Example of setting up native authentication

The following diagram shows an example of how you could set up native authentication.

Note: Because of space limitations in the diagram, the entries in the example do not contain all of the necessary information to make them valid directory entries. For example, object classes and required attributes have been left out of many of the entries.

Figure 1. Native authentication example

Note: In the behavior table for each of the following examples, a password phrase can be used instead of a password, with the same results.

Example 1:

  • Assuming these settings:
    • useNativeAuth selected
    • nativeUpdateAllowed on
    • nativeAuthSubtree ou=END,o=IBM,c=US
    • nativeAuthSubtree ou=POK,o=IBM,c=US

  the following table indicates the results of operations involving each user entry:

Table 1. Behavior of native authentication in example 1

| LDAP entry | Operation | Behavior |
| --- | --- | --- |
| cn=User1,ou=END,o=IBM,c=US | Bind | Can bind natively because the entry contains a valid ibm-nativeId. |
| | Bind with native password change | Can change this native password because the entry contains a valid ibm-nativeId. |
| | modify-delete and modify-add (userPassword) | Can change this native password because the entry contains a valid ibm-nativeId. |
| | modify-replace (userPassword) | Cannot perform a modify-replace of the userPassword attribute because the entry is subject to native authentication and password replace is not allowed. |
| cn=User2,ou=END,o=IBM,c=US | All | Entry is not configured for native authentication, so all operations are regular LDAP operations. |
| cn=User3,ou=END,o=IBM,c=US | Bind | Attempts native authentication but fails because the Security Server ID USER3 is not defined; a regular LDAP bind is then performed. |
| | Bind with native password change | Cannot change the password on the bind because the Security Server ID USER3 is not defined. |
| | modify-delete and modify-add (userPassword) | Native password change is attempted but fails because the Security Server ID USER3 is not defined. |
| | modify-replace (userPassword) | An attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication. |
| cn=User4,ou=POK,o=IBM,c=US | All | Performs regular LDAP operations because the entry does not contain the ibm-nativeId attribute. |
| cn=User5,ou=POK,o=IBM,c=US | All | Performs regular LDAP operations because the entry does not contain the ibm-nativeId attribute. |
| cn=User6,ou=RAL,o=IBM,c=US | All | Performs regular LDAP operations because the entry does not exist in a native subtree. |

Example 2:

  • Assuming these settings:
    • useNativeAuth all
    • nativeUpdateAllowed on
    • nativeAuthSubtree ou=END,o=IBM,c=US
    • nativeAuthSubtree ou=POK,o=IBM,c=US

  the following table indicates the results of operations involving each user entry:

Table 2. Behavior of native authentication in example 2

| LDAP entry | Operation | Behavior |
| --- | --- | --- |
| cn=User1,ou=END,o=IBM,c=US | Bind | Can bind natively because the entry contains a valid ibm-nativeId. |
| | Bind with native password change | Can change this native password because the entry contains a valid ibm-nativeId. |
| | modify-delete and modify-add (userPassword) | Can change this native password because the entry contains a valid ibm-nativeId. |
| | modify-replace (userPassword) | Cannot perform a modify-replace of the userPassword attribute because the entry is subject to native authentication and password replace is not allowed. |
| cn=User2,ou=END,o=IBM,c=US | Bind | Because there are no native attributes in this entry, a regular LDAP bind is attempted. |
| | Bind with native password change | Cannot change the password on the bind because the entry is not properly set up for native authentication. A regular LDAP bind is attempted. |
| | modify-delete and modify-add (userPassword) | Because there are no native attributes on this entry, a native authentication password update is not attempted. A regular modification of the userPassword attribute value is attempted. |
| | modify-replace (userPassword) | Because there are no native attributes on this entry, a native authentication password update is not attempted. A regular modification of the userPassword attribute value is attempted. |
| cn=User3,ou=END,o=IBM,c=US | Bind | Attempts native authentication but fails because the Security Server ID USER3 is not defined; a regular LDAP bind is then performed. |
| | Bind with native password change | Cannot change the native password on the bind because the Security Server ID USER3 is not defined. |
| | modify-delete and modify-add (userPassword) | Native password change is attempted but fails because the Security Server ID USER3 is not defined. |
| | modify-replace (userPassword) | An attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication. |
| cn=User4,ou=POK,o=IBM,c=US | Bind | Can bind natively because the entry contains a valid uid (with one value). |
| | Bind with native password change | Can change this native password because the entry contains a valid uid (with one value). |
| | modify-delete and modify-add (userPassword) | Can change this native password because the entry contains a valid uid (with one value). |
| | modify-replace (userPassword) | An attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication. |
| cn=User5,ou=POK,o=IBM,c=US | Bind | Native bind fails because two uid values exist. |
| | Bind with native password change | Cannot change the native password on the bind because two uid attribute values exist. |
| | modify-delete and modify-add (userPassword) | Cannot change the native password on modify operations because two uid attribute values exist. |
| | modify-replace (userPassword) | An attempt to modify-replace the userPassword attribute fails because the entry is configured for native authentication. |
| cn=User6,ou=RAL,o=IBM,c=US | All | Performs regular LDAP operations because the entry does not exist in a native subtree. |
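The decision rules behind both Table 1 and Table 2, written out as an added Python model so an administrator can check which entries would fall under native authentication before changing useNativeAuth. This is example code added here, not part of the original page and not the z/OS LDAP server's own code. The six entries, the set of IDs the Security Server knows, the uppercase comparison of IDs, and the rule that ibm-nativeId takes precedence over uid when both are present are all constructed assumptions chosen to reproduce the tables; the behaviour modelled for nativeUpdateAllowed off is also an assumption, since the page only shows it on.

```python
"""Model of the native-authentication decision rules shown in Table 1 and
Table 2 (added example; not the z/OS LDAP server's own code)."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Outcome labels used by the model.
NATIVE_OK = "native"                                   # handled by the Security Server
NATIVE_FAIL = "native-fail"                            # native path attempted and failed
NATIVE_FAIL_THEN_LDAP = "native-fail-then-ldap-bind"   # bind falls back to a regular LDAP bind
REGULAR = "regular-ldap"                               # entry not subject to native auth
REPLACE_DENIED = "replace-denied"                      # modify-replace of userPassword rejected

OPERATIONS = (
    "bind",
    "bind-with-password-change",
    "modify-delete/add userPassword",
    "modify-replace userPassword",
)


@dataclass
class Entry:
    dn: str
    ibm_native_id: Optional[str] = None
    uid: List[str] = field(default_factory=list)


@dataclass
class NativeAuthConfig:
    use_native_auth: str             # "selected" or "all"
    native_update_allowed: bool
    native_auth_subtrees: List[str]
    defined_security_ids: Set[str]   # IDs the Security Server knows (constructed set)


def in_native_subtree(dn: str, subtrees: List[str]) -> bool:
    """Suffix match on the DN (assumption: DNs are already normalized apart from case)."""
    d = dn.lower()
    return any(d == s.lower() or d.endswith("," + s.lower()) for s in subtrees)


def native_identity(entry: Entry, cfg: NativeAuthConfig) -> str:
    """Classify an entry as 'none' (regular LDAP), 'defined', 'undefined' or 'invalid'.

    Under useNativeAuth selected only ibm-nativeId makes an entry native; under
    useNativeAuth all a single-valued uid does too.  ibm-nativeId is assumed to take
    precedence when both attributes are present (assumption, not stated on the page).
    """
    if not in_native_subtree(entry.dn, cfg.native_auth_subtrees):
        return "none"
    if entry.ibm_native_id is not None:
        sid = entry.ibm_native_id
    elif cfg.use_native_auth == "all" and entry.uid:
        if len(entry.uid) != 1:
            return "invalid"           # Table 2, User5: two uid values
        sid = entry.uid[0]
    else:
        return "none"
    return "defined" if sid.upper() in cfg.defined_security_ids else "undefined"


def evaluate(entry: Entry, cfg: NativeAuthConfig) -> Dict[str, str]:
    """Outcome of each operation in OPERATIONS for one entry."""
    status = native_identity(entry, cfg)
    if status == "none":
        return {op: REGULAR for op in OPERATIONS}
    if status == "defined":
        bind = NATIVE_OK
        # nativeUpdateAllowed off is not covered by the tables; modelled here as refusing the change.
        change = NATIVE_OK if cfg.native_update_allowed else NATIVE_FAIL
    elif status == "undefined":
        bind, change = NATIVE_FAIL_THEN_LDAP, NATIVE_FAIL    # Tables 1 and 2, User3
    else:
        bind, change = NATIVE_FAIL, NATIVE_FAIL              # Table 2, User5
    # Every entry subject to native authentication rejects modify-replace of userPassword.
    return dict(zip(OPERATIONS, (bind, change, change, REPLACE_DENIED)))


# Constructed entries matching the descriptions in the tables (not the figure's actual data).
SAMPLE_ENTRIES = [
    Entry("cn=User1,ou=END,o=IBM,c=US", ibm_native_id="USER1"),
    Entry("cn=User2,ou=END,o=IBM,c=US"),                          # no native attributes
    Entry("cn=User3,ou=END,o=IBM,c=US", ibm_native_id="USER3"),   # USER3 not defined
    Entry("cn=User4,ou=POK,o=IBM,c=US", uid=["USER4"]),
    Entry("cn=User5,ou=POK,o=IBM,c=US", uid=["USER5", "USER5A"]),
    Entry("cn=User6,ou=RAL,o=IBM,c=US", ibm_native_id="USER6"),   # outside the native subtrees
]
DEFINED_IDS = {"USER1", "USER4", "USER5", "USER5A", "USER6"}
SUBTREES = ["ou=END,o=IBM,c=US", "ou=POK,o=IBM,c=US"]
EXAMPLE1 = NativeAuthConfig("selected", True, SUBTREES, DEFINED_IDS)
EXAMPLE2 = NativeAuthConfig("all", True, SUBTREES, DEFINED_IDS)


def audit(entries: List[Entry], cfg: NativeAuthConfig) -> Dict[str, Dict[str, str]]:
    """Evaluate every entry; run this over an export to see whom a setting change affects."""
    return {e.dn: evaluate(e, cfg) for e in entries}


if __name__ == "__main__":
    for name, cfg in (("Example 1", EXAMPLE1), ("Example 2", EXAMPLE2)):
        print(name)
        for dn, outcomes in audit(SAMPLE_ENTRIES, cfg).items():
            for op, result in outcomes.items():
                print(f"  {dn:28} {op:32} {result}")
```

Running the script prints one line per entry and operation for each example; the useful check before switching from useNativeAuth selected to all is the set of entries whose outcome changes from regular-ldap to native or native-fail, since those are the users whose uid values now have to be single-valued and defined to the Security Server.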