
Configuring pass-through authentication

Use pass-through authentication to delegate authentication back to the endpoint so that you do not have to migrate the credentials to the target IBM® Security Directory Server.

Before you begin

  • Configure IBM Security Verify Directory for pass-through authentication. See Pass-through authentication in the IBM Security Directory Server documentation.
  • Verify the connection to the target IBM Security Directory Server from Federated Directory Server. A green tick mark next to the Connection Settings link under Directory Server indicates that the connection is successful. If the connection is not successful, the Pass-through Authentication link is disabled.
  • Note: If the target directory for Federated Directory Server is the IBM Security Verify Directory container, the changes that FDS makes for pass-through authentication are written to the ibmslapd.conf file and do not persist across an ISVD restart. To make the setting persistent, configure pass-through authentication through the ISVD config map instead. See https://www.ibm.com/docs/api/v1/content/SSEP7NB_10.0.2/html/verify-directory-server.html#server_pass-through-authentication_items

About this task

Pass-through authentication is an optional feature of IBM Security Directory Server that delegates authentication of users to a different LDAP server. If you configure pass-through authentication, then IBM Security Directory Server attempts to verify the credentials from an external LDAP directory server on behalf of the client.

Procedure

  1. In the navigation pane, click Pass-through Authentication under Directory Server.

  2. Click Add and specify a Name to identify the configuration.

  3. In the Target subtree field, specify the IBM Security Directory Server target subtree. Pass-through authentication is enabled only for the users in the containers of the target subtree.

    • Click Select to view the subtree and specify the container.
    • Click Browse Data to view, add, delete, or modify the entries in the target directory server.
  4. Optional: Select Enable password cache to store the password in the target server during the first authentication. Subsequent authentications use the cached password.

    If a user changes the password on the endpoint, you must run a synchronization operation to update the password change in the target server.

    The password cache is supported for all the endpoint types that are supported by the IBM Security Directory Server pass-through authentication feature.

    Limitation: If you enable the password cache, a user authenticates (which stores the password in the target server), and you later disable the cache, the stored password remains usable: the user can still authenticate against the target server with the old password even after changing it on the source.

  5. Select an endpoint from Select endpoint to copy connection details from. The details are automatically filled in based on the connection parameters that you specified when you created the endpoint.

  6. Optional: Edit the Host name, Port, Search base, Username, and Password fields, if necessary.

  7. Click Test Connection to verify the connection settings for pass-through authentication.

  8. Take one of the following actions:

    • Click Save to enable the pass-through authentication mechanism for the flows that are affected by this configuration.

      Affected flows are one or more flows whose target search base matches or is under the container hierarchy of the search base that you specified in the pass-through authentication configuration.

    • Click Delete if you do not want to enable pass-through authentication for affected flows.

  9. Manually restart IBM Security Directory Server for the changes to take effect and to enable pass-through authentication for affected flows.
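The rule in step 8 decides which flows a saved configuration affects: a flow is affected when its target search base equals, or lies under, the PTA target subtree. The following is an added example, not code from IBM Federated Directory Server, that lets you predict the affected flows from a flow list before you click Save. It compares DNs as RDN sequences rather than as raw strings, so case and whitespace differences and backslash-escaped commas in values are handled. The lowercasing of attribute values is an assumption (it models caseIgnore matching, which is the usual matching rule for DirectoryString values); how FDS itself compares the search bases is not stated on the page. The flow names and DNs are constructed sample data.

```python
"""Predict which FDS flows a pass-through authentication (PTA) configuration
affects, given the PTA target subtree and each flow's target search base.

Added example, not IBM code. Models the documented rule: a flow is affected
when its target search base matches or is under the PTA target subtree.
"""
from dataclasses import dataclass
from typing import List, Tuple


def _split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas
    (RFC 4514), so 'o=Example\\, Inc.' stays one RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Canonical form of a DN: leaf-first tuple of (attribute, value) pairs,
    with surrounding whitespace removed and both parts lowercased.
    Lowercasing values assumes caseIgnore matching (an assumption here)."""
    parts = []
    for rdn in _split_dn(dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)


def dn_is_under(dn: str, subtree: str) -> bool:
    """True if dn equals subtree or is a descendant of it: the subtree's RDNs
    must be a suffix of the DN's RDNs (a parent of the subtree is NOT under it)."""
    d, s = normalize_dn(dn), normalize_dn(subtree)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


@dataclass(frozen=True)
class Flow:
    name: str
    target_search_base: str


def affected_flows(pta_target_subtree: str, flows) -> List[str]:
    """Names of the flows that the PTA configuration would affect, in input order."""
    return [f.name for f in flows if dn_is_under(f.target_search_base, pta_target_subtree)]


# Constructed sample data: the PTA target subtree and a set of flows.
PTA_TARGET_SUBTREE = "ou=hr,o=example.com"
SAMPLE_FLOWS = [
    Flow("hr-users", "ou=people,ou=hr,o=example.com"),            # child container
    Flow("hr-root", "OU=HR, O=Example.com"),                      # same subtree, different case/spacing
    Flow("finance-users", "ou=people,ou=finance,o=example.com"),  # sibling subtree
    Flow("hr-parent", "o=example.com"),                           # parent, not affected
    Flow("hr-legacy", "cn=legacy\\, users,ou=hr,o=example.com"),  # escaped comma in an RDN value
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict = "affected" if dn_is_under(flow.target_search_base, PTA_TARGET_SUBTREE) else "not affected"
        print(f"{flow.name:14s} {flow.target_search_base!r:45s} {verdict}")
    print("Affected flows:", affected_flows(PTA_TARGET_SUBTREE, SAMPLE_FLOWS))
```

Run it with your own flow list substituted for SAMPLE_FLOWS; any flow it reports as affected will switch to pass-through authentication for its users after the restart in step 9, which is worth confirming before you enable the password cache or rely on a flow still authenticating locally.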

Related tasks:

Browsing the directory entries