, and search-filter-pattern properties may be present in the configuration. If none of these properties is present, then the bind DN used in the original bind request will also be used as the bind DN when authenticating to the remote server.

Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-base-dn

Description
The base DN to use when searching for the user entry using a filter constructed from the pattern defined in the search-filter-pattern property. If no base DN is specified, the null DN will be used as the search base DN.
Default Value
The null DN will be used as the search base DN.
Allowed Values
A valid DN.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

search-filter-pattern

Description
A pattern to use to construct a filter to use when searching an external server for the entry of the user as whom to bind. For example, "(mail={uid:ldapFilterEscape}@example.com)" would construct a search filter to search for a user whose entry in the local server contains a uid attribute whose value appears before "@example.com" in the mail attribute in the external server. Note that the "ldapFilterEscape" modifier should almost always be used with attributes specified in the pattern. By default, any text provided in the search-filter-pattern is copied verbatim into the constructed filter, with the exception of attribute names embedded in curly braces. Attributes are substituted using the value from the local server's copy of the entry of the user trying to authenticate (e.g., '{uid}' will be replaced with the value of the uid attribute). At most one referenced attribute may be multivalued in the local copy of the user's entry. If one attribute is multivalued then the target value will be multivalued with the same number of values minus any duplicates. For example a mapping of '{givenName} {sn}' would produce values ['Jim Smith', 'James Smith'] if givenName had values of ['Jim', 'James'] and sn had a value of 'Smith'. If the source entry has no value or if there are multiple multivalued attributes, the filter construction will fail.

To include the '{' character in the constructed value, use '{{' in the filter pattern. Likewise, using '}}' in the pattern will cause '}' to appear in the constructed filter.

Furthermore, a regular expression with a substitution pattern can be used to further manipulate an individual attribute value. The java.util.regex.Pattern and java.util.regex.Matcher classes are used to perform the substitution. The regular expression with replacement value uses this syntax '{attr-name:/regex/replacement/flags}'.

'attr-name' is an attribute name such as 'cn'.

'regex' is a regular expression using the syntax described in the java.util.regex.Pattern javadoc. The optional flags value can also be used to change how this regular expression is interpreted.

'replacement' is a replacement value that is passed to the java.util.regex.Matcher#replaceFirst or java.util.regex.Matcher#replaceAll method to perform the replacement. The 'g' (global) flag controls whether replaceFirst or replaceAll is called.

'flags' is an optional set of single character flags that control how the regular expression is interpreted and how the replacement is performed. The flags are:

  • 'g' : Matcher#replaceAll is called instead of Matcher#replaceFirst to replace all matching values instead of just the first one.
  • 'i' : the regex pattern is compiled with Pattern.CASE_INSENSITIVE.
  • 'x' : the regex pattern is compiled with Pattern.COMMENTS.
  • 's' : the regex pattern is compiled with Pattern.DOTALL.
  • 'm' : the regex pattern is compiled with Pattern.MULTILINE.
  • 'u' : the regex pattern is compiled with Pattern.UNICODE_CASE.
  • 'd' : the regex pattern is compiled with Pattern.UNIX_LINES.
The substitution value is constructed using Java code equivalent to:

Pattern pattern = Pattern.compile(regex, flagsMask);
Matcher matcher = pattern.matcher(attributeValueInput);
String substitutionValueOutput = matcher.replaceFirst(replacement);

To apply modifiers to the values extracted, append ':' and then the name of the modifier to apply. For example, if attribute 'uid' is to be included in a search filter pattern, then modifier 'ldapFilterEscape' could be specified resulting in '(mail={uid:ldapFilterEscape}@example.com)' or '(mail={uid:/regex/replacement/flags:ldapFilterEscape}@example.com)' if a regular expression is to be used. The modifiers are:

  • 'ldapFilterEscape' : Escape text for use in an LDAP filter.
  • 'lowerCase' : Convert text to lower case.
  • 'trim' : Remove leading and trailing whitespace.
  • 'upperCase' : Convert text to upper case.
Here is an example to summarize these points. Suppose the external server has a uid attribute whose value is the users' first initial, last initial, and employee number. For example, a user named John Smith with employee number 12345 would have a uid value of js12345. If the local server uses the givenName attribute to hold first names, the sn attribute to hold last names, and the employeeNumber attribute to hold employee numbers, then a pattern of '(uid={givenname:/^(.)(.*)/$1/s}{sn:/^(.)(.*)/$1/s}{employeeNumber})' would yield an appropriate filter to use to search for a user in the external server. The '^(.).*' regular expression used for the givenName and sn attributes matches the entire value and stores the initial character in the $1 variable, which used for the replacement. (The 's' flag is used to guard against the unlikely event that the user's 'givenname' or 'sn' attribute includes a newline character.)

At most one of the dn-map, bind-dn-pattern, and search-filter-pattern properties may be present in the configuration. If none of these properties is present, then the bind DN used in the original bind request will also be used as the bind DN when authenticating to the remote server.

Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

initial-connections

Description
Specifies the initial number of connections to establish to each external server against which authentication may be attempted.
Default Value
1
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

max-connections

Description
Specifies the maximum number of connections to maintain to each external server against which authentication may be attempted. This value must be greater than or equal to the value for the initial-connections property.
Default Value
10
Allowed Values
An integer value. Lower limit is 1.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

use-location

Description
Indicates whether to take server locations into account when prioritizing the servers to use for pass-through authentication attempts. If this is true, and if this Directory Server is configured with a location, then external servers in the same location as this Directory Server will be prioritized over those in the most preferred failover location, which will be preferred over those in the second-most preferred failover location, and so on. Any servers without a location, or with a location that is not configured as a failover location for the location used by this Directory Server, will be prioritized last.
If this is false, or if this Directory Server is not configured with a location, then all servers will be considered to have the same priority.
Default Value
true
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

maximum-allowed-local-response-time

Description
The maximum length of time to wait for a response from an external server in the same location as this Directory Server before considering it unavailable. This timeout will only be used if use-location is true, if both this Directory Server and the target external server are configured with a location, and if the location for both is the same.
Default Value
1000 milliseconds
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

maximum-allowed-nonlocal-response-time

Description
The maximum length of time to wait for a response from an external server in a different location from this Directory Server before considering it unavailable. This timeout will be used if use-location is false, if either this Directory Server or the target external server is not configured with a location, or if their configured locations are not the same.
Default Value
5 seconds
Allowed Values
A duration. Lower limit is 1 milliseconds.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

use-password-policy-control

Description
Indicates whether to include the password policy request control (as defined in draft-behera-ldap-password-policy-10) in bind requests sent to the external server. If the external server supports this control, it may make it possible for this LDAP Pass Through Authentication Handler to better certain types of authentication failure conditions. If no value is specified for this property, then the control will be used if and only if the external server's root DSE advertises support for it.
Default Value
The control will be used if and only if the external server's root DSE advertises support for it.
Allowed Values
true
false
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Pass Through Authentication Handlers:

dsconfig list-pass-through-authentication-handlers
     [--property {propertyName}] ...

To view the configuration for an existing Pass Through Authentication Handler:

dsconfig get-pass-through-authentication-handler-prop
     --handler-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Pass Through Authentication Handler:

dsconfig set-pass-through-authentication-handler-prop
     --handler-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new LDAP Pass Through Authentication Handler:

dsconfig create-pass-through-authentication-handler
     --handler-name {name}
     --type ldap
     --set server:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Pass Through Authentication Handler:

dsconfig delete-pass-through-authentication-handler
     --handler-name {name}