Consider the following points before using the Pass-Through Authentication plugin:

  • Configure the plugin to attempt a local bind, to set or update a local password, and to bypass local password policies to ensure remote passwords are migrated.
  • Remote servers that accept a forwarded bind request might require connection security, such as a secure StartTLS or LDAPS TLS connection.
  • Updating a password in PingDirectory Server might result in divergent passwords between the local and remote server. If necessary, use PingDataSync Server to synchronize passwords between servers.

The following table identifies and describes the configuration properties associated with the Pass-Through Authentication plugin.

| Property | Description |
| --- | --- |
| server-access-mode | Determines whether the servers are accessed in round-robin, failover-on-unavailable, or failover-on-any-failure mode. The default server access mode is round-robin. |
| update-local-password | Indicates whether the local password value requires updating to the value used in the bind request in the event that the local bind fails but the forwarded bind succeeds. To update passwords, a local entry must previously exist. |
| allow-lax-pass-through-authentication-passwords | Indicates whether updates to the local password value accept passwords that do not meet local password policy requirements. |
| connection-criteria | Specifies a set of connection criteria that must match the client associated with the local bind request for the bind to be forwarded to the remote server. |
| request-criteria | Specifies a set of request criteria that must match the local bind request or a local target entry for the bind to be forwarded to the remote server. |
| dn-map | Specifies one or more distinguished name (DN) mappings that can transform bind DNs before attempting to forward the bind to remote servers. |
| search-base-dn | Use when searching for a remote user entry by using a filter constructed from the pattern that the search-filter-pattern property defines. |

A DN map and search filter pattern cannot both be configured. If neither a DN map nor a search filter pattern is defined, user entries are expected to have the same DN in the local server and the remote servers.
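The following added example (a model written for this page, not PingDirectory code) walks through how update-local-password and allow-lax-pass-through-authentication-passwords decide whether a remote password is migrated after a forwarded bind. The in-memory stores, the 12-character local policy, and all function and class names are assumptions; the model also assumes that a rejected local update does not fail the bind itself.

```python
from dataclasses import dataclass

MIN_LOCAL_LENGTH = 12  # assumed local password policy, for illustration only


@dataclass
class PluginConfig:
    update_local_password: bool = False
    allow_lax_passwords: bool = False  # allow-lax-pass-through-authentication-passwords


@dataclass
class Outcome:
    bind_ok: bool
    via: str  # "local", "remote" or "none"
    local_updated: bool = False
    note: str = ""


def meets_local_policy(password: str) -> bool:
    return len(password) >= MIN_LOCAL_LENGTH


def pass_through_bind(cfg, local, remote, dn, password) -> Outcome:
    """Local bind first, forwarded bind on failure, then optional migration.

    `local` and `remote` map DN -> password (plaintext only to keep the model
    short); a local value of None is an entry that has no password yet.
    """
    if dn in local and local[dn] == password:
        return Outcome(True, "local")
    if remote.get(dn) != password:
        return Outcome(False, "none", note="local and forwarded bind failed")
    # The forwarded bind succeeded; decide whether to migrate the password.
    if not cfg.update_local_password:
        return Outcome(True, "remote", note="update-local-password is off")
    if dn not in local:
        return Outcome(True, "remote", note="no local entry to update")
    if not meets_local_policy(password) and not cfg.allow_lax_passwords:
        return Outcome(True, "remote", note="rejected by local password policy")
    local[dn] = password
    return Outcome(True, "remote", local_updated=True)


if __name__ == "__main__":
    # Constructed sample data: one migrated entry, remote password too short.
    local = {"uid=a,dc=example,dc=com": None}
    remote = {"uid=a,dc=example,dc=com": "short"}
    for cfg in (PluginConfig(True, False), PluginConfig(True, True)):
        print(cfg, pass_through_bind(cfg, local, remote, "uid=a,dc=example,dc=com", "short"))
```

With the lax setting off, an account whose remote password fails local policy keeps authenticating through the remote server on every bind and is never migrated, which is worth checking for before the remote server is retired.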

  • Enable the plugin on all servers that use the same configuration.