HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3332, November 2013)
PTA is required in this case because the admin user entry is stored under o=NetscapeRoot suffix
in the configuration directory. Therefore, attempts to bind to the user directory as admin would
normally fail. PTA allows the user directory to transmit the credentials to the configuration directory,
which verifies them. The user directory then allows the admin user to bind.
The user directory in this example acts as the PTA Directory Server, the server that passes through
bind requests to another Directory Server. The configuration directory acts as the authenticating
directory, the server that contains the entry and verifies the bind credentials of the requesting
client.
The pass-through subtree is the subtree not present on the PTA directory. When a user's bind DN
contains this subtree, the user's credentials are passed on to the authenticating directory.
NOTE:
The PTA Plug-in may not be listed in the Directory Server Console if the same server instance is used
for the user directory and the configuration directory.
Here's how pass-through authentication works:
1. The configuration Directory Server (authenticating directory) is installed on machine A. The
configuration directory always contains the configuration database and suffix,
o=NetscapeRoot. In this example, the server name is configdir.example.com.
2. The user Directory Server (PTA directory) is then installed on machine B. The user directory
stores the root suffix, such as dc=example,dc=com. In this example, the server name is
userdir.example.com.
3. When the user directory is set up on machine B, the setup script prompts for the LDAP URL of
the configuration directory on machine A.
4. The setup program enables the PTA Plug-in and configures it to use the configuration directory
LDAP URL.
The plug-in's configuration entry contains the LDAP URL for the configuration directory. For example:
dn: cn=Pass Through Authentication,cn=plugins,cn=config
...
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: ldap://configdir.example.com/o=NetscapeRoot
...
The user directory is now configured to send all bind requests for entries with a DN containing
o=NetscapeRoot to the configuration directory configdir.example.com.
5. When installation is complete, the admin user attempts to connect to the user directory to
begin adding users.
6. The admin user's entry, which the setup program added as uid=admin,
ou=TopologyManagement,o=NetscapeRoot, lies under o=NetscapeRoot, so the user directory passes
the bind request through to the configuration directory as defined by the PTA Plug-in configuration.
7. The configuration directory authenticates the user's credentials and sends the information back
to the user directory.
8. The user directory allows the admin user to bind.
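The following is an added example, not code from the HP-UX Directory Server product or this guide, that models the decision the PTA directory makes in steps 4 through 8: it parses the nsslapd-pluginarg LDAP URL into a host and a pass-through subtree, and routes a bind DN either to the authenticating directory or to local verification. The hostnames come from the steps above; the password stores and the passwords in them are constructed stand-ins for the two servers, and the subtree comparison is done component by component so that a DN whose last RDN merely ends in the same characters as o=NetscapeRoot is not passed through.

```python
"""Routing model of the PTA plug-in (constructed example).

The in-memory dictionaries stand in for the two servers; a real deployment
sends the bind over LDAP to the host named in the plug-in argument and the
server verifies a hashed userPassword, not the cleartext used here.
"""
from urllib.parse import urlparse, unquote

# Value taken from the plug-in entry shown in the steps above.
PLUGIN_ARGS = ["ldap://configdir.example.com/o=NetscapeRoot"]

# Constructed credential stores, keyed by normalized DN (see normalize_dn).
CONFIG_DIRECTORY = {  # configdir.example.com, holds o=NetscapeRoot
    "uid=admin,ou=topologymanagement,o=netscaperoot": "admin-secret",
}
USER_DIRECTORY = {  # userdir.example.com, holds dc=example,dc=com
    "uid=jdoe,ou=people,dc=example,dc=com": "jdoe-secret",
}


def normalize_dn(dn):
    """Split a DN into RDN components, trimmed and lower-cased.

    Assumes no escaped commas, which holds for every DN in this example.
    """
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def parse_plugin_arg(url):
    """Parse an nsslapd-pluginargN LDAP URL into (host, subtree components)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError(f"unexpected plug-in argument: {url!r}")
    subtree = unquote(parsed.path.lstrip("/"))
    if not subtree:
        raise ValueError("pass-through URL must name a subtree")
    return parsed.hostname, normalize_dn(subtree)


def dn_in_subtree(bind_dn, subtree):
    """True when bind_dn ends with subtree, compared RDN by RDN.

    A plain string suffix test would accept uid=x,xo=NetscapeRoot as lying
    under o=NetscapeRoot; comparing whole components does not.
    """
    components = normalize_dn(bind_dn)
    return len(components) >= len(subtree) and components[-len(subtree):] == subtree


def check_password(store, bind_dn, password):
    """Look the normalized DN up in a store and compare the password."""
    return store.get(",".join(normalize_dn(bind_dn))) == password


def route_bind(bind_dn, password, plugin_args=PLUGIN_ARGS):
    """Mimic the PTA directory. Returns (host that verified the bind, success)."""
    for url in plugin_args:
        host, subtree = parse_plugin_arg(url)
        if dn_in_subtree(bind_dn, subtree):
            # Steps 6-7: the credentials go to the authenticating directory.
            return host, check_password(CONFIG_DIRECTORY, bind_dn, password)
    # No pass-through subtree matched: the user directory verifies locally.
    return "userdir.example.com", check_password(USER_DIRECTORY, bind_dn, password)


if __name__ == "__main__":
    for dn, pw in [
        ("uid=admin,ou=TopologyManagement,o=NetscapeRoot", "admin-secret"),
        ("uid=jdoe,ou=People,dc=example,dc=com", "jdoe-secret"),
        ("uid=x,xo=NetscapeRoot", "admin-secret"),
    ]:
        host, ok = route_bind(dn, pw)
        print(f"{dn}: verified by {host}, success={ok}")
```

Running the block shows the admin bind being answered by configdir.example.com, the ordinary user by userdir.example.com, and the look-alike DN staying local and failing, which is the behaviour step 4's configuration is meant to produce.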
PTA plug-in syntax
PTA Plug-in configuration information is specified in the cn=Pass Through Authentication,
cn=plugins,cn=config entry on the PTA directory (the user directory configured to pass through
Using pass-through authentication 305