Pass-through authentication example
To configure and use pass-through authentication, you must identify the required pass-through interface for your directory server environment.
You must use IBM® Security Directory Server as the authentication server. A pass-through server that holds user entries or credentials can be any LDAP V3-compliant directory server.
If you make configuration changes to the pass-through interface, you must restart the directory server. The pass-through interface entries in the configuration file are not dynamic.
You can use the pass-through authentication against an authentication server if the server supports the following operations:
- Bind or compare requests against a proxy server that contains back-end servers with the pass-through interface.
- Bind or compare requests against a directory server that is configured with the pass-through interface.
You can run only simple bind or compare operations through a directory server or compare operations through an LDAP client with or without SSL. Digest, Kerberos, or customized bind operations are not supported.
For example, consider an environment with two servers, server X and server Y, where the user entry cn=Tom Brown,o=sample is stored on server Y.
When the user Tom Brown attempts to authenticate against directory server X, the following checks are run to authenticate the user:
- Server X checks whether the bind credentials of the user are on the server.
- If the entry or the credential is unavailable, then server X checks whether a pass-through authentication interface is set for the subtree.
- If the user entry is a candidate for pass-through authentication, then the bind credentials are sent to the pass-through server Y for authentication.
- If the pass-through server Y validates the user credentials, the authentication succeeds; otherwise, the authentication fails.
In a distributed directory scenario, the proxy server routes the credential information to the back-end servers for pass-through authentication checks.
In the previous scenario, the simple form of the pass-through authentication interface applies because the DN of the user entry is identical on server X and server Y. If no attribute mapping is specified, the DN of entries on the authenticating server must mirror the DN of entries on the pass-through server. However, the user entries do not have to be identical on the authentication server and the pass-through server; the directory hierarchy layout might differ between the two servers. A user entry, cn=Tom Brown,o=sample, on server X can map to a different DN on server Y. In such situations, you must identify an attribute whose value is unique in the entries on both server X and server Y, for example, uid.
You can map an attribute with a unique value in IBM Security Directory Server to an attribute in the pass-through server. The server uses this mapping information to query the pass-through server and retrieve the required DN.
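The following is an added example, not IBM Security Directory Server code, that simulates the four checks listed above together with the attribute-mapping case. The LDAP servers are stand-ins built from in-memory dictionaries, passwords are compared as SHA-256 hashes (an assumption made for the simulation), the result code 49 is the standard LDAP invalidCredentials value, and the names Server, PassThroughInterface and authenticate are invented for this example.

```python
# Added example (not IBM's code): simulation of the simple-bind decision flow
# with an optional attribute mapping between the authenticating server and
# the pass-through server. Servers are in-memory dictionaries (constructed).
import hashlib
import hmac

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49  # standard LDAP result code for invalidCredentials


def _norm_dn(dn):
    """Normalise a DN for comparison: trim spaces around RDNs, lower-case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _pw_hash(password):
    """Assumed password storage format for the simulation: hex SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


class Server:
    """Minimal stand-in for a directory server: normalised DN -> attributes."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = {_norm_dn(dn): attrs for dn, attrs in entries.items()}

    def simple_bind(self, dn, password):
        entry = self.entries.get(_norm_dn(dn))
        if entry is None or "userPassword" not in entry:
            return LDAP_INVALID_CREDENTIALS
        ok = hmac.compare_digest(entry["userPassword"], _pw_hash(password))
        return LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS

    def search_dn_by_attr(self, attr, value):
        """Locate the DN whose attribute holds the mapped unique value."""
        for dn, attrs in self.entries.items():
            if attrs.get(attr) == value:
                return dn
        return None


class PassThroughInterface:
    """Pass-through interface for one subtree; attr_map is (local, remote) or None."""

    def __init__(self, subtree, server, attr_map=None):
        self.subtree = _norm_dn(subtree)
        self.server = server
        self.attr_map = attr_map


def _in_subtree(dn, subtree):
    dn = _norm_dn(dn)
    return dn == subtree or dn.endswith("," + subtree)


def authenticate(auth_server, interfaces, dn, password):
    """Return (result_code, name of the server that decided the bind)."""
    ndn = _norm_dn(dn)
    entry = auth_server.entries.get(ndn)
    # 1. credentials held locally: decide locally, no pass-through
    if entry is not None and "userPassword" in entry:
        return auth_server.simple_bind(dn, password), auth_server.name
    # 2. entry or credential missing: is a pass-through interface set for the subtree?
    iface = next((i for i in interfaces if _in_subtree(dn, i.subtree)), None)
    if iface is None:
        return LDAP_INVALID_CREDENTIALS, auth_server.name
    # 3. resolve the DN on the pass-through server (identical DN, or via mapping)
    remote_dn = ndn
    if iface.attr_map is not None:
        local_attr, remote_attr = iface.attr_map
        if entry is None or local_attr not in entry:
            return LDAP_INVALID_CREDENTIALS, auth_server.name
        remote_dn = iface.server.search_dn_by_attr(remote_attr, entry[local_attr])
        if remote_dn is None:
            return LDAP_INVALID_CREDENTIALS, auth_server.name
    # 4. send the bind credentials to the pass-through server for validation
    return iface.server.simple_bind(remote_dn, password), iface.server.name


if __name__ == "__main__":
    # Constructed sample data mirroring the text: Tom Brown's credential lives on Y.
    server_y = Server("Y", {"cn=Tom Brown,o=sample": {"userPassword": _pw_hash("s3cret")}})
    server_x = Server("X", {"cn=Tom Brown,o=sample": {"uid": "tbrown"}})
    iface = PassThroughInterface("o=sample", server_y)
    print(authenticate(server_x, [iface], "cn=Tom Brown,o=sample", "s3cret"))  # (0, 'Y')
```

Because step 4 forwards the user's password to the pass-through server, the link between the two servers is where the credential is exposed in transit, which is the reason to run the pass-through bind over SSL.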
If you use an invalid entry for pass-through authentication, you might get an authentication denial with the LDAP_INVALID_CREDENTIALS error.
You must not configure the following entries for pass-through support:
- The following subtrees, or any entries under them, for pass-through authentication: cn=configuration, cn=schema, cn=ibmpolicies, cn=changelog, and cn=localhost.
- Nested pass-through entries, which are not supported. If there is a pass-through interface for the ou=myco, o=sample1 entry and another pass-through interface for the ou=mydept, ou=myco, o=sample1 entry, then the server might fail to start in normal mode.
- Multiple pass-through entries, each with a different pass-through server serving the same pass-through subtree, which are not supported.
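Because the pass-through interface entries are read only at start-up and a bad combination can stop the server from starting in normal mode, it is worth checking a proposed set of interfaces before the restart. The following is an added example, not IBM's own tooling, that checks a list of (subtree DN, pass-through server) pairs against the three restrictions above; the function name validate_pass_through and the tuple format are assumptions of this example.

```python
# Added example (not IBM's code): pre-restart check of proposed pass-through
# interface entries against the three restrictions listed above.
RESERVED_SUBTREES = ("cn=configuration", "cn=schema", "cn=ibmpolicies",
                     "cn=changelog", "cn=localhost")


def _norm_dn(dn):
    """Normalise a DN for comparison: trim spaces around RDNs, lower-case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under(dn, subtree):
    """True if dn is the subtree root itself or lies beneath it."""
    return dn == subtree or dn.endswith("," + subtree)


def validate_pass_through(interfaces):
    """interfaces: list of (subtree_dn, pass_through_server) tuples (assumed format).

    Returns a list of problem descriptions; an empty list means no restriction is hit.
    """
    problems = []
    norm = [(_norm_dn(subtree), server) for subtree, server in interfaces]

    # Restriction 1: reserved subtrees, or anything under them, cannot be pass-through.
    for subtree, _server in norm:
        for reserved in RESERVED_SUBTREES:
            if _under(subtree, reserved):
                problems.append(f"{subtree}: reserved subtree {reserved} cannot use pass-through")

    # Restrictions 2 and 3: pairwise comparison of the configured subtrees.
    for i, (a, server_a) in enumerate(norm):
        for b, server_b in norm[i + 1:]:
            if a == b and server_a != server_b:
                problems.append(
                    f"{a}: multiple pass-through entries with different servers "
                    f"({server_a}, {server_b})")
            elif a != b and (_under(a, b) or _under(b, a)):
                inner, outer = (a, b) if _under(a, b) else (b, a)
                problems.append(f"{inner}: nested under pass-through subtree {outer}")
    return problems


if __name__ == "__main__":
    # Constructed sample using the subtrees from the text above.
    for problem in validate_pass_through([("ou=myco, o=sample1", "Y"),
                                          ("ou=mydept, ou=myco, o=sample1", "Z")]):
        print(problem)
```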