Pass-through authentication
The pass-through mechanism authenticates a user on the authenticating server even if the user entry or the password is held on a different server. You can run a bind or compare operation against the authenticating server even if the user entry or the credential is not on that server. If the authenticating server supports pass-through authentication for bind operations, the root DSE search returns the ibm-supportedCapabilities attribute with the OID value 1.3.18.0.2.32.78. If the server supports pass-through for compare operations, the root DSE search returns the ibm-supportedCapabilities attribute with the OID value 1.3.18.0.2.32.100.
When pass-through authentication is set, the authenticating server attempts to verify the credentials against an external directory server (the pass-through server) on behalf of the client. For a directory server, the user entry or user credential might not be in its directory information tree (DIT). For a proxy server, the user entry or user credential might not be on any of the proxy back-end servers.
A directory server supports pass-through only if all the following criteria are met:
- The ibm-slapdPtaEnabled attribute is set to TRUE on a directory server that has the pass-through interface configured. When the ibm-slapdPtaEnabled attribute value is TRUE, the server supports pass-through for bind and compare operations. The ibm-slapdPtaEnabled attribute is a dynamic attribute: to apply a change to it, you must run a readconfig extended operation.
- Pass-through authentication is configured and set on the directory server for the appropriate subtree.
- The authenticating DN entry is from the subtree that is configured for pass-through authentication. The authenticating DN entry either does not exist on the authenticating server or does not have the userpassword attribute there.
- The credential for authentication is the password that is stored in the userpassword attribute.
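As an added example (not code from the IBM documentation), the following Python parses a root DSE search result for the two capability OIDs listed above and applies the criteria to decide whether a simple bind or compare would be forwarded to the pass-through server. The LDIF text, DNs and subtree names are constructed; the parser and decision logic are assumptions about how an administrator might model the rules, not the server's own implementation.

```python
# Constructed root DSE result, in the LDIF shape ldapsearch prints for a base search on "".
ROOT_DSE_LDIF = """\
dn:
ibm-supportedCapabilities: 1.3.18.0.2.32.78
ibm-supportedCapabilities: 1.3.18.0.2.32.100
ibm-supportedCapabilities: 1.3.18.0.2.32.1
"""

PTA_BIND_OID = "1.3.18.0.2.32.78"      # pass-through supported for bind
PTA_COMPARE_OID = "1.3.18.0.2.32.100"  # pass-through supported for compare


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser: joins folded lines, returns {attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def pta_capabilities(root_dse):
    """Report which operations the server advertises pass-through support for."""
    caps = set(root_dse.get("ibm-supportedcapabilities", []))
    return {"bind": PTA_BIND_OID in caps, "compare": PTA_COMPARE_OID in caps}


def dn_in_subtree(dn, subtree):
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    return norm(dn) == norm(subtree) or norm(dn).endswith("," + norm(subtree))


def will_pass_through(op, dn, local_entry, pta_enabled, pta_subtrees, caps):
    """Apply the documented criteria. local_entry is None if the DN does not exist
    on the authenticating server, otherwise a dict of its attributes."""
    if not pta_enabled or not caps.get(op):
        return False                         # ibm-slapdPtaEnabled not TRUE / not advertised
    if not any(dn_in_subtree(dn, s) for s in pta_subtrees):
        return False                         # DN outside every configured subtree
    if local_entry is not None and "userpassword" in {k.lower() for k in local_entry}:
        return False                         # local userpassword exists: verified locally
    return True
```

A defender can use the same checks to list which bind DNs a server would forward, which is the set whose credential exposure now depends on the pass-through server.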