Red Hat Directory Server 8.0 Administrator's Guide

Using the Pass-through Authentication Plug-in
Pass-through authentication (PTA) is a mechanism that allows one Red Hat Directory Server
instance to consult another to authenticate bind requests. Pass-through authentication is
implemented through the PTA Plug-in; when enabled, the plug-in lets a Directory Server instance
accept simple bind operations (password-based) for entries not stored in its local database.
Directory Server uses PTA to administer the user and configuration directories on separate
instances of Directory Server.
1. How Directory Server Uses PTA
If the configuration directory and the user directory are installed on separate instances of
Directory Server, the setup program automatically sets up PTA to allow the Configuration
Administrator user (usually admin) to perform administrative duties.
PTA is required in this case because the admin user entry is stored under the o=NetscapeRoot
suffix in the configuration directory. Therefore, attempts to bind to the user directory as admin
would normally fail. PTA allows the user directory to transmit the credentials to the configuration
directory, which verifies them. The user directory then allows the admin user to bind.
The user directory in this example acts as the PTA Directory Server, the server that passes
through bind requests to another Directory Server. The configuration directory acts as the
authenticating directory, the server that contains the entry and verifies the bind credentials
of the requesting client.
The pass-through subtree is the subtree not present on the PTA directory. When a user's bind
DN contains this subtree, the user's credentials are passed on to the authenticating directory.
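The routing rule described above (a bind DN under the pass-through subtree is forwarded to the authenticating directory; everything else is checked locally) is easiest to see in a small model of the two servers. The following is an added example written for this section, not code from the Directory Server product or this guide: it models the PTA directory and the authenticating directory as Python objects, matches the bind DN against the configured subtree by comparing normalized RDNs right to left, and verifies passwords with salted PBKDF2 so that the forwarded and local checks behave like real credential verification. The hostname userdir.example.com, the simplified admin DN uid=admin,o=NetscapeRoot, the user entry uid=jdoe and all passwords are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into lower-cased, whitespace-trimmed RDNs.

    Naive on purpose: escaped commas inside attribute values are not handled.
    """
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under(dn: str, subtree: str) -> bool:
    """True if dn equals subtree or lies below it (RDNs compared right to left)."""
    d, s = normalize_dn(dn), normalize_dn(subtree)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


class Directory:
    """Minimal model of one Directory Server instance holding password-bearing entries."""

    def __init__(self, name: str, suffix: str) -> None:
        self.name = name
        self.suffix = suffix
        self.entries: dict[tuple[str, ...], tuple[bytes, bytes]] = {}  # DN -> (salt, pbkdf2 hash)
        self.pass_through: list[tuple[str, Directory]] = []  # (subtree, authenticating directory)

    def add_user(self, dn: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.entries[tuple(normalize_dn(dn))] = (salt, digest)

    def enable_pta(self, subtree: str, authenticating_directory: Directory) -> None:
        """Configure this instance as a PTA directory for the given subtree."""
        self.pass_through.append((subtree, authenticating_directory))

    def bind(self, dn: str, password: str, trail: list[str]) -> bool:
        """Simple bind. Appends a human-readable audit trail of where the decision was made."""
        # The pass-through check runs before the local lookup; in the setup the chapter
        # describes the subtree is absent from the PTA directory anyway, so the order is moot.
        for subtree, authdir in self.pass_through:
            if is_under(dn, subtree):
                trail.append(f"{self.name}: {dn} is under pass-through subtree {subtree}, forwarding to {authdir.name}")
                return authdir.bind(dn, password, trail)

        stored = self.entries.get(tuple(normalize_dn(dn)))
        if stored is None:
            trail.append(f"{self.name}: no such entry {dn}, bind rejected")
            return False
        salt, expected = stored
        ok = hmac.compare_digest(expected, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        trail.append(f"{self.name}: local bind for {dn} {'succeeded' if ok else 'failed (bad password)'}")
        return ok


def demo() -> dict:
    """Replay the scenario from the chapter: admin lives only on the configuration directory."""
    config_dir = Directory("configdir.example.com", "o=NetscapeRoot")   # authenticating directory
    user_dir = Directory("userdir.example.com", "dc=example,dc=com")     # PTA directory (hostname constructed)
    config_dir.add_user("uid=admin,o=NetscapeRoot", "admin-secret")      # simplified admin DN (constructed)
    user_dir.add_user("uid=jdoe,ou=People,dc=example,dc=com", "jdoe-secret")

    results: dict = {}
    # Without PTA the admin entry is unknown to the user directory, so the bind fails.
    results["admin_without_pta"] = user_dir.bind("uid=admin,o=NetscapeRoot", "admin-secret", [])

    user_dir.enable_pta("o=NetscapeRoot", config_dir)
    trail: list[str] = []
    # Mixed case and extra spaces are normalized away when matching the subtree.
    results["admin_via_pta"] = user_dir.bind("UID=admin, O=NetscapeRoot", "admin-secret", trail)
    results["trail"] = trail
    results["admin_wrong_password"] = user_dir.bind("uid=admin,o=NetscapeRoot", "wrong", [])
    # Entries under the local suffix are never forwarded.
    results["local_user"] = user_dir.bind("uid=jdoe,ou=People,dc=example,dc=com", "jdoe-secret", [])
    results["unknown_dn"] = user_dir.bind("uid=nobody,ou=People,dc=example,dc=com", "x", [])
    return results


if __name__ == "__main__":
    for line in demo()["trail"]:
        print(line)
```

Running the module prints the audit trail for the forwarded admin bind, which is the behaviour to look for when troubleshooting: the PTA directory should report that the DN matched the pass-through subtree and name the authenticating directory, and the authenticating directory should report the actual password check.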
NOTE
The PTA Plug-in may not be listed in the Directory Server Console if the same
server instance is used for the user directory and the configuration directory.
Here's how pass-through authentication works:
1. The configuration Directory Server (authenticating directory) is installed on machine A. The
configuration directory always contains the configuration database and suffix,
o=NetscapeRoot. In this example, the server name is configdir.example.com.
2. The user Directory Server (PTA directory) is then installed on machine B. The user directory
stores the root suffix, such as dc=example,dc=com. In this example, the server name is
Chapter 17.
491