Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The LDAP Pass Through Authentication Handler may be used to pass through authentication attempts to an external LDAP directory server. Similar functionality is already available through the original pass-through authentication plugin, but using this handler in conjunction with the pluggable pass-through authentication plugin may allow for additional functionality.
The LDAP Pass Through Authentication Handler component inherits from the Pass Through Authentication Handler
The following components have a direct aggregation relation from LDAP Pass Through Authentication Handlers:
The properties supported by this managed object are as follows:
Description | A description for this Pass Through Authentication Handler |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The base DNs for the local users whose authentication attempts may be passed through to the external authentication service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the external authentication service. If no base DNs are specified, then only the associated pass-through authentication plugin's set of included local entry base DNs will be used. |
Default Value | None |
Allowed Values | A valid DN. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A reference to connection criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a connection criteria object is specified, then only bind requests from clients that match this criteria may be passed through to the external authentication service. If no connection criteria object is specified, then bind requests from any client may be passed through. |
Default Value | None |
Allowed Values | The DN of any Connection Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A reference to request criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a request criteria object is specified, then only bind requests that match this criteria may be passed through to the external authentication service. If no request criteria object is specified, then all bind requests may be passed through. |
Default Value | None |
Allowed Values | The DN of any Request Criteria. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the LDAP external server(s) to which authentication attempts should be forwarded. |
Default Value | None |
Allowed Values | The DN of any LDAP External Server. |
Multi-Valued | Yes |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the manner in which external servers should be used for pass-through authentication attempts if multiple servers are defined. |
Default Value | round-robin |
Allowed Values | round-robin - Bind attempts to external servers should be spread evenly across all defined external servers (in a location-aware manner if appropriate). Any single bind request will only be attempted on multiple servers if earlier attempts were to a server that was unavailable. failover-on-unavailable - All bind attempts will be sent to the same server (in a location-aware manner if appropriate) and will only be attempted on other servers if the primary server is unavailable. failover-on-any-failure - All bind attempts will be sent to the same server (in a location-aware manner if appropriate). In the event that the first server is unavailable, or if the bind attempt fails on that server, then it will be attempted on the next server in the list, and binds will be re-tried on different servers until all servers have been exhausted. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Specifies one or more DN mappings that may be used to transform bind DNs before attempting to bind to the external servers. Note that while there is a significant amount of overlap between the capabilities of the dn-map and bind-dn-pattern properties, there are also key differences between them. Both mechanisms can be used to construct the bind DN to use to authenticate to an external server using a combination of static text and attribute values from the target user's entry. However, a DN map can also use information from the original bind DN in constructing the remote bind DN, while a bind DN pattern can be used if you need to construct a remote bind DN that is not actually a valid LDAP distinguished name (e.g., if you want ot use a user principal name to authenticate to an Active Directory server). At most one of the dn-map, bind-dn-pattern, and search-filter-pattern properties may be present in the configuration. If none of these properties is present, then the bind DN used in the original bind request will also be used as the bind DN when authenticating to the remote server. |
Default Value | None |
Allowed Values | The DN of any DN Map. |
Multi-Valued | Yes |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A pattern to use to construct the bind DN for the simple bind request to send to the remote server. This may consist of a combination of static text and attribute values and other directives enclosed in curly braces. For example, the value "cn={cn},ou=People,dc=example,dc=com" indicates that the remote bind DN should be constructed from the text "cn=" followed by the value of the local entry's cn attribute followed by the text "ou=People,dc=example,dc=com". If an attribute contains the value to use as the bind DN for pass-through authentication, then the pattern may simply be the name of that attribute in curly braces (e.g., if the seeAlso attribute contains the bind DN for the target user, then a bind DN pattern of "{seeAlso}" would be appropriate). Note that a bind DN pattern can be used to construct a bind DN that is not actually a valid LDAP distinguished name. For example, if authentication is being passed through to a Microsoft Active Directory server, then a bind DN pattern could be used to construct a user principal name (UPN) as an alternative to a distinguished name. Note that while there is a significant amount of overlap between the capabilities of the dn-map and bind-dn-pattern properties, there are also key differences between them. Both mechanisms can be used to construct the bind DN to use to authenticate to an external server using a combination of static text and attribute values from the target user's entry. However, a DN map can also use information from the original bind DN in constructing the remote bind DN, while a bind DN pattern can be used if you need to construct a remote bind DN that is not actually a valid LDAP distinguished name (e.g., if you want ot use a user principal name to authenticate to an Active Directory server). By default, any text provided in the bind-dn-pattern is copied verbatim into the constructed bind DN, with the exception of attribute names embedded in curly braces. Attributes are substituted using the value from the local server's copy of the entry of the user trying to authenticate (e.g., '{uid}' will be replaced with the value of the uid attribute). Each referenced attribute should have exactly one value. If any of the attributes is missing, or if any of the attributes has multiple values, then the bind DN pattern construction will fail. To include the '{' character in the constructed value, use '{{' in the bind DN pattern. Likewise, using '}}' in the pattern will cause '}' to appear in the constructed DN. Furthermore, a regular expression with a substitution pattern can be used to further manipulate an individual attribute value. The java.util.regex.Pattern and java.util.regex.Matcher classes are used to perform the substitution. The regular expression with replacement value uses this syntax '{attr-name:/regex/replacement/flags}'. 'attr-name' is an attribute name such as 'cn'. 'regex' is a regular expression using the syntax described in the java.util.regex.Pattern javadoc. The optional flags value can also be used to change how this regular expression is interpreted. 'replacement' is a replacement value that is passed to the java.util.regex.Matcher#replaceFirst or java.util.regex.Matcher#replaceAll method to perform the replacement. The 'g' (global) flag controls whether replaceFirst or replaceAll is called. 'flags' is an optional set of single character flags that control how the regular expression is interpreted and how the replacement is performed. The flags are:
Pattern pattern = Pattern.compile(regex, flagsMask); To apply modifiers to the values extracted, append ':' and then the name of the modifier to apply. For example, if attribute 'uid' is to be included in a bind DN pattern, but the value should be explicitly converted to uppercase, then you could use a pattern like: 'uid={uid:upperCase},ou=People,dc=example,dc=com'. The modifiers are:
At most one of the dn-map, bind-dn-pattern, and search-filter-pattern properties may be present in the configuration. If none of these properties is present, then the bind DN used in the original bind request will also be used as the bind DN when authenticating to the remote server. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | The base DN to use when searching for the user entry using a filter constructed from the pattern defined in the search-filter-pattern property. If no base DN is specified, the null DN will be used as the search base DN. |
Default Value | The null DN will be used as the search base DN. |
Allowed Values | A valid DN. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | A pattern to use to construct a filter to use when searching an external server for the entry of the user as whom to bind. For example, "(mail={uid:ldapFilterEscape}@example.com)" would construct a search filter to search for a user whose entry in the local server contains a uid attribute whose value appears before "@example.com" in the mail attribute in the external server. Note that the "ldapFilterEscape" modifier should almost always be used with attributes specified in the pattern. By default, any text provided in the search-filter-pattern is copied verbatim into the constructed filter, with the exception of attribute names embedded in curly braces. Attributes are substituted using the value from the local server's copy of the entry of the user trying to authenticate (e.g., '{uid}' will be replaced with the value of the uid attribute). At most one referenced attribute may be multivalued in the local copy of the user's entry. If one attribute is multivalued then the target value will be multivalued with the same number of values minus any duplicates. For example a mapping of '{givenName} {sn}' would produce values ['Jim Smith', 'James Smith'] if givenName had values of ['Jim', 'James'] and sn had a value of 'Smith'. If the source entry has no value or if there are multiple multivalued attributes, the filter construction will fail. To include the '{' character in the constructed value, use '{{' in the filter pattern. Likewise, using '}}' in the pattern will cause '}' to appear in the constructed filter. Furthermore, a regular expression with a substitution pattern can be used to further manipulate an individual attribute value. The java.util.regex.Pattern and java.util.regex.Matcher classes are used to perform the substitution. The regular expression with replacement value uses this syntax '{attr-name:/regex/replacement/flags}'. 'attr-name' is an attribute name such as 'cn'. 'regex' is a regular expression using the syntax described in the java.util.regex.Pattern javadoc. The optional flags value can also be used to change how this regular expression is interpreted. 'replacement' is a replacement value that is passed to the java.util.regex.Matcher#replaceFirst or java.util.regex.Matcher#replaceAll method to perform the replacement. The 'g' (global) flag controls whether replaceFirst or replaceAll is called. 'flags' is an optional set of single character flags that control how the regular expression is interpreted and how the replacement is performed. The flags are:
Pattern pattern = Pattern.compile(regex, flagsMask); To apply modifiers to the values extracted, append ':' and then the name of the modifier to apply. For example, if attribute 'uid' is to be included in a search filter pattern, then modifier 'ldapFilterEscape' could be specified resulting in '(mail={uid:ldapFilterEscape}@example.com)' or '(mail={uid:/regex/replacement/flags:ldapFilterEscape}@example.com)' if a regular expression is to be used. The modifiers are:
At most one of the dn-map, bind-dn-pattern, and search-filter-pattern properties may be present in the configuration. If none of these properties is present, then the bind DN used in the original bind request will also be used as the bind DN when authenticating to the remote server. |
Default Value | None |
Allowed Values | A string |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the initial number of connections to establish to each external server against which authentication may be attempted. |
Default Value | 1 |
Allowed Values | An integer value. Lower limit is 1. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Specifies the maximum number of connections to maintain to each external server against which authentication may be attempted. This value must be greater than or equal to the value for the initial-connections property. |
Default Value | 10 |
Allowed Values | An integer value. Lower limit is 1. |
Multi-Valued | No |
Required | Yes |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether to take server locations into account when prioritizing the servers to use for pass-through authentication attempts. If this is true, and if this Directory Server is configured with a location, then external servers in the same location as this Directory Server will be prioritized over those in the most preferred failover location, which will be preferred over those in the second-most preferred failover location, and so on. Any servers without a location, or with a location that is not configured as a failover location for the location used by this Directory Server, will be prioritized last. If this is false, or if this Directory Server is not configured with a location, then all servers will be considered to have the same priority. |
Default Value | true |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-allowed-local-response-time
Description | The maximum length of time to wait for a response from an external server in the same location as this Directory Server before considering it unavailable. This timeout will only be used if use-location is true, if both this Directory Server and the target external server are configured with a location, and if the location for both is the same. |
Default Value | 1000 milliseconds |
Allowed Values | A duration. Lower limit is 1 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
maximum-allowed-nonlocal-response-time
Description | The maximum length of time to wait for a response from an external server in a different location from this Directory Server before considering it unavailable. This timeout will be used if use-location is false, if either this Directory Server or the target external server is not configured with a location, or if their configured locations are not the same. |
Default Value | 5 seconds |
Allowed Values | A duration. Lower limit is 1 milliseconds. |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
Description | Indicates whether to include the password policy request control (as defined in draft-behera-ldap-password-policy-10) in bind requests sent to the external server. If the external server supports this control, it may make it possible for this LDAP Pass Through Authentication Handler to better certain types of authentication failure conditions. If no value is specified for this property, then the control will be used if and only if the external server's root DSE advertises support for it. |
Default Value | The control will be used if and only if the external server's root DSE advertises support for it. |
Allowed Values | true false |
Multi-Valued | No |
Required | No |
Admin Action Required | None. Modification requires no further action |
To list the configured Pass Through Authentication Handlers:
dsconfig list-pass-through-authentication-handlers [--property {propertyName}] ...
To view the configuration for an existing Pass Through Authentication Handler:
dsconfig get-pass-through-authentication-handler-prop --handler-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
To update the configuration for an existing Pass Through Authentication Handler:
dsconfig set-pass-through-authentication-handler-prop --handler-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new LDAP Pass Through Authentication Handler:
dsconfig create-pass-through-authentication-handler --handler-name {name} --type ldap --set server:{propertyValue} [--set {propertyName}:{propertyValue}] ...
To delete an existing Pass Through Authentication Handler:
dsconfig delete-pass-through-authentication-handler --handler-name {name}