HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

7.4.3.2 Specifying the authenticating Directory Server
The authenticating directory contains the bind credentials for the entry with which the client is
attempting to bind. The PTA directory passes the bind request to the host defined as the authenticating
directory. To specify the authenticating Directory Server, replace authDS in the LDAP URL of the
PTA directory with the authenticating directory's host name, as described in Table 35 (page 306).
1. Use ldapmodify to edit the PTA Plug-in entry.
ldapmodify -p 389 -D "cn=Directory Manager" -w secret -h example
dn: cn=Pass Through Authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: ldap://dirserver.example.com/o=NetscapeRoot
Optionally, include the port number. If the port number is not given, the PTA Directory Server
attempts to connect using either the standard port (389) for ldap:// or the secure port (636)
for ldaps://.
If the connection between the PTA Directory Server and the authenticating Directory Server is
broken or the connection cannot be opened, the PTA Directory Server sends the request to
the next server specified, if any. There can be multiple authenticating Directory Servers
specified, as required, to provide failover if the first Directory Server is unavailable. All of the
authenticating Directory Servers are set in the nsslapd-pluginarg0 attribute.
Multiple authenticating Directory Servers are listed in a space-separated list of host:port
pairs, with this format:
ldap|ldaps://host1:port1 host2:port2/subtree
2. Restart the server.
/opt/dirsrv/slapd-instance_name/restart-slapd
For more information about the command to start and stop the HP-UX Directory Server,
see “Starting and Stopping Servers” (page 19).
7.4.3.3 Specifying the pass-through subtree
The PTA directory passes through bind requests to the authenticating directory from all clients with
a DN defined in the pass-through subtree. The subtree is specified by replacing the subtree
parameter in the LDAP URL of the PTA directory.
The pass-through subtree must not exist in the PTA directory. If it does, the PTA directory attempts
to resolve bind requests using its own directory contents and the binds fail.
1. Use the ldapmodify command to import the LDIF file into the directory.
ldapmodify -p 389 -D "cn=Directory Manager" -w secret -h example
dn: cn=Pass Through Authentication,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: ldap://dirserver.example.com/o=NetscapeRoot
For information on the variable components in this syntax, see Table 35 (page 306).
2. Restart the server.
/opt/dirsrv/slapd-instance_name/restart-slapd
For more information about the command to start and stop the HP-UX Directory Server,
see “Starting and Stopping Servers” (page 19).
7.4.3.4 Configuring the optional parameters
Additional parameters that control the PTA connection can be set with the LDAP URL.