51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER START
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! This work is licensed under the Creative Commons
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! To view a copy of this license, visit
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! or send a letter to Creative Commons, 444 Castro Street,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Suite 900, Mountain View, California, 94041, USA.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! You can also obtain a copy of the license at
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! See the License for the specific language governing permissions
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! and limitations under the License.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! If applicable, add the following below this CCPL HEADER, with the fields
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! enclosed by brackets "[]" replaced with your own identifying information:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! Portions Copyright [yyyy] [name of copyright owner]
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark ! CCPL HEADER END
08248b5c5b494aff8d1922e8e0b5777796d7450dmark ! Copyright 2011-2014 ForgeRock AS
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm><primary>Pass through authentication</primary></indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This chapter focuses on pass through authentication (PTA), whereby you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark configure another server to determine the response to an authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark request. A typical use case for pass through authentication involves
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark passing authentication through to Active Directory for users coming
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark from Microsoft Windows systems.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You use <firstterm>LDAP pass through authentication</firstterm> when
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the credentials for authenticating are stored not in OpenDJ, but instead
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in a remote directory service. In effect OpenDJ redirects the bind operation
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark against a remote LDAP server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Exactly how OpenDJ redirects the bind depends on how the user entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark in OpenDJ maps to the corresponding user entry in the remote directory.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ provides you several choices to set up the mapping.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When both the local entry in OpenDJ and the remote entry in the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark other server have the same DN, you do not have to set up the mapping at
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark all. By default, OpenDJ redirects the bind with the original DN and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password from the client application.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When the local entry in OpenDJ has been provisioned with an attribute
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark holding the DN of the remote entry, you can specify which attribute holds
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the DN, and OpenDJ redirects the bind on the remote server using the DN
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark value.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When you cannot get the remote bind DN directly, you need an
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute and value on the OpenDJ entry that corresponds to an identical
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute and value on the remote server in order to map the local entry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to the remote entry. In this case you also need the bind credentials for
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a user who can search for the entry on the remote server. OpenDJ performs
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a search for the entry using the matching attribute and value, and then
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark redirects the bind with the DN from the remote entry.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </listitem>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </itemizedlist>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You configure pass through authentication as an authentication policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark that you associate with a user's entry in the same way that you associate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a password policy with a user's entry. Either a user has an authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policy for pass through authentication, or the user has a local password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policy.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When setting up pass through authentication, you need to know to which
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark remote server or servers to redirect binds, and you need to know how you map
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user entries in OpenDJ to user entries in the remote directory.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>When performing pass through authentication, you no doubt protect
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark communications between OpenDJ and the server providing authentication. If
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark you test using SSL with self-signed certificates, and you do not want
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the client blindly to trust the server, follow these steps to import
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the authentication server's certificate into the OpenDJ key store.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Export the server certificate from the authentication server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>How you perform this step depends on the authentication directory
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server. With OpenDJ, you can export the certificate as shown here.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -exportcert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias server-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore keystore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat keystore.pin` \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Make note of the host name used in the certificate.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You use the host name when configuring the SSL connection. With
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark OpenDJ, you can view the certificate details as shown here.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias server-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore keystore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Alias name: server-cert
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCreation date: Sep 12, 2011
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkEntry type: PrivateKeyEntry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate chain length: 1
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate[1]:
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkOwner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkIssuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSerial number: 4e6dc429
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkValid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate fingerprints:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark MD5: B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Signature algorithm name: SHA1withRSA
08248b5c5b494aff8d1922e8e0b5777796d7450dmark Version: 3</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Import the authentication server certificate into OpenDJ's
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark key store.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -importcert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias pta-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore truststore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat keystore.pin` \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkIssuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSerial number: 4e6dc429
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkValid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate fingerprints:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark MD5: B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Signature algorithm name: SHA1withRSA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Version: 3
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkTrust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Certificate was added to keystore</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Configure an LDAP Pass Through Authentication Policy</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You configure authentication policies with the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <command>dsconfig</command> command. Notice that authentication policies
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark are part of the server configuration, and therefore not replicated.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Set up an authentication policy for pass through
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authentication to the authentication server.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type ldap-pass-through \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "PTA Policy" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set primary-remote-ldap-server:pta-server.example.com:636 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapped-attribute:uid \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapped-search-base-dn:"dc=PTA Server,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapping-policy:mapped-search \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set use-ssl:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set trust-manager-provider:JKS \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The policy shown here maps identities having this password policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to identities under <literal>dc=PTA Server,dc=com</literal>. Users must
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark have the same <literal>uid</literal> values on both servers. The policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark here also uses SSL between OpenDJ and the authentication server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check that your policy has been added to the list.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark list-password-policies \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --property use-ssl</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPassword Policy : Type : use-ssl
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark------------------------:-------------------:--------
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkDefault Password Policy : password-policy : -
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkPTA Policy : ldap-pass-through : true
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkRoot Password Policy : password-policy : -</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Configure Pass Through Authentication To Active Directory</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </indexterm>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>The steps below demonstrate setting up pass through authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to Active Directory. Here is some background to help you make sense of the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark steps.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Entries on the OpenDJ side use <literal>uid</literal> as the naming
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute, and entries also have <literal>cn</literal> attributes. Active
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Directory entries use <literal>cn</literal> as the naming attribute.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark User entries on both sides share the same <literal>cn</literal> values. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark mapping between entries therefore uses <literal>cn</literal>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Consider the example where an OpenDJ account with <literal>cn=LDAP
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark PTA User</literal> and DN
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> corresponds
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to an Active Directory account with DN <literal>CN=LDAP PTA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. The steps below
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark enable the user with <literal>cn=LDAP PTA User</literal> on OpenDJ
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authenticate through to Active Directory.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=ldapptauser \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkcn: LDAP PTA User</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN "CN=Users,DC=internal,DC=forgerock,DC=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(cn=LDAP PTA User)" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkcn: LDAP PTA User</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>OpenDJ must map its
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> entry to the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Active Directory entry, <literal>CN=LDAP PTA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. In order to do the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark mapping, OpenDJ has to perform a search for the user in Active Directory
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark using the <literal>cn</literal> value it recovers from its own entry for the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user. Active Directory does not allow anonymous searches, so part of the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authentication policy configuration consists of the administrator DN and
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password OpenDJ uses to bind to Active Directory to be able to search.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Finally, before setting up the pass through authentication policy,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark make sure OpenDJ can connect to Active Directory over a secure connection
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to avoid sending passwords in the clear.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Export the certificate from the Windows server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <substeps>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Click start > All Programs > Administrative Tools >
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Certification Authority, then right-click the CA and select
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Properties.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In the General tab, select the certificate and click View
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Certificate.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>In the Certificate dialog, click the Details tab, then click
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Copy to File...</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Use the Certificate Export Wizard to export the certificate into
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark a file, such as <filename>windows.cer</filename>.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </substeps>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Copy the exported certificate to the system running OpenDJ.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Import the server certificate into OpenDJ's key store.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>keytool \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -importcert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -alias ad-cert \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -keystore truststore \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark -storepass `cat keystore.pin` \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkIssuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSerial number: 587465257200a7b14a6976cb47916b32
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkValid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkCertificate fingerprints:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark MD5: A3:D6:F1:8D:0D:F9:9C:76:00:BC:84:8A:14:55:28:38
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark SHA1: 0F:BD:45:E6:21:DF:BD:6A:CA:8A:7C:1D:F9:DA:A1:8E:8A:0D:A4:BF
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Signature algorithm name: SHA1withRSA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Version: 3
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkExtensions:
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark#1: ObjectId: 2.5.29.19 Criticality=true
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkBasicConstraints:[
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark PathLen:2147483647
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark#2: ObjectId: 2.5.29.15 Criticality=false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark DigitalSignature
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Key_CertSign
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark#3: ObjectId: 2.5.29.14 Criticality=false
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkSubjectKeyIdentifier [
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkKeyIdentifier [
08248b5c5b494aff8d1922e8e0b5777796d7450dmark0000: A3 3E C0 E3 B2 76 15 DC 97 D0 B3 C0 2E 77 8A 11 .>...v.......w..
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark0010: 24 62 70 0A $bp.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark#4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkTrust this certificate? [no]:</computeroutput> <userinput>yes</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Certificate was added to keystore</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>At this point OpenDJ can connect to Active Directory over SSL.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Set up an authentication policy for OpenDJ users to authenticate
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark to Active Directory.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>dsconfig \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark create-password-policy \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 4444 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --type ldap-pass-through \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --policy-name "AD PTA Policy" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set primary-remote-ldap-server:ad.example.com:636 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapped-attribute:cn \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal, \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark DC=forgerock,DC=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapped-search-bind-password:password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set mapping-policy:mapped-search \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set trust-manager-provider:JKS \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --set use-ssl:true \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --trustAll \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --no-prompt</userinput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Assign the authentication policy to a test user.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=ldapptauser,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadd: ds-pwp-password-policy-dn
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check that the user can bind using pass through authentication to
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark Active Directory.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=ldapptauser,ou=People,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark "(cn=LDAP PTA User)" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark userpassword cn</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkcn: LDAP PTA User</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Notice that to complete the search, the user authenticated with a
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password to Active Directory, though no <literal>userpassword</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark value is present on the entry on the OpenDJ side.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>Assigning Pass Through Authentication Policies</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>You assign authentication policies in the same way as you
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark assign password policies, by using the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-pwp-password-policy-dn</literal> attribute.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Although you assign the pass through authentication policy using
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the same attribute as for password policy, the authentication policy is
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark not in fact a password policy. Therefore, the user with a pass through
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark authentication policy does not have a value for the operational attribute
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=user.0 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark pwdPolicySubentry</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Assign a Pass Through Authentication Policy To a User</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Users depending on pass through authentication no longer need a local
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark password policy, as they no longer authenticate locally.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Examples in the following procedure work for this user, whose
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark entry on OpenDJ is as shown. Notice that the user has no password set. The
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark user's password on the authentication server is
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkdn: uid=user.0,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Aaccf Amar
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdescription: This is the description for Aaccf Amar.
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkemployeeNumber: 0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkgivenName: Aaccf
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkhomePhone: +1 225 216 5900
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkinitials: ASA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkl: Panama City
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmail: user.0@maildomain.net
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkmobile: +1 010 154 3228
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: person
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: inetorgperson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: organizationalperson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpager: +1 779 041 6341
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpostalAddress: Aaccf Amar$01251 Chestnut Street$Panama City, DE 50369
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkpostalCode: 50369
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkstreet: 01251 Chestnut Street
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarktelephoneNumber: +1 685 622 6202
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuid: user.0
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark</programlisting>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>This user's entry on the authentication server also has
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>uid=user.0</literal>, and the pass through authentication policy
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark performs the mapping to find the user entry in the authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server.</para>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Prevent users from changing their own password policies.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkaci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
08248b5c5b494aff8d1922e8e0b5777796d7450dmark word policy";deny (write)(userdn = "ldap:///self");)</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark attribute.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark --bindPassword password
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkdn: uid=user.0,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkchangetype: modify
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkadd: ds-pwp-password-policy-dn
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkMODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check that the user can authenticate through to the authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN uid=user.0,ou=People,dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=user.0 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn sn</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Aaccf Amar
08248b5c5b494aff8d1922e8e0b5777796d7450dmarksn: Amar</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <title>To Assign a Pass Through Authentication Policy To a Group</title>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Examples in the following steps use the pass through authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark policy as defined above. Kirsten Vaughan's entry has been reproduced on
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark the authentication server under <literal>dc=PTA
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Create a subentry to assign a collective attribute that sets the
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <literal>ds-pwp-password-policy-dn</literal> attribute for group
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark members' entries.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: collectiveAttributeSubentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: extensibleObject
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: subentry
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: PTA Policy for Dir Admins
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksubtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}</computeroutput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapmodify \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "cn=Directory Manager" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --defaultAdd \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <substeps>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Make sure you can bind as the user on the authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 2389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN "dc=PTA Server,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=kvaughan</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: person
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: organizationalPerson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: inetOrgPerson
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkobjectClass: top
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkgivenName: Kirsten
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuid: kvaughan
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Kirsten Vaughan
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarksn: Vaughan
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkuserPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w==
08248b5c5b494aff8d1922e8e0b5777796d7450dmarkmail: jvaughan@example.com</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark <para>Check that the user can authenticate through to the authentication
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark server from OpenDJ.</para>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark$ <userinput>ldapsearch \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --port 1389 \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --bindPassword password \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark --baseDN dc=example,dc=com \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark uid=kvaughan \
08248b5c5b494aff8d1922e8e0b5777796d7450dmark cn sn</userinput>
08248b5c5b494aff8d1922e8e0b5777796d7450dmark<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmarkcn: Kirsten Vaughan
08248b5c5b494aff8d1922e8e0b5777796d7450dmarksn: Vaughan</computeroutput>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </substeps>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </procedure>
51607ea01068c9047391e4c8b46bc9dbd0edb7fdmark </section>