HP-UX Directory Server 8.1 administrator guide
Attribute       Description
nsTimeLimit     Specifies the maximum time the server spends processing a search operation. Giving this attribute a value of -1 indicates that there is no time limit.
nsIdleTimeout   Specifies the time a connection to the server can be idle before the connection is dropped. The value is given in seconds. Giving this attribute a value of -1 indicates that there is no limit.
For example, this sets the size limit for Barbara Jensen by using ldapmodify to modify her
entry:
ldapmodify -D "cn=directory manager" -w secret -p 389 -h server.example.com
dn: uid=bjensen,ou=people,dc=example,dc=com
changetype: modify
add: nsSizeLimit
nsSizeLimit: 500
The ldapmodify statement adds the nsSizeLimit attribute to Babs Jensen's entry and gives
it a search return size limit of 500 entries.
7.4 Using pass-through authentication
Pass-through authentication (PTA) is a mechanism that allows one Directory Server instance to
consult another to authenticate bind requests. Pass-through authentication is implemented through
the PTA Plug-in; when enabled, the plug-in lets a Directory Server instance accept simple bind
operations (password-based) for entries not stored in its local database.
Directory Server uses PTA to administer the user and configuration directories on separate
instances of Directory Server.
7.4.1 How Directory Server uses PTA
If the configuration directory and the user directory are installed on separate instances of Directory
Server, the setup program automatically sets up PTA to allow the Configuration Administrator
user (usually admin) to perform administrative duties.
PTA is required in this case because the admin user entry is stored under the o=NetscapeRoot
suffix in the configuration directory. Therefore, attempts to bind to the user directory as admin
would normally fail. PTA allows the user directory to transmit the credentials to the configuration
directory, which verifies them. The user directory then allows the admin user to bind.
The user directory in this example acts as the PTA Directory Server, the server that passes through
bind requests to another Directory Server. The configuration directory acts as the
authenticating directory, the server that contains the entry and verifies the bind credentials
of the requesting client.
The pass-through subtree is the subtree not present on the PTA directory. When a user's bind
DN contains this subtree, the user's credentials are passed on to the authenticating directory.
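The routing decision described above, as an added example (a simplified model written for this page, not Directory Server code): it compares the bind DN with the pass-through subtree one RDN at a time, so a DN that merely ends with the same characters as the suffix is still handled locally. The host names and suffix are the ones used in this section; the function names and the sample DNs in the test are constructed.

```python
# Added illustration: a simplified model of the PTA routing decision, not
# Directory Server code. Suffix and host names are the page's example values.
PASS_THROUGH_SUBTREE = "o=NetscapeRoot"
AUTHENTICATING_DIRECTORY = "configdir.example.com"
PTA_DIRECTORY = "userdir.example.com"


def split_rdns(dn):
    """Split a DN into normalized (attribute, value) pairs.

    Commas escaped with a backslash stay inside the value. Assumptions:
    case-insensitive matching, no multi-valued (+) RDNs, no hex escapes.
    """
    if not dn.strip():
        return []  # anonymous bind: no DN components
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(bind_dn, subtree):
    """True when bind_dn equals the subtree suffix or lies below it."""
    dn, base = split_rdns(bind_dn), split_rdns(subtree)
    return bool(base) and len(dn) >= len(base) and dn[-len(base):] == base


def route_bind(bind_dn):
    """Return the host that verifies the credentials for this bind DN."""
    if is_under(bind_dn, PASS_THROUGH_SUBTREE):
        return AUTHENTICATING_DIRECTORY
    return PTA_DIRECTORY
```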
NOTE:
The PTA Plug-in may not be listed in the Directory Server Console if the same server instance is
used for the user directory and the configuration directory.
Here's how pass-through authentication works:
1. The configuration Directory Server (authenticating directory) is installed on machine A. The
configuration directory always contains the configuration database and suffix,
o=NetscapeRoot. In this example, the server name is configdir.example.com.
2. The user Directory Server (PTA directory) is then installed on machine B. The user directory
stores the root suffix, such as dc=example,dc=com. In this example, the server name is
userdir.example.com.