Configuring Pass-Through Authentication

This chapter focuses on pass-through authentication (PTA), whereby you configure another server to determine the response to an authentication request. A typical use case for PTA involves passing authentication through to Active Directory for users coming from Microsoft Windows systems. In this chapter you will learn to:

  • Configure password policies to use PTA

  • Assign PTA policies to users and to groups

About Pass-through Authentication

You use pass-through authentication (PTA) when the credentials for authenticating are stored in a remote directory service instead of OpenDJ. In effect OpenDJ redirects the bind operation against a remote LDAP server. The method OpenDJ uses to redirect the bind depends on the mapping from the user entry in OpenDJ to the corresponding user entry in the remote directory. OpenDJ provides you several choices to set up the mapping:

  • When both the local entry in OpenDJ and the remote entry in the other server have the same DN, you do not have to set up the mapping. By default, OpenDJ redirects the bind with the original DN and password from the client application.

  • When the local entry in OpenDJ has been provisioned with an attribute holding the DN of the remote entry, you can specify which attribute holds the DN, and OpenDJ redirects the bind on the remote server using the DN value.

  • When you cannot get the remote bind DN directly, you need an attribute and value on the OpenDJ entry that corresponds to an identical attribute and value on the remote server. In this case you also need the bind credentials for a user who can search for the entry on the remote server. OpenDJ performs a search for the entry using the matching attribute and value, and then redirects the bind with the DN from the remote entry.

You configure PTA as an authentication policy that you associate with a user’s entry in the same way that you associate a password policy with a user’s entry. Either a user has an authentication policy for PTA, or the user has a local password policy.

Setting Up Pass-Through Authentication

When setting up pass-through authentication, you need to know to which remote server or servers to redirect binds, and you need to know how you map user entries in OpenDJ to user entries in the remote directory.

To Set Up SSL Communication For Testing

When performing PTA, you protect communications between OpenDJ and the server providing authentication. If you test using SSL with self-signed certificates, and you do not want the client to blindly trust the server, follow these steps to import the authentication server’s certificate into the OpenDJ keystore.

  1. Export the server certificate from the authentication server.

    How you perform this step depends on the authentication directory server. With OpenDJ, you can export the certificate as shown here:

    $ cd /path/to/PTA-Server/config
    $ keytool \
     -exportcert \
     -rfc \
     -alias server-cert \
     -keystore keystore \
     -storepass `cat keystore.pin` \
     > /tmp/pta-srv-cert.pem
  2. Make note of the host name used in the certificate.

    You use the host name when configuring the SSL connection. With OpenDJ, you can view the certificate details as shown here:

    $ keytool \
     -list \
     -v \
     -alias server-cert \
     -keystore keystore \
     -storepass `cat keystore.pin`
    Alias name: server-cert
    Creation date: Sep 12, 2011
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
    Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
    Serial number: 4e6dc429
    Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
    Certificate fingerprints:
      MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
      SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
      Signature algorithm name: SHA1withRSA
      Version: 3
  3. Import the authentication server certificate into OpenDJ’s keystore:

    $ cd /path/to/opendj/config
    $ keytool \
     -importcert \
     -alias pta-cert \
     -keystore truststore \
     -storepass `cat keystore.pin` \
     -file /tmp/pta-srv-cert.pem
    Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
    Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
    Serial number: 4e6dc429
    Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
    Certificate fingerprints:
      MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
      SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
      Signature algorithm name: SHA1withRSA
      Version: 3
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
To Configure an LDAP Pass-Through Authentication Policy

You configure authentication policies with the dsconfig command. Notice that authentication policies are part of the server configuration, and therefore not replicated.

  1. Set up an authentication policy for pass-through authentication to the authentication server:

    $ dsconfig \
     create-password-policy \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --type ldap-pass-through \
     --policy-name "PTA Policy" \
     --set primary-remote-ldap-server:pta-server.example.com:636 \
     --set mapped-attribute:uid \
     --set mapped-search-base-dn:"dc=PTA Server,dc=com" \
     --set mapping-policy:mapped-search \
     --set use-ssl:true \
     --set trust-manager-provider:JKS \
     --trustAll \
     --no-prompt

    The policy shown here maps identities with this this password policy to identities under dc=PTA Server,dc=com. Users must have the same uid values on both servers. The policy here also uses SSL between OpenDJ and the authentication server.

  2. Check that your policy has been added to the list:

    $ dsconfig \
     list-password-policies \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --property use-ssl
    
    Password Policy         : Type              : use-ssl
    ------------------------:-------------------:--------
    Default Password Policy : password-policy   : -
    PTA Policy              : ldap-pass-through : true
    Root Password Policy    : password-policy   : -
To Configure Pass-Through Authentication To Active Directory

The steps below demonstrate how to set up PTA to Active Directory. Here is some information to help you make sense of the steps.

Entries on the OpenDJ side use uid as the naming attribute, and entries also have cn attributes. Active Directory entries use cn as the naming attribute. User entries on both sides share the same cn values. The mapping between entries therefore uses cn.

Consider the example where an OpenDJ account with cn=LDAP PTA User and DN uid=ldapptauser,ou=People,dc=example,dc=com corresponds to an Active Directory account with DN CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com. The steps below enable the user with cn=LDAP PTA User on OpenDJ authenticate through to Active Directory:

$ ldapsearch \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 uid=ldapptauser \
 cn
dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User

$ ldapsearch \
 --hostname ad.example.com \
 --baseDN "CN=Users,DC=internal,DC=forgerock,DC=com" \
 --bindDN "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" \
 --bindPassword password \
 "(cn=LDAP PTA User)" \
 cn
dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
cn: LDAP PTA User

OpenDJ must map its uid=ldapptauser,ou=People,dc=example,dc=com entry to the Active Directory entry, CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com. In order to do the mapping, OpenDJ has to perform a search for the user in Active Directory using the cn value it recovers from its own entry for the user. Active Directory does not allow anonymous searches, so part of the authentication policy configuration consists of the administrator DN and password OpenDJ uses to bind to Active Directory to be able to search.

Finally, before setting up the PTA policy, make sure OpenDJ can connect to Active Directory over a secure connection to avoid sending passwords in the clear.

  1. Export the certificate from the Windows server.

    1. Click start > All Programs > Administrative Tools > Certification Authority, then right-click the CA and select Properties.

    2. In the General tab, select the certificate and click View Certificate.

    3. In the Certificate dialog, click the Details tab, then click Copy to File…​

    4. Use the Certificate Export Wizard to export the certificate into a file, such as windows.cer.

  2. Copy the exported certificate to the system running OpenDJ.

  3. Import the server certificate into OpenDJ’s keystore:

    $ cd /path/to/opendj/config
    $ keytool \
     -importcert \
     -alias ad-cert \
     -keystore truststore \
     -storepass `cat keystore.pin` \
     -file ~/Downloads/windows.cer
    Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
    Issuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
    Serial number: 587465257200a7b14a6976cb47916b32
    Valid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016
    Certificate fingerprints:
      MD5:  A3:D6:F1:8D:0D:F9:9C:76:00:BC:84:8A:14:55:28:38
      SHA1: 0F:BD:45:E6:21:DF:BD:6A:CA:8A:7C:1D:F9:DA:A1:8E:8A:0D:A4:BF
      Signature algorithm name: SHA1withRSA
      Version: 3
    
    Extensions:
    
    #1: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    
    #2: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Key_CertSign
      Crl_Sign
    ]
    
    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: A3 3E C0 E3 B2 76 15 DC   97 D0 B3 C0 2E 77 8A 11  .>...v.......w..
    0010: 24 62 70 0A                                        $bp.
    ]
    ]
    
    #4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
    
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

    At this point OpenDJ can connect to Active Directory over SSL.

  4. Set up an authentication policy for OpenDJ users to authenticate to Active Directory:

    $ dsconfig \
     create-password-policy \
     --port 4444 \
     --hostname opendj.example.com \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --type ldap-pass-through \
     --policy-name "AD PTA Policy" \
     --set primary-remote-ldap-server:ad.example.com:636 \
     --set mapped-attribute:cn \
     --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com" \
     --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal, \
      DC=forgerock,DC=com" \
     --set mapped-search-bind-password:password \
     --set mapping-policy:mapped-search \
     --set trust-manager-provider:JKS \
     --set use-ssl:true \
     --trustAll \
     --no-prompt
  5. Assign the authentication policy to a test user:

    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password
    dn: uid=ldapptauser,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config
    
    Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
    MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com
  6. Check that the user can bind using PTA to Active Directory:

    $ ldapsearch \
     --hostname opendj.example.com \
     --port 1389 \
     --baseDN dc=example,dc=com \
     --bindDN uid=ldapptauser,ou=People,dc=example,dc=com \
     --bindPassword password \
     "(cn=LDAP PTA User)" \
     userpassword cn
    dn: uid=ldapptauser,ou=People,dc=example,dc=com
    cn: LDAP PTA User

    Notice that to complete the search, the user authenticated with a password to Active Directory, though no userpassword value is present on the entry on the OpenDJ side.

Assigning Pass-Through Authentication Policies

You assign authentication policies in the same way as you assign password policies, by using the ds-pwp-password-policy-dn attribute.

Although you assign the pass-through authentication policy using the same attribute as for password policy, the authentication policy is not in fact a password policy. Therefore, the user with a pass-through authentication policy does not have a value for the operational attribute pwdPolicySubentry:

$ ldapsearch \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 uid=user.0 \
 pwdPolicySubentry
dn: uid=user.0,ou=People,dc=example,dc=com
To Assign a Pass-Through Authentication Policy To a User

Users depending on PTA no longer need a local password policy, as they no longer authenticate locally.

Examples in the following procedure work for this user, whose entry on OpenDJ is as shown. Notice that the user has no password set. The user’s password on the authentication server is password:

dn: uid=user.0,ou=People,dc=example,dc=com
cn: Aaccf Amar
description: This is the description for Aaccf Amar.
employeeNumber: 0
givenName: Aaccf
homePhone: +1 225 216 5900
initials: ASA
l: Panama City
mail: user.0@maildomain.net
mobile: +1 010 154 3228
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: top
pager: +1 779 041 6341
postalAddress: Aaccf Amar$01251 Chestnut Street$Panama City, DE  50369
postalCode: 50369
sn: Amar
st: DE
street: 01251 Chestnut Street
telephoneNumber: +1 685 622 6202
uid: user.0

This user’s entry on the authentication server also has uid=user.0, and the pass-through authentication policy performs the mapping to find the user entry in the authentication server.

  1. Prevent users from changing their own password policies:

    $ cat protect-pta.ldif
    dn: ou=People,dc=example,dc=com
    changetype: modify
    add: aci
    aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
     "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
     word policy";deny (write)(userdn = "ldap:///self");)
    
    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --filename protect-pta.ldif
    Processing MODIFY request for ou=People,dc=example,dc=com
    MODIFY operation successful for DN ou=People,dc=example,dc=com
  2. Update the user’s ds-pwp-password-policy-dn attribute:

    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password
    dn: uid=user.0,ou=People,dc=example,dc=com
    changetype: modify
    add: ds-pwp-password-policy-dn
    ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
    
    Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
    MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com
  3. Check that the user can authenticate through to the authentication server:

    $ ldapsearch \
     --port 1389 \
     --baseDN dc=example,dc=com \
     --bindDN uid=user.0,ou=People,dc=example,dc=com \
     --bindPassword password \
     uid=user.0 \
     cn sn
    dn: uid=user.0,ou=People,dc=example,dc=com
    cn: Aaccf Amar
    sn: Amar
To Assign a Pass-Through Authentication Policy To a Group

Examples in the following steps use the PTA policy as defined above. Kirsten Vaughan’s entry has been reproduced on the authentication server under dc=PTA Server,dc=com.

  1. Create a subentry to assign a collective attribute that sets the ds-pwp-password-policy-dn attribute for group members' entries:

    $ cat pta-coll.ldif
    dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
    objectClass: collectiveAttributeSubentry
    objectClass: extensibleObject
    objectClass: subentry
    objectClass: top
    cn: PTA Policy for Dir Admins
    ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
     cn=config
    subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
     cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
    
    $ ldapmodify \
     --port 1389 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --defaultAdd \
     --filename pta-coll.ldif
    Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
    ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com
  2. Check that OpenDJ has applied the policy.

    1. Make sure you can bind as the user on the authentication server:

      $ ldapsearch \
       --port 2389 \
       --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com" \
       --bindPassword password \
       --baseDN "dc=PTA Server,dc=com" \
       uid=kvaughan
      dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
      objectClass: person
      objectClass: organizationalPerson
      objectClass: inetOrgPerson
      objectClass: top
      givenName: Kirsten
      uid: kvaughan
      cn: Kirsten Vaughan
      sn: Vaughan
      userPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w==
      ou: People
      mail: jvaughan@example.com
    2. Check that the user can authenticate through to the authentication server from OpenDJ directory server:

      $ ldapsearch \
       --port 1389 \
       --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
       --bindPassword password \
       --baseDN dc=example,dc=com \
       uid=kvaughan \
       cn sn
      dn: uid=kvaughan,ou=People,dc=example,dc=com
      cn: Kirsten Vaughan
      sn: Vaughan