access.ini File
The access.ini file maps operating system user or group account names to levels of administrative privilege. The user account name and password used by an administrator when interacting with the Steel-Belted Radius Carrier server is granted access privileges according to the settings in this file.
[Settings] Section
The [Settings] section of access.ini contains overall configuration parameters; do not edit this section.
Table 7: access.ini [Settings] Syntax
Parameter | Function |
---|---|
Method | This parameter controls the database against which the user is authenticated for access. If set to OS, authentication is done against the local operating system database, such as /etc/passwd. If set to PAM, authentication is done against the PamService, such as an LDAP database. The default value is OS. The PamService setting specifies the service name, which is mapped to an entry in /etc/pam.conf on Solaris or /etc/pam.d/<name> on Linux. Note: To perform PAM authentication on a Linux device, you must install 32-bit binaries of pam_ldap (for example, pam_ldap-185-11.el6.i686) on the Steel-Belted Radius Carrier server. Steel-Belted Radius Carrier does not support pam_ldap.x86_64 binaries. |
[Users] and [Groups] Sections
The syntax for the [Users] and [Groups] sections (Table 8) of the access.ini file is:
    [Users]
    UserName = AccessLevel
    _system.localhost = SnmpAgent
    [Groups]
    GroupName = AccessLevel
    GroupName = AccessLevel
If you use SNMP to monitor your Steel-Belted Radius Carrier server, the [Users] section of your access.ini file must contain this entry:
_system.localhost = SnmpAgent
If you are not using SNMP, comment out or delete the _system.localhost = SnmpAgent entry as a security precaution.
Table 8: access.ini Syntax
Parameter | Function |
---|---|
UserName, GroupName | Each UserName or GroupName is the name of an authorized administrator account on the server. UserName and GroupName refer to Solaris /etc/passwd user/group. You must list user accounts in the [Users] section and group accounts in the [Groups] section. List groups in priority order; rights are granted based on the first group found of which the user is a member. |
AccessLevel | The AccessLevel in each access.ini entry is the access level that you want to assign to that account. Each AccessLevel string must match the name of an [AccessLevel] section in admin.ini. You can define as many [AccessLevel] sections as you require. After an [AccessLevel] section is defined in admin.ini, you can use access.ini to assign the access privileges associated with that level to users and group accounts. |
Adding a user as an administrator using the Web GUI overrides any access settings specified for that user in the access.ini configuration file.
A special access level called SuperAdmin grants read/write access to all types of administrative data. This access level is always defined, and can be assigned to a user or group account in access.ini without appearing in admin.ini.
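The rules above can be checked mechanically before a changed access.ini is deployed. The following audit script is an added example, not Steel-Belted Radius Carrier code: it flags the SNMP agent entry when SNMP is not in use, access levels with no matching section in admin.ini, and SuperAdmin assignments, and it resolves a user's group-derived level by first match. It assumes `;` starts a comment; the sample files and the level names Operator, ReadOnly and Auditor are constructed.

```python
# Added example, not vendor code. Assumption: ';' starts a comment.
# Operator, ReadOnly and Auditor are hypothetical access-level names.
ACCESS_INI = """\
[Users]
alice = SuperAdmin
_system.localhost = SnmpAgent
[Groups]
radops = Operator
radview = ReadOnly
radtemp = Auditor
"""
ADMIN_INI = "[Operator]\n[ReadOnly]\n"  # constructed; section bodies omitted

def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping case and entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value))
    return sections

def audit(access_text, admin_text, snmp_in_use=False):
    access = parse_ini(access_text)
    defined = set(parse_ini(admin_text)) | {"SuperAdmin"}  # always defined
    findings = []
    for section in ("Users", "Groups"):
        for name, level in access.get(section, []):
            if (name, level) == ("_system.localhost", "SnmpAgent"):
                if not snmp_in_use:
                    findings.append("SNMP unused: remove _system.localhost entry")
            elif level not in defined:
                findings.append(f"[{section}] {name}: {level} missing from admin.ini")
            elif level == "SuperAdmin":
                findings.append(f"[{section}] {name}: SuperAdmin, full read/write")
    return findings

def group_level(access_text, member_of):
    """Level of the first listed group the user belongs to, else None."""
    for group, level in parse_ini(access_text).get("Groups", []):
        if group in member_of:
            return level
    return None

if __name__ == "__main__":
    print(*audit(ACCESS_INI, ADMIN_INI), sep="\n")
```

Accounts added through the Web GUI override access.ini, so the script's output covers only what the file itself grants.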