<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !      Copyright 2011-2014 ForgeRock AS
-->
<title>Configuring Pass Through Authentication</title>
<indexterm><primary>Pass through authentication</primary></indexterm>

<para>This chapter focuses on pass through authentication (PTA), whereby you
configure another server to determine the response to an authentication
request. A typical use case for pass through authentication involves
passing authentication through to Active Directory for users coming
from Microsoft Windows systems.</para>
<section xml:id="about-pta">
<title>About Pass Through Authentication</title>

<para>You use <firstterm>LDAP pass through authentication</firstterm> when
the credentials for authenticating are stored not in OpenDJ, but instead
in a remote directory service. In effect OpenDJ redirects the bind operation
against a remote LDAP server.</para>

<para>Exactly how OpenDJ redirects the bind depends on how the user entry
in OpenDJ maps to the corresponding user entry in the remote directory.</para>

<para>OpenDJ provides several choices for setting up the mapping.</para>

<para>When both the local entry in OpenDJ and the remote entry in the
other server have the same DN, you do not have to set up the mapping at
all. By default, OpenDJ redirects the bind with the original DN and
password from the client application.</para>

<para>When the local entry in OpenDJ has been provisioned with an attribute
holding the DN of the remote entry, you can specify which attribute holds
the DN, and OpenDJ redirects the bind on the remote server using the DN</para>

<para>When you cannot get the remote bind DN directly, you need an
attribute and value on the OpenDJ entry that corresponds to an identical
attribute and value on the remote server in order to map the local entry
to the remote entry. In this case you also need the bind credentials for
a user who can search for the entry on the remote server. OpenDJ performs
a search for the entry using the matching attribute and value, and then
redirects the bind with the DN from the remote entry.</para>
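The three mapping choices above, as an added in-memory Python model (not OpenDJ code): a local bind is turned into a remote bind by the same DN, by a local attribute holding the remote DN, or by a search on the remote server with the policy's search credentials. `Policy`, `RemoteDirectory` and the sample entries are assumptions constructed for the illustration.

```python
# Added example, not OpenDJ code: an in-memory model of how an LDAP pass through
# authentication policy turns a local bind into a remote bind under the three
# mapping choices described above. Class and function names are assumptions.
from dataclasses import dataclass
@dataclass
class Policy:
    mapping_policy: str                     # "unmapped", "mapped-bind" or "mapped-search"
    mapped_attribute: str = ""              # local attribute used for the mapping
    mapped_search_base_dn: str = ""
    mapped_search_bind_dn: str = ""         # credentials used only for the search,
    mapped_search_bind_password: str = ""   # never for the user's own bind
class RemoteDirectory:  # constructed stand-in for the authentication server
    def __init__(self, entries, search_accounts):
        self.entries = entries                  # dn -> {attr: value, "password": pw}
        self.search_accounts = search_accounts  # dn -> password of accounts allowed to search

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, bind_dn, bind_pw, base_dn, attr, value):
        if self.search_accounts.get(bind_dn) != bind_pw:   # no anonymous search, as with AD
            raise PermissionError("search bind rejected by remote server")
        # Simplified subtree scoping: a DN is in scope if it ends with the base DN.
        hits = [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and e.get(attr) == value]
        if len(hits) != 1:
            raise LookupError(f"expected one match for {attr}={value}, got {len(hits)}")
        return hits[0]

def resolve_remote_bind_dn(local_dn, local_entry, policy, remote):
    """Return the DN the bind is redirected to on the remote server."""
    if policy.mapping_policy == "unmapped":
        return local_dn                               # same DN on both sides
    if policy.mapping_policy == "mapped-bind":
        return local_entry[policy.mapped_attribute]   # local attribute holds the remote DN
    if policy.mapping_policy == "mapped-search":
        return remote.search(policy.mapped_search_bind_dn, policy.mapped_search_bind_password,
                             policy.mapped_search_base_dn, policy.mapped_attribute,
                             local_entry[policy.mapped_attribute])
    raise ValueError(f"unknown mapping policy {policy.mapping_policy!r}")

def pass_through_bind(local_dn, local_entry, policy, remote, password):
    """Map the local entry, then redirect the bind with the client's own password."""
    return remote.bind(resolve_remote_bind_dn(local_dn, local_entry, policy, remote), password)

# Constructed sample data mirroring the chapter's Active Directory example.
AD = RemoteDirectory(
    {"CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com": {"cn": "LDAP PTA User", "password": "secret"}},
    {"cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com": "adminpw"})
AD_POLICY = Policy("mapped-search", "cn", "CN=Users,DC=internal,DC=forgerock,DC=com",
                   "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com", "adminpw")
LOCAL_DN = "uid=ldapptauser,ou=People,dc=example,dc=com"
LOCAL_ENTRY = {"uid": "ldapptauser", "cn": "LDAP PTA User"}   # no userPassword stored locally
```

Note that under mapped-search the user's own password is only ever presented to the remote server; the search credentials are separate and are rejected here if they are wrong.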
<para>You configure pass through authentication as an authentication policy
that you associate with a user's entry in the same way that you associate
a password policy with a user's entry. Either a user has an authentication
policy for pass through authentication, or the user has a local password</para>
</section>
<section xml:id="configure-pta">
<title>Setting Up Pass Through Authentication</title>

<para>When setting up pass through authentication, you need to know to which
remote server or servers to redirect binds, and you need to know how you map
user entries in OpenDJ to user entries in the remote directory.</para>
<procedure xml:id="configure-ssl-to-test-pta">
<title>To Set Up SSL Communication For Testing</title>

<para>When performing pass through authentication, you no doubt want to protect
communications between OpenDJ and the server providing authentication. If
you test using SSL with self-signed certificates, and you do not want
the client to trust the server blindly, follow these steps to import
the authentication server's certificate into the OpenDJ key store.</para>

<para>Export the server certificate from the authentication server.</para>

<para>How you perform this step depends on the authentication directory
server. With OpenDJ, you can export the certificate as shown here.</para>

<para>Make note of the host name used in the certificate.</para>

<para>You use the host name when configuring the SSL connection. With
OpenDJ, you can view the certificate details as shown here.</para>

<screen><computeroutput>Alias name: server-cert
Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
     MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
     SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
     Signature algorithm name: SHA1withRSA
     Version: 3</computeroutput></screen>

<para>Import the authentication server certificate into OpenDJ's</para>

<screen><computeroutput>Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
     MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
     SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
     Signature algorithm name: SHA1withRSA
Trust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput></screen>
</procedure>
<procedure xml:id="configure-pta-policy">
<title>To Configure an LDAP Pass Through Authentication Policy</title>

<para>You configure authentication policies with the
<command>dsconfig</command> command. Notice that authentication policies
are part of the server configuration, and are therefore not replicated.</para>

<para>Set up an authentication policy for pass through
authentication to the authentication server.</para>

<screen><userinput> --bindDN "cn=Directory Manager" \
 --policy-name "PTA Policy" \
 --set mapped-attribute:uid \
 --set mapped-search-base-dn:"dc=PTA Server,dc=com" \
 --set mapping-policy:mapped-search \
 --set trust-manager-provider:JKS \</userinput></screen>

<para>The policy shown here maps identities having this password policy
to identities under <literal>dc=PTA Server,dc=com</literal>. Users must
have the same <literal>uid</literal> values on both servers. The policy
here also uses SSL between OpenDJ and the authentication server.</para>

<para>Check that your policy has been added to the list.</para>

<screen><userinput> --bindDN "cn=Directory Manager" \
 --property use-ssl</userinput>
<computeroutput>Password Policy         : Type               : use-ssl
------------------------:-------------------:--------
Default Password Policy : password-policy    : -
PTA Policy              : ldap-pass-through  : true
Root Password Policy    : password-policy    : -</computeroutput></screen>
</procedure>
<procedure xml:id="configure-pta-to-ad">
<title>To Configure Pass Through Authentication To Active Directory</title>

<indexterm>
<primary>Active Directory</primary>
<see>Pass through authentication</see>
</indexterm>

<para>The steps below demonstrate setting up pass through authentication
to Active Directory. Here is some background to help you make sense of the</para>

<para>Entries on the OpenDJ side use <literal>uid</literal> as the naming
attribute, and entries also have <literal>cn</literal> attributes. Active
Directory entries use <literal>cn</literal> as the naming attribute.
User entries on both sides share the same <literal>cn</literal> values. The
mapping between entries therefore uses <literal>cn</literal>.</para>

<para>Consider the example where an OpenDJ account with
<literal>cn=LDAP PTA User</literal> and DN
<literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> corresponds
to an Active Directory account with DN <literal>CN=LDAP PTA
User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. The steps below
enable the user with <literal>cn=LDAP PTA User</literal> on OpenDJ to
authenticate through to Active Directory.</para>
<screen><userinput> --baseDN dc=example,dc=com \</userinput>
<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User</computeroutput></screen>

<screen><userinput> --baseDN "CN=Users,DC=internal,DC=forgerock,DC=com" \
 --bindDN "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" \</userinput>
<computeroutput>dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
cn: LDAP PTA User</computeroutput></screen>

<para><literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> entry to the
Active Directory entry, <literal>CN=LDAP PTA
User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. In order to do the
mapping, OpenDJ has to perform a search for the user in Active Directory
using the <literal>cn</literal> value it recovers from its own entry for the
user. Active Directory does not allow anonymous searches, so part of the
authentication policy configuration consists of the administrator DN and
password OpenDJ uses to bind to Active Directory to be able to search.</para>

<para>Finally, before setting up the pass through authentication policy,
make sure OpenDJ can connect to Active Directory over a secure connection
to avoid sending passwords in the clear.</para>
<para>Export the certificate from the Windows server.</para>

<para>Click Start > All Programs > Administrative Tools >
Certification Authority, then right-click the CA and select</para>

<para>In the General tab, select the certificate and click View</para>

<para>In the Certificate dialog, click the Details tab, then click</para>

<para>Use the Certificate Export Wizard to export the certificate into</para>

<para>Copy the exported certificate to the system running OpenDJ.</para>

<para>Import the server certificate into OpenDJ's key store.</para>
<screen><computeroutput>Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
Issuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
Serial number: 587465257200a7b14a6976cb47916b32
Valid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016
     MD5:  A3:D6:F1:8D:0D:F9:9C:76:00:BC:84:8A:14:55:28:38
     SHA1: 0F:BD:45:E6:21:DF:BD:6A:CA:8A:7C:1D:F9:DA:A1:8E:8A:0D:A4:BF
     Signature algorithm name: SHA1withRSA
#1: ObjectId: 2.5.29.19 Criticality=true
#2: ObjectId: 2.5.29.15 Criticality=false
#3: ObjectId: 2.5.29.14 Criticality=false
#4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
Trust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput></screen>

<para>At this point OpenDJ can connect to Active Directory over SSL.</para>
<para>Set up an authentication policy for OpenDJ users to authenticate
to Active Directory.</para>

<screen><userinput> --bindDN "cn=Directory Manager" \
 --policy-name "AD PTA Policy" \
 --set mapped-attribute:cn \
 --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com" \
 --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal, \
 --set mapped-search-bind-password:password \
 --set mapping-policy:mapped-search \
 --set trust-manager-provider:JKS \</userinput></screen>

<para>Assign the authentication policy to a test user.</para>

<screen><userinput> --bindDN "cn=Directory Manager" \
dn: uid=ldapptauser,ou=People,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config</userinput>
<computeroutput>Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com</computeroutput></screen>

<para>Check that the user can bind using pass through authentication to</para>

<screen><userinput> --baseDN dc=example,dc=com \
 --bindDN uid=ldapptauser,ou=People,dc=example,dc=com \
 userpassword cn</userinput>
<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User</computeroutput></screen>

<para>Notice that to complete the search, the user authenticated with a
password to Active Directory, though no <literal>userpassword</literal>
value is present on the entry on the OpenDJ side.</para>
</procedure>
</section>
<section xml:id="assigning-pta">
<title>Assigning Pass Through Authentication Policies</title>

<para>You assign authentication policies in the same way as you
assign password policies, by using the
<literal>ds-pwp-password-policy-dn</literal> attribute.</para>

<para>Although you assign the pass through authentication policy using
the same attribute as for password policy, the authentication policy is
not in fact a password policy. Therefore, the user with a pass through
authentication policy does not have a value for the operational attribute
<literal>pwdPolicySubentry</literal>.</para>

<screen><userinput> --baseDN dc=example,dc=com \
 pwdPolicySubentry</userinput>
<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com</computeroutput></screen>
<procedure xml:id="assign-pta-to-user">
<title>To Assign a Pass Through Authentication Policy To a User</title>

<para>Users depending on pass through authentication no longer need a local
password policy, as they no longer authenticate locally.</para>

<para>Examples in the following procedure work for this user, whose
entry on OpenDJ is as shown. Notice that the user has no password set. The
user's password on the authentication server is
<literal>password</literal>.</para>
<programlisting language="ldif">
dn: uid=user.0,ou=People,dc=example,dc=com
description: This is the description for Aaccf Amar.
objectClass: organizationalperson
postalAddress: Aaccf Amar$01251 Chestnut Street$Panama City, DE 50369
street: 01251 Chestnut Street
telephoneNumber: +1 685 622 6202
</programlisting>
<para>This user's entry on the authentication server also has
<literal>uid=user.0</literal>, and the pass through authentication policy
performs the mapping to find the user entry in the authentication</para>

<para>Prevent users from changing their own password policies.</para>

<screen><computeroutput>dn: ou=People,dc=example,dc=com
aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
 "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own password
  policy";deny (write)(userdn = "ldap:///self");)</computeroutput></screen>

<screen><userinput> --bindDN "cn=Directory Manager" \</userinput>
<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput></screen>
<para>Update the user's <literal>ds-pwp-password-policy-dn</literal></para>

<screen><userinput> --bindDN "cn=Directory Manager" \
dn: uid=user.0,ou=People,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config</userinput>
<computeroutput>Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com</computeroutput></screen>

<para>Check that the user can authenticate through to the authentication</para>

<screen><userinput> --baseDN dc=example,dc=com \
 --bindDN uid=user.0,ou=People,dc=example,dc=com \</userinput>
<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com</computeroutput></screen>
</procedure>
<procedure xml:id="assign-pta-to-group">
<title>To Assign a Pass Through Authentication Policy To a Group</title>

<para>Examples in the following steps use the pass through authentication
policy as defined above. Kirsten Vaughan's entry has been reproduced on
the authentication server under <literal>dc=PTA
Server,dc=com</literal>.</para>

<para>Create a subentry to assign a collective attribute that sets the
<literal>ds-pwp-password-policy-dn</literal> attribute for group</para>

<screen><computeroutput>dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
cn: PTA Policy for Dir Admins
ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
 cn=config
subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}</computeroutput></screen>

<screen><userinput> --bindDN "cn=Directory Manager" \</userinput>
<computeroutput>Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com</computeroutput></screen>
<para>Check that OpenDJ has applied the policy.</para>

<para>Make sure you can bind as the user on the authentication</para>

<screen><userinput> --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com" \
 --baseDN "dc=PTA Server,dc=com" \</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
objectClass: organizationalPerson
userPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w==
mail: jvaughan@example.com</computeroutput></screen>

<para>Check that the user can authenticate through to the authentication</para>

<screen><userinput> --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --baseDN dc=example,dc=com \</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
sn: Vaughan</computeroutput></screen>
</procedure>
</section>
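The collective attribute subentry from the group procedure above, modelled as an added Python example (not OpenDJ code): it unfolds the subentry LDIF, reads the subtreeSpecification, and reports which entries receive the collective ds-pwp-password-policy-dn. The parser, `collective_policy_dn`, and the sample user entries are assumptions constructed here from the chapter's values.

```python
# Added example, not OpenDJ code: a model of how the collective attribute subentry
# shown above puts ds-pwp-password-policy-dn on group members' entries. isMemberOf is
# the virtual attribute OpenDJ derives from group membership; function names are
# assumptions made here, and the LDIF below is constructed from the chapter's values.
import re
SUBENTRY_LDIF = """\
dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
cn: PTA Policy for Dir Admins
ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
 cn=config
subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuations, lower-case names, keep values as lists."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # folded line: drop one leading space
        elif raw:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def parse_subtree_spec(spec):
    """Extract base and the single (attr=value) specificationFilter this chapter uses."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    flt = re.search(r'specificationFilter\s+"\((\w+)=([^)]*)\)"', spec)
    return (base.group(1) if base else "",
            flt.group(1).lower() if flt else None, flt.group(2) if flt else None)

def collective_policy_dn(entry, subentry):
    """Return the policy DN the subentry assigns to entry, or None when out of scope.
    Scope = subentry's parent + base, narrowed by the specificationFilter."""
    parent = subentry["dn"][0].split(",", 1)[1]
    base, f_attr, f_val = parse_subtree_spec(subentry["subtreespecification"][0])
    scope = f"{base},{parent}" if base else parent
    if not entry["dn"][0].lower().endswith("," + scope.lower()):
        return None
    if f_attr and f_val not in entry.get(f_attr, []):
        return None
    return subentry["ds-pwp-password-policy-dn;collective"][0]

SUBENTRY = parse_ldif(SUBENTRY_LDIF)
# Constructed entries: kvaughan is a Directory Administrator, user.0 is not.
KVAUGHAN = parse_ldif("dn: uid=kvaughan,ou=People,dc=example,dc=com\n"
                      "isMemberOf: cn=Directory Administrators,ou=Groups,dc=example,dc=com\n")
USER0 = parse_ldif("dn: uid=user.0,ou=People,dc=example,dc=com\n")
```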