external-software/github_OpenIdentityPlatform_OpenDJ.git

			@@ -29,13 +29,91 @@
			xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
			xmlns:xlink='http://www.w3.org/1999/xlink'
			xmlns:xinclude='http://www.w3.org/2001/XInclude'>
			<title>Configuring Pass-Through Authentication</title>
			<title>Configuring Pass Through Authentication</title>

			<para>This chapter focuses on pass-through authentication, whereby you
			<para>This chapter focuses on pass through authentication, whereby you
			configure another server to determine the response to an authentication
			request. A typical use case for pass-through authentication involves
			request. A typical use case for pass through authentication involves
			passing authentication through to Active Directory for users coming
			from Microsoft Windows systems.</para>

			<section xml:id="about-pta">
			<title>About Pass Through Authentication</title>

			<para>You use <firstterm>LDAP pass through authentication</firstterm> when
			the credentials for authenticating are stored not in OpenDJ, but instead
			in a remote directory service. In effect OpenDJ redirects the bind operation
			against a remote LDAP server.</para>

			<para>Exactly how OpenDJ redirects the bind depends on how the user entry
			in OpenDJ maps to the corresponding user entry in the remote directory.</para>

			<itemizedlist>
			<para>OpenDJ provides you several choices to set up the mapping.</para>
			<listitem>
			<para>When both the local entry in OpenDJ and the remote entry in the
			other server have the same DN, you do not have to set up the mapping at
			all. By default, OpenDJ redirects the bind with the original DN and
			password from the client application.</para>
			</listitem>
			<listitem>
			<para>When the local entry in OpenDJ has been provisioned with an attribute
			holding the DN of the remote entry, you can specify which attribute holds
			the DN, and OpenDJ redirects the bind on the remote server using the DN
			value.</para>
			</listitem>
			<listitem>
			<para>When you cannot get the remote bind DN directly, you need an
			attribute and value on the OpenDJ entry that corresponds to an identical
			attribute and value on the remote server in order to map the local entry
			to the remote entry. In this case you also need the bind credentials for
			a user who can search for the entry on the remote server. OpenDJ performs
			a search for the entry using the matching attribute and value, and then
			redirects the bind with the DN from the remote entry.</para>
			</listitem>
			</itemizedlist>

			<para>You configure pass through authentication as an authentication policy
			that you associate with a user's entry in the same way that you associate
			a password policy with a user's entry. Either a user has an authentication
			policy for pass through authentication, or the user has a local password
			policy.</para>
			</section>

			<section xml:id="configure-pta">
			<title>Setting Up Pass Through Authentication</title>

			<para>When setting up pass through authentication, you need to know to which
			remote server or servers to redirect binds, and you need to know how you map
			user entries in OpenDJ to user entries in the remote directory.</para>

			<procedure xml:id="configure-pta-policy">
			<title>To Configure an LDAP Pass Through Authentication Policy</title>

			<para>You configure authentication policies with the
			<command>dsconfig</command> command. Notice that authentication policies
			are part of the server configuration, and therefore not replicated.</para>

			<step>
			<para>TODO</para>
			</step>
			</procedure>

			<procedure xml:id="assign-pta-to-user">

			<title>To Assign a Pass Through Authentication Policy To a User</title>
			<step>
			<para>TODO</para>
			</step>
			</procedure>

			<procedure xml:id="assign-pta-to-group">

			<title>To Assign a Pass Through Authentication Policy To a Group</title>
			<step>
			<para>TODO</para>
			</step>
			</procedure>
			</section>
			</chapter>