
How do I configure mapping for Pass Through Authentication (PTA) in OpenDJ 3.x to Active Directory?

Last updated Jan 5, 2021

The purpose of this article is to provide information on configuring mapping for Pass Through Authentication (PTA) in OpenDJ to Active Directory®.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Overview

This article only provides details for OpenDJ 3 (before 3.5); OpenDJ 3.5 improved this functionality and the new process is fully documented:

OpenDJ 3.5 and later

You can map different attributes, such as uid in OpenDJ to sAMAccountName in Active Directory. You can set the mapped-search-filter-template to a value such as "(samAccountName=%s)" and the mapped-attribute to "uid". During a search, the local entry's value for the mapped-attribute replaces %s in the mapped-search-filter-template, meaning you can map samAccountName to uid.

See Administration Guide › Configuring Pass-Through Authentication for further information on setting this up.

OpenDJ 3

You must use the same mapping attribute in both OpenDJ and Active Directory; you cannot map different attributes, such as uid in OpenDJ to sAMAccountName in Active Directory. See the following section for information:

Configuring mapping for PTA (OpenDJ 3.x)

OpenDJ uses the value of the attribute named by the ds-cfg-mapped-attribute configuration element to locate the user in AD. The ds-cfg-mapping-policy configuration element can be either mapped-search or mapped-bind. With mapped-search, OpenDJ searches AD for an entry whose mapped attribute has the same value as the local entry and then binds to AD as that entry with the password the user supplied. With mapped-bind, OpenDJ binds to AD directly using the local entry's mapped attribute value as the bind DN, so that attribute must contain the AD user's full DN and the attribute:value matching described below does not apply.

The mapped-search mapping policy works provided the following requirements are met:

  • The PTA configuration has a ds-cfg-mapped-attribute with a value. For example: ds-cfg-mapped-attribute: cn
  • The OpenDJ user has the mapped attribute with a value that matches the attribute:value pair on the AD side. For example, both the OpenDJ user and the AD user have: cn: OpenDJ User

For example, the OpenDJ User could have:

dn: uid=opendj.sustaining,ou=People,dc=forgerock,dc=com
cn: OpenDJ Sustaining

or

dn: uid=opendj.sustaining,ou=People,dc=forgerock,dc=com
sAMAccountName: OpenDJ Sustaining

And the AD User would have:

dn: CN=OpenDJ Sustaining,CN=Users,DC=forgerock,DC=com
cn: OpenDJ Sustaining
sAMAccountName: OpenDJ Sustaining

Example 1

In this example, ds-cfg-mapped-attribute: cn means the OpenDJ user's cn attribute:value pair is used to search AD. Provided AD holds an entry with the same attribute:value pair and the search returns result=0 (success) with exactly one entry, OpenDJ binds to AD as that entry with the password the user supplied, and the user is authenticated if that bind succeeds.

OpenDJ PTA Configuration

dn: cn=AD PTA Policy,cn=Password Policies,cn=config
objectClass: top
objectClass: ds-cfg-authentication-policy
objectClass: ds-cfg-ldap-pass-through-authentication-policy
cn: AD PTA Policy
ds-cfg-java-class: org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
ds-cfg-mapping-policy: mapped-search
ds-cfg-mapped-attribute: cn
ds-cfg-mapped-search-base-dn: CN=Users,DC=example,DC=com
ds-cfg-mapped-search-bind-dn: CN=Administrator,CN=Users,DC=example,DC=com
ds-cfg-mapped-search-bind-password: password
ds-cfg-use-password-caching: false
ds-cfg-primary-remote-ldap-server: ad.example.com:389

This configuration is for illustration only: it connects to AD on port 389 without TLS, stores the search account's password in cleartext in config.ldif, and searches as the domain Administrator. The user's AD password crosses the network in the simple bind to AD, so in production set ds-cfg-use-ssl to true with a ds-cfg-trust-manager-provider that trusts the AD server certificate (and use the LDAPS port), search with a dedicated read-only account rather than Administrator, and prefer the policy's file, property or environment-variable alternatives to ds-cfg-mapped-search-bind-password.

OpenDJ User (with cn: OpenDJ User)

dn: uid=opendj.user,ou=People,dc=forgerock,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: opendj.user
cn: OpenDJ User
sn: User
givenName: OpenDJ
mail: opendj.user@forgerock.com

AD User (with cn: OpenDJ User)

dn: CN=OpenDJ User,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: OpenDJ User
sn: User
givenName: OpenDJ
distinguishedName: CN=OpenDJ User,CN=Users,DC=example,DC=com
name: OpenDJ User
sAMAccountName: OpenDJ User

When a user binds to OpenDJ, OpenDJ reads the attribute named by ds-cfg-mapped-attribute in config.ldif, in this case cn, from the user's entry and searches AD for the same attribute:value pair:

  1. User uid=opendj.user binds to OpenDJ with a password.
  2. OpenDJ retrieves the cn value from the entry uid=opendj.user, here "OpenDJ User".
  3. OpenDJ, bound to AD as ds-cfg-mapped-search-bind-dn, searches AD under ds-cfg-mapped-search-base-dn with the filter (cn=OpenDJ User).
  4. If the search returns result=0 (success) with exactly one entry, OpenDJ binds to AD as that entry's DN using the password from step 1; the user is authenticated only if that bind succeeds. A search that finds no entry, or more than one entry, fails the bind.

In other words, the PTA policy can use any attribute:value pair as the mapping, as long as the OpenDJ user carries the same pair as the corresponding AD entry.
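The flow in steps 1 to 4, together with the filter-template variant described under OpenDJ 3.5 and later, as an added example that is not OpenDJ's own code: a small Python model of mapped-search against an in-memory stand-in for AD. The policy and local user LDIF are cut down from Example 1; the AD entries, their passwords, the check_policy() findings and the assumption that a filter template holds a single equality assertion are constructed here. It shows two things the prose does not: the local attribute value is escaped per RFC 4515 before it is interpolated into the remote filter (whoever builds that filter must do this, since the value comes from a directory entry rather than from the policy), and a search that succeeds with zero or several hits authenticates nobody; only the simple bind as the single found DN with the user's own password does.

```python
# Model of OpenDJ PTA mapped-search against an in-memory stand-in for AD.
# Added example, not OpenDJ's code; AD entries, passwords and check_policy()
# findings are constructed for illustration.
import re

# RFC 4515: characters that carry meaning inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape an assertion value before interpolating it into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}, dn included."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def build_filter(policy, local_entry):
    """Return (remote attribute, local value, filter) for the AD search.
    OpenDJ 3.x builds (<mapped-attribute>=<local value>); in OpenDJ 3.5+ the %s
    of ds-cfg-mapped-search-filter-template is replaced instead (assumed here
    to be one equality assertion, as on this page)."""
    mapped_attr = policy["ds-cfg-mapped-attribute"][0]
    values = local_entry.get(mapped_attr.lower(), [])
    if len(values) != 1:
        raise ValueError("local entry must hold exactly one %s value" % mapped_attr)
    default = ["(" + mapped_attr + "=%s)"]
    template = policy.get("ds-cfg-mapped-search-filter-template", default)[0]
    ldap_filter = template.replace("%s", escape_filter_value(values[0]))
    match = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not match:
        raise ValueError("this example supports a single equality assertion only")
    return match.group(1).lower(), values[0], ldap_filter

def mapped_search_auth(policy, local_entry, password, remote_entries):
    """Search AD, require exactly one hit, then bind as that hit with the user's
    password. remote_entries is the constructed AD stand-in: 'dn', lowercase
    attribute names, and a 'password' that decides the simple bind. Returns
    'success', 'no-match', 'ambiguous' or 'invalid-credentials'."""
    attr, value, _ = build_filter(policy, local_entry)
    base = policy["ds-cfg-mapped-search-base-dn"][0].lower()
    hits = [e for e in remote_entries
            if e["dn"].lower().endswith("," + base)
            # AD matches attribute values case-insensitively
            and value.lower() in (v.lower() for v in e.get(attr, []))]
    if not hits:
        return "no-match"      # search result=0 but zero entries: nothing to bind as
    if len(hits) > 1:
        return "ambiguous"     # never guess which AD account the user is
    # Only now is the user's password used: a simple bind to AD as the found DN.
    # An empty password would be an anonymous bind, which must never count.
    if not password or hits[0]["password"] != password:
        return "invalid-credentials"
    return "success"

def check_policy(policy):
    """Flag weak settings in a PTA policy entry (added checks, not OpenDJ's)."""
    findings = []
    server = policy["ds-cfg-primary-remote-ldap-server"][0]
    if policy.get("ds-cfg-use-ssl", ["false"])[0].lower() != "true":
        findings.append("cleartext LDAP to %s: user passwords cross the network unprotected" % server)
    if "ds-cfg-mapped-search-bind-password" in policy:
        findings.append("search account password stored in config.ldif")
    if "cn=administrator," in policy["ds-cfg-mapped-search-bind-dn"][0].lower():
        findings.append("search account is Administrator; use a read-only service account")
    return findings

# Policy and local user cut down from Example 1 on this page.
POLICY_LDIF = """
dn: cn=AD PTA Policy,cn=Password Policies,cn=config
ds-cfg-mapping-policy: mapped-search
ds-cfg-mapped-attribute: cn
ds-cfg-mapped-search-base-dn: CN=Users,DC=example,DC=com
ds-cfg-mapped-search-bind-dn: CN=Administrator,CN=Users,DC=example,DC=com
ds-cfg-mapped-search-bind-password: password
ds-cfg-primary-remote-ldap-server: ad.example.com:389
"""
LOCAL_USER_LDIF = """
dn: uid=opendj.user,ou=People,dc=forgerock,dc=com
uid: opendj.user
cn: OpenDJ User
"""
# Constructed AD stand-in; 'password' simulates the outcome of the simple bind.
AD_ENTRIES = [
    {"dn": "CN=OpenDJ User,CN=Users,DC=example,DC=com", "cn": ["OpenDJ User"],
     "samaccountname": ["OpenDJ User"], "password": "S3cret!"},
    {"dn": "CN=Other,CN=Users,DC=example,DC=com", "cn": ["Other"],
     "samaccountname": ["other"], "password": "x"},
]

if __name__ == "__main__":
    policy, user = parse_ldif(POLICY_LDIF), parse_ldif(LOCAL_USER_LDIF)
    print(build_filter(policy, user)[2])                            # (cn=OpenDJ User)
    print(mapped_search_auth(policy, user, "S3cret!", AD_ENTRIES))  # success
    print(check_policy(policy))
```

Swapping the policy's mapped attribute for uid and adding a ds-cfg-mapped-search-filter-template of (samAccountName=%s) reproduces the 3.5+ mapping on the same entries; against the constructed AD data it returns no-match, because the AD sAMAccountName there is "OpenDJ User", not "opendj.user".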

Example 2

In this example, the PTA configuration works as long as the attribute specified for ds-cfg-mapped-attribute (sAMAccountName) exists and contains the same value on both the OpenDJ server and the AD server, as in the following configurations. Note that sAMAccountName is not part of the standard OpenDJ schema, so the attribute type (and an object class that allows it) must be added to the OpenDJ schema, or schema checking relaxed, before the OpenDJ user entry can hold it.

OpenDJ PTA Configuration

dn: cn=AD PTA Policy,cn=Password Policies,cn=config
objectClass: top
objectClass: ds-cfg-authentication-policy
objectClass: ds-cfg-ldap-pass-through-authentication-policy
cn: AD PTA Policy
ds-cfg-java-class: org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory
ds-cfg-mapping-policy: mapped-search
ds-cfg-mapped-attribute: sAMAccountName
ds-cfg-mapped-search-base-dn: CN=Users,DC=example,DC=com
ds-cfg-mapped-search-bind-dn: CN=Administrator,CN=Users,DC=example,DC=com
ds-cfg-mapped-search-bind-password: password
ds-cfg-use-password-caching: false
ds-cfg-primary-remote-ldap-server: ad.example.com:389

OpenDJ User (with sAMAccountName: OpenDJ User)

dn: uid=opendj.user,ou=People,dc=forgerock,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: opendj.user
cn: OpenDJ User
sn: User
givenName: OpenDJ
mail: opendj.user@forgerock.com
sAMAccountName: OpenDJ User

AD User (with sAMAccountName: OpenDJ User)

dn: CN=OpenDJ User,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: OpenDJ User
sn: Sustaining
givenName: OpenDJ
distinguishedName: CN=OpenDJ User,CN=Users,DC=example,DC=com
displayName: OpenDJ User
name: OpenDJ User
sAMAccountName: OpenDJ User


Related Issue Tracker IDs

OPENDJ-1103 (Pass Through Authentication mapped-search-filter-template)

OPENDJ-1626 (Mapping attributes for passthrough authentication)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.