Choosing the Return Code

When a script finishes running, it sends a return value back to the LDAP plug-in. Depending on the return value and the state of the request, the plug-in can do one of several things:

  • It can make an authentication decision and send that result directly to Steel-Belted Radius Carrier, ending the processing of that request by the plug-in.

  • It can re-execute the script against a different LDAP server and process the new return value when the script is finished.

  • It can perform failure processing and return a result to Steel-Belted Radius Carrier based on the [Failure] section in ldapauth.aut.

For information about configuring other LDAP authentication plug-in settings, see the section on the LDAP Authentication File in the SBR Carrier Reference Guide.

An LDAP script may execute several times while handling a single authentication request, but eventually the LDAP plug-in must make an authentication decision and send it back to the Steel-Belted Radius Carrier server. The script programmer must understand exactly how the script return code affects the LDAP plug-in and the authentication decision.

Script Return Codes

You specify the script return code as an argument to the JavaScript return statement. The return code must be one of the global constants.

Note

The Steel-Belted Radius Carrier pre-6.0 release SBR_RET_xxx codes have been deprecated and replaced with the new SCRIPT_RET_xxx codes. The SBR_RET_xxx codes are supported for backward compatibility.

SCRIPT_RET_SUCCESS

The SCRIPT_RET_SUCCESS code indicates to the LDAP plug-in that the user has been authenticated and should be accepted. The plug-in finishes processing the request and sends an accept decision to the Steel-Belted Radius Carrier core.

SCRIPT_RET_DO_NOT_AUTHENTICATE

The SCRIPT_RET_DO_NOT_AUTHENTICATE code indicates to the LDAP plug-in that a hard reject should be performed by the server. The plug-in finishes processing the request and sends a reject decision to the Steel-Belted Radius Carrier core.

SCRIPT_RET_TRY_NEXT_AUTH_METHOD

The SCRIPT_RET_TRY_NEXT_AUTH_METHOD code indicates that the LDAP plug-in should stop processing the request and ask Steel-Belted Radius Carrier to try the next authentication method without immediately rejecting the user. Last resort processing is not performed.

SCRIPT_RET_NOT_AUTHENTICATED

The SCRIPT_RET_NOT_AUTHENTICATED code indicates to the LDAP plug-in that the script could not authenticate the user. If a last resort server is defined, the LDAP plug-in re-executes the script against that server. If there is no last resort server, this return code has the same effect as SCRIPT_RET_TRY_NEXT_AUTH_METHOD.

SCRIPT_RET_FAILURE

The SCRIPT_RET_FAILURE code indicates to the LDAP plug-in that a communication failure with the LDAP server occurred. The plug-in should re-execute the script against the next LDAP server in the configuration, if defined. If only one server is defined or the last server has already been tried, the LDAP plug-in should process the [Failure] section to determine the final result. If there is no [Failure] section, this return code has the same effect as SCRIPT_RET_TRY_NEXT_AUTH_METHOD.

SCRIPT_RET_INVALID_CODE

The SCRIPT_RET_INVALID_CODE code indicates to the LDAP plug-in that a script execution failure has occurred due to an invalid operation. The plug-in should re-execute the script against the next LDAP server in the configuration, if defined. If only one server is defined or the last server has already been tried, the LDAP plug-in should process the [Failure] section to determine the final result. If there is no [Failure] section, this return code has the same effect as SCRIPT_RET_TRY_NEXT_AUTH_METHOD.
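
The following is an added example, not code from the Steel-Belted Radius Carrier product or its documentation: a small stand-alone model of the return-code handling described above, useful for checking which codes end a request, which trigger a re-run, and where a request falls through to the next authentication method. The function name, the cfg shape, the string values of the constants, and the two behaviours marked as assumptions in the comments are hypothetical.

```javascript
// Added model of the return-code handling described on this page.
// The string values are stand-ins: in a real script the SCRIPT_RET_xxx
// names are global constants supplied by the plug-in.
const RET = Object.freeze({
  SUCCESS: 'SCRIPT_RET_SUCCESS',
  DO_NOT_AUTHENTICATE: 'SCRIPT_RET_DO_NOT_AUTHENTICATE',
  TRY_NEXT_AUTH_METHOD: 'SCRIPT_RET_TRY_NEXT_AUTH_METHOD',
  NOT_AUTHENTICATED: 'SCRIPT_RET_NOT_AUTHENTICATED',
  FAILURE: 'SCRIPT_RET_FAILURE',
  INVALID_CODE: 'SCRIPT_RET_INVALID_CODE',
});

// cfg (hypothetical shape): { servers: [names], lastResort: name or null,
// failureResult: 'ACCEPT' | 'REJECT' | null }. failureResult stands in for
// whatever the [Failure] section of ldapauth.aut resolves to (null = absent).
// script(server) returns one RET value. Returns { result, trace }.
function resolveRequest(script, cfg) {
  const trace = [];
  let i = 0, server = cfg.servers[0], onLastResort = false;
  for (;;) {
    const code = script(server);
    trace.push(`${server}:${code}`);
    switch (code) {
      case RET.SUCCESS: return { result: 'ACCEPT', trace };
      case RET.DO_NOT_AUTHENTICATE: return { result: 'REJECT', trace };
      case RET.TRY_NEXT_AUTH_METHOD: // no last resort processing
        return { result: 'TRY_NEXT_AUTH_METHOD', trace };
      case RET.NOT_AUTHENTICATED:
        // Re-run on the last resort server if one is defined.
        // Assumption: a second NOT_AUTHENTICATED from it falls through.
        if (cfg.lastResort && !onLastResort) {
          server = cfg.lastResort; onLastResort = true; continue;
        }
        return { result: 'TRY_NEXT_AUTH_METHOD', trace };
      case RET.FAILURE:
      case RET.INVALID_CODE:
        // Fail over to the next configured server, else use [Failure].
        // Assumption: a failure on the last resort server skips failover.
        if (!onLastResort && i + 1 < cfg.servers.length) {
          server = cfg.servers[++i]; continue;
        }
        return { result: cfg.failureResult || 'TRY_NEXT_AUTH_METHOD', trace };
      default:
        throw new Error(`unknown return code: ${code}`);
    }
  }
}
```

In this model, a configuration with no [Failure] section turns a total LDAP outage into TRY_NEXT_AUTH_METHOD rather than a reject, so the final outcome then depends on the remaining authentication methods.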