LDAP Authentication Examples

This topic provides examples of LDAP authentication configuration file syntax. The examples illustrate how you might:

  • Authenticate passwords (Bind or BindName).
  • Specify check list and return list attributes (list the attributes or name a profile entry in the Steel-Belted Radius Carrier database).

Bind Authentication with Default Profile

The following example is a simple LDAP authentication configuration file. Every user is authenticated using a Bind request to the LDAP database. The same Steel-Belted Radius Carrier attribute profile is applied to every Access-Request.

[Settings]
MaxConcurrent=1
Timeout=20
ConnectTimeout=25
QueryTimeout=10
WaitReconnect=2
MaxWaitReconnect=360
Bind=uid=<User-Name>, ou=Special Users, o=bigco.com
LogLevel = 2
UpperCaseName = 0
PasswordCase=original
SSL = 0
[Server]
s1=
[Server/s1]
Host=199.185.162.147
Port = 389
[Defaults]
TheUserProfile = Sample
[Request]
%User-Name = User-Name
[Response]
%Profile = TheUserProfile
[Search/DoLdapSearch]
Base = ou=Special Users, o=bigco.com
Scope = 2
Filter = uid=<dialup>
Attributes = AttrList
Timeout = 20
%DN = dn
[Attributes/AttrList]

If the [Response] section is empty, Steel-Belted Radius Carrier passes the Bind results (accept or reject) directly to its client; no additional RADIUS attributes are returned in the Access-Response.

BindName Authentication with Callback Number Returned

In the following example, requests are authenticated using Search. BindName and BindPassword values are supplied to permit a connection to the LDAP database. Return list attributes for authentication are listed in the [Response] section. In this example, the network access server needs a callback number to complete the connection. The value of the incoming DNIS attribute Calling-Station-ID is used to ensure that the callback number is the number from which the user's request originated.

Note: This example is incomplete; it omits the [Bootstrap] and [Settings] sections to save space.

[Server]
s1=
[Server/s1]
Host = 67.186.4.3
Port = 389
BindName=uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
BindPassword=ourlittlesecret
Search = DoLdapSearch
[Defaults]
SendThis = DidLDAPAuthSearch
[Request]
%UserName = dialup
Calling-Station-ID = thenumbertocall
[Search/DoLdapSearch]
Base = ou=Special Users, o=bigco.com
Scope = 2
Filter = uid=<dialup>
Attributes = AttrList
Timeout = 20
%DN = dn
[Attributes/AttrList]
dialuppassword
[Response]
%Password = dialuppassword
Reply-Message = SendThis
Ascend-Callback-No = thenumbertocall

LDAP Bind with Profile Based on Network Access Server

In the following example, requests are authenticated using Bind. Check list and return list attributes for authentication are provided by referencing a profile entry in the Steel-Belted Radius Carrier database. The profile to be used depends on the specific network access server from which the user's request originates. Steel-Belted Radius Carrier retrieves the profile name by searching the LDAP database for an entry whose IP address matches the address of the requesting NAS. If this search fails, a profile called limited is used. If a profile name is successfully retrieved from the LDAP database, but no profile by that name can be found in the Steel-Belted Radius Carrier database, authentication fails due to lack of resources and the user is rejected.

Note: This example is incomplete; it omits the [Bootstrap] section and many [Settings] entries to save space.

[Settings]
Bind=uid=<loginID>, ou=Special Users, o=bigco.com
Search = DoLdapSearch
[Server]
s1=
[Server/s1]
Host = 67.186.4.3
Port = 389
[Request]
%UserName = loginID
%NASAddress = deviceIP
[Defaults]
%Profile = limited
[Search/DoLdapSearch]
Base = ou=CommServers, o=bigco.com
Scope = 1
Filter = ipaddr=<deviceIP>
Attributes = AttrList
Timeout = 20
%DN = dn
[Attributes/AttrList]
profile
[Response]
%Profile = profile
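To show how the variable substitution in these files works end to end, here is an added Python model (not Steel-Belted Radius Carrier code) that parses the layout of the example above, maps [Request] attributes to variables, fills the Bind and Filter templates, applies [Defaults] when the search returns nothing, and rejects when the retrieved profile name is unknown to the SBR database. It assumes a constructed in-memory directory and profile set in place of the real LDAP server and SBR database, and the RFC 4514/4515 escaping of substituted values is this example's own addition, not something the page states.

```python
import re
# Constructed sample config modelled on the third example on this page (profile chosen by NAS address).
SAMPLE_CFG = """[Settings]
Bind=uid=<loginID>, ou=Special Users, o=bigco.com
Search = DoLdapSearch
[Request]
%UserName = loginID
%NASAddress = deviceIP
[Defaults]
%Profile = limited
[Search/DoLdapSearch]
Base = ou=CommServers, o=bigco.com
Filter = ipaddr=<deviceIP>
Attributes = AttrList
[Attributes/AttrList]
profile
[Response]
%Profile = profile"""
# Constructed stand-ins for the directory (NAS ipaddr -> entry) and for the SBR profile database.
DIRECTORY = {"10.0.0.5": {"profile": "gold"}, "10.0.0.6": {"profile": "unknown-to-sbr"}}
SBR_PROFILES = {"gold", "limited"}

def parse_cfg(text):  # [section] headers, key = value lines, bare attribute-list lines
    cfg, sec = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("["):
            sec = cfg.setdefault(line.strip("[]"), {})
        elif "=" in line:
            sec.update([map(str.strip, line.split("=", 1))])  # one (key, value) pair, both stripped
        else:
            sec.setdefault("_list", []).append(line)
    return cfg

def escape_filter(v):  # RFC 4515 escaping of a search-filter assertion value
    return "".join({"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}.get(c, c) for c in v)
def escape_dn(v):  # RFC 4514: backslash-escape the special characters of a DN attribute value
    return re.sub(r'([,+"\\<>;])', r"\\\1", v)
def fill(template, variables, esc):  # replace each <name> with the escaped value of that variable
    return re.sub(r"<([^>]+)>", lambda m: esc(variables[m.group(1)]), template)

def fake_search(base, filt, attrs):  # stand-in for the LDAP search over the constructed directory
    return {a: v for a, v in DIRECTORY.get(filt.partition("=")[2], {}).items() if a in attrs}

def resolve(cfg, request, ldap_search=fake_search, sbr_profiles=SBR_PROFILES):
    variables = {var: request[attr.lstrip("%")] for attr, var in cfg["Request"].items()}
    bind_dn = fill(cfg["Settings"]["Bind"], variables, escape_dn)
    s = cfg["Search/" + cfg["Settings"]["Search"]]
    attrs = cfg["Attributes/" + s["Attributes"]]["_list"]
    variables.update(ldap_search(s["Base"], fill(s["Filter"], variables, escape_filter), attrs))
    reply = {a: variables.get(v, cfg["Defaults"].get(a)) for a, v in cfg["Response"].items()}  # [Defaults] if unset
    return bind_dn, reply, "reject" if reply.get("%Profile") not in sbr_profiles else "bind"
```

Calling resolve(parse_cfg(SAMPLE_CFG), {"UserName": "alice", "NASAddress": "10.0.0.5"}) yields the bind DN, {"%Profile": "gold"} and "bind"; an unknown NAS address falls back to the limited profile, and a directory entry naming a profile SBR does not have is rejected before any bind is attempted.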

Modified: 2017-09-27