This is an OpenDJ authentication policy plugin for users whose credentials are managed by an external Kerberos realm.
- Java SDK 11 or above
- Maven 3.0
- Access to ForgeRock protected Maven repositories
- enable ForgeRock Maven repositories
- build and install the extension
$ mvn clean package
- add opendj-kpa to your OpenDJ installation
$ cd <opendj-install directory>
$ unzip opendj-kpa-xxx.zip
- restart the server
$ bin/stop-ds --restart
- configure the pass-through for Kerberos
$ bin/dsconfig -X create-password-policy \
--type kerberos-pass-through \
--policy-name "Krb5 Pass Through" \
--set krb5-realm:EXAMPLE.COM \
--set mapped-attribute:uid
- assign pass-through authentication to users
You assign authentication policies in the same way as you assign password policies, by using the ds-pwp-password-policy-dn attribute:
ds-pwp-password-policy-dn: cn=Krb5 Pass Through,cn=Password Policies,cn=config
Users depending on pass-through authentication no longer need a local password policy, as they no longer authenticate locally.
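The assignment step above, as an added example that is not part of this project's code: a small shell helper that turns a list of user DNs into LDIF modify records setting ds-pwp-password-policy-dn, base64-encoding any DN that is not a safe LDIF string (RFC 2849). The function names, the sample user DNs and the use of `replace` (so the record applies whether or not the attribute is already set) are assumptions made for this example.

```sh
#!/bin/sh
# Added example: emit LDIF that assigns the pass-through policy to user entries.
# POLICY_DN is the value shown in this README; everything else is illustrative.
POLICY_DN='cn=Krb5 Pass Through,cn=Password Policies,cn=config'

# Print "dn: <value>", or "dn:: <base64>" when the DN is not an RFC 2849
# SAFE-STRING: non-printable/non-ASCII bytes, a leading space, ':' or '<',
# or a trailing space.
ldif_dn_line() {
    entry_dn=$1
    # Anything left after deleting printable ASCII means the value must be encoded.
    unsafe=$(printf '%s' "$entry_dn" | LC_ALL=C tr -d ' -~')
    case $entry_dn in
        ' '*|:*|'<'*|*' ') unsafe=yes ;;
    esac
    if [ -n "$unsafe" ]; then
        printf 'dn:: %s\n' "$(printf '%s' "$entry_dn" | base64 | tr -d '\n')"
    else
        printf 'dn: %s\n' "$entry_dn"
    fi
}

# Read user DNs on stdin (one per line, blank lines skipped) and write one
# modify record per DN on stdout.
assign_policy_ldif() {
    while IFS= read -r user_dn || [ -n "$user_dn" ]; do
        [ -n "$user_dn" ] || continue
        ldif_dn_line "$user_dn"
        printf 'changetype: modify\n'
        printf 'replace: ds-pwp-password-policy-dn\n'
        printf 'ds-pwp-password-policy-dn: %s\n\n' "$POLICY_DN"
    done
}

# Constructed sample input: two user DNs, the second containing a non-ASCII character.
assign_policy_ldif <<'EOF'
uid=bjensen,ou=People,dc=example,dc=com
uid=josé,ou=People,dc=example,dc=com
EOF
```

The generated LDIF can be reviewed and then fed to bin/ldapmodify with the connection options for your server.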
Configuring Pass Through Authentication
Licensed under CDDL-1.0