Pass-through authentication example

To configure and use pass-through authentication, you must identify the required pass-through interface for your directory server environment.

You must use IBM® Security Directory Server as the authentication server. A pass-through server that holds user entries or credentials can be any LDAP V3-compliant directory server.

Figure 1. Pass-through authentication architecture

If you make configuration changes to the pass-through interface, you must restart the directory server. The pass-through interface entries in the configuration file are not dynamic.

You can use pass-through authentication against an authentication server if the server supports the following operations:

  • Bind or compare requests against a proxy server that contains back-end servers with the pass-through interface.
  • Bind or compare requests against a directory server that is configured with the pass-through interface.

You can run only simple bind or compare operations through a directory server, or compare operations through an LDAP client, with or without SSL. Digest, Kerberos, and customized bind operations are not supported.

For example, consider an environment with two servers, server X and server Y, where the user entry cn=Tom Brown,o=sample is stored on server Y.

When the user Tom Brown attempts to authenticate against directory server X, the following checks are run to authenticate the user:

  1. Server X checks whether the bind credentials of the user are on the server.
  2. If the entry or the credential is unavailable, then server X checks whether a pass-through authentication interface is set for the subtree.
  3. If the user entry is a candidate for pass-through authentication, then the bind credentials are sent to the pass-through server Y for authentication.
  4. If the pass-through server Y validates the user credentials, the authentication succeeds; otherwise, the authentication fails.

In a distributed directory scenario, the proxy server routes the credential information to the back-end servers for pass-through authentication checks.

In the previous scenario, a simple pass-through authentication interface is assumed, in which the DN of the user entries is identical on server X and server Y. If no attribute mapping is specified, the DN of each entry on the authenticating server must mirror the DN of the corresponding entry on the pass-through server.

However, the user entries are not required to be identical on the authentication server and the pass-through server; the directory hierarchy might differ between the two servers. A user entry, cn=Tom Brown,o=sample, on server X can map to some other DN on server Y. In such situations, you must identify an attribute whose value is unique in the entries on both server X and server Y, for example, uid. You can map that attribute on IBM Security Directory Server to an attribute on the pass-through server, and the server then uses the mapping to query the pass-through server and retrieve the DN to bind with.

If you use an invalid entry for pass-through authentication, you might get an authentication denial with the LDAP_INVALID_CREDENTIALS error.
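The four-step bind sequence above, together with the optional attribute mapping, is shown below as an added example; it is not code from IBM Security Directory Server. Both servers are modelled as in-memory dictionaries (a constructed stand-in for LDAP servers), the result codes are the RFC 4511 values for success and invalidCredentials, and the server names, DNs, uid values and passwords are invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# LDAP result codes (RFC 4511): 0 = success, 49 = invalidCredentials
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators so that
    'cn=Tom Brown, o=sample' and 'cn=tom brown,o=sample' compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(dn: str, subtree: str) -> bool:
    """True if dn is the subtree root itself or an entry below it."""
    dn, subtree = normalize_dn(dn), normalize_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)


@dataclass
class Entry:
    attrs: Dict[str, str]             # e.g. {"uid": "tbrown"}
    password: Optional[str] = None    # None: no credential stored on this server


@dataclass
class DirectoryServer:
    """Minimal in-memory stand-in for an LDAP V3 server (constructed, not a client library)."""
    name: str
    entries: Dict[str, Entry] = field(default_factory=dict)  # normalized DN -> Entry

    def add(self, dn: str, entry: Entry) -> None:
        self.entries[normalize_dn(dn)] = entry

    def simple_bind(self, dn: str, password: str) -> int:
        entry = self.entries.get(normalize_dn(dn))
        if entry is None or entry.password is None or entry.password != password:
            return LDAP_INVALID_CREDENTIALS
        return LDAP_SUCCESS

    def find_dn_by_attr(self, attr: str, value: str) -> Optional[str]:
        """Resolve the DN whose attribute carries the given value; the value must be unique."""
        matches = [dn for dn, e in self.entries.items() if e.attrs.get(attr) == value]
        return matches[0] if len(matches) == 1 else None  # ambiguous or absent: no mapping


@dataclass
class PassThrough:
    """One pass-through interface: a subtree, the server holding the credentials,
    and an optional attribute mapping (attribute on X -> attribute on the remote server)."""
    subtree: str
    server: DirectoryServer
    local_attr: Optional[str] = None
    remote_attr: Optional[str] = None


@dataclass
class AuthServer(DirectoryServer):
    pass_throughs: List[PassThrough] = field(default_factory=list)

    def bind(self, dn: str, password: str) -> int:
        # Step 1: are the bind credentials held locally?
        entry = self.entries.get(normalize_dn(dn))
        if entry is not None and entry.password is not None:
            return self.simple_bind(dn, password)
        # Step 2: is a pass-through interface configured for this subtree?
        pt = next((p for p in self.pass_throughs if is_under(dn, p.subtree)), None)
        if pt is None:
            return LDAP_INVALID_CREDENTIALS
        # Step 3: work out the DN on the pass-through server
        if pt.local_attr is None:
            remote_dn = dn  # no mapping: the DN must be identical on both servers
        else:
            value = entry.attrs.get(pt.local_attr) if entry else None
            remote_dn = pt.server.find_dn_by_attr(pt.remote_attr, value) if value else None
            if remote_dn is None:
                return LDAP_INVALID_CREDENTIALS
        # Step 4: the pass-through server validates the credentials
        return pt.server.simple_bind(remote_dn, password)


def demo() -> Dict[str, int]:
    """Constructed scenario: server X authenticates, servers Y and Z hold credentials."""
    # Identical-DN case: Tom Brown exists only on Y
    server_y = DirectoryServer("Y")
    server_y.add("cn=Tom Brown,o=sample", Entry({"uid": "tbrown"}, password="s3cret"))
    server_x = AuthServer("X", pass_throughs=[PassThrough("o=sample", server_y)])

    # Mapped case: Z uses a different hierarchy; X holds the entry with a uid but no credential
    server_z = DirectoryServer("Z")
    server_z.add("uid=asmith,ou=people,dc=example,dc=com", Entry({"uid": "asmith"}, password="pw2"))
    server_x.add("cn=Ann Smith,o=mapped", Entry({"uid": "asmith"}))
    server_x.pass_throughs.append(PassThrough("o=mapped", server_z, "uid", "uid"))

    return {
        "identical_ok": server_x.bind("cn=Tom Brown,o=sample", "s3cret"),
        "identical_bad": server_x.bind("cn=Tom Brown,o=sample", "wrong"),
        "mapped_ok": server_x.bind("cn=Ann Smith,o=mapped", "pw2"),
        "no_interface": server_x.bind("cn=Tom Brown,o=other", "s3cret"),
    }


if __name__ == "__main__":
    for case, code in demo().items():
        print(f"{case}: {'success' if code == LDAP_SUCCESS else 'invalidCredentials'}")
```

The mapped case shows why the mapping attribute must be unique: `find_dn_by_attr` refuses to resolve a value that matches more than one entry, so an ambiguous uid yields invalidCredentials rather than binding as the wrong user. The fourth case shows that a DN outside every configured subtree never leaves server X.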

You must not configure the following entries for pass-through support:

  • The following subtrees, or any entries under them: cn=configuration, cn=schema, cn=ibmpolicies, cn=changelog, and cn=localhost.
  • Nested pass-through entries are not supported. If there is a pass-through interface for the ou=myco, o=sample1 entry and another pass-through interface for the ou=mydept, ou=myco, o=sample1 entry, then the server might fail to start in normal mode.
  • Multiple pass-through entries, each with a different pass-through server that is serving the same pass-through subtree, are not supported.
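Because the pass-through interface entries are read only at startup, a misconfiguration surfaces as a server that fails to start after a restart. The following added example (not part of the product or this page) checks a planned set of interfaces against the three restrictions above before the restart. The `(subtree DN, server host)` tuple form and the hostnames are assumptions made for the example, not the product's configuration syntax.

```python
from typing import Dict, List, Set, Tuple

# Subtrees that must never carry a pass-through interface (from the restrictions above)
RESERVED_SUBTREES = ("cn=configuration", "cn=schema", "cn=ibmpolicies",
                     "cn=changelog", "cn=localhost")


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_under(dn: str, subtree: str) -> bool:
    """True if dn is the subtree root itself or an entry below it."""
    dn, subtree = normalize_dn(dn), normalize_dn(subtree)
    return dn == subtree or dn.endswith("," + subtree)


def validate_pass_through_config(interfaces: List[Tuple[str, str]]) -> List[str]:
    """Return the list of problems found; an empty list means the set is acceptable.

    interfaces: (subtree DN, pass-through server host) pairs. This representation
    is an assumption for the example, not the server's configuration file format.
    """
    problems: List[str] = []
    unique_subtrees = sorted({normalize_dn(s) for s, _ in interfaces})

    # Rule 1: reserved subtrees, and anything beneath them, are off-limits
    for subtree in unique_subtrees:
        for reserved in RESERVED_SUBTREES:
            if is_under(subtree, reserved):
                problems.append(f"reserved subtree: {subtree} is under {reserved}")

    # Rule 2: no nested interfaces (one configured subtree strictly below another)
    for inner in unique_subtrees:
        for outer in unique_subtrees:
            if inner != outer and is_under(inner, outer):
                problems.append(f"nested interfaces: {inner} is under {outer}")

    # Rule 3: one subtree must not be served by different pass-through servers
    servers_by_subtree: Dict[str, Set[str]] = {}
    for subtree, server in interfaces:
        servers_by_subtree.setdefault(normalize_dn(subtree), set()).add(server)
    for subtree, servers in servers_by_subtree.items():
        if len(servers) > 1:
            problems.append(f"conflicting servers for {subtree}: {sorted(servers)}")

    return problems


def demo() -> List[str]:
    """Constructed configuration that violates each rule once, using the
    page's own nesting example (ou=myco,o=sample1 and ou=mydept,ou=myco,o=sample1)."""
    return validate_pass_through_config([
        ("ou=myco, o=sample1", "ldap-a.example.test"),
        ("ou=mydept, ou=myco, o=sample1", "ldap-b.example.test"),
        ("cn=pwdpolicy, cn=ibmpolicies", "ldap-a.example.test"),
        ("o=sample", "ldap-a.example.test"),
        ("o=sample", "ldap-b.example.test"),
    ])


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it against the intended interface list before restarting the directory server; every reported line corresponds to one of the unsupported configurations listed above.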