LDAP Pass Through Authentication Policy

An authentication policy for users whose credentials are managed by a remote LDAP directory service.

Authentication attempts will be redirected to the remote LDAP directory service based on a combination of the criteria specified in this policy and the content of the user’s entry in this directory server.

Parent

The LDAP Pass Through Authentication Policy object inherits from Authentication Policy.

Dependencies

LDAP Pass Through Authentication Policies depend on the following objects:

LDAP Pass Through Authentication Policy Properties

You can use configuration expressions to set property values at startup time. For details, see Property Value Substitution.

Basic Properties Advanced Properties

cached-password-storage-scheme
cached-password-ttl
connection-timeout
mapped-attribute
mapped-search-base-dn
mapped-search-bind-dn
mapped-search-bind-password
mapped-search-filter-template
mapping-policy
primary-remote-ldap-server
secondary-remote-ldap-server
source-address
trust-manager-provider
use-password-caching
use-ssl

java-class
ssl-cipher-suite
ssl-protocol
use-tcp-keep-alive
use-tcp-no-delay

Basic Properties

Use the --advanced option to access advanced properties.

cached-password-storage-scheme

Synopsis

Specifies the name of a password storage scheme which should be used for encoding cached passwords.

Description

Changing the password storage scheme will cause all existing cached passwords to be discarded.

Default Value

None

Allowed Values

The name of an existing password-storage-scheme.

The referenced password storage schemes must be enabled.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

cached-password-ttl

Synopsis

Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service.

Description

This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.

Default Value

8 hours

Allowed Values

Lower limit: 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-timeout

Synopsis

Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests.

Description

If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.

Default Value

3 seconds

Allowed Values

Lower limit: 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

mapped-attribute

Synopsis

Specifies one or more attributes in the user’s entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies.

Description

At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user’s local entry in order for authentication to proceed. When multiple attributes or values are found in the user’s entry then the behavior is determined by the mapping policy.

Default Value

None

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

mapped-search-base-dn

Synopsis

Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy.

Description

If multiple values are given, searches are performed below all specified base DNs.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

mapped-search-bind-dn

Synopsis

Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.

Default Value

Searches will be performed anonymously.

Allowed Values

A valid DN.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

mapped-search-bind-password

Synopsis

Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A string.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

mapped-search-filter-template

Synopsis

If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry’s "mapped-attribute".

Description

The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (

) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)". You can also use the filter to restrict search results. For example: "{@code (&(uid=%s)(objectclass=student))}"

Default Value

None

Allowed Values

A string.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

mapping-policy

Synopsis

Specifies the mapping algorithm for obtaining the bind DN from the user’s entry.

Default Value

unmapped

Allowed Values

  • mapped-bind: Bind to the remote LDAP directory service using a DN obtained from an attribute in the user’s entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.

  • mapped-search: Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user’s entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).

  • unmapped: Bind to the remote LDAP directory service using the DN of the user’s entry in this directory server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

primary-remote-ldap-server

Synopsis

Specifies the primary list of remote LDAP servers which should be used for pass through authentication.

Description

If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined. When using an IPv6 address as the hostname, put brackets around the address as in "[IPv6Address]:port".

Default Value

None

Allowed Values

A host name or an IP address followed by a ":" and a port number.

Port number must be greater than 1 and less than 65535.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

secondary-remote-ldap-server

Synopsis

Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable.

Description

If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available. When using an IPv6 address as the hostname, put brackets around the address as in "[IPv6Address]:port".

Default Value

No secondary LDAP servers.

Allowed Values

A host name or an IP address followed by a ":" and a port number.

Port number must be greater than 1 and less than 65535.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

source-address

Synopsis

If specified, the server will bind to the address before connecting to the remote server.

Description

The address must be one assigned to an existing network interface.

Default Value

Let the server decide.

Allowed Values

A hostname or an IP address.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

trust-manager-provider

Synopsis

Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.

Default Value

By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.

Allowed Values

The name of an existing trust-manager-provider.

The referenced trust manager provider must be enabled when SSL is enabled.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately, but only impact subsequent SSL connection negotiations.

Advanced

No

Read-Only

No

use-password-caching

Synopsis

Indicates whether passwords should be cached locally within the user’s entry.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

use-ssl

Synopsis

Indicates whether the LDAP Pass Through Authentication Policy should use SSL.

Description

If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

Advanced Properties

Use the --advanced option to access advanced properties.

java-class

Synopsis

Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.

Default Value

org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.AuthenticationPolicyFactory

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

ssl-cipher-suite

Synopsis

Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.

Default Value

Uses the default set of SSL cipher suites provided by the server’s JVM.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.

Advanced

Yes

Read-Only

No

ssl-protocol

Synopsis

Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.

Default Value

Uses the default set of SSL protocols provided by the server’s JVM.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but will only impact new SSL LDAP connections created after the change.

Advanced

Yes

Read-Only

No

use-tcp-keep-alive

Synopsis

Indicates whether LDAP connections should use TCP keep-alive.

Description

If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

use-tcp-no-delay

Synopsis

Indicates whether LDAP connections should use TCP no-delay.

Description

If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No