Example of setting up native authentication
The following diagram shows an example of how you could set up native authentication.
Note: Because of space limitations in the diagram, the entries in
the example do not contain all of the necessary information to make
them valid directory entries. For example, object classes and required
attributes have been left out of many of the entries.
Note: In the behavior table for each of the following examples, a
password phrase can be used instead of a password, with the same results.
Example 1:
- Assume these settings:
- useNativeAuth selected
- nativeUpdateAllowed on
- nativeAuthSubtree ou=END,o=IBM,c=US
- nativeAuthSubtree ou=POK,o=IBM,c=US
With useNativeAuth selected, only an entry that is under one of the nativeAuthSubtree entries and that contains the ibm-nativeId attribute is subject to native authentication; every other entry is handled as a regular LDAP entry.
Table 1. Behavior of native authentication in example 1 (columns: LDAP entry, operation, behavior)
cn=User1,ou=END,o=IBM,c=US
- Bind: Can bind natively because the entry contains a valid ibm-nativeId.
- Bind with native password change: Can change this native password because the entry contains a valid ibm-nativeId.
- modify-delete and modify-add (userPassword): Can change this native password because the entry contains a valid ibm-nativeId.
- modify-replace (userPassword): Cannot perform a modify-replace of the userPassword attribute because the entry is subject to native authentication and password replace is not allowed.
cn=User2,ou=END,o=IBM,c=US
- All operations: The entry is not configured for native authentication, so all operations are regular LDAP operations.
cn=User3,ou=END,o=IBM,c=US
- Bind: Native authentication is attempted but fails because the Security Server ID USER3 is not defined; a regular LDAP bind is then performed.
- Bind with native password change: Cannot change the password on the bind because the Security Server ID USER3 is not defined.
- modify-delete and modify-add (userPassword): A native password change is attempted but fails because the Security Server ID USER3 is not defined.
- modify-replace (userPassword): The attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication.
cn=User4,ou=POK,o=IBM,c=US
- All operations: Regular LDAP operations are performed because the entry does not contain the ibm-nativeId attribute.
cn=User5,ou=POK,o=IBM,c=US
- All operations: Regular LDAP operations are performed because the entry does not contain the ibm-nativeId attribute.
cn=User6,ou=RAL,o=IBM,c=US
- All operations: Regular LDAP operations are performed because the entry is not in a native authentication subtree.
Example 2:
- Assume these settings:
- useNativeAuth all
- nativeUpdateAllowed on
- nativeAuthSubtree ou=END,o=IBM,c=US
- nativeAuthSubtree ou=POK,o=IBM,c=US
With useNativeAuth all, an entry under one of the nativeAuthSubtree entries is subject to native authentication if it contains the ibm-nativeId attribute or a uid attribute with exactly one value; an entry with neither is handled as a regular LDAP entry, and an entry with more than one uid value cannot bind natively.
Table 2. Behavior of native authentication in example 2 (columns: LDAP entry, operation, behavior)
cn=User1,ou=END,o=IBM,c=US
- Bind: Can bind natively because the entry contains a valid ibm-nativeId.
- Bind with native password change: Can change this native password because the entry contains a valid ibm-nativeId.
- modify-delete and modify-add (userPassword): Can change this native password because the entry contains a valid ibm-nativeId.
- modify-replace (userPassword): Cannot perform a modify-replace of the userPassword attribute because the entry is subject to native authentication and password replace is not allowed.
cn=User2,ou=END,o=IBM,c=US
- Bind: Because there are no native attributes in this entry, a regular LDAP bind is attempted.
- Bind with native password change: Cannot change the password on the bind because the entry is not properly set up for native authentication. A regular LDAP bind is attempted.
- modify-delete and modify-add (userPassword): Because there are no native attributes in this entry, a native authentication password update is not attempted. A regular modification of the userPassword attribute value is attempted.
- modify-replace (userPassword): Because there are no native attributes in this entry, a native authentication password update is not attempted. A regular modification of the userPassword attribute value is attempted.
cn=User3,ou=END,o=IBM,c=US
- Bind: Native authentication is attempted but fails because the Security Server ID USER3 is not defined; a regular LDAP bind is then performed.
- Bind with native password change: Cannot change the native password on the bind because the Security Server ID USER3 is not defined.
- modify-delete and modify-add (userPassword): A native password change is attempted but fails because the Security Server ID USER3 is not defined.
- modify-replace (userPassword): The attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication.
cn=User4,ou=POK,o=IBM,c=US
- Bind: Can bind natively because the entry contains a valid uid with one value.
- Bind with native password change: Can change this native password because the entry contains a valid uid with one value.
- modify-delete and modify-add (userPassword): Can change this native password because the entry contains a valid uid with one value.
- modify-replace (userPassword): The attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication.
cn=User5,ou=POK,o=IBM,c=US
- Bind: The native bind fails because two uid values exist.
- Bind with native password change: Cannot change the native password on the bind because two uid attribute values exist.
- modify-delete and modify-add (userPassword): Cannot change the native password on modify operations because two uid attribute values exist.
- modify-replace (userPassword): The attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication.
cn=User6,ou=RAL,o=IBM,c=US
- All operations: Regular LDAP operations are performed because the entry is not in a native authentication subtree.
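The two tables above are the output of one decision procedure: is the entry under a nativeAuthSubtree, does it carry ibm-nativeId (or, with useNativeAuth all, exactly one uid value), and is that Security Server ID actually defined. The following script is an added example, not IBM code from this page, that encodes that procedure as inferred from Examples 1 and 2 and reproduces both tables. The entry attributes, the set of defined Security Server IDs (USER3 deliberately missing), the outcome labels, and the assumption that nativeUpdateAllowed is on (as in both examples, so password updates are never blocked by that setting) are all constructed for the example.

```python
"""Model of the native authentication decisions in Examples 1 and 2 (added example)."""

NOT_NATIVE = "not-native"
NATIVE = "native"
AMBIGUOUS = "ambiguous-uid"

# Constructed configuration mirroring both examples.
NATIVE_SUBTREES = ["ou=END,o=IBM,c=US", "ou=POK,o=IBM,c=US"]

# Constructed directory entries; attribute values are lists because LDAP
# attributes are multi-valued. Object classes etc. are omitted, as in the diagram.
ENTRIES = {
    "cn=User1,ou=END,o=IBM,c=US": {"ibm-nativeId": ["USER1"]},
    "cn=User2,ou=END,o=IBM,c=US": {},
    "cn=User3,ou=END,o=IBM,c=US": {"ibm-nativeId": ["USER3"]},
    "cn=User4,ou=POK,o=IBM,c=US": {"uid": ["user4"]},
    "cn=User5,ou=POK,o=IBM,c=US": {"uid": ["user5a", "user5b"]},
    "cn=User6,ou=RAL,o=IBM,c=US": {"ibm-nativeId": ["USER6"]},  # outside all subtrees
}

# Assumed set of IDs defined to the Security Server; USER3 is intentionally absent.
DEFINED_IDS = {"USER1", "USER4", "USER6"}

OPERATIONS = ["bind", "bind-pwchange", "modify-delete-add", "modify-replace"]


def _norm_dn(dn):
    """Case-fold and strip spaces around RDN separators for suffix comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_native_subtree(dn, subtrees=NATIVE_SUBTREES):
    """True if dn is, or is below, one of the configured nativeAuthSubtree values."""
    n = _norm_dn(dn)
    return any(n == _norm_dn(s) or n.endswith("," + _norm_dn(s)) for s in subtrees)


def classify(dn, entry, use_native_auth):
    """Return (status, native_id): which Security Server ID, if any, the entry maps to."""
    if not in_native_subtree(dn):
        return NOT_NATIVE, None
    if entry.get("ibm-nativeId"):          # ibm-nativeId wins in both modes
        return NATIVE, entry["ibm-nativeId"][0]
    if use_native_auth == "all":            # 'all' also accepts a single-valued uid
        uids = entry.get("uid", [])
        if len(uids) == 1:
            return NATIVE, uids[0]
        if len(uids) > 1:
            return AMBIGUOUS, None          # two uid values: native bind fails
    return NOT_NATIVE, None


def decide(dn, entry, operation, use_native_auth, defined_ids=DEFINED_IDS):
    """Outcome of one operation against one entry, using the labels from the tables."""
    status, native_id = classify(dn, entry, use_native_auth)
    if status == NOT_NATIVE:
        return "regular"                    # plain LDAP bind / userPassword modify
    if operation == "modify-replace":
        return "rejected"                   # replace is never allowed on a native entry
    if status == AMBIGUOUS:
        return "native-fail"
    if native_id.upper() not in defined_ids:
        # Undefined Security Server ID: a bind falls back to a regular LDAP bind,
        # password changes simply fail.
        return "native-fail-then-regular-bind" if operation == "bind" else "native-fail"
    return "native-ok"


def behavior_table(use_native_auth):
    """Map (dn, operation) -> outcome for every constructed entry."""
    return {(dn, op): decide(dn, e, op, use_native_auth)
            for dn, e in ENTRIES.items() for op in OPERATIONS}


if __name__ == "__main__":
    for mode in ("selected", "all"):
        print(f"useNativeAuth {mode}")
        for (dn, op), result in behavior_table(mode).items():
            print(f"  {dn:30} {op:18} {result}")
```

Two points the model makes visible that are easy to miss when reading the tables row by row: a modify-replace of userPassword is refused for every entry the server considers native, even one whose Security Server ID does not exist (User3) or whose uid is ambiguous (User5), so applications that change passwords must use modify-delete plus modify-add; and under useNativeAuth all, adding a second uid value to an entry silently breaks its native bind, which is worth checking for with a search for entries in the native subtrees that have more than one uid.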