The PingDirectory server also provides support for pass-through authentication in which the client sends a simple bind request to the local server, and the server can forward the request to another server to actually verify the credentials.
The server allows the authentication attempt to be passed through to two different types of servers:
- Another LDAP directory server
- This can be useful when migrating to the PingDirectory server from another type of directory server, especially if that server does not provide any way to export the authentication credentials from that server. This can be enabled through the pass-through authentication plugin.
- The cloud-based PingOne service
- This can be useful when migrating between an on-premise PingDirectory server and the PingOne service. This can be enabled through the PingOne pass-through authentication plugin.
Both of these pass-through authentication mechanisms offer a similar set of options, including:
- The bind attempt can be tried locally first, or you can have it always pass through the authentication attempt to the backend service.
- The plugin can optionally update the password in the user’s entry if the local authentication attempt fails, but the credentials are accepted by the service to which the request is passed through.
- You can use criteria to indicate which bind requests should be passed through to the backend service.
Only one pass-through authentication plugin instance can be enabled in the server at any one time.