Working with pass-through authentication
The PingDirectory server provides support for passing through LDAP simple bind attempts to an external service for authentication processing, either instead of or in addition to the processing that it typically performs against the locally stored data.
Pass-through authentication can be useful when migrating to the PingDirectory server from a different type of datastore, especially when that datastore doesn’t provide a means of directly migrating passwords.
The server provides pass-through authentication support for other LDAP servers (including Active Directory (AD), Oracle DSEE, OpenLDAP, and any other standards-compliant LDAPv3 server) and PingOne by default. You can also use the Server SDK to implement support for custom pass-through authentication handlers for interacting with other types of external services.
Configuration properties for pass-through authentication to LDAP servers
When used with the LDAP pass-through authentication handler, the pluggable pass-through authentication plugin can forward LDAP simple bind requests to another type of LDAP server for processing.
The following table contains the pluggable pass-through authentication plugin configuration properties.
Property | Description
---|---
 | The pass-through authentication handler that is used to interact with the external service. For passing through authentication to an LDAP directory server, create an LDAP pass-through authentication handler.
 | The base distinguished names (DNs) of subtrees containing local entries for which pass-through authentication is attempted. If this isn’t provided, then all regular user entries (excluding root users and topology administrators) might be passed through.
 | Optional connection criteria that can be used to indicate which clients can have their bind attempts passed through.
 | Optional request criteria that can be used to indicate which bind requests should be passed through.
 | Indicates whether to try the bind attempt against the entry in the local server, only passing through to the external service if the local attempt fails. If this is
 | Indicates whether to pass through bind attempts for local accounts that have passwords. If this is set to
 | Indicates whether to update the password for the local account if authentication succeeds against the external service. This only applies if
 | The DN to use as the authorization identity when updating local passwords, which can be helpful if you want to synchronize other types of changes between the PingDirectory server and the external repository. If this isn’t provided, an internal root account is used.
 | Indicates whether to update the password for the local account even if it wouldn’t have otherwise been accepted by the server (for example, if the password doesn’t satisfy the configured set of password validators). This only applies if
 | Optionally allows pass-through authentication attempts to proceed against local accounts that are in certain states that don’t allow them to authenticate locally (for example, if the account is locked or the password is expired).
The following table contains the LDAP pass-through authentication handler configuration properties.
Property | Description
---|---
 | The LDAP external servers to which bind attempts should be passed through.
 | The mechanism that the server should use to decide the order in which the external servers are selected for pass-through authentication attempts.
dn-map | An optional mapping that can be used to construct the remote bind DN from the local PingDirectory server entry when authenticating to the external servers.
bind-dn-pattern | An optional pattern that can be used to construct the remote bind DN from the local PingDirectory server entry when authenticating to the external servers.
 | The search base DN to use when searching for the corresponding entry in the external servers.
search-filter-pattern | An optional pattern you can use to construct a filter to search for the entry in the external servers that corresponds to an entry in the local PingDirectory server.
 | The initial number of connections to establish to each of the LDAP external servers.
 | The maximum number of connections to maintain to each of the LDAP external servers.
 | Indicates whether to consider each server’s location relative to the location of the local PingDirectory server instance when deciding the order in which servers are selected for pass-through authentication attempts.
 | The maximum length of time to wait for a response from an external server in the same location as the local PingDirectory server.
 | The maximum length of time to wait for a response from an external server in a different location from the local PingDirectory server.
 | Indicates whether to include the password policy request control in bind requests forwarded to the external LDAP servers. This control can improve the server’s ability to categorize authentication failures against the remote server, but not all types of LDAP servers support it. By default, the server includes the password policy request control if the remote server’s root DSA-specific entry (DSE) advertises support for it.
At most one of the dn-map, bind-dn-pattern, and search-filter-pattern properties can be provided to indicate how the server should identify the entry in the remote server that corresponds to the entry in the local server. If none of these properties is provided, the local entry DN is used as the remote entry DN.
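The remote-entry resolution rule above (at most one of dn-map, bind-dn-pattern and search-filter-pattern; local DN as the fallback) as an added, stand-alone simulation, not PingDirectory's own code. The `{attr}` placeholder syntax, the suffix-swap semantics of dn-map, and the in-memory stand-in for the remote search are assumptions made for illustration.

```python
import re

# Constructed sample data: one local PingDirectory entry and an in-memory stand-in
# for the external server (the real handler performs a network search).
LOCAL_ENTRY = {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": "jdoe",
               "mail": "jdoe@example.com"}
REMOTE_DIRECTORY = {
    "cn=John Doe,cn=Users,dc=corp,dc=local": {"sAMAccountName": "jdoe"},
    "cn=Jane Roe,cn=Users,dc=corp,dc=local": {"sAMAccountName": "jroe"},
}

def expand(pattern, entry):
    """Fill {attr} placeholders with values from the local entry (assumed syntax)."""
    return re.sub(r"\{(\w+)\}", lambda m: entry[m.group(1)], pattern)

def remote_search(base_dn, filt):
    """Tiny equality-filter evaluator standing in for the remote LDAP search."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", filt).groups()
    return [dn for dn, attrs in REMOTE_DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and attrs.get(attr) == value]

def resolve_remote_dn(entry, dn_map=None, bind_dn_pattern=None,
                      search_filter_pattern=None, search_base_dn=None):
    """Return the DN to bind as on the external server for this local entry."""
    configured = [p for p in (dn_map, bind_dn_pattern, search_filter_pattern) if p]
    if len(configured) > 1:
        # The page states these three properties are mutually exclusive.
        raise ValueError("at most one of dn-map, bind-dn-pattern and "
                         "search-filter-pattern may be configured")
    local_dn = entry["dn"]
    if dn_map:
        # Assumed semantics: replace the local base DN suffix with the mapped remote base.
        for local_base, remote_base in dn_map.items():
            if local_dn.lower().endswith("," + local_base.lower()):
                return local_dn[:-len(local_base)] + remote_base
        raise LookupError(f"no dn-map entry covers {local_dn}")
    if bind_dn_pattern:
        return expand(bind_dn_pattern, entry)
    if search_filter_pattern:
        matches = remote_search(search_base_dn, expand(search_filter_pattern, entry))
        if len(matches) != 1:
            # Zero or several candidates: refuse rather than guess which account to bind as.
            raise LookupError(f"expected exactly one remote match, got {len(matches)}")
        return matches[0]
    return local_dn  # nothing configured: the local entry DN is used as the remote DN
```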