Directory Server and PAM passthrough is not working as expected
Issue
In our Directory Server environment we have:
suffix: dc=fooinc,dc=com
subtree: ou=people,dc=fooinc,dc=com
users ou: cn=bla,ou=people,dc=fooinc,dc=com
We can use these users correctly for the usual bind attempts like ldapsearch -D cn=bla,ou=people,dc=fooinc,dc=com -w password ...
Now we would like to have a second set of users for authenticated binds. But these users should have their passwords checked with Active Directory and not with Directory Server. For this we configured pass-through authentication as documented here:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/pam-pta.html
To distinguish between authentication methods for different users we use the pamfilter system. We defined a second tree with other users to accomplish this: cn=aduser,ou=peopleAD,dc=fooinc,dc=com
The issue is that whatever we set pamfilter to, all bind authentication attempts go straight to AD. We would like only the users within cn=aduser,ou=peopleAD,dc=fooinc,dc=com to be authenticated against Active Directory.
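An added example (not from the original report or the linked documentation) of how the PAM pass-through plugin entry can be scoped so that only entries under ou=peopleAD reach PAM, with every other bind still checked against the local userPassword. It assumes the plugin entry DN cn=PAM Pass Through Auth,cn=plugins,cn=config, a PAM service named ldapserver on the DS host, and that the AD-backed entries carry a uid attribute:

```ldif
# Added example, not from the original report: scope the PAM pass-through
# plugin to the AD-backed subtree only. Plugin entry DN, PAM service name
# and the uid attribute are assumptions; adjust them to the deployment.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Only bind DNs under this suffix are ever handed to PAM; every other
# bind (ou=people, cn=Directory Manager, ...) is checked locally as before.
replace: pamIncludeSuffix
pamIncludeSuffix: ou=peopleAD,dc=fooinc,dc=com
-
# Also list the locally authenticated subtree explicitly, so a later
# widening of pamIncludeSuffix cannot silently pull it into PAM.
replace: pamExcludeSuffix
pamExcludeSuffix: ou=people,dc=fooinc,dc=com
-
# pamFilter is tested against the bind entry only after the suffix checks
# pass: it can narrow the included set, never widen it. Constructed filter.
replace: pamFilter
pamFilter: (objectClass=inetOrgPerson)
-
# Map the bind entry to a PAM login name via its uid attribute (assumed).
replace: pamIDMapMethod
pamIDMapMethod: ENTRY
-
replace: pamIDAttr
pamIDAttr: uid
-
# PAM stack on the DS host, i.e. /etc/pam.d/ldapserver (assumed name).
replace: pamService
pamService: ldapserver
-
# Do not fall back to the local userPassword when PAM rejects the bind,
# so an AD-backed account cannot be opened with a stale local password.
replace: pamFallback
pamFallback: FALSE
-
# Require TLS/SSL on the connection, since the cleartext password must
# reach the DS before it can be forwarded to PAM.
replace: pamSecure
pamSecure: TRUE
```

Apply it with ldapmodify as cn=Directory Manager and restart the instance, since plugin configuration is read at startup. Then bind once as cn=bla,ou=people and once as cn=aduser,ou=peopleAD while watching the access log to confirm only the second bind is routed through PAM.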
Environment
- Red Hat Directory Server 8.0
