LDAP Authentication Examples
This topic provides examples of LDAP authentication configuration file syntax. The examples illustrate how you might:
- Authenticate passwords (Bind or BindName).
- Specify check list and return list attributes (list the attributes or name a profile entry in the Steel-Belted Radius Carrier database).
Bind Authentication with Default Profile
The following example is a simple LDAP authentication configuration file. Every user is authenticated using a Bind request to the LDAP database. The same Steel-Belted Radius Carrier attribute profile is applied to every Access-Request.
[Settings]
MaxConcurrent=1
Timeout=20
ConnectTimeout=25
QueryTimeout=10
WaitReconnect=2
MaxWaitReconnect=360
Bind=uid=<User-Name>, ou=Special Users, o=bigco.com
LogLevel = 2
UpperCaseName = 0
PasswordCase=original
SSL = 0
[Server]
s1=
[Server/s1]
Host=199.185.162.147
Port = 389
[Defaults]
TheUserProfile = Sample
[Request]
%User-Name = User-Name
[Response]
%Profile = TheUserProfile
[Search/DoLdapSearch]
Base = ou=Special Users, o=bigco.com
Scope = 2
Filter = uid=<dialup>
Attributes = AttrList
Timeout = 20
%DN = dn
[Attributes/AttrList]

If the [Response] section is empty, Steel-Belted Radius Carrier passes the Bind results (accept or reject) directly to its client; no additional RADIUS attributes are returned in the Access-Response.
BindName Authentication with Callback Number Returned
In the following example, requests are authenticated using Search. BindName and BindPassword values are supplied to permit a connection to the LDAP database. Return list attributes for authentication are listed in the [Response] section. In this example, the network access device needs a callback number to complete the connection. The value of the incoming DNIS attribute Calling-Station-ID is used to ensure that the callback number is the number from which the user's request originated.
NOTE: This example is incomplete; it omits the [Bootstrap] and [Settings] sections to save space.
[Server]
s1=
[Server/s1]
Host = 67.186.4.3
Port = 389
BindName=uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
BindPassword=ourlittlesecret
Search = DoLdapSearch
[Defaults]
SendThis = DidLDAPAuthSearch
[Request]
%UserName = dialup
Calling-Station-ID = thenumbertocall
[Search/DoLdapSearch]
Base = ou=Special Users, o=bigco.com
Scope = 2
Filter = uid=<dialup>
Attributes = AttrList
Timeout = 20
%DN = dn
[Attributes/AttrList]
dialuppassword
[Response]
%Password = dialuppassword
Reply-Message = SendThis
Ascend-Callback-No = thenumbertocall

LDAP Bind with Profile Based on Network Access Device
In the following example, requests are authenticated using Bind. Check list and return list attributes for authentication are provided by referencing a profile entry in the Steel-Belted Radius Carrier database. The profile to be used depends on the specific network access device from which the user's request originates. Steel-Belted Radius Carrier retrieves the profile name by searching the LDAP database for an entry whose IP address matches the address of the requesting NAD. If this search fails, a profile called limited is used. If a profile name is successfully retrieved from the LDAP database, but no profile by that name can be found in the Steel-Belted Radius Carrier database, authentication fails due to lack of resources and the user is rejected.
NOTE: This example is incomplete; it omits the [Bootstrap] section and many [Settings] entries to save space.
[Settings]
Bind=uid=<loginID>, ou=Special Users, o=bigco.com
Search = DoLdapSearch
[Server]
s1=
[Server/s1]
Host = 67.186.4.3
Port = 389
[Request]
%UserName = loginID
%NASAddress = deviceIP
[Defaults]
%Profile = limited
[Search/DoLdapSearch]
Base = ou=CommServers, o=bigco.com
Scope = 1
Filter = ipaddr=<deviceIP>
Attributes = AttrList
Timeout = 20
%DN = dn
[Attributes/AttrList]
profile
[Response]
%Profile = profile
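The three files above are easy to get subtly wrong: a `<variable>` in a Bind or Filter string that no [Request] or [Defaults] entry supplies (as in the first example, whose Filter = uid=<dialup> has no matching [Request] line), or a Search or Attributes value naming a section that does not exist. The following Python linter is an added example, not part of Steel-Belted Radius Carrier; it assumes only the section and variable conventions shown on this page, and the sample configuration inside it is constructed to mirror the first example rather than copied from it.

```python
import re
from collections import defaultdict

VAR_REF = re.compile(r"<([^<>]+)>")  # <variable> substitution used in Bind/Base/Filter

def parse_aut(text):
    # Parse .aut-style text into {section: [(key, value)]}; bare lines get value None.
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current]  # register the section even when it is empty
        else:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip() if sep else None))
    return dict(sections)

def check_references(cfg):
    # Report dangling section names, undefined <vars> and unresolvable [Response] values.
    problems = []
    # Variables known before any search: [Request] values and [Defaults] keys.
    defined = {v for _, v in cfg.get("Request", []) if v} | {k for k, _ in cfg.get("Defaults", [])}
    for sec, entries in cfg.items():
        for key, value in entries:
            if value is None:
                continue
            if key in ("Search", "Attributes") and f"{key}/{value}" not in cfg:
                problems.append(f"[{sec}] {key} refers to missing [{key}/{value}]")
            for var in VAR_REF.findall(value):
                if var not in defined:
                    problems.append(f"[{sec}] {key} uses <{var}> but no [Request]/[Defaults] entry defines it")
    # [Response] may also name attributes returned by a search and %DN-style variables.
    returned = {k for s in cfg if s.startswith("Attributes/") for k, _ in cfg[s]}
    returned |= {v for s in cfg if s.startswith("Search/") for k, v in cfg[s] if k.startswith("%") and v}
    for key, value in cfg.get("Response", []):
        if value and value not in defined and value not in returned:
            problems.append(f"[Response] {key} = {value}: variable is never defined or returned")
    return problems

# Constructed sample with the shape of the first example above (not the page's file verbatim).
SAMPLE = """\
[Settings]
Bind=uid=<User-Name>, ou=Special Users, o=bigco.com
[Request]
%User-Name = User-Name
[Search/DoLdapSearch]
Filter = uid=<dialup>
[Response]
%Profile = TheUserProfile
"""
```

Running `check_references(parse_aut(SAMPLE))` reports two findings: the unresolved `<dialup>` in the search filter and the `TheUserProfile` variable that nothing defines or returns.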