LDAP Authentication Sequence
The sequence of an LDAP authentication transaction is controlled by the LDAP authentication configuration file as follows:
1. The Variable Table is initialized to default values as specified in the [Defaults] section. All variables that are not listed in the [Defaults] section are initialized to null values.
2. The values of RADIUS attributes in the Access-Request are copied to the Variable Table, as specified in the [Request] section.
3. If a Bind entry was specified in the [Settings] section, authentication via LDAP Bind is now performed. The Bind entry is used as a template to construct a bind string, using replacement values from the Variable Table. An LDAP Bind is then performed to authenticate the user.
4. An LDAP Search request is performed for each [Search/name] section specified. You may specify zero or more separate Search requests.
5. For each Search request, LDAP Base and Filter strings are constructed from templates, using replacement values from the Variable Table. These Base and Filter strings are then transmitted to the LDAP server in a Search request.
6. Each attribute/value pair returned by the LDAP Search is used to set the value of the corresponding entry in the Variable Table. Also, the DN returned by the search may be used to set a variable.
7. If a %Password entry appears in the [Response] section, authentication is now performed. The password entered by the user is validated against the value that appears in the %Password variable, and the user is rejected if the passwords do not match.
8. If a %Profile entry appears in the [Response] section, the value of the %Profile variable is used to look up a Profile entry in the Steel-Belted Radius Carrier database. The check list and return list attributes in that Profile are used to validate the request and return an appropriate response.
9. If a %Alias entry appears in the [Response] section, the value of the %Alias variable is used to look up a Native User entry in the Steel-Belted Radius Carrier database. The current transaction is treated as if it came from the “alias” user; that is, the check list and return list attributes of the alias user are used to validate the request and return an appropriate response.
10. If neither a %Profile nor a %Alias entry appears in the [Response] section, then RADIUS attributes for the response packet are created from the Variable Table, based on attribute entries in the [Response] section.
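The whole sequence above as an added example, not code from the Steel-Belted Radius Carrier product or its documentation: a Python model of the Variable Table walk, with the config sections as dicts and a mock directory standing in for the LDAP server. The `<Variable>` placeholder syntax, the RFC 4515 escaping of request values substituted into the Filter, and the constant-time password compare are assumptions of this model, not documented product behaviour.

```python
import hmac
import re
# Constructed mock data; dict stand-ins replace the real ldapauth.aut file syntax.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com":               # DN -> attributes
             {"uid": "alice", "userPassword": "s3cret", "radiusProfile": "DIALUP"}}
PROFILES = {"DIALUP": {"Framed-Protocol": "PPP"}}                   # Profile table (mock)
NATIVE_USERS = {"alice-alias": {"Service-Type": "Framed-User"}}     # Native User table (mock)
CONFIG = {
    "Defaults": {"Realm": "example.com"},
    "Request": {"User-Name": "User"},                 # RADIUS attribute -> variable
    "Search": {"Base": "ou=people,dc=example,dc=com", "Filter": "(uid=<User>)", "DN": "UserDN",
               "Attributes": {"userPassword": "Password", "radiusProfile": "Profile"}},
    "Response": {"%Password": True, "%Profile": True},
}

def escape_filter(v):  # RFC 4515 escaping so a request value cannot alter filter structure
    return re.sub(r"[\\*()\0]", lambda m: "\\%02x" % ord(m.group()), v)

def substitute(template, table, in_filter=False):  # expand <Var> placeholders; null -> ""
    fmt = escape_filter if in_filter else (lambda v: v)
    return re.sub(r"<([\w-]+)>", lambda m: fmt(table.get(m.group(1)) or ""), template)

def ldap_search(base, flt, directory):  # toy search: one equality filter under base
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    for dn, attrs in directory.items():
        if m and dn.endswith(base) and attrs.get(m.group(1)) == m.group(2):
            return dn, attrs
    return None, {}

def authenticate(config, request, password, directory=DIRECTORY):
    table = dict(config["Defaults"])                                         # step 1
    table.update({v: request.get(a) for a, v in config["Request"].items()})  # step 2
    bind = config.get("Settings", {}).get("Bind")                            # step 3 (optional)
    if bind and directory.get(substitute(bind, table), {}).get("userPassword") != password:
        return "Reject", {}
    s = config["Search"]                                                     # steps 4-6
    dn, attrs = ldap_search(substitute(s["Base"], table),
                            substitute(s["Filter"], table, in_filter=True), directory)
    table.update({v: attrs.get(a) for a, v in s["Attributes"].items()})
    table[s["DN"]] = dn
    resp = config["Response"]
    if "%Password" in resp:                                                  # step 7
        if not (table.get("Password") and hmac.compare_digest(table["Password"], password)):
            return "Reject", {}
    for key, db in (("%Profile", PROFILES), ("%Alias", NATIVE_USERS)):      # steps 8-9
        if key in resp:                                  # variable name is the key minus '%'
            entry = db.get(table.get(key[1:]) or "")
            return ("Accept", dict(entry)) if entry else ("Reject", {})
    return "Accept", {a: table.get(v) for a, v in resp.items() if a[0] != "%"}  # step 10
```

A request whose User-Name carries filter metacharacters (for example "*") is escaped before the Search and so matches no entry, which surfaces as a Reject rather than an altered filter.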