Object classes and attributes for pass-through authentication

To configure the pass-through authentication interface in your directory server environment, you must use the appropriate object classes and their associated attributes.

Configuration attribute to set pass-through authentication

The entries for pass-through authentication are stored in the directory server instance configuration file, ibmslapd.conf. To enable or disable pass-through authentication, modify the ibm-slapdPtaEnabled attribute of the cn=Configuration entry: set it to TRUE to enable pass-through support, or to FALSE to disable it. Every pass-through authentication configuration entry must be one level below the cn=Passthrough Authentication, cn=Configuration container entry. The following entry is an example of the pass-through authentication container:
    dn: cn=Passthrough Authentication, cn=Configuration
    cn: Passthrough Authentication
    objectclass: top
    objectclass: container

Structural object class

Add each pass-through authentication entry one level under the cn=Passthrough Authentication, cn=Configuration container entry. The entry must have the structural object class ibm-slapdPta, whose attributes identify the pass-through server and the local subtrees whose bind requests are passed through to it.

Auxiliary object class

To configure an entry for pass-through authentication, you might need to add an auxiliary object class. Two auxiliary object classes are associated with pass-through authentication: ibm-slapdPtaExt and ibm-PtaReferral.
ibm-slapdPtaExt
Contains the attribute mapping settings for a pass-through authentication entry. To specify attribute mapping, add this object class to a pass-through authentication entry that has the ibm-slapdPta object class.
ibm-PtaReferral
Contains the linking attributes for pass-through authentication on an individual entry in the directory information tree (DIT), that is, on the user entry itself rather than in the configuration.

Attributes of the ibm-slapdPta object class

To configure a pass-through authentication entry with the ibm-slapdPta object class, set its attributes.
Table 1. The MUST and MAY attributes of the ibm-slapdPta object class
ibm-slapdPtaURL (MUST)
The URL of the pass-through server. The URL must contain the fully qualified host name or IP address and the port. Use ldaps:// for an SSL connection; over plain ldap:// the password in a simple bind crosses the network to the pass-through server in clear text.
Example: ldap://server:port, or ldaps://server:port for SSL
ibm-slapdPtaSubtree (MUST)
The subtrees in the directory server instance that are configured for pass-through authentication. Bind requests for entries under these subtrees are validated against the pass-through server.
Example: o=sample
ibm-slapdPtaResultTimeout (MAY)
The number of milliseconds that the pass-through authentication interface waits for a response in the ldap_result() call. The default is 1000 milliseconds.
Example: 1000
ibm-slapdPtaMigratePwd (MAY)
Whether to store the user password in the local directory entry after a successful pass-through authentication. If the attribute is absent, the default value false is used. Setting it to true leaves a second copy of the password in the local directory, which must then be protected like any other password store.
Example: false
ibm-slapdPtaConnectionPoolSize (MAY)
The number of connections to keep open to each pass-through server. The minimum pool size is 2 and the default is 4.
Example: 4

Attributes of the ibm-slapdPtaExt object class

To specify attribute mapping in a pass-through authentication entry with the ibm-slapdPtaExt object class, set its attributes.
Table 2. The MUST and MAY attributes of the ibm-slapdPtaExt object class
ibm-slapdPtaSearchBase (MUST)
The search base in the pass-through server under which the mapped entry is searched for.
Example: o=sample1
ibm-slapdPtaAttrMapping (MUST)
The mapping of an attribute in IBM® Security Directory Server to an attribute in the pass-through server, written as localAttr $ remoteAttr. For example, cn $ uid maps the cn attribute in IBM Security Directory Server to the uid attribute in the pass-through server.
Example: attr1 $ attr2
ibm-slapdPtaBindDN (MUST)
The DN that the directory server binds with to search the pass-through server.
Example: cn=admin1
ibm-slapdPtaBindPW (MUST)
The password for ibm-slapdPtaBindDN. Because this value lives in ibmslapd.conf, restrict read access to that file and use a dedicated account whose only permission on the pass-through server is to search the search base.
Example: password123
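The following script is an added example, not IBM code, that lints a pass-through authentication configuration before it is loaded with ldapmodify: it checks the container placement described above, the MUST attributes of ibm-slapdPta and ibm-slapdPtaExt from Tables 1 and 2, the URL form, the pool size minimum and the "attr1 $ attr2" mapping syntax, and warns when the URL is not ldaps://. The embedded LDIF is constructed for the example; the entry name cn=pta1 and the host name ad01.example.com are made up.

```python
"""Lint a pass-through authentication (PTA) configuration LDIF before loading it
with ldapmodify. Added example, not IBM code: the checks come from the MUST/MAY
tables on this page; the LDIF, the entry name cn=pta1 and the host name are
constructed for the example."""
from urllib.parse import urlsplit

# Constructed configuration: the container, then one PTA entry carrying both the
# structural class ibm-slapdPta and the auxiliary class ibm-slapdPtaExt.
PTA_LDIF = """\
dn: cn=Passthrough Authentication, cn=Configuration
cn: Passthrough Authentication
objectclass: top
objectclass: container

dn: cn=pta1, cn=Passthrough Authentication, cn=Configuration
cn: pta1
objectclass: top
objectclass: ibm-slapdPta
objectclass: ibm-slapdPtaExt
ibm-slapdPtaURL: ldaps://ad01.example.com:636
ibm-slapdPtaSubtree: o=sample
ibm-slapdPtaResultTimeout: 1000
ibm-slapdPtaMigratePwd: false
ibm-slapdPtaConnectionPoolSize: 4
ibm-slapdPtaSearchBase: o=sample1
ibm-slapdPtaAttrMapping: cn $ uid
ibm-slapdPtaBindDN: cn=admin1
ibm-slapdPtaBindPW: password123
"""
# Deliberately broken copy: plain ldap:// with no port, a pool size below the
# minimum of 2, and an attribute mapping without the '$' separator.
BAD_LDIF = (PTA_LDIF.replace("ldaps://ad01.example.com:636", "ldap://ad01.example.com")
            .replace("ConnectionPoolSize: 4", "ConnectionPoolSize: 1")
            .replace("cn $ uid", "cn uid"))

PTA_CONTAINER = "cn=passthrough authentication,cn=configuration"
MUST = {  # LDAP attribute and class names are case-insensitive; compared in lower case
    "ibm-slapdpta": ("ibm-slapdptaurl", "ibm-slapdptasubtree"),
    "ibm-slapdptaext": ("ibm-slapdptasearchbase", "ibm-slapdptaattrmapping",
                        "ibm-slapdptabinddn", "ibm-slapdptabindpw"),
}

def parse_ldif(text):
    """Minimal LDIF reader returning one {attr_lower: [values]} dict per entry
    (no base64 or continuation lines, which these entries do not use)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries + [current] if current else entries

def norm_dn(dn):
    """Lower-case a DN and drop spaces around RDN separators for comparison."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def check_pta_entry(entry):
    """Return the problems found in one PTA entry; an empty list means it passes."""
    dn = entry.get("dn", ["?"])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = []
    if "," not in dn or norm_dn(dn.split(",", 1)[1]) != PTA_CONTAINER:
        problems.append(f"{dn}: must be one level below cn=Passthrough Authentication, cn=Configuration")
    if "ibm-slapdpta" not in classes:
        problems.append(f"{dn}: missing structural object class ibm-slapdPta")
    for oc, required in MUST.items():
        if oc in classes:
            problems += [f"{dn}: {oc} requires {a}" for a in required if a not in entry]
    for url in entry.get("ibm-slapdptaurl", []):
        u = urlsplit(url)
        try:
            ok = u.scheme in ("ldap", "ldaps") and u.hostname and u.port is not None
        except ValueError:  # non-numeric port
            ok = False
        if not ok:
            problems.append(f"{dn}: ibm-slapdPtaURL must be ldap://host:port or ldaps://host:port, got {url}")
        elif u.scheme == "ldap":  # accepted by the server, but worth flagging
            problems.append(f"{dn}: {url} is not ldaps://, passwords cross the network in clear text")
    for v in entry.get("ibm-slapdptaconnectionpoolsize", []):
        if not v.isdigit() or int(v) < 2:
            problems.append(f"{dn}: ibm-slapdPtaConnectionPoolSize must be an integer >= 2, got {v}")
    for m in entry.get("ibm-slapdptaattrmapping", []):
        parts = [p.strip() for p in m.split("$")]
        if len(parts) != 2 or not all(parts):
            problems.append(f"{dn}: ibm-slapdPtaAttrMapping must be 'localAttr $ remoteAttr', got {m!r}")
    return problems

def lint(ldif_text):
    """Check every entry that carries a PTA object class; returns all problems."""
    problems = []
    for entry in parse_ldif(ldif_text):
        if {c.lower() for c in entry.get("objectclass", [])} & set(MUST):
            problems += check_pta_entry(entry)
    return problems
```

Run lint() over the LDIF you are about to load; PTA_LDIF passes cleanly and BAD_LDIF reports three problems. The ldaps:// warning is deliberate: the directory server accepts a plain ldap:// URL, but every bind that is passed through then carries the user's password to the pass-through server unencrypted.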

Attributes of the ibm-PtaReferral object class

To specify the linking attributes for pass-through authentication on an entry with the ibm-PtaReferral object class, set its attributes.
Table 3. The MUST and MAY attributes of the ibm-PtaReferral object class
ibm-PtaLinkAttribute (MUST)
The name of the mapping attribute in the pass-through server, for example, empNo. There are two special values:
  • _DN_ indicates that the ibm-PtaLinkValue attribute contains the DN of an entry, which must be mapped to the pass-through server.
  • _DISABLE_ indicates that pass-through authentication must not be run for the entry. In this case, an LDAP_INVALID_CREDENTIALS return code is sent to the client.
_DN_ and _DISABLE_ are not case-sensitive.
Example: empNo
ibm-PtaLinkValue (MUST)
The value that is used together with the linking attribute to search the pass-through server.
Example: E0345
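The following script is an added example, not IBM code, that models what a bind for an entry under a pass-through subtree turns into at the pass-through server, using the Table 1 and 2 example values (o=sample, o=sample1, cn $ uid) and the Table 3 example (empNo, E0345). The two special ibm-PtaLinkAttribute values follow Table 3; everything else is an assumption made for the example: an ibm-PtaReferral link on the entry takes precedence over the configuration-level ibm-slapdPtaAttrMapping, _DN_ binds the linked DN directly, and an entry with nothing to map is rejected. The local entries and the result code constant are constructed here.

```python
"""Model the pass-through step for a simple bind. Added example, not IBM code.
The _DN_ and _DISABLE_ handling follows Table 3; the precedence of the entry
link over the configuration mapping, direct binding for _DN_, and rejection of
an entry with no mappable value are assumptions made for this example."""

LDAP_INVALID_CREDENTIALS = 49  # standard LDAP result code (RFC 4511)

# Constructed configuration values, taken from the examples in Tables 1 and 2.
PTA_CONFIG = {"subtree": "o=sample", "search_base": "o=sample1", "attr_mapping": "cn $ uid"}

# Constructed local entries: bob links through empNo=E0345 (Table 3 example),
# carol links by DN, svc is excluded, alice falls back to the cn -> uid mapping
# and eve lies outside the pass-through subtree.
LOCAL_ENTRIES = {
    "cn=alice,o=sample": {"cn": ["alice"]},
    "cn=bob,o=sample": {"cn": ["bob"], "ibm-PtaLinkAttribute": ["empNo"],
                        "ibm-PtaLinkValue": ["E0345"]},
    "cn=carol,o=sample": {"cn": ["carol"], "ibm-PtaLinkAttribute": ["_dn_"],
                          "ibm-PtaLinkValue": ["uid=carol,ou=people,o=sample1"]},
    "cn=svc,o=sample": {"cn": ["svc"], "ibm-PtaLinkAttribute": ["_DISABLE_"],
                        "ibm-PtaLinkValue": ["unused"]},
    "cn=eve,ou=other": {"cn": ["eve"]},
}

def norm_dn(dn):
    """Lower-case a DN and drop spaces around RDN separators so DNs compare reliably."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def in_subtree(dn, subtree):
    """True when dn is the configured subtree itself or lies beneath it."""
    d, s = norm_dn(dn), norm_dn(subtree)
    return d == s or d.endswith("," + s)

def escape_filter(value):
    """RFC 4515 escaping: a link value read from a directory entry must not be
    able to change the shape of the search filter built around it."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def plan_bind(dn, entry, cfg):
    """Describe the pass-through step for a bind DN: local, disabled, bind-dn or search."""
    if not in_subtree(dn, cfg["subtree"]):
        return {"action": "local"}  # not a pass-through subtree: ordinary local bind
    link_attr = entry.get("ibm-PtaLinkAttribute", [None])[0]
    link_value = entry.get("ibm-PtaLinkValue", [None])[0]
    if link_attr is not None:  # assumption: the entry link wins over the config mapping
        special = link_attr.strip().lower()  # _DN_ and _DISABLE_ are not case-sensitive
        if special == "_disable_":
            return {"action": "disabled", "result": LDAP_INVALID_CREDENTIALS}
        if special == "_dn_":
            return {"action": "bind-dn", "dn": link_value}
        return {"action": "search", "base": cfg["search_base"],
                "filter": f"({link_attr}={escape_filter(link_value)})"}
    local_attr, remote_attr = (p.strip() for p in cfg["attr_mapping"].split("$"))
    values = entry.get(local_attr, [])
    if not values:  # assumption: nothing to map means the bind cannot succeed
        return {"action": "disabled", "result": LDAP_INVALID_CREDENTIALS}
    return {"action": "search", "base": cfg["search_base"],
            "filter": f"({remote_attr}={escape_filter(values[0])})"}

if __name__ == "__main__":
    for dn, entry in LOCAL_ENTRIES.items():
        print(dn, "->", plan_bind(dn, entry, PTA_CONFIG))
```

The filter escaping is the check a practitioner will want when ibm-PtaLinkValue is writable by anyone other than an administrator: a value such as E0345)(uid=* would otherwise be spliced into the search filter sent to the pass-through server unchanged.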