IBM Tivoli Directory Server, Version 6.3

Pass-through authentication

Pass-through authentication (PTA) is a mechanism by which, if a client attempts to bind to a directory server and the user credential is not available locally, the server verifies the credential against another external directory server (the pass-through server) on behalf of the client. The credential here is the userpassword attribute in Tivoli® Directory Server. To gain a better understanding of the pass-through authentication mechanism, consider the example given below:

Figure 1. Pass-through authentication (figure not reproduced)
Note:
The pass-through server that holds the user credentials can be Active Directory or an LDAP V3 compliant directory (including Tivoli Directory Server).

To illustrate a use case of pass-through authentication, consider two servers, server X and server Y, and a user entry cn=Tom Brown,o=sample stored on server Y. If the user Tom Brown attempts to access server X to perform any operation, the user must first bind to server X with their credential for authentication. Because the credential is not present on server X, the user would be unable to bind to the server. With the pass-through authentication mechanism, however, server X can verify the credential by contacting server Y. After the credential is validated by server Y, server X treats the user as authenticated and therefore returns success for the bind operation.

Alternatively, if the user entry is present on server X while its credential is held on server Y, server X again contacts server Y to verify the credential.

In the above cases it is assumed that the DNs on server X and server Y are identical. However, this is not always true, because the directory structure layout may differ between the two servers. This means that the DN "cn=Tom Brown,o=sample" on server X may map to some other DN on server Y. In such situations the entries on server X and server Y usually share some attribute whose value is unique for every entry, for instance uid. Therefore, an attribute from Tivoli Directory Server can be mapped to an attribute in the pass-through server. This mapping is then used to query the pass-through server to fetch the required DN, and a bind operation is performed for that DN to determine whether the userpassword is correct.
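The following is an added example that models the decision flow described above (local credential present, identical DNs, and attribute-mapped DNs); it is not IBM's code, and the in-memory DirectoryServer class, the pta_bind function and the sample entries are constructed for illustration only. It also covers the case the text implies by requiring a unique attribute: a mapping that yields zero or several candidate DNs refuses the bind instead of guessing.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class DirectoryServer:
    """Toy in-memory stand-in for an LDAP server (constructed for this example)."""
    entries: dict = field(default_factory=dict)   # DN -> {attribute: value}

    def bind(self, dn, password):
        # Plain bind: the entry must exist here and carry a matching userpassword.
        entry = self.entries.get(dn, {})
        return "userpassword" in entry and hmac.compare_digest(entry["userpassword"], password)

    def search(self, attr, value):
        # DNs of every entry whose attribute equals the value (like a filter (uid=tbrown)).
        return [dn for dn, e in self.entries.items() if e.get(attr) == value]

def pta_bind(local, pass_through, dn, password, attr_map=None):
    """Bind to `local`; fall back to `pass_through` when the credential is not held locally.
    attr_map=(local_attr, remote_attr) maps an entry on `local` to its DN on `pass_through`."""
    entry = local.entries.get(dn)
    if entry is not None and "userpassword" in entry:
        return local.bind(dn, password)          # credential is local: no pass-through
    if attr_map is None:
        target_dn = dn                           # assumes identical DNs on both servers
    else:
        local_attr, remote_attr = attr_map
        if entry is None or local_attr not in entry:
            return False                         # nothing to map with
        matches = pass_through.search(remote_attr, entry[local_attr])
        if len(matches) != 1:
            return False                         # no match, or ambiguous: refuse the bind
        target_dn = matches[0]
    return pass_through.bind(target_dn, password)

# Constructed sample data: server X holds the entry (and uid), server Y holds the credential.
SERVER_X = DirectoryServer({"cn=Tom Brown,o=sample": {"uid": "tbrown"}})
SERVER_Y = DirectoryServer({"cn=Tom Brown,o=sample": {"uid": "tbrown", "userpassword": "s3cret"}})
# Server Y with a different layout, reachable only through the uid-to-uid mapping.
SERVER_Y_MAPPED = DirectoryServer(
    {"uid=tbrown,ou=people,o=sample": {"uid": "tbrown", "userpassword": "s3cret"}})

if __name__ == "__main__":
    print(pta_bind(SERVER_X, SERVER_Y, "cn=Tom Brown,o=sample", "s3cret"))
    print(pta_bind(SERVER_X, SERVER_Y_MAPPED, "cn=Tom Brown,o=sample", "s3cret",
                   attr_map=("uid", "uid")))
```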

