<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-pta'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook
 http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <title>Configuring Pass Through Authentication</title>
 <indexterm><primary>Pass through authentication</primary></indexterm>

 <para>This chapter focuses on pass through authentication (PTA), whereby you
 configure another server to determine the response to an authentication
 request. A typical use case for pass through authentication involves
 passing authentication through to Active Directory for users coming
 from Microsoft Windows systems.</para>

 <section xml:id="about-pta">
  <title>About Pass Through Authentication</title>

  <para>You use <firstterm>LDAP pass through authentication</firstterm> when
  the credentials for authenticating are stored not in OpenDJ, but instead
  in a remote directory service. In effect, OpenDJ redirects the bind operation
  to a remote LDAP server.</para>

  <para>Exactly how OpenDJ redirects the bind depends on how the user entry
  in OpenDJ maps to the corresponding user entry in the remote directory.</para>

  <itemizedlist>
   <para>OpenDJ provides you several choices to set up the mapping.</para>
   <listitem>
    <para>When both the local entry in OpenDJ and the remote entry in the
    other server have the same DN, you do not have to set up the mapping at
    all. By default, OpenDJ redirects the bind with the original DN and
    password from the client application.</para>
   </listitem>
   <listitem>
    <para>When the local entry in OpenDJ has been provisioned with an attribute
    holding the DN of the remote entry, you can specify which attribute holds
    the DN, and OpenDJ redirects the bind on the remote server using the DN
    value.</para>
   </listitem>
   <listitem>
    <para>When you cannot get the remote bind DN directly, you need an
    attribute and value on the OpenDJ entry that corresponds to an identical
    attribute and value on the remote server in order to map the local entry
    to the remote entry. In this case you also need the bind credentials for
    a user who can search for the entry on the remote server. OpenDJ performs
    a search for the entry using the matching attribute and value, and then
    redirects the bind with the DN from the remote entry.</para>
   </listitem>
  </itemizedlist>

  <para>You configure pass through authentication as an authentication policy
  that you associate with a user's entry in the same way that you associate
  a password policy with a user's entry. Either a user has an authentication
  policy for pass through authentication, or the user has a local password
  policy.</para>
 </section>

 <section xml:id="configure-pta">
  <title>Setting Up Pass Through Authentication</title>

  <para>When setting up pass through authentication, you need to know to which
  remote server or servers to redirect binds, and you need to know how you map
  user entries in OpenDJ to user entries in the remote directory.</para>

  <procedure xml:id="configure-ssl-to-test-pta">
   <title>To Set Up SSL Communication For Testing</title>

   <para>When performing pass through authentication, you should protect
   communications between OpenDJ and the server providing authentication,
   since the redirected bind carries the user's password over that connection.
   If you test using SSL with self-signed certificates, and you do not want
   the client blindly to trust the server, follow these steps to import
   the authentication server's certificate into the OpenDJ key store.</para>

   <step>
    <para>Export the server certificate from the authentication server.</para>
    <para>How you perform this step depends on the authentication directory
    server. With OpenDJ, you can export the certificate as shown here.</para>

    <screen>
$ <userinput>cd /path/to/PTA-Server/config</userinput>
$ <userinput>keytool \
 -exportcert \
 -rfc \
 -alias server-cert \
 -keystore keystore \
 -storepass `cat keystore.pin` \
 > /tmp/pta-srv-cert.pem</userinput>
    </screen>
   </step>

   <step>
    <para>Make note of the host name used in the certificate.</para>
    <para>You use the host name when configuring the SSL connection. With
    OpenDJ, you can view the certificate details as shown here.</para>

    <screen>
$ <userinput>keytool \
 -list \
 -v \
 -alias server-cert \
 -keystore keystore \
 -storepass `cat keystore.pin`</userinput>
<computeroutput>Alias name: server-cert
Creation date: Sep 12, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 4e6dc429
Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
Certificate fingerprints:
         MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
         SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
         Signature algorithm name: SHA1withRSA
         Version: 3</computeroutput>
    </screen>
   </step>

   <step>
    <para>Import the authentication server certificate into OpenDJ's
    key store.</para>

    <screen>
$ <userinput>cd /path/to/opendj/config</userinput>
$ <userinput>keytool \
 -importcert \
 -alias pta-cert \
 -keystore truststore \
 -storepass `cat keystore.pin` \
 -file /tmp/pta-srv-cert.pem</userinput>
<computeroutput>Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 4e6dc429
Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
Certificate fingerprints:
         MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
         SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
    </screen>
   </step>
  </procedure>

  <procedure xml:id="configure-pta-policy">
   <title>To Configure an LDAP Pass Through Authentication Policy</title>

   <para>You configure authentication policies with the
   <command>dsconfig</command> command. Notice that authentication policies
   are part of the server configuration, and therefore not replicated.</para>

   <step>
    <para>Set up an authentication policy for pass through
    authentication to the authentication server.</para>

    <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --type ldap-pass-through \
 --policy-name "PTA Policy" \
 --set primary-remote-ldap-server:pta-server.example.com:636 \
 --set mapped-attribute:uid \
 --set mapped-search-base-dn:"dc=PTA Server,dc=com" \
 --set mapping-policy:mapped-search \
 --set use-ssl:true \
 --set trust-manager-provider:JKS \
 --trustAll \
 --no-prompt</userinput>
    </screen>

    <para>The policy shown here maps identities having this password policy
    to identities under <literal>dc=PTA Server,dc=com</literal>. Users must
    have the same <literal>uid</literal> values on both servers. The policy
    here also uses SSL between OpenDJ and the authentication server.</para>
   </step>
   <step>
    <para>Check that your policy has been added to the list.</para>

    <screen>
$ <userinput>dsconfig \
 list-password-policies \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --property use-ssl</userinput>
<computeroutput>
Password Policy         : Type              : use-ssl
------------------------:-------------------:--------
Default Password Policy : password-policy   : -
PTA Policy              : ldap-pass-through : true
Root Password Policy    : password-policy   : -</computeroutput>
    </screen>
   </step>
  </procedure>

  <procedure xml:id="configure-pta-to-ad">
   <title>To Configure Pass Through Authentication To Active Directory</title>
   <indexterm>
    <primary>Active Directory</primary>
    <see>Pass through authentication</see>
   </indexterm>

   <para>The steps below demonstrate setting up pass through authentication
   to Active Directory. Here is some background to help you make sense of the
   steps.</para>

   <para>Entries on the OpenDJ side use <literal>uid</literal> as the naming
   attribute, and entries also have <literal>cn</literal> attributes. Active
   Directory entries use <literal>cn</literal> as the naming attribute.
   User entries on both sides share the same <literal>cn</literal> values. The
   mapping between entries therefore uses <literal>cn</literal>.</para>

   <para>Consider the example where an OpenDJ account with <literal>cn=LDAP
   PTA User</literal> and DN
   <literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> corresponds
   to an Active Directory account with DN <literal>CN=LDAP PTA
   User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. The steps below
   enable the user with <literal>cn=LDAP PTA User</literal> on OpenDJ
   to authenticate through to Active Directory.</para>

   <screen>
$ <userinput>ldapsearch \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 uid=ldapptauser \
 cn</userinput>
<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User</computeroutput>

$ <userinput>ldapsearch \
 --hostname ad.example.com \
 --baseDN "CN=Users,DC=internal,DC=forgerock,DC=com" \
 --bindDN "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" \
 --bindPassword password \
 "(cn=LDAP PTA User)" \
 cn</userinput>
<computeroutput>dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
cn: LDAP PTA User</computeroutput>
   </screen>

   <para>OpenDJ must map its
   <literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> entry to the
   Active Directory entry, <literal>CN=LDAP PTA
   User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. In order to do the
   mapping, OpenDJ has to perform a search for the user in Active Directory
   using the <literal>cn</literal> value it recovers from its own entry for the
   user. Active Directory does not allow anonymous searches, so part of the
   authentication policy configuration consists of the administrator DN and
   password OpenDJ uses to bind to Active Directory to be able to search.</para>

   <para>Finally, before setting up the pass through authentication policy,
   make sure OpenDJ can connect to Active Directory over a secure connection
   to avoid sending passwords in the clear.</para>
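   <para>The mapped-search flow just described, together with the three
   mapping choices listed in the About section, as an added simulation that
   is not OpenDJ code: the remote directory is an in-memory dict standing in
   for Active Directory, the entries, passwords and DN normalisation are
   constructed, and the code shows why the mapped search must bind with the
   administrator credentials and must refuse the bind when the mapped
   attribute matches zero or several remote entries.</para>

```python
"""Simulation of OpenDJ LDAP pass-through authentication mapping policies.

Constructed example, not OpenDJ code.  REMOTE_DIRECTORY stands in for the
authentication server (Active Directory in the chapter); DN handling is a
simplified, case-folding approximation of RFC 4514 normalisation.
"""
from dataclasses import dataclass

# Constructed remote entries, keyed by normalised DN.  The first mirrors the
# chapter's "CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com"; the
# two "Dup User" entries exist only to show an ambiguous mapping.
REMOTE_DIRECTORY = {
    "cn=ldap pta user,cn=users,dc=internal,dc=forgerock,dc=com": {
        "cn": ["LDAP PTA User"], "userPassword": "ad-secret"},
    "cn=dup one,cn=users,dc=internal,dc=forgerock,dc=com": {
        "cn": ["Dup User"], "userPassword": "x"},
    "cn=dup two,cn=users,dc=internal,dc=forgerock,dc=com": {
        "cn": ["Dup User"], "userPassword": "y"},
    "cn=administrator,cn=users,dc=internal,dc=forgerock,dc=com": {
        "cn": ["administrator"], "userPassword": "admin-secret"},
}


def normalize_dn(dn):
    """Lower-case the DN and drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def remote_bind(dn, password):
    """Simple bind on the remote server: True only on an exact password match."""
    entry = REMOTE_DIRECTORY.get(normalize_dn(dn))
    return entry is not None and entry["userPassword"] == password


def remote_search(base_dn, attribute, values, bind_dn, bind_password):
    """Authenticated subtree search for entries whose attribute matches any value.

    The search bind is mandatory because the directory refuses anonymous
    searches; this is why mapped-search-bind-dn and -password are policy settings.
    """
    if not remote_bind(bind_dn, bind_password):
        raise PermissionError("mapped-search bind failed")
    base = normalize_dn(base_dn)
    wanted = {v.lower() for v in values}
    return [dn for dn, attrs in REMOTE_DIRECTORY.items()
            if dn.endswith(base)
            and wanted.intersection(a.lower() for a in attrs.get(attribute, []))]


@dataclass
class PtaPolicy:
    """Subset of the ldap-pass-through policy properties set with dsconfig."""
    mapping_policy: str = "unmapped"   # unmapped | mapped-bind | mapped-search
    mapped_attribute: str = "cn"
    mapped_search_base_dn: str = ""
    mapped_search_bind_dn: str = ""
    mapped_search_bind_password: str = ""


def resolve_remote_dn(policy, local_dn, local_entry):
    """Return the DN to bind with on the remote server, or None if unmappable."""
    if policy.mapping_policy == "unmapped":
        # Same DN on both sides: the bind is forwarded unchanged.
        return local_dn
    values = local_entry.get(policy.mapped_attribute, [])
    if policy.mapping_policy == "mapped-bind":
        # The local entry carries the remote DN; exactly one value is usable.
        return values[0] if len(values) == 1 else None
    if policy.mapping_policy == "mapped-search":
        if not values:
            return None
        matches = remote_search(policy.mapped_search_base_dn,
                                policy.mapped_attribute, values,
                                policy.mapped_search_bind_dn,
                                policy.mapped_search_bind_password)
        # Zero matches: no remote account.  Several: the mapping is ambiguous,
        # so refuse rather than bind as whichever entry came back first.
        return matches[0] if len(matches) == 1 else None
    raise ValueError("unknown mapping-policy: " + policy.mapping_policy)


def pass_through_bind(policy, local_dn, local_entry, password):
    """Outcome of a client bind against the local entry under the given policy."""
    remote_dn = resolve_remote_dn(policy, local_dn, local_entry)
    if remote_dn is None:
        return False
    return remote_bind(remote_dn, password)


# Policy matching the chapter's Active Directory example (constructed password).
AD_PTA_POLICY = PtaPolicy(
    mapping_policy="mapped-search",
    mapped_attribute="cn",
    mapped_search_base_dn="CN=Users,DC=internal,DC=forgerock,DC=com",
    mapped_search_bind_dn="cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com",
    mapped_search_bind_password="admin-secret",
)
LOCAL_DN = "uid=ldapptauser,ou=People,dc=example,dc=com"
LOCAL_ENTRY = {"uid": ["ldapptauser"], "cn": ["LDAP PTA User"]}

if __name__ == "__main__":
    print("ldapptauser binds:",
          pass_through_bind(AD_PTA_POLICY, LOCAL_DN, LOCAL_ENTRY, "ad-secret"))
```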

   <step>
    <para>Export the certificate from the Windows server.</para>
    <substeps>
     <step>
      <para>Click start &gt; All Programs &gt; Administrative Tools &gt;
      Certification Authority, then right-click the CA and select
      Properties.</para>
     </step>
     <step>
      <para>In the General tab, select the certificate and click View
      Certificate.</para>
     </step>
     <step>
      <para>In the Certificate dialog, click the Details tab, then click
      Copy to File...</para>
     </step>
     <step>
      <para>Use the Certificate Export Wizard to export the certificate into
      a file, such as <filename>windows.cer</filename>.</para>
     </step>
    </substeps>
   </step>
   <step>
    <para>Copy the exported certificate to the system running OpenDJ.</para>
   </step>
   <step>
    <para>Import the server certificate into OpenDJ's key store.</para>

    <screen>
$ <userinput>cd /path/to/opendj/config</userinput>
$ <userinput>keytool \
 -importcert \
 -alias ad-cert \
 -keystore truststore \
 -storepass `cat keystore.pin` \
 -file ~/Downloads/windows.cer</userinput>
<computeroutput>Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
Issuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
Serial number: 587465257200a7b14a6976cb47916b32
Valid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016
Certificate fingerprints:
         MD5:  A3:D6:F1:8D:0D:F9:9C:76:00:BC:84:8A:14:55:28:38
         SHA1: 0F:BD:45:E6:21:DF:BD:6A:CA:8A:7C:1D:F9:DA:A1:8E:8A:0D:A4:BF
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A3 3E C0 E3 B2 76 15 DC   97 D0 B3 C0 2E 77 8A 11  .>...v.......w..
0010: 24 62 70 0A                                        $bp.
]
]

#4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false

Trust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
    </screen>

    <para>At this point OpenDJ can connect to Active Directory over SSL.</para>
   </step>
   <step>
    <para>Set up an authentication policy for OpenDJ users to authenticate
    to Active Directory.</para>

    <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --type ldap-pass-through \
 --policy-name "AD PTA Policy" \
 --set primary-remote-ldap-server:ad.example.com:636 \
 --set mapped-attribute:cn \
 --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com" \
 --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" \
 --set mapped-search-bind-password:password \
 --set mapping-policy:mapped-search \
 --set trust-manager-provider:JKS \
 --set use-ssl:true \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Assign the authentication policy to a test user.</para>

    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: uid=ldapptauser,ou=People,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config</userinput>

<computeroutput>Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check that the user can bind using pass through authentication to
    Active Directory.</para>

    <screen>
$ <userinput>ldapsearch \
 --hostname opendj.example.com \
 --port 1389 \
 --baseDN dc=example,dc=com \
 --bindDN uid=ldapptauser,ou=People,dc=example,dc=com \
 --bindPassword password \
 "(cn=LDAP PTA User)" \
 userpassword cn</userinput>
<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User</computeroutput>
    </screen>

    <para>Notice that to complete the search, the user authenticated with a
    password to Active Directory, though no <literal>userpassword</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark value is present on the entry on the OpenDJ side.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <section xml:id="assigning-pta">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Assigning Pass Through Authentication Policies</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You assign authentication policies in the same way as you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark assign password policies, by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-pwp-password-policy-dn</literal> attribute.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <note>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Although you assign the pass through authentication policy using
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the same attribute as for password policy, the authentication policy is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark not in fact a password policy. Therefore, the user with a pass through
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authentication policy does not have a value for the operational attribute
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>pwdPolicySubentry</literal>.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=user.0 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark pwdPolicySubentry</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </note>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <procedure xml:id="assign-pta-to-user">
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Assign a Pass Through Authentication Policy To a User</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Users depending on pass through authentication no longer need a local
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password policy, as they no longer authenticate locally.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Examples in the following procedure work for this user, whose
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entry on OpenDJ is as shown. Notice that the user has no password set. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user's password on the authentication server is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>password</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <programlisting language="ldif">
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkdn: uid=user.0,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Aaccf Amar
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdescription: This is the description for Aaccf Amar.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkemployeeNumber: 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkgivenName: Aaccf
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkhomePhone: +1 225 216 5900
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkinitials: ASA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkl: Panama City
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmail: user.0@maildomain.net
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmobile: +1 010 154 3228
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: person
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: inetorgperson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: organizationalperson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpager: +1 779 041 6341
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpostalAddress: Aaccf Amar$01251 Chestnut Street$Panama City, DE 50369
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpostalCode: 50369
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksn: Amar
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkst: DE
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkstreet: 01251 Chestnut Street
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarktelephoneNumber: +1 685 622 6202
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuid: user.0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This user's entry on the authentication server also has
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=user.0</literal>, and the pass through authentication policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark performs the mapping to find the user entry in the authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Prevent users from changing their own password policies.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>cat protect-pta.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadd: aci
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
08248b5c5b494aff8d1922e8e0b5777796d7450dmark word policy";deny (write)(userdn = "ldap:///self");)</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --filename protect-pta.ldif</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=user.0,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadd: ds-pwp-password-policy-dn
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check that the user can authenticate through to the authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark
08248b5c5b494aff8d1922e8e0b5777796d7450dmark <screen>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=user.0,ou=People,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=user.0 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn sn</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Aaccf Amar
08248b5c5b494aff8d1922e8e0b5777796d7450dmarksn: Amar</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark </screen>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </step>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
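A check to run over an LDIF export once policies have been assigned, added here as an example and not part of the OpenDJ documentation: it flags users on a pass through authentication policy whose entry still carries a userPassword, and users left with neither a policy nor a password. The policy DNs are the ones this chapter creates; the sample entries and the minimal LDIF parser are constructed for the example.

```python
# Added example, not OpenDJ code: audit an LDIF export for users assigned a
# pass through authentication policy that still carry a local userPassword
# (a stale local secret; such users no longer authenticate locally) and for
# users with neither a policy nor a password. Sample data is constructed;
# the policy DNs are the ones this chapter creates.
PTA_POLICY_DNS = {"cn=pta policy,cn=password policies,cn=config",
                  "cn=ad pta policy,cn=password policies,cn=config"}

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts (attribute names in
    lower case, folded continuation lines joined, base64 values left as-is)."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]          # LDIF line folding
        elif raw.strip() == "":
            if current:
                entries.append(current)
            current, last = {}, None
        elif not raw.startswith("#"):
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.lstrip())
    return entries

def audit_pta(text, pta_policy_dns=PTA_POLICY_DNS):
    """Return {dn: finding} for entries that need attention."""
    findings = {}
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        policies = [p.lower() for p in e.get("ds-pwp-password-policy-dn", [])]
        on_pta = any(p in pta_policy_dns for p in policies)
        if on_pta and "userpassword" in e:
            findings[dn] = "stale_local_password"
        elif not on_pta and "userpassword" not in e:
            findings[dn] = "no_credential"        # cannot bind at all
    return findings

# Constructed export: user.0 as assigned in the procedure, user.1 switched to
# PTA but never stripped of its hash, user.3 with no way to authenticate.
SAMPLE_LDIF = """dn: uid=user.0,ou=People,dc=example,dc=com
uid: user.0
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,
 cn=config

dn: uid=user.1,ou=People,dc=example,dc=com
uid: user.1
userPassword: {SSHA}constructed-placeholder-hash
ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config

dn: uid=user.3,ou=People,dc=example,dc=com
uid: user.3
"""

if __name__ == "__main__":
    for dn, finding in sorted(audit_pta(SAMPLE_LDIF).items()):
        print(finding, dn)
```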

 <procedure xml:id="assign-pta-to-group">
 <title>To Assign a Pass Through Authentication Policy To a Group</title>

 <para>Examples in the following steps use the pass through authentication
 policy as defined above. Kirsten Vaughan's entry has been reproduced on
 the authentication server under <literal>dc=PTA
 Server,dc=com</literal>.</para>

 <step>
 <para>Create a subentry to assign a collective attribute that sets the
 <literal>ds-pwp-password-policy-dn</literal> attribute for group
 members' entries.</para>

 <screen>
$ <userinput>cat pta-coll.ldif</userinput>
<computeroutput>dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
objectClass: top
cn: PTA Policy for Dir Admins
ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
 cn=config
subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}</computeroutput>

$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename pta-coll.ldif</userinput>
<computeroutput>Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com</computeroutput>
 </screen>
 </step>
 <step>
 <para>Check that OpenDJ has applied the policy.</para>
 <substeps>
 <step>
 <para>Make sure you can bind as the user on the authentication
 server.</para>

 <screen>
$ <userinput>ldapsearch \
 --port 2389 \
 --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com" \
 --bindPassword password \
 --baseDN "dc=PTA Server,dc=com" \
 uid=kvaughan</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
givenName: Kirsten
uid: kvaughan
cn: Kirsten Vaughan
sn: Vaughan
userPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w==
ou: People
mail: jvaughan@example.com</computeroutput>
 </screen>
 </step>
 <step>
 <para>Check that the user can authenticate through to the authentication
 server from OpenDJ.</para>

 <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 uid=kvaughan \
 cn sn</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
cn: Kirsten Vaughan
sn: Vaughan</computeroutput>
 </screen>
 </step>
 </substeps>
 </step>
 </procedure>
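As an added illustration, not OpenDJ code: a small model of how the collective attribute subentry in the procedure above selects entries. The base in the subtree specification is taken relative to the subentry's parent, and isMemberOf is derived from a constructed static group, so a group member whose entry sits outside ou=People receives no policy. The group member uid=hmiller and the entry list are constructed for the example.

```python
# Added example, not OpenDJ code: model how the collective attribute subentry
# in this procedure selects the entries that receive ds-pwp-password-policy-dn.
# Under the subtree specification rules, "base" is relative to the subentry's
# parent (dc=example,dc=com), and specificationFilter is evaluated against
# isMemberOf, which OpenDJ derives from group membership. Only the single
# equality filter on isMemberOf used in this step is supported here.
import re

def norm_dn(dn):
    """Lower-case a DN and drop whitespace around its commas for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def is_within(entry_dn, subtree_dn):
    """True when entry_dn is subtree_dn itself or lies beneath it."""
    e, s = norm_dn(entry_dn), norm_dn(subtree_dn)
    return e == s or e.endswith("," + s)

def parse_subtree_spec(spec):
    """Return (base, group DN from an isMemberOf equality filter or None)."""
    base = re.search(r'base\s+"([^"]*)"', spec)
    flt = re.search(r'specificationFilter\s+"\(isMemberOf=([^)]*)\)"', spec)
    return (base.group(1) if base else ""), (flt.group(1) if flt else None)

def collective_targets(subentry_dn, spec, entry_dns, groups):
    """DNs in entry_dns that receive the collective attribute.
    groups maps a static group DN to the DNs listed as its members."""
    admin_point = subentry_dn.split(",", 1)[1]       # parent of the subentry
    base, group_dn = parse_subtree_spec(spec)
    subtree = base + "," + admin_point if base else admin_point
    members_of = {norm_dn(g): {norm_dn(m) for m in ms}
                  for g, ms in groups.items()}
    hits = []
    for dn in entry_dns:
        if not is_within(dn, subtree):
            continue                                  # outside the subtree
        if group_dn is not None:
            if norm_dn(dn) not in members_of.get(norm_dn(group_dn), set()):
                continue                              # filter does not match
        hits.append(dn)
    return hits

# Constructed sample data modelled on the subentry shown in this procedure.
SUBENTRY_DN = "cn=PTA Policy for Dir Admins,dc=example,dc=com"
SPEC = ('{ base "ou=People", specificationFilter "(isMemberOf='
        'cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}')
GROUPS = {"cn=Directory Administrators,ou=Groups,dc=example,dc=com": [
    "uid=kvaughan,ou=People,dc=example,dc=com",
    "uid=hmiller,ou=Special Users,dc=example,dc=com",   # constructed admin
]}
ENTRY_DNS = [
    "uid=kvaughan,ou=People,dc=example,dc=com",        # member, in base
    "uid=user.0,ou=People,dc=example,dc=com",          # in base, not member
    "uid=hmiller,ou=Special Users,dc=example,dc=com",  # member, outside base
]

if __name__ == "__main__":
    print(collective_targets(SUBENTRY_DN, SPEC, ENTRY_DNS, GROUPS))
```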
 </section>
</chapter>