Pass-through authentication

The pass-through mechanism authenticates a user on the authenticating server, even if the user entry or password is on a different server.

You can run a bind or compare operation against the authenticating server (the server the client connects to), even if the user entry or the credential is not on that server. If the authenticating server supports pass-through authentication for bind operations, a root DSE search returns the ibm-supportedCapabilities attribute with the OID value 1.3.18.0.2.32.78. If the server supports pass-through for compare operations, the root DSE search returns the ibm-supportedCapabilities attribute with the OID value 1.3.18.0.2.32.100.
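The capability check described above can be automated by reading the root DSE before you rely on pass-through in a deployment. The following is an added example, not code from the product or its documentation: it parses the LDIF text that a base-scope search of the root DSE for ibm-supportedCapabilities returns and reports which pass-through operations are advertised. The sample root DSE is constructed for the example; the two OIDs are the ones the documentation names, and the extra OID is a placeholder.

```python
import base64
import re

# OIDs the documentation names for pass-through support in the root DSE
PTA_BIND_OID = "1.3.18.0.2.32.78"
PTA_COMPARE_OID = "1.3.18.0.2.32.100"

# Constructed sample: roughly what
#   ldapsearch -s base -b "" objectclass=* ibm-supportedCapabilities
# returns. "9.9.9.9.9" is a constructed placeholder, not a real capability.
SAMPLE_ROOT_DSE = """\
dn:
ibm-supportedCapabilities: 1.3.18.0.2.32.78
ibm-supportedCapabilities: 1.3.18.0.2.32.100
ibm-supportedCapabilities: 9.9.9.9.9
supportedLDAPVersion: 3
"""

# Constructed sample of a server that advertises only the bind capability
SAMPLE_BIND_ONLY = """\
dn:
ibm-supportedCapabilities: 1.3.18.0.2.32.78
supportedLDAPVersion: 3
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute_type_lowercase: [values]}.

    Handles folded continuation lines (leading space) and base64 values
    ("attr:: ..."), which is enough for root DSE output.
    """
    # Unfold: a line starting with a single space continues the previous line
    unfolded = re.sub(r"\n ", "", text)
    attrs = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def pass_through_support(root_dse_ldif):
    """Return which pass-through operations the root DSE advertises."""
    attrs = parse_ldif_entry(root_dse_ldif)
    caps = set(attrs.get("ibm-supportedcapabilities", []))
    return {
        "bind": PTA_BIND_OID in caps,
        "compare": PTA_COMPARE_OID in caps,
    }


if __name__ == "__main__":
    for label, ldif in (("full", SAMPLE_ROOT_DSE), ("bind-only", SAMPLE_BIND_ONLY)):
        print(label, pass_through_support(ldif))
```

The attribute names are lowercased during parsing because LDAP attribute types are case-insensitive, so a server that returns `ibm-supportedcapabilities` in a different case is still matched. Only the two OIDs from the documentation are interpreted; any other capability values are left untouched.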

When pass-through authentication is set, the authenticating server attempts to verify the credentials against an external directory server (the pass-through server) on behalf of the client. For a directory server, the user entry or user credential might not be in the directory information tree (DIT). For a proxy server, the user entry or user credentials might not be on the proxy back-end servers.

A directory server supports pass-through only if all the following criteria are met:

  • The ibm-slapdPtaEnabled attribute is set to TRUE on a directory server with the pass-through interface configuration. When the ibm-slapdPtaEnabled attribute value is TRUE, the server supports pass-through for bind and compare operations. The ibm-slapdPtaEnabled attribute is a dynamic attribute. To apply the changes to the attribute, you must run a readconfig extended operation.
  • Pass-through authentication is configured and set on the directory server for the appropriate subtree.
  • The authenticating DN entry is from the subtree that is configured for pass-through authentication. The authenticating DN entry either does not exist or does not have the userpassword attribute on the authenticating server.
  • The credential for authentication is the password that is stored in the userpassword attribute.
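Because a bind for an entry that does not exist locally, or that has no userpassword value, is forwarded to the pass-through server, it is worth being able to predict which bind DNs the criteria above will send off-server. The following is an added example, not product code: it applies the four criteria to a bind request given the server's pass-through state and the local entry (if any). The subtree and DN values are constructed; the DN comparison is a simplified one that splits on unescaped commas and matches components case-insensitively, which is an assumption rather than the server's full matching rules.

```python
import re

USERPASSWORD = "userpassword"


def parse_dn(dn):
    """Split a DN into normalized (type, value) RDN components.

    Assumption for this example: a comma not preceded by a backslash
    separates RDNs, and both attribute type and value compare
    case-insensitively after trimming whitespace.
    """
    parts = re.split(r"(?<!\\),", dn)
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def dn_in_subtree(dn, subtree):
    """True if dn is the subtree root or lies below it."""
    dn_rdns = parse_dn(dn)
    sub_rdns = parse_dn(subtree)
    if len(sub_rdns) > len(dn_rdns):
        return False
    return dn_rdns[-len(sub_rdns):] == sub_rdns


def pass_through_applies(pta_enabled, pta_subtrees, bind_dn, local_entry,
                         credential_is_password=True):
    """Decide whether the authenticating server forwards this bind.

    pta_enabled    -- value of ibm-slapdPtaEnabled (after readconfig)
    pta_subtrees   -- subtrees configured for pass-through (constructed list)
    bind_dn        -- the authenticating DN
    local_entry    -- dict of attribute type -> values for the local entry,
                      or None when the entry does not exist locally
    Returns (decision, reason).
    """
    if not pta_enabled:
        return False, "ibm-slapdPtaEnabled is not TRUE"
    if not pta_subtrees:
        return False, "no subtree is configured for pass-through"
    if not any(dn_in_subtree(bind_dn, s) for s in pta_subtrees):
        return False, "authenticating DN is outside every pass-through subtree"
    if local_entry is not None:
        has_password = any(k.lower() == USERPASSWORD and v for k, v in local_entry.items())
        if has_password:
            return False, "entry exists locally with userpassword; authenticated locally"
    if not credential_is_password:
        return False, "credential is not a userpassword value"
    return True, "bind is forwarded to the pass-through server"


# Constructed configuration and entries for the example
PTA_SUBTREES = ["ou=people,o=example"]
LOCAL_WITH_PASSWORD = {"cn": ["alice"], "userPassword": ["{SSHA}placeholder"]}
LOCAL_WITHOUT_PASSWORD = {"cn": ["bob"]}

if __name__ == "__main__":
    for dn, entry in (("cn=alice,ou=people,o=example", LOCAL_WITH_PASSWORD),
                      ("cn=bob,ou=people,o=example", LOCAL_WITHOUT_PASSWORD),
                      ("cn=carol,ou=people,o=example", None),
                      ("cn=dave,ou=admins,o=example", None)):
        print(dn, pass_through_applies(True, PTA_SUBTREES, dn, entry))
```

Running it shows the asymmetry a defender should keep in mind: alice is authenticated locally because her entry carries a password, while bob (entry without userpassword) and carol (no local entry at all) are both forwarded, and dave is rejected locally because his DN is outside the configured subtree.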