From 03e5b353359b151de80224327e7ddf837567730c Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Tue, 30 Aug 2011 09:59:12 +0000
Subject: [PATCH] A few more bones in the skeleton for this chapter on pass through authentication

---
 opendj3/src/main/docbkx/admin-guide/chap-pta.xml |   86 +++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/opendj3/src/main/docbkx/admin-guide/chap-pta.xml b/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
index 00261cd..d2e6030 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
@@ -29,13 +29,91 @@
  xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
  xmlns:xlink='http://www.w3.org/1999/xlink'
  xmlns:xinclude='http://www.w3.org/2001/XInclude'>
- <title>Configuring Pass-Through Authentication</title>
+ <title>Configuring Pass Through Authentication</title>
 
- <para>This chapter focuses on pass-through authentication, whereby you
+ <para>This chapter focuses on pass through authentication, whereby you
  configure another server to determine the response to an authentication
- request. A typical use case for pass-through authentication involves
+ request. A typical use case for pass through authentication involves
  passing authentication through to Active Directory for users coming
  from Microsoft Windows systems.</para>
-
+ 
+ <section xml:id="about-pta">
+  <title>About Pass Through Authentication</title>
+  
+  <para>You use <firstterm>LDAP pass through authentication</firstterm> when
+  the credentials for authenticating are stored not in OpenDJ, but instead
+  in a remote directory service. In effect OpenDJ redirects the bind operation
+  against a remote LDAP server.</para>
+  
+  <para>Exactly how OpenDJ redirects the bind depends on how the user entry
+  in OpenDJ maps to the corresponding user entry in the remote directory.</para>
+  
+  <itemizedlist>
+   <para>OpenDJ provides you several choices to set up the mapping.</para>
+   <listitem>
+    <para>When both the local entry in OpenDJ and the remote entry in the
+    other server have the same DN, you do not have to set up the mapping at
+    all. By default, OpenDJ redirects the bind with the original DN and
+    password from the client application.</para>
+   </listitem>
+   <listitem>
+    <para>When the local entry in OpenDJ has been provisioned with an attribute
+    holding the DN of the remote entry, you can specify which attribute holds
+    the DN, and OpenDJ redirects the bind on the remote server using the DN
+    value.</para>
+   </listitem>
+   <listitem>
+    <para>When you cannot get the remote bind DN directly, you need an
+    attribute and value on the OpenDJ entry that corresponds to an identical
+    attribute and value on the remote server in order to map the local entry
+    to the remote entry. In this case you also need the bind credentials for
+    a user who can search for the entry on the remote server. OpenDJ performs
+    a search for the entry using the matching attribute and value, and then
+    redirects the bind with the DN from the remote entry.</para>
+   </listitem>
+  </itemizedlist>
+  
+  <para>You configure pass through authentication as an authentication policy
+  that you associate with a user's entry in the same way that you associate
+  a password policy with a user's entry. Either a user has an authentication
+  policy for pass through authentication, or the user has a local password
+  policy.</para>
+ </section>
+ 
+ <section xml:id="configure-pta">
+  <title>Setting Up Pass Through Authentication</title>
+  
+  <para>When setting up pass through authentication, you need to know to which
+  remote server or servers to redirect binds, and you need to know how you map
+  user entries in OpenDJ to user entries in the remote directory.</para>
+  
+  <procedure xml:id="configure-pta-policy">
+   <title>To Configure an LDAP Pass Through Authentication Policy</title>
+   
+   <para>You configure authentication policies with the
+   <command>dsconfig</command> command. Notice that authentication policies
+   are part of the server configuration, and therefore not replicated.</para>
+   
+   <step>
+    <para>TODO</para>
+   </step>
+  </procedure>
+  
+  <procedure xml:id="assign-pta-to-user">
+  
+   <title>To Assign a Pass Through Authentication Policy To a User</title>
+   <step>
+    <para>TODO</para>
+   </step>
+  </procedure>
+  
+  <procedure xml:id="assign-pta-to-group">
+  
+   <title>To Assign a Pass Through Authentication Policy To a Group</title>
+   <step>
+    <para>TODO</para>
+   </step>
+  </procedure>
+ </section>
 </chapter>
 
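Review bot: the about-pta section explains that every mapping option ends with OpenDJ redirecting the bind "with the original DN and password from the client application", and the third listitem adds that OpenDJ must hold "the bind credentials for a user who can search for the entry on the remote server", but nothing in configure-pta says how that traffic or those stored credentials are protected; please add a para there stating that binds and searches against the remote directory should run over a protected connection, since the user's password leaves OpenDJ on every bind, and that the search account should be granted only the right to search for user entries rather than write or administrative rights. Two smaller points: the added blank lines carry trailing whitespace (`+ ` after the chapter para, `+  ` around the paras in both sections), which will show up as noise in later diffs, and the second and third `<procedure>` elements put a blank line between `<procedure xml:id=...>` and `<title>` while the first does not, so the three skeleton procedures (each still `<para>TODO</para>`) could be laid out consistently before the TODO steps are filled in.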

--
Gitblit v1.10.0