Directed Authentication
Directed authentication is used when the service provider manages retailer ISPs: the service provider holds the ISP's end-customer information in its LDAP server but is not responsible for that data, which is stored in a separate subtree of the directory.
Unique identifiers in a retailer ISP's realm may collide with identifiers that already exist in the service provider's realm or in another retailer ISP's realm. Directed authentication therefore lets you select a different search base according to the realm name submitted at login time.
Configuration Example
Consider an example where the ISP "Virneo" is handled within the service provider's LDAP directory. The service provider and the ISP have agreed to use the realm name virneo.com.
To configure directed authentication for this example, perform the following steps:

- Enable directed realms in the proxy configuration and list the realm name in the [Directed] section:

  [Configuration]
  ExtendedProxy = 1

  [Directed]
  virneo.com

- Create the directed realm configuration file virneo.com.dir:

  Note: The base name of the file (virneo.com) must be identical to the realm name specified in the previous step.

  [AuthMethods]
  VIRNEO.COM

  [Auth]
  Enable = 1
  StripRealm = 1

  [Acct]
  Enable = 1

  Note: The string specified in the [AuthMethods] section must be identical to the LDAP initialization string in the authentication file created in the next step (virneo.com.aut).

- Define the LDAP configuration interface for directed authentication (creating the authentication file virneo.com.aut):

  This step is identical to the corresponding step in the Configuring LDAP Authentication section. The initialization string in the [Bootstrap] section must be identical to the authentication method specified in virneo.com.dir. For example:

  [Bootstrap]
  LibraryName=ldapauth.so
  Enable=1
  InitializationString=VIRNEO.COM

Further details about the proxy configuration and directed realm configurations can be found in the Steel-Belted Radius/SPE manuals.
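The three fragments above only work when their identifiers line up: the realm listed under [Directed] must match the .dir file name, and the [AuthMethods] entry in the .dir file must match InitializationString in the .aut file. The following Python script is an added example, not part of Steel-Belted Radius or its documentation: it parses the three fragments (embedded inline as constructed sample data), reports any mismatch, and shows how a login such as alice@virneo.com would be routed at login time, including the effect of StripRealm = 1. The comparison of [AuthMethods] with InitializationString is exact, as the note requires; treating the realm lookup itself as case-insensitive is an assumption of this script, and the function names are hypothetical.

```python
"""Consistency check and login-time realm dispatch for the directed
authentication example. Hypothetical helper code, not part of SBR."""
import configparser
from typing import Optional

# Constructed inline: proxy configuration fragment enabling directed realms.
PROXY_INI = """
[Configuration]
ExtendedProxy = 1

[Directed]
virneo.com
"""

# Constructed inline: contents of the directed realm file virneo.com.dir.
DIR_FILES = {
    "virneo.com.dir": """
[AuthMethods]
VIRNEO.COM

[Auth]
Enable = 1
StripRealm = 1

[Acct]
Enable = 1
""",
}

# Constructed inline: contents of the authentication file virneo.com.aut.
AUT_FILES = {
    "virneo.com.aut": """
[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=VIRNEO.COM
""",
}


def parse_ini(text: str) -> configparser.ConfigParser:
    # [Directed] and [AuthMethods] list bare names with no "=", so
    # allow_no_value is needed. Keys keep their case because the page
    # requires the strings to be identical.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_directed_config(proxy_ini: str, dir_files: dict, aut_files: dict) -> list:
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    proxy = parse_ini(proxy_ini)
    if proxy.get("Configuration", "ExtendedProxy", fallback="0") != "1":
        problems.append("ExtendedProxy must be 1 for directed realms")
    realms = proxy.options("Directed") if proxy.has_section("Directed") else []
    for realm in realms:
        dir_name, aut_name = realm + ".dir", realm + ".aut"
        if dir_name not in dir_files:
            problems.append(f"realm {realm}: missing {dir_name}")
            continue
        dir_cfg = parse_ini(dir_files[dir_name])
        methods = dir_cfg.options("AuthMethods") if dir_cfg.has_section("AuthMethods") else []
        if not methods:
            problems.append(f"{dir_name}: no [AuthMethods] entry")
            continue
        if aut_name not in aut_files:
            problems.append(f"realm {realm}: missing {aut_name}")
            continue
        init = parse_ini(aut_files[aut_name]).get("Bootstrap", "InitializationString", fallback=None)
        # Exact, case-sensitive comparison: the note says the strings must be identical.
        if init not in methods:
            problems.append(f"{aut_name}: InitializationString {init!r} not in {dir_name} [AuthMethods] {methods}")
    return problems


def dispatch_login(user_name: str, proxy_ini: str, dir_files: dict) -> Optional[dict]:
    """Resolve the realm submitted at login time to its directed realm file.

    Returns None when the name carries no realm or the realm is not directed.
    Assumption: realm names are matched case-insensitively at login time.
    """
    if "@" not in user_name:
        return None
    user, realm = user_name.rsplit("@", 1)
    proxy = parse_ini(proxy_ini)
    directed = {r.lower(): r for r in proxy.options("Directed")}
    configured = directed.get(realm.lower())
    if configured is None or configured + ".dir" not in dir_files:
        return None
    dir_cfg = parse_ini(dir_files[configured + ".dir"])
    strip = dir_cfg.get("Auth", "StripRealm", fallback="0") == "1"
    return {
        "realm": configured,
        "dir_file": configured + ".dir",
        "auth_method": dir_cfg.options("AuthMethods")[0],
        # With StripRealm = 1 only the bare user name reaches the auth method.
        "forwarded_user": user if strip else user_name,
    }


if __name__ == "__main__":
    print(check_directed_config(PROXY_INI, DIR_FILES, AUT_FILES))
    print(dispatch_login("alice@virneo.com", PROXY_INI, DIR_FILES))
```

Run the checker after editing any of the three files; a lowercase InitializationString against an uppercase [AuthMethods] entry, or a .dir file whose name differs from the [Directed] entry, is reported before it silently breaks logins for that realm.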