

LDAP Authentication Header (.aut) File

The LDAP authentication header file is located in the same directory that contains the Steel-Belted Radius Carrier daemon. The header file must have the extension .aut and is usually called ldapauth.aut.

An LDAP authentication header file consists of several sections, where each section may contain multiple entries. Section names are enclosed in square brackets, for example [Bootstrap]. Each entry in the section appears on one line, and is of the form parameter = value. A section ends at the next section, or at the end of the file. Everything to the right of a semicolon (;) is ignored until the end of that line.

LDAP Authentication Variable Names

When Steel-Belted Radius Carrier extracts RADIUS attribute values from the incoming Access-Request and adds them to the Variable Table, the name that it gives to each variable is the same as the name of the corresponding attribute, for example User-Name or Calling-Station-ID. You may refer to the variable by this name in any subsequent entry in the .aut header file. This convention means that RADIUS attribute names are treated as reserved keywords. However, the .aut header file syntax also permits you to assign the value of an incoming RADIUS attribute to any variable.

When the LDAP Search request returns LDAP attribute values, they are added to the Variable Table. Steel-Belted Radius Carrier gives each variable the name of the corresponding LDAP attribute. In the schema illustrated above, this would produce variable names such as User-Secret and Last-Name. For the names to use in your own .aut header file, consult your LDAP database schema. Like RADIUS attribute names, LDAP attribute names are treated as reserved keywords. However, the .aut header file syntax permits you to assign the value of a returned LDAP attribute to any variable.

[Bootstrap] Section

The [Bootstrap] section (Table 132) of the LDAP authentication header file specifies information that Steel-Belted Radius Carrier uses to load and start the LDAP Authentication plug-in.

After you edit ldapauth.aut and restart Steel-Belted Radius Carrier, the InitializationString value that you entered in the [Bootstrap] section of ldapauth.aut appears in the Authentication Methods list displayed in the Authentication Policies>Order of Methods panel in SBR Administrator. You can then enable, disable, or prioritize this method like any other entry in the list.

You can configure more than one LDAP authentication method. Each requires its own .aut file in the same directory as ldapauth.aut. The [Bootstrap] section of each .aut file must provide a LibraryName of ldapauth.so. The InitializationString in each .aut file must be unique, so that you can distinguish between authentication methods in the Authentication Policies panel.



Table 132: *.aut [Bootstrap] Syntax  
Parameter
Function

LibraryName

Specifies the name of the LDAP authentication module.

Value must be ldapauth.so for Solaris.

Enable

  • If set to 1, the LDAP authentication module is enabled.
  • If set to 0, the LDAP authentication module is disabled, and the authentication method is unavailable and does not appear in the Authentication Methods list displayed in the Authentication Policies>Order of Methods panel in SBR Administrator.

Default value is 0.

InitializationString

Specifies the identifier for the authentication method, which appears in the Authentication Methods list displayed in the Authentication Policies>Order of Methods panel in SBR Administrator.

The name of each authentication method must be unique. If you create additional .aut files to implement authentication against multiple databases, be sure that each .aut file has a unique InitializationString value.

Default value is LDAP.


[Attributes/name] Sections

LDAP database entries may have many attributes, many of which may be irrelevant to the authentication process. An LDAP Search returns all of the attributes associated with an LDAP entry. Therefore, when specifying an LDAP Search for authentication purposes, you may want to provide a list of specific LDAP attributes relevant to Steel-Belted Radius Carrier. Only these attributes are placed in the Variable Table.

Each [Attributes/name] section in the LDAP authentication header file lists LDAP attributes relevant to a specific LDAP Search request. The syntax is:

[Attributes/name]
attribute
attribute
...

where attribute is the name of an LDAP attribute and name is an arbitrary name for the section. You must type the attribute names exactly as they appear in your LDAP database schema. Use one line per attribute. For example:

[Attributes/InterestingAttributes]
User-Secret
RADIUS-Profile
Inactivity-Timeout

An [Attributes/name] section is associated with a Search request by referencing it from within a [Search/name] section using the Attributes parameter. For example:

[Search/DoLdapSearch]
Attributes = InterestingAttributes

If the Attributes parameter is omitted from a [Search/name] section, Steel-Belted Radius Carrier retains all of the attributes associated with the LDAP entry. Of these attributes, Steel-Belted Radius Carrier uses only those referenced in the .aut header file; all others stay in the Variable Table until the authentication transaction is complete and the table is discarded.

For BindName authentication, you must ensure that the [Attributes/name] section lists the attribute in which the user's password is stored and that your [Response] section assigns the value of this attribute to the outgoing %Password parameter. Steel-Belted Radius Carrier completes authentication by comparing the returned %Password value with the password that arrived in the Access-Request. For example:

[Attributes/InterestingAttributes]
User-Secret
RADIUS-Profile
Inactivity-Timeout

[Response]
%Password = User-Secret
%Profile = RADIUS-Profile
Vendor-Specific-NAS-Attribute = Inactivity-Timeout

[Response] Section

During an authentication transaction, the [Response] section is the last section in the LDAP authentication header file to be processed. At this point in processing, all Bind and Search requests to the LDAP database have been completed.

The [Response] section tells Steel-Belted Radius Carrier what to do with the information that it has retrieved from the incoming Access-Request and from the LDAP database. The goal at this point is for Steel-Belted Radius Carrier to complete authentication and issue an Access-Response to the RADIUS client.

The [Response] section syntax (Table 133) is:

[Response]
attribute = variable
attribute = variable
...

where attribute is the name of a RADIUS attribute or other special item needed to complete authentication, and variable is the name of a variable in the Variable Table. The end result of the [Response] syntax is that the value in the variable is assigned to the attribute.

An IP pool can be returned for any attribute of the appropriate type. If the returned string looks like an IP address (that is, it has the format a.b.c.d), it is treated as an IP address; otherwise, it is treated as the name of an address pool, from which an IP address is allocated.

attribute may be the name of a RADIUS attribute, or it may be one of the following keywords, which identify various special items associated with Steel-Belted Radius Carrier. Each of these keywords begins with the percent sign (%) to distinguish it clearly from the RADIUS attributes.

Table 133: *.aut [Response] Syntax  
Item
Function

%LoginLimit

The name of the variable specifying the Maximum Concurrent Connection limits.

%Password

For BindName authentication, you must provide a %Password entry in the [Response] section and you must assign it the value of the password attribute retrieved from the LDAP database. Steel-Belted Radius Carrier validates the password received in the Access-Request by comparing it with the value assigned to %Password. If the passwords do not match, the request is rejected.

NOTE: The user's password may be in clear-text, or encrypted with UNIXcrypt or a SHA1+Base64 hash.

For Bind authentication, omit %Password. Once processing reaches the [Response] section, the password has already been validated.

%Profile

The name of a Profile entry in the Steel-Belted Radius Carrier database.

If the password has been validated (by BindName or Bind), with %Profile listed in the [Response] section, %Profile may be set to any variable, for example:

%Profile = userpolicy


When the search filter is set to find a user or object in the LDAP database that includes the userpolicy LDAP attribute, this value is retrieved and returned to the Steel-Belted Radius Carrier database so that it may be matched with an existing Profile entry of the same name. If the userpolicy LDAP attribute is multi-valued, the first value of userpolicy is used and subsequent values are ignored.

If the value of userpolicy is "prof1" and a Profile called prof1 exists in the Steel-Belted Radius Carrier database, any return list or check list attributes in prof1 are applied to the user's connection.

If the value returned from LDAP cannot be matched with an existing Profile in the Steel-Belted Radius Carrier database, the user is rejected due to "Insufficient Resources."

%ProxyRealm

The realm to which the authentication must be proxied. If %ProxyRealm is not set, Routed Proxy does not occur.

%ProxyUserName

The User-Name attribute that must be sent in the proxy request. If %ProxyUserName is not set, the User-Name from the original request packet is used.

NOTE: Enter the value for %ProxyUserName in capital letters.

%Alias

The name of a Native User entry in the Steel-Belted Radius Carrier database.

If the password has been validated (by BindName or Bind), with %Alias listed in the [Response] section, %Alias may be set to any variable, for example:

%Alias = userpolicy

Important: %Alias is deprecated; use %Profile instead.

The %LoginLimit value lets you implement the concurrent connection limits previously available through %Alias.

NOTE: Native User entries that have no password are automatically refused authentication. This is a safety feature built into Steel-Belted Radius Carrier, so creating Native User entries in preparation for using the Alias parameter with LDAP authentication does not open a "back door."

Generally, even if a very large number of users reside in the LDAP database, you need to add only one or two Native User entries to the Steel-Belted Radius Carrier database. The concurrent connection limit associated with a single Native User entry may be applied to any number of users in the LDAP database. Often a Native User entry with a connection limit of 1, and a second Native User entry with a connection limit of 2, is sufficient for the entire LDAP database.

For example, analog users may be allowed a connection limit of 1, while ISDN users are allowed a connection limit of 2.

NOTE: The Native User authentication method displayed in the Authentication Policies panel does not need to be activated for the Alias feature to work.

%FullName

The fully distinguished name of the User, for Steel-Belted Radius Carrier accounting purposes. This is the exact name against which authentication was performed. Depending on what may have occurred during Steel-Belted Radius Carrier name parsing, this name may or may not be different from the value of the User-Name attribute as it originally arrived in the Access-Request.


[Search/name] Sections

Each [Search/name] section (Table 134) in the LDAP authentication header file specifies the complete details of one LDAP Search request. You can use the same Search request on various databases, because the details of the database connection are specified separately.

For BindName authentication, you must ensure that each [Search/name] section searches for a database entry that matches the incoming username and retrieves from it an attribute containing that user's password. Steel-Belted Radius Carrier must compare this password to the one it received in the incoming Access-Request packet.

A [Search/name] section may retrieve other LDAP attributes as well; however, if you are authenticating with BindName, the user's password is a minimum requirement. Use the Attributes parameter to specify the list of items you want returned.

For example:

[Search/DoLDAPSearch]
Base = ou=Special Users, o=bigco.com
Scope = 1
Filter = uid=<User-Name>
Attributes = InterestingAttributes
Timeout = 20
%DN = dn

[Attributes/InterestingAttributes]
User-Secret
RADIUS-Profile
Inactivity-Timeout

[Response]
%Password = User-Secret
%Profile = RADIUS-Profile
Vendor-Specific-NAS-Attribute = Inactivity-Timeout



Table 134: *.aut [Search/name] Syntax  
Parameter
Function

%DN

Specifies a variable into which the distinguished name that results from the Search is placed.

Attributes

Specifies the LDAP attributes relevant to Steel-Belted Radius Carrier, by referencing an [Attributes/name] section elsewhere in the same .aut file.

Base

Specifies the distinguished name (DN) of the entry that serves as the starting point for the search. The Base value is a template for an LDAP distinguished name string. It follows conventional LDAP DN syntax and may be as simple or as complex as that syntax permits. It may also include replacement variables from the Variable Table.

Each replacement variable consists of the variable name enclosed in angle brackets (<>). Upon execution of the LDAP Search request, the value of the variable replaces the variable name.

OnFound

Specifies the next request section when data is found. The value of this parameter is a string, name. The name specifies an LDAP Search request by referencing a [Search/name] section elsewhere in the same .aut file. If there is no next request section, the overall operation succeeds. This can be overridden using the $reject keyword, which causes the operation to fail when data is found.

OnNotFound

Specifies the next request section when data is not found. The value of this parameter is a string, name. The name specifies an LDAP Search request by referencing a [Search/name] section elsewhere in the same .aut file. If there is no next request section, the overall operation fails. This can be overridden using the $accept keyword, which causes the operation to succeed when data is not found.

Search

(Optional) Specifies an LDAP Search request by referencing a [Search/name] section elsewhere in the same .aut file. Steel-Belted Radius Carrier tries this Search request next if the current Search yields no result. Each [Search/name] section may contain at most one Search parameter.

Filter

Specifies the filter to apply to the search. This filter is a template for an LDAP Search string. The filter follows conventional LDAP syntax and may be as simple or as complex as LDAP syntax permits, with multiple attribute/value assertions in boolean combination. It may also include replacement variables from the Variable Table.

Each replacement variable consists of the variable name enclosed in angle brackets (<>). Upon execution of the LDAP Search request, the value of the variable replaces the variable name.

For example, a Search template that uses the User-Name and Service-Type attributes from the RADIUS request might look like this:

(&(uid = <User-Name>)(type = <Service-Type>))

Scope

Specifies the scope of the search; 0 (search the base), 1 (search all entries one level beneath the base), or 2 (search the base and all entries beneath the base at any level).


The Search parameter can be used in one [Search/name] section after another to create a serial chain of Search requests. Every Search in the chain is tried. If any Search fails to return data, the Access-Request is rejected.

An example of a two-part chained Search follows:

[Settings]
Search = DoLdapSearch

[Search/DoLdapSearch]
Base = ...
Filter = ...
Search = GetMoreLdapInfo

[Search/GetMoreLdapInfo]
Base = ...
Scope = ...
Filter = ...

Search sequencing is flexible. You can proceed to a new search even if the current search returns no data by using the OnNotFound parameter. You can override search results using the $reject and $accept keywords. The following is an example of flexible searching:

[Search/DoSearch2]
Base = o=xyz.com
Scope = 2
Filter = uid=<User-Name>
Attributes = AttrList
Timeout = 20
%DN = dn
OnFound = DoSearch8
OnNotFound = DoSearch9

[Search/DoSearch8]
Base = o=xyz.com
Scope = 2
Filter = uid=<User-Name>
Attributes = AttrList
Timeout = 20
%DN = dn
OnFound = DoSearch9
OnNotFound = DoSearch9

[Search/DoSearch9]
Base = o=xyz.com
Scope = 2
Filter = uid=<User-Name>
Attributes = AttrList
Timeout = 20
%DN = dn
OnNotFound = $accept
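The chain semantics above, worked through as an added example (my code, not Steel-Belted Radius Carrier's): a minimal parser for the .aut section/parameter format, <Variable> substitution into Base and Filter, and a walk of OnFound/OnNotFound with $accept/$reject against a constructed in-memory directory that stands in for the LDAP server. The user names, DNs and section contents are constructed, and the plain Search chaining parameter is not modelled. It also shows why an OnNotFound = $accept at the end of a chain accepts a user name that matched nothing in any search.

```python
"""Added example, not Steel-Belted Radius Carrier code: parse a minimal .aut
fragment and walk its [Search/name] chain (OnFound / OnNotFound / $accept /
$reject) against a constructed in-memory directory standing in for LDAP."""
from __future__ import annotations

import re
from typing import Callable

# Constructed .aut fragment modelled on the flexible-search example above.
AUT_TEXT = """
[Settings]
Search = DoSearch2               ; entry point of the search chain

[Search/DoSearch2]
Base = o=xyz.com
Filter = uid=<User-Name>
OnFound = DoSearch8
OnNotFound = DoSearch9

[Search/DoSearch8]
Base = ou=staff, o=xyz.com
Filter = uid=<User-Name>
OnFound = $reject                ; staff entries must not authenticate here
OnNotFound = DoSearch9

[Search/DoSearch9]
Base = ou=guests, o=xyz.com
Filter = uid=<User-Name>
OnNotFound = $accept             ; catch-all: accepts even unknown names
"""

# Constructed directory: uid -> DN. Matched as a subtree (Scope = 2) below.
DIRECTORY = {
    "alice": "uid=alice, ou=staff, o=xyz.com",
    "guest1": "uid=guest1, ou=guests, o=xyz.com",
}


def parse_aut(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {parameter: value}}. Text after ';' is a comment, a
    section runs until the next [header] or end of file, and only the first
    '=' separates parameter from value (so uid=<User-Name> keeps its '=')."""
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def render(template: str, variables: dict[str, str]) -> str:
    """Replace each <Name> with its Variable Table value (empty if unset)."""
    return re.sub(r"<([^<>]+)>", lambda m: variables.get(m.group(1), ""), template)


def ldap_lookup(base: str, filt: str) -> bool:
    """Stand-in for the LDAP Search: only 'uid=<value>' filters are understood."""
    m = re.fullmatch(r"uid=(.+)", filt)
    if not m:
        return False
    dn = DIRECTORY.get(m.group(1))
    return dn is not None and dn.endswith(base)


def run_chain(aut: dict[str, dict[str, str]], variables: dict[str, str],
              lookup: Callable[[str, str], bool]) -> tuple[bool, list[str]]:
    """Start at the [Settings] Search entry and follow OnFound / OnNotFound.
    Returns (accepted, trace) where trace records every step taken."""
    trace: list[str] = []
    name = aut.get("Settings", {}).get("Search")
    visited: set[str] = set()
    while True:
        if name is None or name in visited:   # guard against a looping chain
            trace.append(f"{name}: missing or looping section -> reject")
            return False, trace
        visited.add(name)
        section = aut.get(f"Search/{name}")
        if section is None:
            trace.append(f"{name}: no such [Search/name] section -> reject")
            return False, trace
        found = lookup(render(section.get("Base", ""), variables),
                       render(section.get("Filter", ""), variables))
        trace.append(f"{name}: {'found' if found else 'not found'}")
        nxt = section.get("OnFound") if found else section.get("OnNotFound")
        if nxt is None:                       # end of chain: found decides
            trace.append("end of chain -> " + ("accept" if found else "reject"))
            return found, trace
        if nxt in ("$accept", "$reject"):     # explicit override keywords
            trace.append(f"{nxt} -> " + ("accept" if nxt == "$accept" else "reject"))
            return nxt == "$accept", trace
        name = nxt


def authenticate(user_name: str) -> tuple[bool, list[str]]:
    """Run the chain for one Access-Request whose [Request] step stored User-Name."""
    return run_chain(parse_aut(AUT_TEXT), {"User-Name": user_name}, ldap_lookup)


if __name__ == "__main__":
    for user in ("alice", "guest1", "nobody"):
        accepted, trace = authenticate(user)
        print(user, "->", "ACCEPT" if accepted else "REJECT", "|", " ; ".join(trace))
```

Running it shows "nobody" accepted through DoSearch9's $accept, which is the case to review before putting such a catch-all in production.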

[Request] Section

The [Request] section (Table 135) of the LDAP authentication header file indicates which RADIUS attribute values Steel-Belted Radius Carrier extracts from the incoming Access-Request. Steel-Belted Radius Carrier places these values in the Variable Table before moving on to the LDAP Bind and Search requests indicated in the file.

The syntax is:

[Request]
attribute = variable
attribute = variable
...

where attribute is the name of a RADIUS attribute or other special item associated with the incoming Access-Request, and variable is the name of a variable in the Variable Table. The end result of the [Request] syntax is that the value in the incoming attribute is assigned to this variable.

attribute may be the name of a RADIUS attribute, or it may be one of the following keywords, which identify various special items also associated with the connection request. Each of these keywords begins with the percent sign (%) to strongly distinguish it from the RADIUS attributes.



Table 135: *.aut [Request] Syntax  
Item
Function

%OriginalUserName

The original full identification of the user, prior to any processing (that is, user@realm).

%User

The user portion of OriginalUserName (the section before @).

%UserName

The full user identification (user and realm strings) after all stripping and processing has been performed.

%Name

Synonym for UserName.

%EffectiveUser

The name of the user (the section before @) as presented to the authentication method. This may be a modified version of the original user name.

%Realm

The realm portion of the original user identification (the section after @) as presented to the authentication method. This may be a modified version of the original realm name.

%EffectiveRealm

The realm portion of the user identification as presented to the method. This may be a modified version of the original realm name.

%NASName

The name of the network access device that originated the request. This may be the name of the RADIUS Clients entry in the database or the value of the NAS-Identifier or NAS-IP-Address attribute.

%NASAddress

The address of the NAD, in dotted notation.

%NASModel

The make/model of the NAD, as specified in the Steel-Belted Radius Carrier database.

%Password

The PAP password.

%AllowedAccessHours

The time periods in which the user is allowed to access the network.

%RADIUSClientName

The name of the network access device, as specified in a RADIUS Clients entry in the Steel-Belted Radius Carrier database.


variable may be omitted from any [Request] entry. If so, the value in the incoming attribute is assigned to a variable named attribute.

[Request]
attribute = 

In the following [Request] section example, the nasid variable receives the value of the NAS-Identifier attribute from the request packet, the Service-Type variable receives the value of the Service-Type attribute, and the %NASAddress variable receives the NAS address in dotted notation.

[Request]
NAS-Identifier = nasid
Service-Type = 
%NASAddress =

[Defaults] Section

The [Defaults] section of the LDAP authentication header file lets you add entries to the variable table before the request is processed. You can reference these variables in your query, even if they are not supplied in the request. Any variable not listed in the [Defaults] section is initialized to a null value.

The format of each [Defaults] entry is:

variable = value


where variable is the name of a variable and value is the value you want to assign to it. For example:

[Defaults]
Default-User=SStudent

[Search/Radius]
Base = ou=people,dc=funk,dc=com
Filter = uid=<Default-User>
Scope = 2
Attributes = RadiusAttrs
Timeout = 20
%DN = dn


In this example, the Default-User variable is not created during request processing by the LDAP plug-in. Instead, the Default-User variable is inserted into the variable table by the entry in the [Defaults] section, and then substituted into the Filter setting in the [Search/Radius] section.

You can use the [Defaults] section to specify values for any variable, including temporary variables and those that represent RADIUS attributes or LDAP attributes. This way, if the Access-Request packet and LDAP database do not provide Steel-Belted Radius Carrier with all of the values that it needs to respond to an Access-Request, in each case it has an acceptable alternative value that can be used instead.

You can store multiple values for any variable; if that variable is mapped to a RADIUS attribute, all values are returned in the RADIUS response. Multiple entries set within this section are considered multiple values of the same variable.

Variable values are not additive between this section and each search. Therefore, if a search returns one or more values, all current values are replaced.

NOTE: The [Defaults] section is the only section in the header file that lets you assign static values to variables.


[Server/name] Sections

Several sections of the LDAP authentication header file work together to configure the connection between the Steel-Belted Radius Carrier server and the LDAP database server(s) that are being used to provide external database authentication. The sections are [Server], [Server/name], and [Settings].

Each [Server/name] section of the LDAP authentication header file contains configuration information about a single LDAP server. You must provide a [Server/name] section for each server named in the [Server] section. For example:

[Server]
s1=
s2=

[Server/s1]
Host = ldap_1
Port = 389
...

[Server/s2]
Host = 130.4.67.1
LastResort = 1
...

Table 136 lists the settings that may be present in a [Server/name] section:

Table 136: *.aut [Server/name] Syntax  
Parameter
Function

Bind

For Bind authentication, you must specify a Bind template in the [Settings] section of the LDAP authentication header file.

The Bind template must follow conventional LDAP syntax. It may be as simple or as complex as LDAP syntax permits, with multiple attribute/value assertions in boolean combination. It may also include replacement variables from the Variable Table.

Each replacement variable consists of the variable name enclosed in angle brackets (<>). Upon execution of the LDAP Bind request, the value of the variable replaces the variable name.

For example, a Bind template that uses the User-Name attribute from the RADIUS request might look like this:

uid=<User-Name>, ou=Special Users, o=bigco.com

BindName

For BindName authentication, the BindName parameter specifies the distinguished name (DN) to be used in the Bind request that connects to the LDAP server. The [Server/name] section lets you specify a unique BindName for a specific server. Use the [Settings] section to specify a default BindName to use for all servers.

For Bind authentication, omit all Bind, BindName and BindPassword parameters and use the Bind parameter in the [Settings] section.

See [Settings] Section.

BindPassword

For BindName authentication, you must provide a BindPassword. The BindPassword specifies the password to be used in the Bind request that connects to the LDAP server. The [Server/name] section lets you specify a unique BindPassword for a specific server. Use the [Settings] section to specify a default BindPassword to use for all servers.

For Bind authentication, omit the BindName and BindPassword parameters. Use the Bind parameter instead.

Certificates

Specifies the path of the certificate database for use with SSL. This path must not end in a filename. The certificate database must be the cert7.db and key3.db files used by Netscape Communicator 4.x or later.

ConnectTimeout

Specifies the number of seconds to wait when attempting to establish the connection to the database before timing out. This value is passed to the client database engine, which may or may not implement the feature.

FlashReconnect

If the server is down when performing a Bind or a Search, setting this parameter to 1 triggers a reconnection attempt before rejecting the request. Therefore, requests are not rejected due to inactivity timeouts.

This setting applies to a particular server. To apply it for all servers, place it in the [Settings] section.

Host

The host name or IP address of the LDAP server.

LastResort

You may identify a "last resort" LDAP server by providing a LastResort parameter in one of these [Server/name] sections, and setting its value to 1. If an LDAP query against some other server results in "no record found," the authentication server tries the last resort server before accepting or rejecting the user.

You might use the LastResort parameter to identify your master accounts database. This enables Steel-Belted Radius Carrier to cover the case in which a user account is newly added but has not yet been propagated to all the LDAP databases.

LdapVersion

Specifies the version of LDAP protocol, if needed to override the default given in the [Settings] section.

MaxConcurrent

Specifies the maximum number of instances of a single LDAP request that may be executing at one time.

NOTE: A setting of MaxConcurrent = 1 is sufficient for all but the most demanding environments. Increase this value slowly and conservatively. For more information, see "Overlapped Execution of SQL Statements" in Chapter 18, Configuring SQL Authentication of the Steel-Belted Radius Carrier Administration and Configuration Guide.

MaxWaitReconnect

Specifies the maximum number of seconds to wait after successive failures to reconnect after a failure of the database connection.

WaitReconnect specifies the time to wait after failure of the database connection. This value is doubled on each failed attempt to reconnect, up to a maximum of MaxWaitReconnect.

Password

Specifies the password string, which can include variables, used to specify a Bind prior to any search within a request. If this parameter is not specified, the packet's password is used.

Port

The TCP port of the LDAP server, or 0 to use the standard port.

Default value is 0.

QueryTimeout

Specifies the number of seconds to wait for the execution of an LDAP request to complete before timing out. This value is passed to the database engine, which may or may not implement the feature.

Search

The value of this parameter is a string, name. The name specifies an LDAP Search request by referencing a [Search/name] section elsewhere in the same .aut file.

SSL

  • If set to 0, SSL is not used over the LDAP connection.
  • If set to 1, SSL is used over the LDAP connection.

Default value is 0.

WaitReconnect

Specifies the number of seconds to wait after a failure of the database connection before trying to connect again.


[Server] Section

The [Server] section of the LDAP authentication header file lists the LDAP servers that may be used to perform authentication. You can specify more than one server in the [Server] section for load-balancing or backup. When more than one server is specified, Steel-Belted Radius Carrier authenticates against these databases in a round-robin fashion.

The syntax is:

[Server]
ServerName=TargetNumber
ServerName=TargetNumber
...

where ServerName is the name of a header file section that contains configuration information for that server, and TargetNumber is an activation target number, a number that controls when this server is activated for backup purposes. TargetNumber is optional and may be left blank. For example:

[Server]
s1 =
s2 =

[Server/s1]
...    ;Connection details for server s1

[Server/s2]
...    ;Connection details for server s2

A Steel-Belted Radius Carrier server maintains connectivity with its LDAP servers according to the following rules:

[Settings] Section

The [Settings] section (Table 137) of the LDAP authentication header file forms a basis for all Bind and Search requests to the LDAP database server(s).

Search sequencing is flexible. You can override search results using the $reject and $accept keywords.

You can proceed to a new search even if the current search returns no data by using the OnNotFound parameter.

For examples of using flexible searching, see [Server/name] Sections.

The parameters in the [Settings] section apply to all LDAP servers listed in the header file. The following parameters are usually present. If any of these parameters is not provided in the [Settings] section, the parameter assumes a system default value.

The values set in [Settings] for some parameters, such as ConnectTimeout, MaxConcurrent, or WaitReconnect, provide defaults that apply to all servers. These default values can be overridden for a particular server by entering the same parameter with a different value in a [Server/name] section.



Table 137: *.aut [Settings] Syntax  
Parameter
Function

Bind

For Bind authentication, you must specify a Bind template in the [Settings] section of the LDAP authentication header file.

The Bind template must follow conventional LDAP syntax. It may be as simple or as complex as LDAP syntax permits, with multiple attribute/value assertions in boolean combination. It may also include replacement variables from the Variable Table.

Each replacement variable consists of the variable name enclosed in angle brackets (<>). Upon execution of the LDAP Bind request, the value of the variable replaces the variable name.

For example, a Bind template that uses the User-Name attribute from the RADIUS request might look like this:

uid=<User-Name>, ou=Special Users, o=bigco.com

BindName

For BindName authentication, you must omit the Bind parameter from the LDAP authentication header file. Use the BindName and BindPassword parameters instead.

In the [Settings] section, BindName and BindPassword specify a default LDAP Bind template to use for all servers. You can also use BindName and BindPassword in [Server/name] sections to override this default for an individual server.

See [Server/name] Sections.

ConnectTimeout

Specifies the number of seconds to wait when attempting to establish the connection to the database before timing out. This value is passed to the client database engine, which may or may not implement the feature.

Default value is 25 seconds.

NOTE: The value specified in this parameter can be overridden in individual [Server/name] sections of this file.

FilterSpecialCharacterHandling

  • If set to 1, non-alphanumeric characters, such as ( or ), are converted to their ASCII hex value preceded by a backslash when they are encountered in a user name during authentication.
  • If set to 0, non-alphanumeric characters are not converted during authentication.

Default value is 0.
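As an added example (my code, not the product's) of what this setting changes, the Search template from the [Search/name] table rendered for constructed user names with FilterSpecialCharacterHandling at 0 and at 1. The per-UTF-8-byte handling of non-ASCII characters is my assumption, since the page mentions only ASCII hex values. With the default of 0, a user name containing ( or ) reaches the directory with the filter's nesting altered, which the balance check below makes visible.

```python
"""Added example, not Steel-Belted Radius Carrier code: render a Filter
template with FilterSpecialCharacterHandling = 0 versus 1, escaping each
non-alphanumeric character of the substituted user name as a backslash
followed by its ASCII hex value, as this page describes the setting."""
import re

# Search template taken from the [Search/name] table; the values are constructed.
TEMPLATE = "(&(uid=<User-Name>)(type=<Service-Type>))"


def escape_value(value: str) -> str:
    """FilterSpecialCharacterHandling = 1: keep ASCII letters and digits and
    turn every other character into '\\' + two hex digits. Assumption not
    stated on the page: non-ASCII characters are escaped per UTF-8 byte."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def render_filter(template: str, variables: dict, handling: int) -> str:
    """Substitute <Name> references from the Variable Table; escape the
    substituted values only when handling == 1."""
    def sub(m):
        value = variables.get(m.group(1), "")
        return escape_value(value) if handling == 1 else value
    return re.sub(r"<([^<>]+)>", sub, template)


def parentheses_balanced(filt: str) -> bool:
    """Cheap structural check worth logging on: an unescaped '(' or ')' coming
    from a user name changes the nesting of the rendered filter."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def rendered_and_balanced(user_name: str, handling: int) -> tuple:
    """Render TEMPLATE for one constructed request and report (filter, balanced)."""
    variables = {"User-Name": user_name, "Service-Type": "2"}
    rendered = render_filter(TEMPLATE, variables, handling)
    return rendered, parentheses_balanced(rendered)


if __name__ == "__main__":
    # Constructed user names: one with legitimate punctuation, one with a stray ')'.
    for user in ("o'neil (it)", "smith)"):
        for handling in (0, 1):
            filt, ok = rendered_and_balanced(user, handling)
            print(f"handling={handling} user={user!r}: {filt}  balanced={ok}")
```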

FlashReconnect

If a server is down when performing a Bind or a Search, setting this parameter to 1 triggers a reconnection attempt before rejecting the request. Therefore, requests are not rejected due to inactivity timeouts.

This setting applies to all servers. To apply it for a particular server, place it in the appropriate [Server/name] section.

LdapVersion

Specifies the version of LDAP protocol.

Default value is 2.

LogLevel

Activates logging for the LDAP authentication component and sets the rate at which it writes entries to the Steel-Belted Radius Carrier server log file (.LOG). This value may be the number 0, 1, or 2, where 0 is the lowest logging level, 1 is intermediate, and 2 is the most verbose.

If the LogLevel that you set in the .aut file is different than the LogLevel in radius.ini, the radius.ini setting determines the rate of logging.

MaxConcurrent

Specifies the maximum number of instances of a single LDAP request that may be executing at one time.

NOTE: The value specified in this parameter can be overridden in individual [Server/name] sections of this file.

NOTE: A setting of MaxConcurrent = 1 is sufficient for all but the most demanding environments. Increase this value slowly and conservatively. For more information, see "Overlapped Execution of SQL Statements" in Chapter 18, Configuring SQL Authentication of the Steel-Belted Radius Carrier Administration and Configuration Guide.

MaxScriptSteps

Specifies the maximum number of statements that a script can execute before terminating. You can use the MaxScriptSteps parameter to make sure a script does not get caught in an infinite loop.

Default value is 10000.

MaxWaitReconnect

Specifies the maximum number of seconds to wait between successive reconnection attempts after the database connection has failed.

WaitReconnect specifies the time to wait after failure of the database connection. This value is doubled on each failed attempt to reconnect, up to a maximum of MaxWaitReconnect.

NOTE: The value specified in this parameter can be overridden in individual [Server/name] sections of this file.

OnFound

Specifies the next request section when data is found. The value of this parameter is a string, name, which identifies an LDAP Search request by referencing a [Search/name] section elsewhere in the same .aut file. If there is no next request section, the overall operation succeeds. This can be overridden using the $reject keyword, which causes the operation to fail when data is found.

OnNotFound

Specifies the next request section when data is not found. The value of this parameter is a string, name, which identifies an LDAP Search request by referencing a [Search/name] section elsewhere in the same .aut file. If there is no next request section, the overall operation fails. This can be overridden using the $accept keyword, which causes the operation to succeed when data is not found.

Password

Specifies the password string, which can include variables, used for the Bind performed before any search within a request. If this parameter is not specified, the password from the incoming packet is used.

PasswordCase

  • If set to U or Upper, the password returned from the LDAP database is converted to uppercase before authentication.
  • If set to L or Lower, the password is converted to lowercase.
  • If set to O or Original, the password is not altered before authentication.

Default value is Original.

PasswordFormat

By default, the PasswordFormat parameter is not listed in the [Settings] section of the LDAP authentication header file. With no listing, Steel-Belted Radius Carrier expects the user's password in the LDAP table to be in cleartext format.

If you want Steel-Belted Radius Carrier to handle password values correctly when it detects that they are stored as a UNIXcrypt or SHA1+Base64 hash rather than in cleartext, set PasswordFormat to auto.
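To make the behaviour of PasswordFormat = auto concrete, here is an added example, not code from the product or its documentation. It recognises the three storage forms the page names (cleartext, UNIXcrypt, SHA1+Base64) and verifies a candidate password against each using a constant-time comparison. The recognition rules are assumptions: a {SHA} prefix for SHA1+Base64, and either a $id$ prefix or a 13-character traditional crypt string for UNIXcrypt; the documentation does not say how the plug-in detects the format.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

# Added example of "auto" password-format handling. The prefix and shape rules
# below are assumptions, not the product's documented detection logic.
_SHA_PREFIX = "{SHA}"
# "$id$..." (modular crypt) or exactly 13 characters of the traditional crypt alphabet.
_CRYPT_RE = re.compile(r"^\$[0-9a-z]+\$|^[./0-9A-Za-z]{13}$")


def sha1_base64(password: str) -> str:
    """Produce the SHA1+Base64 storage form (used here only to build sample values)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return _SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def detect_password_format(stored: str) -> str:
    """Classify a stored value as 'sha1-base64', 'unixcrypt' or 'cleartext'.
    Caveat: a cleartext password that happens to be 13 crypt-alphabet characters
    is indistinguishable from a traditional crypt hash by shape alone."""
    if stored.startswith(_SHA_PREFIX):
        return "sha1-base64"
    if _CRYPT_RE.match(stored):
        return "unixcrypt"
    return "cleartext"


def verify_password(stored: str, candidate: str) -> Optional[bool]:
    """True/False when the stored form can be checked here; None when the platform
    crypt() routine is unavailable (the crypt module is absent from Python 3.13+)."""
    fmt = detect_password_format(stored)
    if fmt == "sha1-base64":
        try:
            expected = base64.b64decode(stored[len(_SHA_PREFIX):], validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            return False
        actual = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(expected, actual)
    if fmt == "unixcrypt":
        try:
            import crypt            # deprecated since 3.11, removed in 3.13
        except ImportError:
            return None
        try:
            hashed = crypt.crypt(candidate, stored)
        except (OSError, ValueError):
            return False
        return hashed is not None and hmac.compare_digest(hashed, stored)
    # Cleartext: still compare in constant time.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


if __name__ == "__main__":
    sample = sha1_base64("secret")      # constructed sample value
    print(sample, detect_password_format(sample), verify_password(sample, "secret"))
```

The ambiguity in detect_password_format is the practical caveat of any "auto" mode: detection by shape cannot tell a 13-character cleartext password from a traditional crypt hash, so a directory that mixes formats should keep them distinguishable (for example by always using a tagged form such as {SHA}).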

QueryTimeout

Specifies the timeout value in seconds for an individual search performed against the LDAP server.

Default value is 10 seconds.

ScriptTraceLevel

Specifies the level of detail for line-by-line script tracing in the log.

  • If set to 0, no traces are logged.
  • If set to 1, traces are only logged when the SbrTrace() function is executed by the script.
  • If set to 2, a trace is generated for every line executed by the script.

Default value is 0.

Search

Specifies an LDAP Search request by referencing a [Search/name] section elsewhere in the same *.aut file.

SSL

  • If set to 0, SSL is not used over the LDAP connection.
  • If set to 1, SSL is used over the LDAP connection.

Default value is 0.

NOTE: The value specified in this parameter can be overridden in individual [Server/name] sections of this file.

Timeout

Specifies the overall timeout, in seconds, for each request, which includes the delay in acquiring resources, attempts against multiple LDAP servers, and so forth.

Default value is 20 seconds.

UpperCaseName

  • If set to 0, preserves the case of the username.
  • If set to 1, converts the username to uppercase.

Default value is 0.

UTC

  • If set to 0, time values are displayed using the local time.
  • If set to 1, time values are displayed using Coordinated Universal Time (UTC).

WaitReconnect

Specifies the number of seconds to wait after a failure of the database connection before trying to connect again.

NOTE: The value specified in this parameter can be overridden in individual [Server/name] sections of this file.


[Failure] Section

The [Failure] section of the LDAP authentication header file (Table 138) can be used to determine the result of the authentication process (accept or reject) when connectivity to all of the configured LDAP databases has failed. For example:

[Failure]
Accept = 1
Profile = XYZ
FullName = Mr Stanley Smith

NOTE: The Profile option and the Alias option cannot be used together. Read the following descriptions and choose the one that suits your needs.



Table 138: *.aut [Failure] Syntax

Parameter / Function

Accept

  • If set to 1, Steel-Belted Radius Carrier returns an Access-Accept packet with the Profile, FullName, and/or Alias attributes specified in the corresponding [Failure] section parameters.
  • If set to 0, the user is rejected.

Profile

This is the name of an existing Steel-Belted Radius Carrier Profile entry, whose check list and return list attributes are applied to the user's connection.

FullName

This string is the full user name, which is used in the Class attribute in the Access-Accept message.

Alias

As an alternative to using the Profile parameter, you can use the Alias parameter to name an existing Steel-Belted Radius Carrier Native User entry. Steel-Belted Radius Carrier then applies the check list and return list attributes of this User entry to the user's connection.

NOTE: The Alias feature permits the Maximum Concurrent Connection limit (settable in the Users panel) to be applied to the user's connection.

Important: We strongly recommend using Profile, because Alias has been deprecated. The LoginLimit value lets you implement the concurrent connection limits previously available through Alias.

If you want to apply concurrent connection limits to users who are being authenticated by means of LDAP, you must set up a Native User entry specifically for this purpose, with all of the appropriate check list and return list attributes, and with no password. You can set up as many such accounts as you require. These entries store a specific set of check list and return list attributes for LDAP authentication, for use only with the Alias parameter.

NOTE: Native User entries without passwords cannot be authenticated. This is a safety feature built into Steel-Belted Radius Carrier. Therefore, setting up User entries in preparation for using the Alias parameter with LDAP authentication does not pose a "back door" security risk.

NOTE: The Native User authentication method displayed in the Authentication Policies panel does not need to be activated for the Alias feature to work.
