HP-UX Directory Server 8.1 administrator guide

7.4.3.3 Specifying the pass-through subtree
The PTA directory passes through bind requests to the authenticating directory from all clients
with a DN defined in the pass-through subtree. The subtree is specified by replacing the subtree
parameter in the LDAP URL of the PTA directory.
The pass-through subtree must not exist in the PTA directory. If it does, the PTA directory
attempts to resolve bind requests using its own directory contents and the binds fail.
1. Use the ldapmodify command to import the LDIF file into the directory.
ldapmodify -p 389 -D "cn=Directory Manager" -w secret -h example
dn: cn=Pass Through Authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: ldap://dirserver.example.com/o=NetscapeRoot
For information on the variable components in this syntax, see Table 7-4 “PTA plug-in parameters”.
2. Restart the server.
/opt/dirsrv/slapd-instance_name/restart-slapd
For more information about the command to start and stop the HP-UX Directory Server, see “Starting and stopping servers”.
7.4.3.4 Configuring the optional parameters
Additional parameters that control the PTA connection can be set in the LDAP URL:
ldap|ldaps://authDS/subtree maxconns, maxops, timeout, ldver, connlifetime, startTLS

maxconns
The maximum number of connections the PTA Directory Server can open simultaneously to the authenticating directory. The default value is 3.

maxops
The maximum number of bind requests the PTA Directory Server can send simultaneously to the authenticating Directory Server within a single connection. The default value is 5.

timeout
The time limit for the PTA Directory Server to wait for a response from the authenticating Directory Server. The default value is 300 seconds (five minutes).

ldver
The version of the LDAP protocol for the PTA Directory Server to use to connect to the authenticating Directory Server. The default is LDAPv3.

connlifetime
The time limit in seconds within which a connection may be used. If a bind request is initiated by a client after this time has expired, the server closes the connection and opens a new connection to the authenticating Directory Server. The server does not close the connection unless a bind request is initiated and the server determines that the timeout has been exceeded. If this option is not specified, or if only one authenticating Directory Server is listed in the authDS parameter, no time limit is enforced. If two or more hosts are listed, the default is 300 seconds (five minutes).

startTLS
Whether to use Start TLS for the connection. Start TLS creates a secure connection over a standard LDAP port. For Start TLS, the servers must have their server and CA certificates installed, but they do not need to be running in SSL.
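As an added example (not code from the HP-UX Directory Server guide or product), the following Python parses an nsslapd-pluginarg value in the syntax above, applies the defaults the guide states, and runs two pre-flight checks before the LDIF from 7.4.3.3 is applied: that a plain ldap:// URL without startTLS would forward bind credentials in cleartext, and that the pass-through subtree is not one the PTA directory serves itself. It assumes that several authDS hosts are separated by spaces, that the optional values are positional integers with startTLS given as 0 or 1, and that an empty field keeps its default; the names PtaConfig, parse_pta_arg, subtree_hosted_locally and review are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
OPT_ORDER = ["maxconns", "maxops", "timeout", "ldver", "connlifetime", "starttls"]

@dataclass
class PtaConfig:
    scheme: str                         # "ldap" or "ldaps"
    hosts: List[str]                    # assumption: several authDS hosts are space-separated
    subtree: str
    maxconns: int = 3                   # the defaults below are the ones the guide states
    maxops: int = 5
    timeout: int = 300
    ldver: int = 3
    connlifetime: Optional[int] = None  # None: no connection lifetime is enforced
    starttls: bool = False

def parse_pta_arg(arg: str) -> PtaConfig:
    """Parse ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS.
    Assumption: optional values are positional integers (startTLS 0/1); an empty field
    keeps the default. Raises ValueError on malformed input."""
    m = re.fullmatch(r"(ldaps?)://([^/]+)/(\S+)(?:\s+(\S+))?", arg.strip())
    if not m:
        raise ValueError(f"not a PTA LDAP URL: {arg!r}")
    scheme, host_part, subtree, opts = m.groups()
    cfg = PtaConfig(scheme, host_part.split(), subtree)
    fields = opts.split(",") if opts else []
    if len(fields) > len(OPT_ORDER):
        raise ValueError("too many optional parameters")
    for name, raw in zip(OPT_ORDER, fields):
        if raw:                         # an empty field keeps the default
            setattr(cfg, name, bool(int(raw)) if name == "starttls" else int(raw))
    if cfg.connlifetime is None and len(cfg.hosts) >= 2:
        cfg.connlifetime = 300          # guide: default when two or more hosts are listed
    return cfg

def subtree_hosted_locally(subtree: str, local_suffixes: List[str]) -> bool:
    """True if the subtree equals or sits under a suffix the PTA directory serves itself
    (the guide: such binds are resolved locally and fail). Naive DN split, no escaped commas."""
    def rdns(dn): return [r.strip().lower() for r in dn.split(",")]
    want = rdns(subtree)
    return any(want[-len(s):] == s for s in map(rdns, local_suffixes) if len(s) <= len(want))

def review(cfg: PtaConfig, local_suffixes: List[str] = ()) -> List[str]:
    """Checks to run before applying the LDIF; returns plain-text findings."""
    findings = [] if cfg.scheme == "ldaps" or cfg.starttls else [
        "binds cross the network in cleartext: use ldaps:// or set startTLS"]
    if subtree_hosted_locally(cfg.subtree, list(local_suffixes)):
        findings.append(f"{cfg.subtree} exists in the PTA directory; pass-through binds will fail")
    return findings
```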
7.4 Using pass-through authentication 311