
LDAP Rules and Limitations

While the LDAP virtual schema diagram shows as much of the detail of the LDAP virtual schema as possible, take these rules and limitations into consideration.

where AdminName is the administrative account name and AdminPassword is its password.

Address ranges in IP address pool objects are specified in the form IPaddress:NumberOfAddresses. An example of a valid range is

White space in a password is treated as follows:

Steel-Belted Radius Carrier permits user and profile check lists to include default values for attributes. Configuring a default value for an attribute means that, if a RADIUS request does not include this attribute, the request is not rejected. Instead, the value supplied as the default is used as if it were received as part of the request. To specify that a check list attribute is to be considered a default attribute, preface the attribute value with the string %default%.

Steel-Belted Radius Carrier permits user and profile return lists to include attributes whose values are set by copying the contents of received attributes. This feature is referred to as attribute echoing. To specify that a return list attribute is to be treated as an echo attribute, enter %echo% for the attribute value.

Using the LCI to Define Structured Attributes in Check Lists and Return Lists

The LCI (LDAP Control Interface) has been extended to support structured attributes in check lists and return lists. Subject to certain restrictions, a structured attribute must be defined as a whole (as opposed to defining individual sub-attributes) using either the raw hexadecimal representation of the entire structured attribute's binary payload, or an XML representation of the structured attribute hierarchy using the format outlined in this section.

When the response packet is formatted, the hexadecimal or XML data is formatted into the packet. XML data is first parsed into a structured attribute hierarchy and then formatted as normal.

If the hexadecimal representation is used, then the entire RADIUS attribute must be specified. If the XML representation is used, then it is not necessary to specify sub-attributes for which default values are defined.

The LCI assumes the data is in the hexadecimal representation unless the following conditions are met for the XML representation:

The LCI does not validate the contents of either hexadecimal or XML values; it accepts hexadecimal and XML representations with flawed contents. It is the user's responsibility to ensure that the content is legal and, if the XML representation is used, that the XML obeys the schema described in LCI XML Format and shown in Figure 136.

NOTE: Structured attributes (VSAs with sub-attributes) defined in return lists are treated as whole units. They are added to the reply message as a whole unit, rather than their sub-attributes being added individually to any existing response VSAs. In this way they are treated just like unstructured VSAs.

For example:

  • Attribute "ParentAttr" is defined as being a multivalue return list attribute, with possible sub-attributes "ChildAttrA" and "ChildAttrB".
  • A response already has a copy of "ParentAttr" with sub-attribute "ChildAttrA", for example from an authentication process.
  • A profile specifies that "ParentAttr" must be added with sub-attribute "ChildAttrB".

The result is a response with two ParentAttr structured attributes:





The result will not be a response with a single ParentAttr:




LCI XML Format

Make the XML hierarchy reflect the hierarchy defined in the .jdict sub-attribute dictionary file as a nested set of <attribute> elements. All <attribute> elements must have a name attribute. Ensure that groups and sequences (the parent attribute and sub-attribute types) are represented by <attribute> nodes without a value attribute, and that they contain further <attribute> elements as children.

The proper format is shown in Figure 136.

Figure 136: LCI XML Format

See "Structured Attribute Dictionary Definitions" in Chapter 4, Attribute Processing Files of the Steel-Belted Radius Carrier Reference Guide for more information on sub-attributes and an example of the proper XML format you need to use with the LCI.

NOTE: When using the LCI command line utilities such as ldapquery, XML values for structured attributes are displayed in a non-readable form. This is base64 encoding, which can be decoded with many command line or web-based utilities.

Alternatively, the problem can be avoided by using a graphical LDAP client.
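Because the LCI itself does not validate XML values, and ldapquery shows them base64-encoded, a small checker is useful before loading or after reading a structured attribute. The following Python is an added example, not part of the Steel-Belted Radius Carrier documentation or product; it decodes the base64 form and parses the nested <attribute> hierarchy described above, rejecting elements that break the stated rules (missing name, a group with no children, a leaf with children). The attribute names are hypothetical placeholders, not entries from any real .jdict file.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample value: a parent group with two leaf sub-attributes,
# encoded the way ldapquery displays it (base64). Names are hypothetical.
SAMPLE_XML = (
    '<attribute name="ParentAttr">'
    '<attribute name="ChildAttrA" value="10"/>'
    '<attribute name="ChildAttrB" value="example"/>'
    '</attribute>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")


def decode_lci_value(b64_text):
    """Turn the base64 string shown by ldapquery back into XML text."""
    return base64.b64decode(b64_text).decode("utf-8")


def parse_lci_xml(xml_text):
    """Parse an LCI XML value into nested dicts, enforcing the format rules:
    every element is <attribute> with a name; a node without a value
    attribute is a group/sequence and must have child <attribute> elements;
    a leaf has a value and no children. Raises ValueError on a violation."""
    return _convert(ET.fromstring(xml_text))


def _convert(node):
    if node.tag != "attribute":
        raise ValueError(f"unexpected element <{node.tag}>")
    name = node.get("name")
    if not name:
        raise ValueError("<attribute> element is missing its name attribute")
    children = list(node)
    if node.get("value") is None:
        # Group or sequence: must contain sub-attributes. A list is used so
        # repeated sub-attribute names (multivalue) are preserved.
        if not children:
            raise ValueError(f"group {name!r} has neither value nor children")
        return {name: [_convert(child) for child in children]}
    if children:
        raise ValueError(f"leaf {name!r} has both a value and children")
    return {name: node.get("value")}


def is_valid_lci_xml(xml_text):
    """True if the text is well-formed XML obeying the LCI hierarchy rules."""
    try:
        parse_lci_xml(xml_text)
    except (ValueError, ET.ParseError):
        return False
    return True
```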
