When users authenticate to a Directory Server running on Windows 2000,
Directory Server first attempts to confirm the user's identity using the normal
Directory Server authentication mechanisms. If this authentication fails,
Directory Server attempts to confirm authentication with the appropriate
Windows 2000 primary domain controller if all the following conditions are
true:
• Directory Server is running in the Windows security domain where the
authentication must occur, or Directory Server is running in a Windows
security domain that shares a trust relationship with the Windows security
domain where the authentication must occur.
• The user's bind attempt provides a distinguished name that is known to the
directory. This is the bind DN, and it is used to retrieve the user's bind
entry.
• The password that the user provides matches the password stored on the
user's bind entry. This condition can also be met if the user's bind entry
does not have a userPassword attribute value.
• The user's bind entry includes the NTUserDomainId attribute. For details,
see Netscape Directory Server Schema Reference.
In the event that the previous conditions are met, Directory Server asks
Windows to verify that the user ID and password are valid within the Windows
security domain. If the Windows pass-through authentication succeeds, then
the user is granted access to the Directory Server. Access is granted based on the
permissions granted to the user's bind entry.
Using Directory Server for Windows Pass-through Authentication
Chapter 16 Using the Pass-Through Authentication Plug-In
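An added audit sketch, not from the Netscape manual: it parses an LDIF export and lists the entries that carry NTUserDomainId, the ones whose binds can be handed to the Windows domain under the conditions above, and records whether each also has a userPassword value. The sample LDIF, its DNs and values are constructed, and the function names are hypothetical.

```python
import base64

# Constructed sample LDIF export (not from the manual); DNs and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {SSHA}constructed-hash-value
ntUserDomainId: EXAMPLE:alice

dn: uid=bob,ou=People,dc=example,dc=com
NTUserDomainId:: RVhBTVBMRTpib2I=

# carol has no Windows mapping; her DN is folded across two lines
dn: uid=carol,ou=People,dc=example,
 dc=com
userPassword: {SSHA}constructed-hash-value
"""

def parse_ldif(text):
    """Yield (dn, {lowercased attribute: [values]}) for each LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif not raw.startswith("#"):     # skip comment lines
            lines.append(raw)
    lines.append("")                      # blank line flushes the final record
    attrs = {}
    for line in lines:
        if not line.strip():
            if "dn" in attrs:
                yield attrs.pop("dn")[0], attrs
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())

def audit_passthrough(text):
    """Return {dn: (windows_id, has_userpassword)} for entries with NTUserDomainId."""
    report = {}
    for dn, attrs in parse_ldif(text):
        ids = attrs.get("ntuserdomainid")  # attribute names are case-insensitive
        if ids:
            report[dn] = (ids[0], any(attrs.get("userpassword", [])))
    return report

if __name__ == "__main__":
    for dn, (win_id, has_pw) in audit_passthrough(SAMPLE_LDIF).items():
        print(dn, win_id, "userPassword set" if has_pw else "no userPassword", sep="\t")
```

Entries reported without a userPassword value have no credential stored in the directory, so the Windows domain's answer is what decides their binds.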