Object classes and attributes for pass-through authentication
To configure the pass-through authentication interface in your directory server environment, you must use the appropriate object classes and their associated attributes.
Configuration attribute to set pass-through authentication
The entries for pass-through authentication are in the directory server instance configuration file, ibmslapd.conf. To set or unset pass-through authentication, you must modify the ibm-slapdPtaEnabled attribute under the cn=configuration DN entry. To enable pass-through support, set the ibm-slapdPtaEnabled attribute to TRUE. To disable pass-through support, set the ibm-slapdPtaEnabled attribute to FALSE.
To create a pass-through authentication interface, all the subtrees specific to pass-through authentication configuration must be one level below the cn=Passthrough Authentication, cn=configuration container entry. The following entry is an example of the pass-through authentication container:

```
dn: cn=Passthrough Authentication, cn=Configuration
cn: Passthrough Authentication
objectclass: top
objectclass: container
```
Structural object class
You must add a pass-through authentication entry one level under the cn=Passthrough Authentication, cn=configuration container entry. The pass-through authentication entry must contain the ibm-slapdPta object class. This object class contains the subtree-specific pass-through authentication settings.
Auxiliary object class
To configure an entry for pass-through authentication, you might need to add an auxiliary object class. The following auxiliary object classes are associated with pass-through authentication: ibm-slapdPtaExt and ibm-PtaReferral.
ibm-slapdPtaExt
- Contains the attribute mapping settings for the pass-through authentication entry. To specify attribute mapping, you must add this object class to a pass-through authentication entry that has the ibm-slapdPta object class.
ibm-PtaReferral
- Contains the linking attribute for pass-through authentication for an entry in the directory information tree (DIT).
Attributes of the ibm-slapdPta object class
To configure a pass-through authentication entry with the ibm-slapdPta object class, you must set its attributes.

Attribute name | Attribute type (MUST/MAY) | Description | Example
---|---|---|---
ibm-slapdPtaURL | MUST | The URL of the pass-through server. The URL must contain the fully qualified host name or IP address and the port. Use ldaps:// for an SSL connection. | ldap://server:port, or ldaps://server:port for SSL
ibm-slapdPtaSubtree | MUST | The subtrees in the directory server instance that are configured for pass-through authentication and for validation of the authentication request. | o=sample
ibm-slapdPtaResultTimeout | MAY | The number of milliseconds that the pass-through authentication interface waits during the ldap_result() call. The default value is 1000 milliseconds. | 1000
ibm-slapdPtaMigratePwd | MAY | Stores the user password in the local directory entry if the authentication is successful. If the attribute is not in an entry, the default value, false, is assigned. | false
ibm-slapdPtaConnectionPoolSize | MAY | Sets the number of connections for each pass-through server. The minimum pool size is 2, and the default is 4. | 4
Attributes of the ibm-slapdPtaExt object class
To specify attribute mapping in the pass-through authentication entry with the ibm-slapdPtaExt object class, you must set its attributes.

Attribute name | Attribute type (MUST/MAY) | Description | Example
---|---|---|---
ibm-slapdPtaSearchBase | MUST | The search base in the pass-through server under which the entry is searched for. | o=sample1
ibm-slapdPtaAttrMapping | MUST | The mapping of an attribute in IBM® Security Directory Server to an attribute in the pass-through server. For example, the mapping cn $ uid indicates that the cn attribute from IBM Security Directory Server is mapped to the uid attribute in the pass-through server. | attr1 $ attr2
ibm-slapdPtaBindDN | MUST | The bind DN for the pass-through server. | cn=admin1
ibm-slapdPtaBindPW | MUST | The bind password for the pass-through server. | password123
Attributes of the ibm-PtaReferral object class
To specify the linking attribute for pass-through authentication for an entry with the ibm-PtaReferral object class, you must set its attributes.

Attribute name | Attribute type (MUST/MAY) | Description | Example
---|---|---|---
ibm-PtaLinkAttribute | MUST | The name of the mapping attribute in the pass-through server. For example: There are two special cases: | empNo
ibm-PtaLinkValue | MUST | The value that is used with the linking attribute to search the pass-through server. | E0345
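As an added example that is not part of the IBM documentation, the following Python checks a pass-through authentication entry written as LDIF against the MUST attributes and value rules given in the ibm-slapdPta and ibm-slapdPtaExt tables above, so that mistakes such as a missing bind DN or a non-SSL URL are caught before the entry is loaded. The parse_ldif and check_pta_entry functions, the sample entry, its host name and its password are all constructed for this illustration.

```python
import re

# MUST attributes per object class as listed on this page (lower-cased for lookup).
MUST = {"ibm-slapdpta": {"ibm-slapdptaurl", "ibm-slapdptasubtree"},
        "ibm-slapdptaext": {"ibm-slapdptasearchbase", "ibm-slapdptaattrmapping",
                            "ibm-slapdptabinddn", "ibm-slapdptabindpw"}}
CONTAINER = "cn=passthrough authentication,cn=configuration"

def parse_ldif(text):
    """Parse one LDIF entry into {attribute name (lower-case): [values]}."""
    entry = {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_pta_entry(text):
    """Return findings for a pass-through configuration entry; [] means it passes."""
    e, findings = parse_ldif(text), []
    parent = ",".join(p.strip() for p in e.get("dn", [""])[0].split(",")[1:]).lower()
    if parent != CONTAINER:
        findings.append("dn is not one level under cn=Passthrough Authentication, cn=configuration")
    classes = {c.lower() for c in e.get("objectclass", [])}
    if "ibm-slapdpta" not in classes:
        findings.append("structural object class ibm-slapdPta is missing")
    for oc, must in MUST.items():
        if oc in classes:  # every MUST attribute of a present class has to be there
            findings += [f"{oc}: MUST attribute {a} is missing" for a in sorted(must - set(e))]
    for url in e.get("ibm-slapdptaurl", []):
        if not re.fullmatch(r"ldaps?://[^/\s]+:\d+", url):
            findings.append(f"URL {url!r} must be ldap://host:port or ldaps://host:port")
        elif url.startswith("ldap://"):  # the page recommends ldaps:// for SSL
            findings.append(f"URL {url!r} is not SSL; binds to the pass-through server are unprotected")
    if e.get("ibm-slapdptamigratepwd", ["false"])[0].lower() == "true":
        findings.append("ibm-slapdPtaMigratePwd TRUE: user passwords get copied into local entries")
    for m in e.get("ibm-slapdptaattrmapping", []):
        if not re.fullmatch(r"\S+\s*\$\s*\S+", m):
            findings.append(f"attribute mapping {m!r} must have the form 'attr1 $ attr2'")
    return findings

# Constructed sample entry (not from the page); host name and password are placeholders.
SAMPLE = """dn: cn=pta1, cn=Passthrough Authentication, cn=Configuration
objectclass: ibm-slapdPta
objectclass: ibm-slapdPtaExt
ibm-slapdPtaURL: ldaps://pta-server.example.com:636
ibm-slapdPtaSubtree: o=sample
ibm-slapdPtaSearchBase: o=sample1
ibm-slapdPtaAttrMapping: cn $ uid
ibm-slapdPtaBindDN: cn=admin1
ibm-slapdPtaBindPW: REPLACE_ME"""
```

Running check_pta_entry(SAMPLE) returns an empty list; swapping the URL to ldap:// or deleting a MUST attribute produces one finding per problem.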