LDAP Configuration Interface Overview

The LDAP Configuration Interface (LCI) provided by Steel-Belted Radius Carrier consists of an LDAP interface in the Steel-Belted Radius Carrier server and an LDAP virtual schema. The virtual schema presents the structure of the Steel-Belted Radius Carrier database in a form that standard LDAP client utilities can understand. The LCI uses the virtual schema to retrieve, modify, and delete entries in the database.

Note: The LDAP-SQL bridge, previously shipped as part of SBR HA 5.5, has been replaced by SBRC's LDAP Configuration Interface (LCI).

To use the LCI, enter a search query such as the following, which looks up the current session holding framed IP address 10.1.105.122:

ldapsearch -V 2 -h localhost -p 667 -D "cn=admin,o=radius" -w radius -s sub -b "framed-ip-address=10.1.105.122,radiusstatus=sessions_by_ipaddress,o=radius" framed-ip-address="*"

This search produces the following output:

dn: acct-session-id=f9248bc54c60230c003d9fbd00000000,
 client=10.13.101.201,framed-ip-address=10.1.105.122,
 radiusstatus=sessions_by_ipaddress,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: sessions_by_ipaddress
client: 10.13.101.201
acct-session-id: 13
nas-ip-address: 192.168.1.16
nas-port: 0
framed-ip-address: 10.1.105.122
session-start-time: 1281473604
fullname: TEST
elapsed: 616

Note: When you search for current sessions with the ldapsearch utility, the LCI returns at most 100 records. This prevents an LCI query from destabilizing either the SBRC server on which it runs or the SSR itself by holding record locks while reading. A result of exactly 100 records therefore means the query may have been cut off and should be narrowed.
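The output above is LDIF, and in practice you want it machine-readable: to find which user holds an address, to turn session-start-time into a date, and to notice when the 100-record cap was hit. The parser below is an added example written for this page; it is not code from Steel-Belted Radius Carrier or the Sun ONE SDK. The sample LDIF it embeds is constructed to match the shape of the output above (with LDIF line folding and one base64 value), the function names are the example's own, and treating session-start-time as a Unix epoch in seconds is an assumption the page does not state.

```python
"""Parse the LDIF that ldapsearch prints for an LCI current-sessions query.

Added example for this page, not code from Steel-Belted Radius Carrier or the
Sun ONE SDK. SAMPLE_LDIF is constructed; the function names are the example's
own; reading session-start-time as a Unix epoch is an assumption.
"""
import base64
from datetime import datetime, timezone

# Constructed sample in the shape the LCI returns: long values are folded
# LDIF-style (continuation lines start with one space) and the second entry
# carries a base64 value (the 'attr:: value' form).
SAMPLE_LDIF = """\
dn: acct-session-id=f9248bc54c60230c003d9fbd00000000,
 client=10.13.101.201,framed-ip-address=10.1.105.122,
 radiusstatus=sessions_by_ipaddress,o=radius
objectclass: top
objectclass: radiusstatus
radiusstatus: sessions_by_ipaddress
client: 10.13.101.201
acct-session-id: 13
nas-ip-address: 192.168.1.16
nas-port: 0
framed-ip-address: 10.1.105.122
session-start-time: 1281473604
fullname: TEST
elapsed: 616

dn: acct-session-id=0000000000000000000000000000abcd,
 client=10.13.101.202,framed-ip-address=10.1.105.123,
 radiusstatus=sessions_by_ipaddress,o=radius
objectclass: top
objectclass: radiusstatus
client: 10.13.101.202
framed-ip-address: 10.1.105.123
session-start-time: 1281473700
fullname:: VEVTVCBVU0VS
elapsed: 20
"""


def _unfold(text):
    """Join LDIF continuation lines (leading space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """List of entries: dict of lower-cased attribute -> list of values.
    Blank lines separate entries, '#' and 'version:' lines are skipped,
    multi-valued attributes keep every value, 'attr:: b64' is decoded."""
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def sessions_for_ip(entries, ip):
    """Entries whose framed-ip-address is exactly ip."""
    return [e for e in entries if ip in e.get("framed-ip-address", [])]


def may_be_truncated(entries, limit=100):
    """True when the result hit the LCI's 100-record cap: the real set may be larger."""
    return len(entries) >= limit


def session_start_utc(entry):
    """session-start-time (assumed Unix epoch seconds) as ISO 8601 UTC."""
    secs = int(entry["session-start-time"][0])
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()


if __name__ == "__main__":  # usage: ldapsearch ... | python lci_sessions.py IP
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "10.1.105.122"
    found = parse_ldif(SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read())
    if may_be_truncated(found):
        print("warning: result hit the 100-record LCI cap; narrow the search")
    for e in sessions_for_ip(found, ip):
        print(e["fullname"][0], e["client"][0], session_start_utc(e), e["elapsed"][0] + "s")
```

Pipe the real ldapsearch output into it; with no piped input it parses the constructed sample. Because the cap is exactly 100, a result of 100 entries is the signal to narrow the query, for example by searching under a single framed-ip-address entry rather than the whole sessions_by_ipaddress subtree.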

Figure 193 illustrates the relationship between LDAP components, the Administrator, and the configuration database.

Figure 193: LDAP Components


LDAP Utilities

Freeware LDAP utilities, such as ldapsearch, ldapdelete, and ldapmodify, act as clients of the LDAP interface. LDAP utilities let you read and modify an LDAP database.

  • ldapsearch—The ldapsearch utility locates and retrieves LDAP directory entries. The ldapsearch utility opens a connection to an LDAP interface using the specified distinguished name and password, binds, and locates entries based on the specified search filter. A search can return a single entry, an entry's immediate subentries, or an entire tree or subtree. Search results are returned in LDAP Data Interchange Format (LDIF) format.
  • ldapdelete—The ldapdelete utility deletes entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, binds, and deletes the entry or entries.
  • ldapmodify—The ldapmodify utility adds or modifies entries in an existing LDAP directory. ldapmodify opens a connection to an LDAP interface using the distinguished name and password you supply, binds, and adds or modifies the entries based on the LDIF update statements contained in a specified file.

LDAP Requests

LDAP requests are submitted in two ways:

  • By specifying options on the LDAP configuration interface command line.
  • By placing instructions and data into an LDIF file, which you then process by invoking an LDAP command line utility using the -f option.

Because communication between the LDAP client and the server is unencrypted (the administrator DN, the bind password, and every record returned travel in clear text), run the LDAP utilities on the same computer as Steel-Belted Radius Carrier and connect to localhost. Note also that a password supplied with the -w option is visible in the process list and is recorded in your shell history; if your utilities can read the bind password from a file instead, prefer that option.

Downloading the LDAP Utilities

To use the LCI, you need the ldapsearch, ldapmodify, and ldapdelete utilities. All three are included in the Sun ONE Directory SDK, which you can download as follows:

  1. Use a browser to navigate to http://www.oracle.com/technetwork/indexes/downloads/index.html.
  2. When the Sun ONE Directory SDK (software development kit) download page appears, click the Download link at the bottom of the page.
  3. If you are prompted to register, complete the registration form.
  4. When you are prompted to accept the license agreement, click the Accept button and then click Continue.
  5. Download the SDK by clicking the link for the version of the SDK that is appropriate for your computer.
  6. When the download is completed, extract the files from the compressed image to a directory on your computer.

To run the LDAP utilities, execute them from this directory. If you set the path environment variable to point to this directory, you can run them from any location on the system.

Note: The examples that follow assume you are using the LDAP utilities provided as part of the Sun ONE Directory SDK. If you are using LDAP utilities from another source, the command options you use may be different. Consult the documentation for your LDAP utilities for more information.

LDAP Version Compliance

The LDAP interface in Steel-Belted Radius Carrier complies with version 2 of the LDAP specification. You should use the -V 2 command option to direct the utilities to use version 2 features. For example:

ldapmodify -c -V 2 -p 354 -D "cn=admin,o=radius" -w radius -f filename

Configuring the LDAP TCP Port

To avoid conflicts with LDAP services that may already be installed, the default port number for communication between Steel-Belted Radius Carrier and the LDAP client is 667. You can configure Steel-Belted Radius Carrier to use a different TCP port to communicate with an LDAP client. For example, you can change this port number to 389, the standard LDAP TCP port, if you are certain doing so will not create port number conflicts with other applications.

The following example configures Steel-Belted Radius Carrier to use TCP port 354.

  1. In the radius.ini file, uncomment the [LDAP] section, set Enable to 1, and set the TCPPort field to the port number you want to use. For example:
    [LDAP]
    Enable = 1
    TCPPort = 354
  2. If you want to specify the interfaces on which Steel-Belted Radius Carrier listens for LCI requests, add a [LDAPAddresses] section to the radius.ini file. This section should contain a list of IP addresses, one per line. For example:
    [LDAPAddresses]
    192.168.12.45
    10.10.10.25

    If the [LDAPAddresses] section is omitted or empty, Steel-Belted Radius Carrier listens for LCI requests on all bound IP interfaces.

You must specify the port number (by means of the -p option) when you run the LDAP utilities. For example:

ldapsearch -V 2 -p 354 -D "cn=admin,o=radius" -w radius -s sub -T -b "radiusclass=Client,o=radius" radiusname=*

Example

The Steel-Belted Radius Carrier server at the Good Times Clock Company has two network interfaces. The first interface (192.168.10.40) connects to the corporate network. The second interface (192.168.20.50) connects to a dedicated administrative VLAN accessible only from the local subnet. To limit access to the LCI to network administrators, the [LDAPAddresses] section of radius.ini specifies that LCI requests must come through the administrative interface (192.168.20.50). LCI requests coming through the corporate network interface (192.168.10.40) are ignored.
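To check an existing radius.ini against the configuration described above (LCI enabled, a port that does not collide with a real LDAP server, and the listener restricted to the administrative address), here is an added example audit script written for this page; it is not part of Steel-Belted Radius Carrier. [LDAP] holds key = value lines while [LDAPAddresses] holds one bare IP address per line, so a stock INI parser is not enough. The two radius.ini fragments are constructed, and the administrative subnet 192.168.20.0/24 is an assumption taken from the Good Times Clock Company example.

```python
"""Audit the LCI listener settings in radius.ini.

Added example for this page, not part of Steel-Belted Radius Carrier.
WEAK_INI and GOOD_INI are constructed fragments; the admin subnet used
as the default for audit_lci() is an assumption for the example.
"""
import ipaddress

WEAK_INI = """\
; constructed radius.ini fragment: LCI reachable from every interface
[LDAP]
Enable = 1
TCPPort = 389

[LDAPAddresses]
"""

GOOD_INI = """\
; constructed radius.ini fragment: LCI bound to the admin VLAN only
[LDAP]
Enable = 1
TCPPort = 667

[LDAPAddresses]
192.168.20.50
"""


def parse_radius_ini(text):
    """Return {section name (lower-cased): [content lines]} keeping order.
    Blank lines and ';' or '#' comments are dropped. Lines are not split
    into key/value here because [LDAPAddresses] has no keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("line outside any section: %r" % raw)
        sections[current].append(line)
    return sections


def _key_values(lines):
    """key = value lines of a section as a dict with lower-cased keys."""
    out = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def audit_lci(text, admin_networks=("192.168.20.0/24",)):
    """Return a list of findings. Empty means the LCI is disabled, or is
    enabled on a port other than 389 and bound only to addresses inside
    admin_networks (the subnets from which LCI access is acceptable)."""
    sections = parse_radius_ini(text)
    findings = []
    ldap = _key_values(sections.get("ldap", []))
    if ldap.get("enable", "0") != "1":
        return findings  # LCI disabled: nothing listens, nothing to audit
    port = int(ldap.get("tcpport", "667"))  # 667 is the documented default
    if port == 389:
        findings.append("TCPPort is 389: make sure no other LDAP service on "
                        "this host needs the standard port")
    addrs = sections.get("ldapaddresses", [])
    if not addrs:
        findings.append("[LDAPAddresses] missing or empty: LCI listens on "
                        "all bound IP interfaces")
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            findings.append("[LDAPAddresses] entry %r is not an IP address" % a)
            continue
        if not any(ip in n for n in nets):
            findings.append("LCI bound to %s, outside the admin networks" % a)
    return findings


if __name__ == "__main__":  # usage: python lci_audit.py /path/to/radius.ini
    import sys
    ini = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_INI
    for finding in audit_lci(ini) or ["no findings"]:
        print(finding)
```

Run it against the live radius.ini after every change to the [LDAP] or [LDAPAddresses] sections; an address that is not on the administrative VLAN, or an empty [LDAPAddresses] section, is exactly the case the Good Times Clock Company example is meant to rule out.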

Configuring the LCI Password

After you enable the LCI, change the default LCI password to prevent unauthorized LDAP clients from accessing your database. After you install the LDAP utilities and verify that they work, perform the following steps:

  1. Create a text file called temp.ldif with the following contents:
    dn: radiusclass=server,o=radius
    changetype: modify
    replace: server-password
    server-password: new-password

    Where new-password is the LCI password you want to use.

  2. Change the radius.ini [LDAP] setting to Enable=1.
  3. Restart Steel-Belted Radius Carrier.
  4. Execute the following command:
    ldapmodify -V 2 -h ip-address -p port -D "cn=admin,o=radius" -w oldpassword -f temp.ldif

    Where:

    -h ip-address specifies the IP address of the Steel-Belted Radius Carrier server.

    -p port specifies the port number specified in the [LDAP] section of the radius.ini file.

    -w oldpassword specifies the current password (which is radius by default).

  5. Verify that the password change was successful by executing the following command:
    ldapsearch -V 2 -h ip-address -p port -D "cn=admin,o=radius" -w newpassword -s sub -T -b "o=radius" radiusclass=server

    Where:

    -h ip-address specifies the IP address of the Steel-Belted Radius Carrier server.

    -p port specifies the port number specified in the [LDAP] section of the radius.ini file.

    -w newpassword specifies the password configured in the temp.ldif file.

After you verify that the password change has been successful, delete the temp.ldif file and any other file that contains a clear-text copy of the new LCI password. Because the -w option places the password on the command line, also remove those commands from your shell history, and bear in mind that the password was visible to other local users in the process list while ldapmodify and ldapsearch were running.

Note: The LDAP Configuration Interface does not support Secure Sockets Layer (SSL).
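The procedure above can be scripted so that the LDIF file never sits on disk with loose permissions and is scrubbed whether or not the change succeeds. The following is an added example written for this page, not code from Steel-Belted Radius Carrier or the Sun ONE SDK. It assumes the Sun ONE ldapmodify and ldapsearch are on PATH and that it runs on the SBRC host itself, since the LCI is unencrypted; it keeps the page's -w usage, so the password is briefly visible in the process list, and its run parameter exists so the flow can be exercised without the tools installed. The value encoding in _ldif_value is also worth noting: a password that begins with a space, ':' or '<', or contains non-ASCII characters, must be written base64-encoded or the LDIF parser will mangle it.

```python
"""Rotate the LCI password and leave no clear-text copy behind.

Added example for this page, not code shipped with Steel-Belted Radius
Carrier or the Sun ONE SDK. Assumes the Sun ONE ldapmodify/ldapsearch are
on PATH and that this runs on the SBRC host (the LCI is unencrypted).
The bind password is passed with -w exactly as on the page.
"""
import base64
import os
import subprocess
import tempfile

BIND_DN = "cn=admin,o=radius"


def _ldif_value(value):
    """Encode one attribute value for LDIF: plain only if every byte is
    printable ASCII and the first is not space, ':' or '<' (stricter than
    RFC 2849's SAFE-STRING); otherwise base64 in the 'attr:: ' form,
    which is always permitted. Keeps passwords with odd characters intact."""
    data = value.encode("utf-8")
    plain = all(32 <= b < 127 for b in data) and data[:1] not in (b" ", b":", b"<")
    if plain:
        return ": " + value
    return ":: " + base64.b64encode(data).decode("ascii")


def build_password_ldif(new_password):
    """The temp.ldif contents from step 1, with the value encoded safely."""
    if not new_password:
        raise ValueError("empty LCI password")
    return ("dn: radiusclass=server,o=radius\n"
            "changetype: modify\n"
            "replace: server-password\n"
            "server-password" + _ldif_value(new_password) + "\n")


def write_secret_file(path, content):
    """Create path with mode 0600, refusing an existing file (O_EXCL) so a
    pre-planted symlink or world-readable file cannot be written into."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def scrub_file(path):
    """Overwrite with zeros, fsync, unlink. Overwriting is best-effort on
    journaled or SSD storage; unlinking is what the page requires."""
    if not os.path.exists(path):
        return
    try:
        with open(path, "r+b") as f:
            f.write(b"\0" * os.path.getsize(path))
            f.flush()
            os.fsync(f.fileno())
    finally:
        os.unlink(path)


def ldapmodify_argv(host, port, bind_password, ldif_path):
    """Step 4 command line, Sun ONE option spelling as on the page."""
    return ["ldapmodify", "-V", "2", "-h", host, "-p", str(port),
            "-D", BIND_DN, "-w", bind_password, "-f", ldif_path]


def ldapsearch_verify_argv(host, port, bind_password):
    """Step 5: bind with the new password and read the server entry."""
    return ["ldapsearch", "-V", "2", "-h", host, "-p", str(port),
            "-D", BIND_DN, "-w", bind_password,
            "-s", "sub", "-T", "-b", "o=radius", "radiusclass=server"]


def rotate_lci_password(host, port, old_password, new_password,
                        run=subprocess.run, workdir=None):
    """True only if ldapmodify succeeded and the verification bind with the
    new password succeeded; the LDIF file is scrubbed either way."""
    workdir = workdir or tempfile.mkdtemp(prefix="lci-")
    ldif_path = os.path.join(workdir, "temp.ldif")
    write_secret_file(ldif_path, build_password_ldif(new_password))
    try:
        if run(ldapmodify_argv(host, port, old_password, ldif_path)).returncode != 0:
            return False
        return run(ldapsearch_verify_argv(host, port, new_password)).returncode == 0
    finally:
        scrub_file(ldif_path)


if __name__ == "__main__":  # usage: python lci_rotate.py [host] [port]
    import getpass
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 667
    old = getpass.getpass("current LCI password: ")
    new = getpass.getpass("new LCI password: ")
    print("rotated" if rotate_lci_password(host, port, old, new) else "FAILED")
```

Passwords are read with getpass rather than taken as arguments so that at least the script's own invocation does not put them in the shell history; the ldapmodify and ldapsearch child processes still receive them via -w, which is the exposure the page's cleanup note is about.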

Modified: 2017-09-27