The Pass-Through Authentication plugin is used to delegate bind operations to remote LDAP servers by forwarding simple bind requests to an external LDAP server, including Active Directory. The plugin can be configured to attempt a local bind, to set or update a local password, and to bypass local password policies to ensure remote passwords are migrated.

Consider the following points when using the Pass-Through Authentication plugin:

  • Enable the plugin on all servers that use the same configuration.
  • Remote servers that accept a forwarded bind request might require connection security, such as StartTLS or LDAPS.
  • Consider the manner in which password changes and resets are handled. Updating a password in PingDirectory Server might result in divergent passwords between the local and remote server. If necessary, use PingDataSync Server to synchronize passwords between servers.
  • The plugin updates local passwords only if the forwarded simple bind is successful. Expired passwords on a remote server might return an invalid credentials error and cause the overall bind operation to fail.
  • Multiple remote servers can be specified. The server-access-mode property determines whether the servers are accessed in round-robin, failover-on-unavailable, or failover-on-any-failure mode. The default server access mode is round-robin.
  • The update-local-password property indicates whether the local password value is updated to the value used in the bind request when the local bind fails but the forwarded bind succeeds. To update passwords, a local entry must already exist.
  • The allow-lax-pass-through-authentication-passwords property indicates whether updates to the local password value accept passwords that do not meet local password policy requirements.
  • The connection-criteria property specifies a set of connection criteria that must match the client associated with the local bind request for the bind to be forwarded to the remote server.
  • The request-criteria property specifies a set of request criteria that must match the local bind request or a local target entry for the bind to be forwarded to the remote server.
  • The dn-map property specifies one or more DN mappings that can be used to transform bind DNs before attempting to forward the bind to remote servers.
  • The search-base-dn property is used when searching for a remote user entry by using a filter constructed from the pattern that the search-filter-pattern property defines. A DN map and search filter pattern cannot both be configured. If neither a DN map nor a search filter pattern is defined, user entries are expected to have the same DN in the local server and the remote servers.
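
The property constraints listed above can be checked before a configuration is rolled out to every server. The following is an added example, not code from the product or its documentation: the dict input format, the function name `lint_pta_config`, and treating an absent boolean property as false are assumptions made for illustration.

```python
# Added example: lint a Pass-Through Authentication plugin configuration
# against the constraints stated on this page. The dict input format and the
# function name are assumptions for illustration, not a PingDirectory API.

ACCESS_MODES = {"round-robin", "failover-on-unavailable", "failover-on-any-failure"}
LAX = "allow-lax-pass-through-authentication-passwords"


def lint_pta_config(cfg):
    """Return a list of (severity, message) findings for a plugin config dict."""
    findings = []

    # server-access-mode defaults to round-robin when it is not set.
    mode = cfg.get("server-access-mode", "round-robin")
    if mode not in ACCESS_MODES:
        findings.append(("error", f"unknown server-access-mode: {mode!r}"))

    # A DN map and a search filter pattern are mutually exclusive.
    has_dn_map = bool(cfg.get("dn-map"))
    has_filter = bool(cfg.get("search-filter-pattern"))
    if has_dn_map and has_filter:
        findings.append(("error", "dn-map and search-filter-pattern cannot both be configured"))
    elif not has_dn_map and not has_filter:
        findings.append(("info", "no dn-map or search-filter-pattern: local and remote DNs must be identical"))
    if cfg.get("search-base-dn") and not has_filter:
        findings.append(("warning", "search-base-dn is only used together with search-filter-pattern"))

    # Absent booleans are treated as false here (assumption of this example).
    update = cfg.get("update-local-password", False)
    lax = cfg.get(LAX, False)
    if lax and not update:
        findings.append(("warning", f"{LAX} is set but update-local-password is not"))
    if lax and update:
        findings.append(("warning", "passwords that fail local password policy will be stored locally"))
    return findings


# Constructed sample configuration; every value is an illustrative placeholder.
SAMPLE = {
    "server-access-mode": "failover",
    "dn-map": ["placeholder-dn-map"],
    "search-base-dn": "dc=example,dc=com",
    "search-filter-pattern": "(placeholder-filter)",
    "update-local-password": True,
    LAX: True,
}

if __name__ == "__main__":
    for severity, message in lint_pta_config(SAMPLE):
        print(f"{severity}: {message}")
```

Running the same check against the configuration of each server is one way to confirm that all servers sharing the configuration agree.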