The Pluggable Pass Through Authentication Plugin provides the ability for a local user to authenticate with a password from an account in an external service. Interaction with that service is controlled by a pass-through authentication handler. Only simple bind operations are supported.
Only one instance of this plugin may be active in the server at any time. It cannot be used in conjunction with other pass-through authentication plugins, including the original LDAP pass-through authentication plugin, the PingOne pass-through authentication plugin, or another instance of the pluggable pass-through authentication plugin. If you need multiple types of pass-through authentication active in the server at one time, use the aggregate pass-through authentication handler.
Depending on the configuration, the authentication may be attempted only in that external service (if try-local-bind is false), or it may be attempted locally first and only forwarded to the external service if the local attempt fails (if try-local-bind is true).
If local authentication is attempted first, it may optionally allow authentication even in cases where the local account is in certain unusable states (for example, if the user's password is expired or their account is locked as a result of too many failed attempts).
Also, if local authentication is attempted first, and if the authentication attempt ultimately succeeds in the external service, the local account may optionally be updated with the provided password.
The Pluggable Pass Through Authentication Plugin component inherits from the Plugin
The following components have a direct aggregation relation from Pluggable Pass Through Authentication Plugins:
The properties supported by this managed object are as follows:
description

| Field | Value |
|---|---|
| Description | A description for this Plugin |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
enabled

| Field | Value |
|---|---|
| Description | Indicates whether the plug-in is enabled for use. |
| Default Value | None |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
pass-through-authentication-handler

| Field | Value |
|---|---|
| Description | The component used to manage authentication with the external authentication service. |
| Default Value | None |
| Allowed Values | The DN of any Pass Through Authentication Handler. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
base-dn

| Field | Value |
|---|---|
| Description | The base DNs for the local users whose authentication attempts may be passed through to the external authentication service. If one or more base DNs are specified, then only binds attempted by users at or below one of those base DNs may be passed through to the external authentication service. If no base DNs are specified, then all public naming contexts will be used as the default set of base DNs. |
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
connection-criteria

| Field | Value |
|---|---|
| Description | A reference to connection criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a connection criteria object is specified, then only bind requests from clients that match those criteria may be passed through to the external authentication service. If no connection criteria object is specified, then bind requests from any client may be passed through. |
| Default Value | None |
| Allowed Values | The DN of any Connection Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
request-criteria

| Field | Value |
|---|---|
| Description | A reference to request criteria that will be used to indicate which bind requests should be passed through to the external authentication service. If a request criteria object is specified, then only bind requests that match those criteria may be passed through to the external authentication service. If no request criteria object is specified, then all bind requests may be passed through. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
try-local-bind

| Field | Value |
|---|---|
| Description | Indicates whether to attempt the bind in the local server first and only send the request to the external authentication service if the local bind attempt fails, or to only attempt the bind in the external service. |
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
override-local-password

| Field | Value |
|---|---|
| Description | Indicates whether to attempt the authentication in the external service if the local user entry includes a password. This property will be ignored if try-local-bind is false. If this property has a value of false, then authentication attempts will only be forwarded to the external service for users who don't have a local password, and bind attempts for users with a local password will only be attempted locally. If this property has a value of true, then authentication attempts will be forwarded to the external service if the local attempt fails, even if the local entry has a password. |
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
update-local-password

| Field | Value |
|---|---|
| Description | Indicates whether to overwrite the user's local password if the local bind fails but the authentication attempt succeeds when attempted in the external service. This property may only be set to true if try-local-bind is also true. If update-local-password is true, if the local bind attempt fails, and if the authentication attempt succeeds against the external service, then the local entry will be updated to set the user's password to the provided bind password. The local password will not be altered if the external authentication attempt fails. If the Data Sync Server will be used to synchronize passwords between the local server and the external service, then the update-local-password-dn property should be set to a DN whose updates will be ignored by the Data Sync Server. If update-local-password is false, if the local bind attempt fails, and if the external authentication attempt succeeds, then the LDAP bind operation will still be considered a success, but the user's local password will not be altered. |
| Default Value | false |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
update-local-password-dn

| Field | Value |
|---|---|
| Description | The DN of the authorization identity that will be used when updating the user's local password if update-local-password is true. This is primarily intended for use if the Data Sync Server will be used to synchronize passwords between the local server and the external service; in that case, the DN used here should also be added to the ignore-changes-by-dn property in the appropriate Sync Source object in the Data Sync Server configuration. This property can be used to help avoid a password update loop that may arise if the Data Sync Server is configured to synchronize password changes between the local server and the external authentication service, and if the Data Sync Server is configured to wipe out the password in the local server when it detects that the password has been changed in the external service. With this property, the password wouldn't need to be wiped: this plugin would update the password as the DN used in this property, and if the Data Sync Server is configured to ignore changes by the user with this DN, the password change wouldn't be synchronized to the external service after the bind, which avoids the password being wiped in the local server. The account used for this property must have access control permission to update the passwords for any users that may use pass-through authentication (or the bypass-acl privilege), and it must also have the password-reset privilege. |
| Default Value | None |
| Allowed Values | A valid DN. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allow-lax-pass-through-authentication-passwords

| Field | Value |
|---|---|
| Description | Indicates whether to overwrite the user's local password even if the password used to authenticate to the external service would have failed validation if the user attempted to set it directly. This property is only used if the try-local-bind and update-local-password properties both have values of true. If this property has a value of true, if the local bind attempt fails, and if the authentication attempt to the external service succeeds, then the local password will be overwritten regardless of whether it would have passed the validation requirements of the local user's password policy. If this property has a value of false, if the local bind attempt fails, and if the authentication attempt to the external service succeeds, then the local password will be overwritten only if it satisfies the requirements for all password validators in the local user's password policy. In that case, if the password from the external service does not meet local password policy constraints, then the bind attempt will fail. |
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
ignored-password-policy-state-error-condition

| Field | Value |
|---|---|
| Description | A set of password policy state error conditions that should not be enforced when authentication succeeds when attempted in the external service. This option can only be used if try-local-bind is true. |
| Default Value | None |
| Allowed Values | One or more of the values listed below. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |

Allowed values:

- temporarily-locked-due-to-failures: If this value is present, then the user is permitted to authenticate with a password from the external service even if their account is currently temporarily locked after too many failed authentication attempts. If this value is absent, then a user whose account is temporarily locked will not be permitted to authenticate until the lockout period expires, until the user's local password is reset by an administrator, or until the administrator manually unlocks the account.
- permanently-locked-due-to-failures: If this value is present, then the user is permitted to authenticate with a password from the external service even if their account is currently permanently locked after too many failed authentication attempts. If this value is absent, then a user whose account is permanently locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account.
- locked-due-to-idle-interval: If this value is present, then the user is permitted to authenticate with a password from the external service even if their account is locked because it has been unused for too long. If this value is absent, then a user whose account is idle-locked will not be permitted to authenticate until their local password is reset by an administrator or until the administrator manually unlocks the account.
- locked-due-to-maximum-reset-age: If this value is present, then the user is permitted to authenticate with a password from the external service even if their account is locked because their password was reset by an administrator but they failed to choose a new password in a timely manner. If this value is absent, then a user whose account is reset-locked will not be permitted to authenticate until their local password is again reset by an administrator or until the administrator manually unlocks the account.
- locked-due-to-validation-failure: If this value is present, then the user is permitted to authenticate with a password from the external service even if their account is locked because their password did not satisfy all of the configured password validators. If this value is absent, then a user whose account is validation-locked will not be permitted to authenticate until their local password is reset or until an administrator manually unlocks the account.
- password-is-expired: If this value is present, then the user is permitted to authenticate with a password from the external service even if their local password is expired. If this value is absent, then a user whose password is expired will not be permitted to authenticate until their local password is reset by an administrator or otherwise changed.
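The try-local-bind, override-local-password, update-local-password, allow-lax-pass-through-authentication-passwords and ignored-password-policy-state-error-condition descriptions above together define a single decision sequence for each bind. The following Python model of that sequence is an added example, not the server's own code: PtaConfig, LocalAccount, bind, and the caller-supplied external_ok and validators_ok stand-ins are assumed names, and consulting local password policy state only when try-local-bind is true is an assumption drawn from the ignored-condition property's dependence on it.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Added example (not the server's code): a model of the bind decision the
# property descriptions above specify. Field names mirror the dsconfig
# properties; the external-service check and the local password validators
# are stand-ins supplied by the caller.


@dataclass
class PtaConfig:
    try_local_bind: bool = True
    override_local_password: bool = True
    update_local_password: bool = False
    allow_lax_pass_through_authentication_passwords: bool = True
    ignored_password_policy_state_error_condition: frozenset = frozenset()


@dataclass
class LocalAccount:
    password: Optional[str]            # None: the entry has no local password
    state_error: Optional[str] = None  # e.g. "password-is-expired"


def bind(cfg: PtaConfig, acct: LocalAccount, bind_pw: str,
         external_ok: Callable[[str], bool],
         validators_ok: Callable[[str], bool] = lambda pw: len(pw) >= 8) -> tuple:
    """Return (success, reason). Assumption: local password policy state is
    consulted only when try-local-bind is true (the external-only path skips it)."""
    if cfg.try_local_bind:
        # A local bind fails on a wrong password or on any password policy state error.
        if acct.password == bind_pw and acct.state_error is None:
            return True, "local"
        # override-local-password:false keeps users who have a local password local-only.
        if acct.password is not None and not cfg.override_local_password:
            return False, "local-only"
    if not external_ok(bind_pw):
        return False, "external-failed"  # the local password is never altered here
    if (cfg.try_local_bind and acct.state_error
            and acct.state_error not in cfg.ignored_password_policy_state_error_condition):
        return False, "state:" + acct.state_error  # lockout or expiry still enforced
    if cfg.try_local_bind and cfg.update_local_password:
        if not cfg.allow_lax_pass_through_authentication_passwords and not validators_ok(bind_pw):
            return False, "validation-failed"  # external password violates local policy
        acct.password = bind_pw  # the server does this as update-local-password-dn
    return True, "external"
```

Running the model with allow-lax-pass-through-authentication-passwords set to false shows why a weak external password turns into a failed bind rather than a weak local password.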
invoke-for-internal-operations (Advanced Property)

| Field | Value |
|---|---|
| Description | Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operations that can cause the same plug-in to be re-invoked. |
| Default Value | true |
| Allowed Values | true, false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured Plugins:

```
dsconfig list-plugins [--property {propertyName}] ...
```

To view the configuration for an existing Plugin:

```
dsconfig get-plugin-prop --plugin-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the configuration for an existing Plugin:

```
dsconfig set-plugin-prop --plugin-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To create a new Pluggable Pass Through Authentication Plugin:

```
dsconfig create-plugin --plugin-name {name} --type pluggable-pass-through-authentication --set enabled:{propertyValue} --set pass-through-authentication-handler:{propertyValue} [--set {propertyName}:{propertyValue}] ...
```

To delete an existing Plugin:

```
dsconfig delete-plugin --plugin-name {name}
```