Steel Belted Radius Carrier 7.0 Reference Guide > LDAP Authentication File > ldapauth Extensions

ldapauth Extensions

This plug-in adds the ability to use two new LDAP attributes:

• ProfileData: Stores multiple RADIUS attribute value pairs within a single LDAP container, removing the need for multiple entries in a LDAP user object.
• GlobalProfile: Configures users based on a global profile, which can be specified as any username concatenated with the company name (such as Profile1@Company).

GlobalProfile Attribute

The GlobalProfile attribute takes the value from an LDAP attribute and parses it to match a profile. The format of the data is that of a DN attribute. Store it as:

cn=profile-name, {optional ou's}, o=name, 

   {optional dc's \o's \c's}

profile-name and name are concatenated to build profilename@name. Make sure this value matches a profile stored in Steel-Belted Radius Carrier.

For example:

cn=Global1, ou=Profile, ou=Radius, ou=IP Services,

o=acme, o=directoryroot

This value is parsed to form a new string: Global1@acme. This new string is then passed back as the profile by making the following entry in the response section:

[Response]

%profile= LDAP attribute that contains the global profile

This value is ignored if:

• There is no o keyword value
• The string does not begin with the cn keyword
• %profile is not set to the name of the attribute that contains the Globalprofile data

An incorrect profile name results if the name parameter is not the first value of the organization name (o).

ProfileData Attribute

This feature allows an administrator to store multiple RADIUS attribute-value pairs within a single LDAP container, removing the need for multiple entries in a LDAP user object.

For example, the values for framed-ip-address, service-type, and framed-protocol can be stored in one attribute called stdDialin. Combining them saves space on the LDAP server.

Make the attribute a string data-type (directory string or string case insensitive). The format for the data stored in this attribute is:

<r|R>;attribute-name;type;value&

• r or R — Specifies that the attribute may be single or multi-valued.
• attribute-name — Specifies the name of the attribute that is being added.
• value& — The value to be returned with this attribute, terminated with &.

NOTE: The type field is ignored; the values are interpreted according to the RADIUS dictionary.

For example:

stdDialin: r; service-type; integer; 1&;r; framed-protocol; integer; 2&; r; 
framed-ip-address; string;192.168.2.2&

The Profiledata attribute is retrieved from the LDAP server in the same way that other attributes are retrieved; they might be specified from the [Attributes\] section referenced in the relevant search.

Have the [Response] section of the ldapauth.aut file list each attribute contained in the profiledata attribute.

Configure the [Response] section for stdDialin to operate:

[Response]

service-type=

framed-protocol=

framed-ip-address=

 NOTE: If the ProfileData attribute stores multiple attribute-value pairs and one or more of those attributes appears in the applicable dictionary, then that attribute and its value are returned to the RADIUS client even if the attribute is not enumerated in the [Response] section of the file.



 

Modifying ldapauth.aut

To modify ldapauth.aut to support the extensions:

1. Add the following field:

[Settings]

UpdateResponse = 1

2. Add a [GroupedAttributes] section to specify the GlobalProfile and/or ProfileData attributes.

[GroupedAttributes]

GlobalProfile = GlobalProfileLDAPAttribute

ProfileData = ProfileDataLDAPAttribute

3. In the appropriate [Attributes/name] section, add the actual LDAP attributes as specified previously.

[Attributes/name]

GlobalProfileLDAPAttribute

ProfileDataLDAPAttribute

any other attributes

4. In the [Response] section, set %Profile to the GlobalProfile and list any attributes that are contained in the ProfileData attribute:

[Response]

%Profile = GlobalProfileLDAPAttribute

radiusattribute1=

radiusattribute2=