Directory Server and PAM passthrough is not working as expected

Solution Verified - Updated -


In our Directory Server environment we have:

suffix: dc=fooinc,dc=com
subtree: ou=people,dc=fooinc,dc=com
users ou: cn=bla,ou=people,dc=fooinc,dc=com

We can use these users correctly for the usual bind attempts like ldapsearch -D cn=bla,ou=people,dc=fooinc,dc=com -w password ...

Now we would like to have a second set of users for authenticated binds. But these users should have their passwords checked with Active Directory and not with Directory Server. For this we configured pass-through authentication as documented here:

To distinguish between authentication methods for different users we use the pamfilter system. We defined a second tree with other users to accomplish this: cn=aduser,ou=peopleAD,dc=fooinc,dc=com

The issue is that whatever we set pamfilter to all bind authentication attempts go straight to AD. We would like only the users within cn=aduser,ou=peopleAD,dc=fooinc,dc=com to be authenticated against Active Directory.


  • Red Hat Directory Server 8.0

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content