HP-UX Directory Server 8.1 administrator guide

Table 7-4 PTA plug-in parameters

Variable        Definition

state           Defines whether the plug-in is enabled or disabled. Acceptable
                values are on or off.

ldap|ldaps      Defines whether SSL is used for communication between the two
                Directory Servers. ldaps:// encrypts the connection from the
                first byte; ldap:// is cleartext unless the startTLS parameter
                (below) is set. See "Configuring the servers to use a secure
                connection" for more information.

authDS          The authenticating directory host name. The port number of the
                Directory Server can be given by adding a colon, then the port
                number. For example, ldap://dirserver.example.com:389/. If the
                port number is not specified, the PTA server attempts to connect
                using the standard port for the scheme:
                  Port 389 if ldap:// is specified in the URL.
                  Port 636 if ldaps:// is specified in the URL.
                See "Specifying the authenticating Directory Server" for more
                information.

subtree         The pass-through subtree. The PTA Directory Server passes
                through bind requests to the authenticating Directory Server
                from all clients whose DN is in this subtree. See "Specifying
                the pass-through subtree" for more information. This subtree
                must not exist on this server. For example, to pass the bind
                requests for o=NetscapeRoot to the configuration directory, the
                subtree o=NetscapeRoot must not exist on the PTA server.

maxconns        Optional. The maximum number of connections the PTA directory
                can simultaneously open to the authenticating directory. The
                default is 3. See "Configuring the optional parameters" for
                more information.

maxops          Optional. The maximum number of simultaneous operations
                (usually bind requests) the PTA directory can send to the
                authenticating directory within a single connection. The
                default is 5. See "Configuring the optional parameters" for
                more information.

timeout         Optional. The time limit, in seconds, that the PTA directory
                waits for a response from the authenticating Directory Server.
                If this timeout is exceeded, the server returns an error to the
                client. The default is 300 seconds (five minutes). Specify zero
                (0) to indicate that no time limit should be enforced. See
                "Configuring the optional parameters" for more information.

ldver           Optional. The version of the LDAP protocol used to connect to
                the authenticating directory. Directory Server supports LDAP
                versions 2 and 3. The default is version 3, and HP strongly
                recommends against using LDAPv2, which is obsolete and will be
                deprecated. See "Configuring the optional parameters" for more
                information.

connlifetime    Optional. The time limit, in seconds, within which a connection
                may be used. If a bind request is initiated by a client after
                this time has expired, the server closes the connection and
                opens a new connection to the authenticating directory. The
                server does not close the connection unless a bind request is
                initiated and the directory determines that the connection
                lifetime has been exceeded. If this option is not specified, or
                if only one host is listed, no connection lifetime is enforced.
                If two or more hosts are listed, the default is 300 seconds
                (five minutes). See "Configuring the optional parameters" for
                more information.

startTLS        Optional. A flag indicating whether to use Start TLS for the
                connection to the authenticating directory. Start TLS
                establishes a secure connection over the standard LDAP port, so
                it is useful for connecting with ldap:// instead of ldaps://.
                The SSL server and CA certificates must be available on both
                servers.
                The default is 0, which is off. To enable Start TLS, set it to
                1. To use Start TLS, the LDAP URL must use ldap:, not ldaps:.
                See "Configuring the optional parameters" for more information.
7.4.3 Configuring the PTA plug-in
The only method for configuring the PTA plug-in is to modify the entry
cn=Pass Through Authentication,cn=plugins,cn=config. The change does not take
effect until the server is restarted. To modify the PTA configuration:
1. Use the ldapmodify command to modify
   cn=Pass Through Authentication,cn=plugins,cn=config.
2. Restart Directory Server:
   /opt/dirsrv/slapd-instance_name/restart-slapd
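The following script is an added example, not part of the HP-UX Directory Server manual, that ties the Table 7-4 parameters to the ldapmodify step above: it checks a proposed parameter set for the constraints the table states (ldap:// or ldaps:// URL, Start TLS only with ldap:, LDAPv3 only, sane integers), refuses a cleartext configuration (ldap:// with startTLS=0) as a policy choice, and prints the LDIF for step 1. It assumes, as the plug-in's configuration convention, that the enable flag is the attribute nsslapd-pluginEnabled and that the parameters are passed in nsslapd-pluginarg0 as "ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS"; the host names, DNs and the Directory Manager credentials are made up.

```shell
#!/bin/sh
# Added example (not from the HP-UX Directory Server manual). Assumptions:
# the PTA entry's enable flag is nsslapd-pluginEnabled and Table 7-4's
# parameters travel in nsslapd-pluginarg0 as
#   ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS
# Host names and DNs below are made up.

# is_uint VALUE -> 0 if VALUE is a non-negative integer
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# pta_is_encrypted URL STARTTLS -> 0 when forwarded binds are protected on
# the wire: ldaps:// (SSL from the first byte) or ldap:// upgraded with
# Start TLS. Plain ldap:// with startTLS=0 forwards the client's password in
# cleartext to the authenticating server.
pta_is_encrypted() {
    case "$1" in
        ldaps://*) return 0 ;;
        ldap://*)  [ "$2" = 1 ] ;;
        *)         return 1 ;;
    esac
}

# pta_check URL SUBTREE MAXCONNS MAXOPS TIMEOUT LDVER CONNLIFETIME STARTTLS
# Applies the constraints from Table 7-4; prints the first violation and
# returns 1, returns 0 when the set is consistent.
pta_check() {
    url=$1 subtree=$2 maxconns=$3 maxops=$4 timeout=$5 ldver=$6 lifetime=$7 starttls=$8
    case "$url" in
        ldap://*|ldaps://*) ;;
        *) echo "authDS must be an ldap:// or ldaps:// URL"; return 1 ;;
    esac
    case "$subtree" in
        *=*) ;;
        *) echo "subtree must be a DN"; return 1 ;;
    esac
    for v in "$maxconns" "$maxops" "$timeout" "$lifetime"; do
        is_uint "$v" || { echo "maxconns, maxops, timeout, connlifetime must be integers"; return 1; }
    done
    # timeout and connlifetime may be 0 (no limit); connection/operation caps may not.
    [ "$maxconns" -ge 1 ] && [ "$maxops" -ge 1 ] || { echo "maxconns and maxops must be at least 1"; return 1; }
    # The manual marks LDAPv2 as obsolete; only accept 3.
    [ "$ldver" = 3 ] || { echo "ldver must be 3 (LDAPv2 is obsolete)"; return 1; }
    case "$starttls" in
        0) ;;
        1) case "$url" in
               ldaps://*) echo "startTLS=1 requires an ldap:// URL, not ldaps://"; return 1 ;;
           esac ;;
        *) echo "startTLS must be 0 or 1"; return 1 ;;
    esac
    return 0
}

# pta_ldif STATE URL SUBTREE MAXCONNS MAXOPS TIMEOUT LDVER CONNLIFETIME STARTTLS
# Prints the LDIF for step 1 of 7.4.3. A trailing slash on URL is dropped so
# the subtree lands at the URL's path position.
pta_ldif() {
    state=$1; url=${2%/}; subtree=$3; shift 3
    printf 'dn: cn=Pass Through Authentication,cn=plugins,cn=config\n'
    printf 'changetype: modify\n'
    printf 'replace: nsslapd-pluginEnabled\n'
    printf 'nsslapd-pluginEnabled: %s\n' "$state"
    printf '%s\n' -
    printf 'replace: nsslapd-pluginarg0\n'
    printf 'nsslapd-pluginarg0: %s/%s %s,%s,%s,%s,%s,%s\n' "$url" "$subtree" "$@"
}

# Weak (valid but cleartext) versus corrected configuration for the same
# authenticating server: the only difference is startTLS 0 -> 1.
WEAK_STARTTLS=0
GOOD_STARTTLS=1
AUTHDS=ldap://auth.example.com:389
SUBTREE=ou=people,dc=example,dc=com

if pta_is_encrypted "$AUTHDS" "$WEAK_STARTTLS"; then :; else
    echo "note: $AUTHDS with startTLS=$WEAK_STARTTLS would forward passwords in the clear"
fi
pta_check "$AUTHDS" "$SUBTREE" 3 5 300 3 300 "$GOOD_STARTTLS" \
    && pta_is_encrypted "$AUTHDS" "$GOOD_STARTTLS" \
    && pta_ldif on "$AUTHDS" "$SUBTREE" 3 5 300 3 300 "$GOOD_STARTTLS"
# Steps 1 and 2 of 7.4.3 would then be (left as comments so this runs offline;
# the bind DN and host are illustrative):
#   pta_ldif on "$AUTHDS" "$SUBTREE" 3 5 300 3 300 1 > pta.ldif
#   ldapmodify -D "cn=Directory Manager" -w password -h localhost -p 389 -f pta.ldif
#   /opt/dirsrv/slapd-instance_name/restart-slapd
```

The check runs before anything touches the server, so a configuration that the plug-in would accept but that leaks credentials (ldap:// with startTLS=0) is caught at the same point as one the plug-in would reject (Start TLS over ldaps://, or an LDAPv2 setting).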
7.4 Using pass-through authentication 309