HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

bind requests to the authenticating directory) using the required PTA syntax. There are only two
attributes in this entry that are significant:
• nsslapd-pluginEnabled, which sets whether the plug-in is enabled or disabled. The value
  for this attribute can be on or off.
• nsslapd-pluginarg0, which points to the configuration directory. The value for this attribute
  is the LDAP URL of the server and suffix to which to pass the bind requests, along with the
  optional parameters maxconns, maxops, timeout, ldver, connlifetime, and startTLS.
The variable components of the PTA plug-in syntax are described in Table 35 (page 306).
NOTE:
The LDAP URL (ldap|ldaps://authDS/subtree) must be separated from the optional
parameters (maxconns, maxops, timeout, ldver, connlifetime, startTLS) by a single
space. If any of the optional parameters are defined, they all must be defined, even if only the
default values are used.
Several authenticating directories or subtrees can be specified by incrementing the
nsslapd-pluginarg attribute suffix by one each time, as in “Specifying multiple authenticating
Directory Servers” (page 310). For example:
nsslapd-pluginarg0: LDAP URL for the first server
nsslapd-pluginarg1: LDAP URL for the second server
nsslapd-pluginarg2: LDAP URL for the third server
...
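
The syntax rules above can be checked before an entry is loaded. The following is an added example, not code from the HP-UX Directory Server guide or product. The function name check_pta_arg and the sample values are hypothetical, and it assumes a single host with no spaces in the subtree DN, optional parameters written as one comma-separated list of six integers, and startTLS set to 1 when enabled.

```python
from urllib.parse import urlsplit

# Optional parameters in the order this page lists them.
FIELDS = ("maxconns", "maxops", "timeout", "ldver", "connlifetime", "startTLS")
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}  # standard ports named in Table 35

def check_pta_arg(value):
    """Check one nsslapd-pluginargN value; return (settings, problems)."""
    problems = []
    url, sep, opts = value.partition(" ")
    if sep and (not opts or " " in opts):
        problems.append("URL and parameters must be separated by a single space")
        opts = opts.replace(" ", "")
    u = urlsplit(url)
    settings = {"scheme": u.scheme, "host": u.hostname, "subtree": u.path.lstrip("/")}
    if u.scheme not in DEFAULT_PORT:
        problems.append("scheme must be ldap or ldaps")
    try:
        settings["port"] = u.port or DEFAULT_PORT.get(u.scheme)
    except ValueError:
        settings["port"] = None
        problems.append("port is not a valid number")
    if not u.hostname:
        problems.append("authenticating directory host (authDS) is missing")
    if not settings["subtree"]:
        problems.append("pass-through subtree is missing")
    if opts:
        nums = opts.split(",")
        if len(nums) != len(FIELDS):
            problems.append("if any optional parameter is set, all six must be")
        elif not all(n.isdigit() for n in nums):
            problems.append("optional parameters must be non-negative integers")
        else:
            settings.update(zip(FIELDS, map(int, nums)))
    # Bind credentials cross this link (assumption: startTLS=1 means enabled).
    if u.scheme == "ldap" and settings.get("startTLS") != 1:
        problems.append("link is unencrypted: use ldaps:// or set startTLS")
    return settings, problems

# Constructed sample values (hosts and suffixes are placeholders).
SAMPLES = [
    "ldaps://authds.example.com/o=NetscapeRoot 3,5,300,3,300,0",
    "ldap://authds.example.com:389/o=NetscapeRoot 3,5,300",
    "ldap://authds.example.com/dc=example,dc=com 3,5,300,3,300,1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_pta_arg(s)[1] or "ok")
```

The second sample is reported twice: it sets only three of the six optional parameters, and it forwards bind requests over ldap:// without Start TLS.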
The optional parameters are described in the following table in the order in which they appear in
the syntax.
Table 35 PTA plug-in parameters

Variable
    Definition

state
    Defines whether the plug-in is enabled or disabled. Acceptable values are on or off.

ldap|ldaps
    Defines whether SSL is used for communication between the two Directory Servers. See
    “Configuring the servers to use a secure connection” (page 307) for more information.

authDS
    The authenticating directory host name. The port number of the Directory Server can be
    given by adding a colon, then the port number. For example,
    ldap://dirserver.example.com:389/. If the port number is not specified, the PTA
    server attempts to connect using either of the standard ports:
    • Port 389 if ldap:// is specified in the URL.
    • Port 636 if ldaps:// is specified in the URL.
    See “Specifying the authenticating Directory Server” (page 308) for more information.

subtree
    The pass-through subtree. The PTA Directory Server passes through bind requests to the
    authenticating Directory Server from all clients whose DN is in this subtree. See “Specifying
    the pass-through subtree” (page 308) for more information. This subtree must not exist on this
    server. To pass the bind requests for o=NetscapeRoot to the configuration directory, the
    subtree o=NetscapeRoot must not exist on the server.

maxconns
    Optional. The maximum number of connections the PTA directory can simultaneously open
    to the authenticating directory. The default is 3. See “Configuring the optional
    parameters” (page 308) for more information.

maxops
    Optional. The maximum number of simultaneous operations (usually bind requests) the PTA
    directory can send to the authenticating directory within a single connection. The default is
    5. See “Configuring the optional parameters” (page 308) for more information.

timeout
    Optional. The time limit, in seconds, that the PTA directory waits for a response from the
    authenticating Directory Server. If this timeout is exceeded, the server returns an error to the
    client. The default is 300 seconds (five minutes). Specify zero (0) to indicate no time limit