Chapter 3 Using Deja to Update RADIUS Information

This chapter explains how to use the Deja tool to add, delete and modify RADIUS information in the LDAP directory. Solaris Extensions for Netscape Directory Server 4.11 provides several graphical interfaces to view or modify information in the directory:

• The Directory Console
• The Directory Express web gateway


• Deja

The Directory Express web gateway is designed for viewing the contents of the directory quickly, searching for entries, and modifying some directory information. Its limited functionality makes it unsuitable for more complex operations.

Deja is a Java directory editor particularly suited for the day-to-day management of RADIUS information. With the tool you can search for and view entries, create and modify entries, delete entries, and copy and paste entries. Deja can be connected remotely or locally to a Netscape Directory Server.

This chapter includes the following sections:

• "Introduction to Deja"
• "General Operations"


• "Operations on RADIUS Entries"


• "Setting Deja Properties"

When you click on an icon in the toolbar or select an option from the Directory menu, the appropriate screen is displayed in the function window.

Figure 3.1 Deja Directory Editor

The toolbar offers quick access to the most commonly used functions. Refer to Table  3.1 for a description of the icons and their functions.

Table 3.1 Deja Toolbar Icons

For information on starting the Netscape Directory Server, see the Netscape Directory Server Administrator's Guide.

To display Deja:

1. Run the dejasync utility. As root type:
# /opt/SUNWconn/ldap/sbin/dejasync

For details on the options of the dejasync command, refer to "dejasync". You must run dejasync so that Deja will take into account all the configuration options you set during the setup_rad process.

2. On the machine running the directory server daemon, ns-slapd, set the JAVA_HOME environment variable to the installation directory of your Java Virtual Machine (JVM).
3. Type:
prompt% /opt/SUNWconn/bin/deja [ hostname [:port_number]]

where:

• hostname is the hostname of the directory server. The default is localhost.
• port_number is the port number of the directory server. The default is 389.

Logging In

Directory access rights are defined by a set of access control rules on the directory server. You must be the directory administrator to modify the access control rules. When you log in to the directory, your username and password are compared with those stored in the directory. If there is a match, the access rights defined in the access control rules are granted.

You can browse the directory content without logging in, but you must have write permission before you can modify directory entries. Figure  3.2 shows the Login panel.

Note. It may not be possible to browse the directory content without logging in. This depends on the access control rules defined in the directory server.

Figure 3.2 Deja Login Panel

To log in to Deja:

1. Click on the Login icon or select Login from the File menu.
2. Type the Distinguished Name (DN) of your entry in the User text field:
If you need to log in often, you can create a login alias in the Deja.properties file. See "Setting Deja Properties" for information on creating a login alias.

If you cannot remember your full DN, you can search for it in the directory:

3. Type your user name or a substring of your name in the User text field and click the Search button in the login panel. The search can include the wildcard character *.
4. Double-click on your name in the Matching Usernames window.
The DN is transferred to the User text field.
5. Type your password in the Password field.
6. Select the desired profile (Standard, NIS or RADIUS) from the Profile option button.
The default profile is Standard.
7. Click Login.
Your password is compared to the password stored in the directory. If there is no match the login fails.

Setting the Display Options

The Options menu is used to hide or show the toolbar, status bar, or directory browser. The default view has all of these elements.

To hide or show an element, select it from the Options menu to change its status.

Setting Deja Properties

The Deja Properties panel displays information about the selected user profile, and the connection to the directory server. To access the Properties panel, select Properties from the File menu.

The Properties panel is displayed, and shows the user properties and connection properties of Deja. See Figure  3.3.

Figure 3.3 Deja Properties Panel

User Properties

The User Properties pane displays the name of the connected user and the user profile for creating or modifying entries.

Name

If you are not logged into the directory server, Anonymous is displayed. If you have logged in, the login name is displayed.

User Profile

To set the user profile, select the profile (Standard, NIS or RADIUS) from the Profile option button in the User Properties pane.

The default profile is Standard.

Connection Properties

The Connection Properties pane displays the name of the directory server to which Deja is connected, and the connection port number.

Server and Port Number

Deja displays information about its connection to the directory server. The default port number that Deja uses to connect to the directory server is 389. The host name and port number can be specified when Deja is started.

When you start Deja, you can specify the host name and port number on the command line. See "Starting Deja".

To connect to a different directory server or change the port number from within Deja see "Connecting to Another Directory Server".

Opening a New Deja Window

To open a new window in Deja, from the File menu select New Window. The new window has its own connection to the directory server.

Closing a Deja Window

To close a Deja window, select Close from the File menu. The Deja window is closed.

To close all Deja windows, select Exit from the File menu. A confirmation window is displayed. Click Yes to close all Deja windows.

Reconnecting Deja to the Directory Server

If the directory server is disabled for some reason, Deja loses its connection to the directory. Deja does not automatically reconnect to the directory server when it is re-enabled.

To reconnect Deja to the directory server, select Connect from the File menu. Deja is reconnected.

Connecting to Another Directory Server

1. To connect Deja to a different directory server, select Connect To... from the File menu.
The Connect To... dialogue box is displayed.
2. Deja tries to connect to the new directory server. If it is unable to connect, an error message is displayed.

If directory operations are being performed on the same directory server by another user or by the administrator, the browser window is not automatically updated. To refresh the browser window:

1. In the browser window, click on the root entry of the branch you want to refresh.
You can choose to refresh all of the directory by selecting the directory root entry, or to refresh just a branch by clicking on the root entry of the branch.
2. From the File menu, select Refresh Subtree.
All the branches of the directory below the selected entry are collapsed in the browser window. When they are reopened, they are refreshed.

To view the RADIUS-specific panels you must change the Deja user profile to RADIUS, as explained in "User Properties".

Viewing an Entry

Use View to look at the attributes defined for an entry in the directory. Figure 3.4 shows the Deja View window with an example entry. You can only open one View window per entry. To refresh a View window after modifying an entry, view the entry again. The original View window is replaced with a new one.

Figure 3.4 Deja View Window

When an attribute has more than one value, an arrow is displayed next to the attribute name in the entry definition: a right arrow when the values are collapsed, and a down arrow when the values are expanded.

The View Window

There are three ways to display the View window:

• Double-click on an entry in the browser window
• Select an entry in the browser window and click on the View icon, or from the Entry menu, select View
• Double click on an entry in the search results list

To close a View window, select Close from the Window menu of the View window. Alternatively, you can double click on the Window menu button.

Copying an Entry From a View Window

To copy an entry from a View window, select Copy from the Edit menu of the View Window. The entry is copied to the clipboard.

Highlighting an Entry From a View Window

To highlight an entry in Deja's browser window from the View Window, select Highlight from the Edit menu.

Creating a New Entry

The Deja create panel can be used to add new entries to the directory.

Figure 3.5 shows the Deja Create panel for RADIUS users.

Figure 3.5 Deja Create Panel for RADIUS Users

1. Log in to Deja as a user that has write permissions to the directory.
2. Click on the Create icon or select Create from the Entry menu.
The Create panel is displayed.

There are two steps to creating a RADIUS directory entry. You must complete each step before you can progress to the next one. Click on Next Step and Previous Step to navigate between the steps.

• Name the entry. See "Naming an Entry".
• Assign attributes to the entry and name them. See "Selecting Attributes".
3. When you have completed the entry definition, click Done.

To assign a name to an entry:

1. Select the type of entry you want to add (Remote User or Remote Access Server).
2. If you are adding a Remote User, specify the profile of the new entry (Standard, PPP, SLIP, LOGIN).
The list of RADIUS profiles available in Deja is defined in the Deja.properties file on the directory server. See "RADIUS Profiles" for information on defining RADIUS user profiles.
3. Specify the parent of the entry.
By default, the Parent text field holds the distinguished name of an entry specified in the Deja.properties file on the directory server. To select another parent entry:

• Type the Distinguished Name of the Entry's parent in the Parent text field.
• Alternatively, click once on the parent in the browser window to select it and click the Get From Browser button next to the Parent text field. The Distinguished Name of the selected entry is imported to the Parent text field.
4. Name the entry by selecting a naming attribute with the option button next to the Entry's name field.
The list of available naming attributes is defined in the Deja.properties file on the directory server.
5. Type the value for the naming attribute of the entry in the Entry Name text field.
6. When you are satisfied with the entry name and parent, click the Next Step button to assign values to the attributes.
7. The list of attributes available for selection is different depending on the type of entry you selected in Step  1 and Step  2.
See "Selecting Attributes" for information on selecting attributes for the entry. The attributes available for selection are defined for each object class in the schema.

Each object class has a number of mandatory and optional attributes associated with it. An entry definition table, with the current list of attributes and values is displayed in the right pane. Mandatory attributes are marked with (M), optional attributes with (O).

The names of the mandatory attributes are already listed in the entry definition before you assign a value to them. To complete the entry, you must provide values for these attributes. If you try to add an entry to the directory without assigning values to all the mandatory attributes, an error message is displayed.

Some attributes accept multiple values, others can only have one value. By default, attributes are multi-valued. Single-valued attributes are identified in the schema by the SINGLE-VALUE keyword. If you try to add more than one value to a single-valued attribute, an error message is displayed.

Assigning a Value to an Attribute

To assign a value to an attribute:

1. From the Choose Attribute list, or from the entry definition, select the attribute for which you want to add a value.
2. Type the value for the attribute in the text field.
3. Click Add to add the value of the attribute to the entry definition.
The value appears in the entry definition next to the attribute. For information on the Chk Add, Rpl Add, Chk Delete and Rpl Delete buttons, see "Check Data and Reply Data Attributes".
4. To add another value for an attribute, repeat steps 1 to 3.
5. Click on Done to add the entry to the directory.
6. Double click on the entry in the browser to display all of its attributes.

To delete an attribute value:

1. Select the value or the attribute name in the entry definition.
2. Click Delete.

• If you delete the only value for an optional attribute, the attribute is removed from the entry definition.
• If you delete the only value for a mandatory attribute, the value is cleared from the entry definition. The attribute stays in the definition.

To modify an attribute value:

1. Select the value of the attribute you want to modify in the entry definition.
The attribute value appears in the text field.
2. Change the value and click Modify.
The modified value appears in the entry definition.

To cancel a create operation at any time, click Cancel in the Create panel. The entry definition is cleared.

Check Data and Reply Data Attributes

The RADIUS attribute selection window features four special buttons:

• Chk Add
Select an attribute and type a value for it in the text window. If you click the Chk Add button, the value is added to the entry definition, and the name of the attribute is added to the Radius Check Data optional attribute which matches the grpCheckInfo attribute in the directory schema for RADIUS.

For example, if you select the User ID attribute from the Choose Attribute list and type the value charles in the text window, when you click on Chk Add, the value charles is added to the User ID attribute, and the uid attribute is added to the Radius Check Data attribute.

• Rpl Add
Select an attribute and type a value for it in the text window. If you click the Rpl Add button, the value is added to the entry definition, and the name of the attribute is added to the Radius Reply Data optional attribute which matches the grpReplyInfo attribute in the directory schema for RADIUS.
• Chk Del
Select the value of the attribute you want to delete from the entry definition. If you click the Chk Del button, the value is removed from the entry definition, and the name of the attribute is removed from the Radius Check Data optional attribute which matches the grpCheckInfo in the radius.mapping file.
• Rpl Del
Select the value of the attribute you want to delete from the entry definition. If you click the Rpl Del button, the value is removed from the entry definition, and the name of the attribute is removed from the Radius Reply Data optional attribute which matches the grpReplyInfo attribute in the directory schema for RADIUS.

The grpReplyInfo attribute contains a list of attributes returned by the RADIUS server with an access-accept or access-reject response. It can contain connection parameters such as a PPP or SLIP profile. If the grpReplyInfo attribute is not present, the remote user can connect from any host or IP address, and through any connection protocol.

Deleting an Entry

The delete panel of Deja is used to delete entries from the directory. Figure  3.6 shows the Deja Delete panel.

Figure 3.6 Deja Delete Panel

You must have write permission for the entry you want to delete. See "Logging In" for information.

1. Select the entry you want to delete in the browser window.
You can only delete leaf entries. You cannot delete a root entry or a parent that still has children.
2. Click on the Delete icon, or select Delete from the Entry menu.
The Delete panel is displayed.
3. Click on Delete to remove the entry from the directory.
4. Click on Cancel to clear the delete panel.

Cut, Copy and Paste

This section explains how to perform cut, copy and paste operations on directory entries using Deja.

Cutting an Entry

Use Cut to remove an entry from the directory and keep a copy of it on the clipboard. The entry can be pasted from the clipboard into the directory in another location.

You must have write permission for the entry you want to cut. See "Logging In" for information.

To cut an entry from the directory:

1. In the browser, click on the entry you want to cut.
2. Click on the Cut icon. Alternatively, select Cut from the Edit menu, or press Ctrl-x on the keyboard.
The entry is cut from the directory to the clipboard. You can now paste the entry to a new location in the directory.
3. If you want to restore the entry to the directory, select Restore from the Edit menu.

Copying an Entry

Use Copy to copy an existing entry from the directory into the clipboard. The entry can then be pasted from the clipboard into the directory in another location.

To copy an entry in the directory:

1. In the browser, click on the entry you want to copy to select it.
2. Click on the Copy icon. Alternatively, select Copy from the Edit menu, or press Ctrl-c on the keyboard.
The entry is copied from the directory to the clipboard.

Pasting an Entry

After a Cut or Copy operation, use Paste to paste an entry from the clipboard into the directory. You can paste at different levels in the directory tree:

• At the same level as the entry you copied or cut into the clipboard
• At any level in the directory tree

1. To copy an entry and paste it at the same level in the subtree:
Immediately following the copy operation, click on the Paste icon. Alternatively, select Paste from the Edit menu, or press Ctrl-v on the keyboard.

In the browser window, the pasted entry is displayed. A sequence number is appended to its name to ensure naming remains unique at a given level in the directory tree.

2. To cut or copy an entry and paste it at a different level:
Select the new parent entry for the entry you want to paste, and click on the Paste icon. Alternatively, select Paste from the Edit menu, or press Ctrl-v on the keyboard.

To copy an entry, and paste it immediately below the copied entry, you must click elsewhere in the directory tree to deselect the copied entry, then click on it again to select it, then perform the paste. If you do not deselect then reselect, the entry in the clipboard is pasted at the same level, not one level below.

If you accidentally cut an entry from the directory, you can restore it, provided that you have not performed any subsequent cut or copy operations.

To restore an entry that you have just cut from the directory, select Restore from the Edit menu. The entry on the clipboard is returned to its original location.

Modifying an Entry

Use Modify to change attributes and object classes in RADIUS directory entries. The Deja Modify panel is very similar to the attribute selection panel that you use to create an entry. See Figure 3.5.

You must have write permission for the entry you want to modify. See "Logging In" for information.

1. In the browser, click on the entry you want to modify.
2. Click on the Modify icon or select Modify from the Entry menu.
The Modify Attributes window is displayed.

• To modify attributes of the entry, see "Selecting Attributes".
• To change the name of the entry, use the Rename function. See "Renaming an Entry".

The RADIUS modify attributes window features four special buttons: Chk Add, Rpl Add, Chk Del, and Rpl Del. See "Name" for details.

3. When you have finished the modifications, click Done.

To cancel a modify operation at any time, click Reset. The entry definition is cleared from the Modify panel.

Renaming an Entry

Use Rename to modify the Relative Distinguished Name (RDN) of an entry. Figure  3.7 shows the Deja Rename panel.

Figure 3.7 Deja Rename Panel

You must have write permission for the entry you want to rename. See "Logging In" for information.

1. Select the entry you want to rename in the browser window.
You can only rename leaf entries. You cannot rename parents that still have children, or the root entry.
2. Click on the Rename icon, or select Rename from the Entry menu.
The rename panel appears. The name of the parent and the Relative Distinguished Name (RDN) of the selected entry are displayed.
3. Type the new RDN of the entry in the To text field.
If you want the new RDN to replace the old RDN, check the Remove old RDN check box.

By default the new RDN replaces the old RDN. If the Remove old RDN check box is unchecked, the new RDN is added to the entry as an additional value.

4. Click the Rename button.

Use Search when you want to find a RADIUS entry in the directory. This function provides search facilities for up to three criteria. Figure 3.8 shows the Deja Search panel for RADIUS users.

Figure 3.8 Deja Search Panel for RADIUS Users

To search for a RADIUS entry, click on the Search icon, or select Search from the Entry menu. The Search panel is displayed.

Note. The types of searches available, and the categories of search results are defined in the Deja.properties file on the directory server. See "RADIUS Search Panel Definitions" for information on defining searches.

The default search types are:

• Remote User search; see "Remote User Searches"
• Remote Access Server (RAS) search; see "Remote Access Server Search"
• Complex Searches; see "Complex Searches"

Remote User Searches

There are seven searches pre-defined for remote user entries:

• Search by login name
Where Deja searches for entries that have the remoteuser objectclass and whose user id matches the text field. See "Login Name Search".
• Search by user name
Where Deja searches for entries that have the remoteuser objectclass and whose user name matches the text field. See "User Name Search".
• List blocked accounts
Where Deja searches for entries that have the remoteuser object class and that have one or more failed authorization accesses. See "Blocked Accounts Search".
• List PPP users
Where Deja searches for entries that have the remoteuser object class, a PPP profile, and a PPP password set. See "List PPP Users Search".
• List SLIP users
Where Deja searches for entries that have the remoteuser object class, a SLIP profile, and a SLIP password set. See "List SLIP Users Search".
• List LOGIN users
Where Deja searches for entries that have the remoteuser object class, a LOGIN profile, and a LOGIN password set. See "List LOGIN Users Search".
• Search by name and mail
Where Deja searches for entries that have the remoteuser object class and whose name and email address match the text fields. See "User Name and Mail Search".

The search root for remote user searches is stored in the radius.mapping file, in the BaseDN variable. It is also stored in the Deja.properties file.

Login Name Search

To perform a login name search:

1. Select Remote User from the Type of Search option button.
2. Select Search by Login Name from the Defined Searches option button.
3. Type the User ID of the entry you want to find in the search text field.
The search can include the wildcard character *.
4. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with RAS object class searches or other remote user object class searches. See "Complex Searches".

5. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
6. Click the Clear button to clear the search text field.

To perform a user name search:

1. Select Remote User from the Type of Search option button.
2. Select Search by User Name from the Defined Searches option button.
3. Type the user name of the entry you want to find in the search text field.
The search can include the wildcard character *.
4. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with RAS object class searches or other remote user object class searches. See "Complex Searches".

5. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
6. Click the Clear button to clear the search text field.

To perform a blocked accounts search:

1. Select Remote User from the Type of Search option button.
2. Select List Blocked Accounts from the Defined Searches option button.
There are no user input fields for this search. Deja searches for entries with the following parameters:

objectclass = remoteuser

radiusAuthFailedAccess > RADIUS_MAX_FAIL

Where RADIUS_MAX_FAIL is defined in the Deja.properties file on the directory server. The default value for RADIUS_MAX_FAIL is 4. See "RADIUS Properties" for information.

3. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with RAS object class searches or other remote user object class searches. See "Complex Searches".

4. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
5. Click the Clear button to clear the search text field.

To perform a PPP users search:

1. Select Remote User from the Type of Search option button.
2. Select List PPP Users from the Defined Searches option button.
There are no user input fields for this search. Deja searches for entries with the following parameters:

objectclass = remoteuser

radiusPppProfile = *

radiusPppPasswd = *

3. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with RAS object class searches or other remote user object class searches. See "Complex Searches".

4. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
5. Click the Clear button to clear the search text field.

To perform a SLIP users search:

1. Select Remote User from the Type of Search option button.
2. Select List SLIP Users from the Defined Searches option button.
There are no user input fields for this search. Deja searches for entries with the following parameters:

objectclass = remoteuser

radiusSlipProfile = *

radiusSlipPasswd = *

3. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with RAS object class searches or other remote user object class searches. See "Complex Searches".

4. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
5. Click the Clear button to clear the search text field.

To perform a LOGIN users search:

1. Select Remote User from the Type of Search option button.
2. Select List LOGIN Users from the Defined Searches option button.
There are no user input fields for this search. Deja searches for entries with the following parameters:

objectclass = remoteuser

radiusLoginProfile = *

radiusLoginPasswd = *

3. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with RAS object class searches or other remote user object class searches. See "Complex Searches".

4. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
5. Click the Clear button to clear the search text field.

To perform a user name and mail search:

1. Select Remote User from the Type of Search option button.
2. Select Search by Name / Mail from the Defined Searches option button.
3. Type the username and email address of the entry you want to find in the search text fields.
The search can include the wildcard character *.
4. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with RAS object class searches or other remote user object class searches. See "Complex Searches".

5. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
6. Click the Clear button to clear the search text field.

There are two searches pre-defined for RAS (NAS) entries:

• Search by RAS Name
Where Deja searches for all entries that have the objectclass RAS and whose RAS name matches the text field. See "RAS Name Search".
• Search by RAS IP Address
Where Deja searches for all entries that have the objectclass RAS and whose RAS network address matches the text field. See "RAS IP Address Search".

The default search root for RAS searches is stored in the radius.mapping file, in the BaseDN variable. It is also stored in the Deja.properties file.

RAS Name Search

To perform a RAS name search:

1. Select Remote Access Server from the Type of Search option button.
2. Select Search by RAS Name from the Defined Searches option button.
3. Type the name you want to find in the search text field.
The search can include the wildcard character *.
4. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with remote user object class searches or other RAS searches. See "Complex Searches".

5. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
6. Click the Clear button to clear the search text field.

To perform a RAS IP address search:

1. Select Remote Access Server from the Type of Search option button.
2. Select Search by RAS IP Address from the Defined Searches option button.
3. Type the IP address you want to find in the search text field.
4. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

You can refine your search by combining it with remote user object class searches or other RAS searches. See "Complex Searches".

5. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
6. Click the Clear button to clear the search text field.

You can combine three types of search with the complex searches option:

• Remote User searches
• Remote Access Server searches


• Specify Filter; see "Search Filters" for a description of acceptable filters

To perform a complex search:

1. Select Complex Searches from the Type of Search option button.
2. Select the first search criterion from the Remote User option button and type the search string or filter definition in the text field.
3. Click on the And or Or buttons to select the logical operator.
4. Select the second search criterion from the Remote User option button and type the search string or filter definition in the text field.
5. If you want to add a third search criterion, click the And or Or button again.
6. To remove a search criterion, click the Back button.
7. Type the Distinguished Name (DN) of the root of the tree you want to search, or select the root you want to search in the browser window and click Get from Browser.
8. Click Search to start the search.
The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.
9. To stop the search at any time, click the Stop button.
The search is stopped and no results are returned.
10. Click the Clear button to clear the search text field.

Using a search filter is a way of specifying a set of entries, based on the presence of a particular attribute or attribute value. You can combine AND or OR logical operators in the same search. Use & (ampersand) for AND and | (the pipe symbol) for OR. Table  3.2 gives some examples of filters.

Table 3.2 Search Filter Examples

Search results are displayed in a list below the search criteria.

The headings of the search results table depend on the search. The types of searches, and the headings for search results are defined in the Deja.properties file on the directory server. All the headings can be modified except those for complex searches. See "RADIUS Search Panel Definitions" for information on defining searches.

Table  3.3 shows the attributes returned for the default searches.

Table 3.3 RADIUS Search Results Lists

Many of Deja's characteristics can be configured by the directory administrator. The characteristics are defined in the Deja.properties file on the directory server.

File Structure

The Deja.properties file is located in the /opt/SUNWconn/ldap/html directory on the directory server. You must be authenticated as superuser or root to modify the Deja.properties file.

The Deja.properties file consists of four sections:

• "General Properties"
• "Standard LDAP Properties"
• NIS Properties
• "RADIUS Properties"

File Syntax

Each section in the Deja.properties file contains a list of definitions. Each definitition ends with a carriage return. The different elements in a definition are separated by commas. Related elements are separated by semi-colons.

For example, the attributes returned in RADIUS searches are defined as follows:

RADIUS_RU_LIST.default= cn;RADIUS_RU_CN_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL

In this example, the definition is composed of two elements, separated by a comma. Each element consists of an attribute type (cn and uid in this example), and a label that is displayed in Deja, in the results table header row.

This example does not show the actual labels that appear in Deja's menus. These are defined separately, in the localized resource bundle. The localized resource bundle contains translations in every supported locale for the user interface of Deja.

Labels

Standard Deja labels and identifiers (parameters ending in _LABEL, _IDENTIFIER or _CHOICE) are defined in the localized resource bundle. You cannot change these definitions. You can, however, create your own labels.

For example, if you want to add the ipHostNumber attribute type to the list returned by default in a search on RADIUS remote users, you might modify the RADIUS_RU_LIST.default definition as follows:

RADIUS_RU_LIST.default= cn;RADIUS_RU_CN_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL, ipHostNumber;Host Number

This definition is local to your Deja.properties file. It is not part of the localized resource bundle.

General Properties

In the General Properties section the following parameters are defined:

SCHEMA_THREAD_TIME_LIMIT

Defines a time limit in milliseconds on the time it takes Deja to read the schema. The default value is no time limit.

With this option set to true, entries with the referral object class are treated like normal entries, that is the entry itself is returned in the search results. With this option set to false, Deja returns a search reference result. The default value is true.

Specifies the maximum number of entries that can be displayed in the browser. If a limit has been set, you must refresh certain subtrees before opening more. The default value is no limit.

Defines the maximum number of immediate children of an entry that can be displayed in the browser. The default value is no limit.

Specifies the maximum amount of time allowed for Deja to load the children of a node when the node is opened in the browser. This is not the amount of time it then takes to display those children. The default value is 10,000 milliseconds.

This is the maximum time taken for Deja to verify whether an entry is a leaf or a node. The default value is 2,000 milliseconds.

Defines the standard authentication mechanism used in the login panel. The only possible value for this parameter is simple.

# schema thread time limit in milliseconds (0 = no limit)

SCHEMA_THREAD_TIME_LIMIT=0

#

# manage referrals as entries (true or false)

REFERRALS_MANAGE_DSA=true

#

# max. number of nodes in browser tree (0 = no limit)

BROWSER_ENTRY_LIMIT=0

# max number of subnodes of a node in the browser tree (0 = no limit)

BROWSER_SUBENTRY_LIMIT=0

# time limit to load subnodes (in ms, 0 = no limit)

BROWSER_LOAD_SUBNODES_TIME_LIMIT=10000

# time limit to verify if entry is a leaf or an inner node (in ms, 0 = no limit)

BROWSER_CHECK_NODE_TIME_LIMIT=2000

#

# authentication mechanism

# supported values : CRAM-MD5, simple (cleartext password)

# STANDARD_SECURITY_AUTHENTICATION=CRAM-MD5

STANDARD_SECURITY_AUTHENTICATION=simple

Standard LDAP Properties

In the Standard LDAP Properties section of the Deja.properties file you can:

• Specify which attribute values are hidden in Deja
• Specify parameters for the login panel
• Define new standard search filters

STANDARD_ATTRIBUTES_CRYPTED

In the View, Modify and Create windows of Deja, some attribute values are not displayed, or replaced by a localized text string. You can specify the attributes you want to be hidden by adding them to the STANDARD_ATTRIBUTES_CRYPTED list. Attribute names are separated by commas. By default the values for userpassword, radiusppppasswd, radiusloginpasswd, chappassword, and radiusslippasswd are hidden.

Login Parameters

STANDARD_LOGIN_SEARCH_FILTER

The search feature of the login panel operates using the filter defined with this label. By default it is (|(cn=*{0}*)(uid=*{0}*)). This search filter means that either the cn attribute or the uid attribute should contain the search string typed by the user in the search text field.

STANDARD_LOGIN_MAX_SEARCH_RESULT

Specifies the maximum number of search results per naming context returned by a login search. The default value is 55.

STANDARD_LOGIN_ALIASES

Defines an alias for the user DN you use to login to Deja. By default, there are no aliases defined, and the STANDARD_LOGIN_ALIASES parameter is commented out. The definition in the Deja.properties file reads as follows:

# STANDARD_LOGIN_ALIASES= userA_alias; userA_dn; userB_alias; userB_dn

To add a login alias, you must uncomment the line, add an alias name and a user DN for login. For example, if the user cn=Robert Travis, ou=sales,o=sun,c=us wants to login frequently, you can create an alias for him, for example, rob. To add this alias, you would edit the STANDARD_LOGIN_ALIASES definition in the Deja.properties file to read as follows:

STANDARD_LOGIN_ALIASES= rob; cn=Robert Travis, ou=sales,o=sun,c=us

Note. If you create several aliases, you must use a semi-colon to separate them, and not a comma, which is the standard syntax, because the comma is used to separate the different elements in the DN. The semi-colon separates the elements of a DN from a new alias definition.

For example, if you also wanted to add an alias for an administrator user whose DN is cn=Directory Manager, o=sun, c=us, the STANDARD_LOGIN_ALIASES definition in the Deja.properties file would read as follows:

STANDARD_LOGIN_ALIASES= rob ; cn=Robert Travis, ou=sales,o=sun,c=us ; Directory Manager ; cn=Directory Manager, o=sun, c=us

When Deja is restarted the aliases are available in the Login panel. This parameter is case-sensitive.

RADIUS Properties

You can use the RADIUS properties section of the Deja.properties file to define new templates for:

• Performing RADIUS searches
• Creating RADIUS entries


• Defining RADIUS profiles

To add a RADIUS search to Deja, define it in the Radius Search Panel section of the Deja.properties file. Remote User searches are declared in the RADIUS_RU_SEARCH definition, and Remote Access Server searches are defined in the RADIUS_RAS_SEARCH definition. Each search is then defined on a separate line.

A search definition consists of:

• The search name (for example, s_user)
• The label that appears in the Search Type option button (for example, RADIUS_RU_SEARCH_USER_LABEL)
• The search definition
For example:

(& (objectclass=remoteuser)(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$}))

Contains a list of the attributes and header labels for the complex search results table. By default the cn, iphostnumber and uid attributes are listed.

Adding a RADIUS Remote Access Server Search

To add a RADIUS Remote Access Server search for the mail attribute:

1. Declare the search definition in the RADIUS_RAS_SEARCH line:
RADIUS_RAS_SEARCH=s_name;RADIUS_RAS_SEARCH_NAME_LABEL,

s_addr;RADIUS_RAS_SEARCH_IPADDR_LABEL, s_mail;Search by Email

The name for the new search is s_mail, and the label that appears in the Search Type option button is Search by Email.

2. Define the search:
RADIUS_RAS_FILTER.s_mail=(& (objectclass=nas) (uid={$uid;Email;string$}))

The expression {$uid;Email;string$} tells Deja that for this search, the user input is a text string (string), the label to appear by the text field is Email (Email), and that the search text string is a user id (uid).

3. Define the headings for the search results table:
RADIUS_RAS_LIST.s_mail= cn;RADIUS_RAS_CN_ATTR_LABEL, uid;Email

If you do not specify a RADIUS_RAS_LIST for the search, the default headings are used (RADIUS_RAS_LIST.default).

4. Close Deja and restart it.
Your search type is added to the RADIUS Remote Access Server Search panel.

# Radius SEARCH PANEL

# Searches defined for Remote Users

RADIUS_RU_SEARCH=s_user;RADIUS_RU_SEARCH_USER_LABEL, s_name;RADIUS_RU_SEARCH_NAME_LABEL, l_bl_acc;RADIUS_RU_LIST_BLOCKED_ACCOUNTS_LABEL , l_ppp;RADIUS_RU_LIST_PPP_USER_LABEL, l_slip;RADIUS_RU_LIST_SLIP_USER_LABEL, l_login;RADIUS_RU_LIST_LOGIN_USER_LABEL, s_n_u;RADIUS_RU_SEARCH_NAME_UID_LABEL

# Associated filters for Remote User searches

RADIUS_RU_FILTER.s_user= (& (objectclass=remoteuser)(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$}))

RADIUS_RU_FILTER.s_name= (& (objectclass=remoteuser)(cn={$cn;RADIUS_RU_CN_ATTR_LABEL$}))

RADIUS_RU_FILTER.l_bl_acc= (& (objectclass=remoteuser)(radiusAuthFailedAccess>=$RADIUS_MAX_FAIL))

RADIUS_RU_FILTER.l_ppp= (& (objectclass=remoteuser)(radiusPppProfile=*)(radiusPppPasswd=*))

RADIUS_RU_FILTER.l_slip= (& (objectclass=remoteuser)(radiusSlipProfile=*)(radiusSlipPasswd=*))

RADIUS_RU_FILTER.l_login= (& (objectclass=remoteuser)(radiusLoginProfile=*)(radiusLoginPasswd=*))

RADIUS_RU_FILTER.s_n_u= (& (objectclass=remoteuser)(cn={$cn;RADIUS_RU_CN_ATTR_LABEL$})(uid={$uid;R ADIUS_RU_UID_ATTR_LABEL$}))

# Attributes to be included (listed) in the search results

RADIUS_RU_LIST.s_user= cn;RADIUS_RU_CN_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL, framedProtocol;RADIUS_RU_FRAMEDPROTOCOL_ATTR_LABEL

RADIUS_RU_LIST.l_bl_acc= cn;RADIUS_RU_CN_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL, radiusAuthFailedAccess;RADIUS_RU_RADIUSAUTHFAILEDACCESS_ATTR_LABEL

RADIUS_RU_LIST.default= cn;RADIUS_RU_CN_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL

# Searches defined for RAS (Remote Access Servers)

RADIUS_RAS_SEARCH=s_name;RADIUS_RAS_SEARCH_NAME_LABEL, s_addr;RADIUS_RAS_SEARCH_IPADDR_LABEL

# Associated filters for NAS searches

RADIUS_RAS_FILTER.s_name= (& (objectclass=NAS)(cn={$cn;RADIUS_RAS_CN_ATTR_LABEL$}))

RADIUS_RAS_FILTER.s_addr= (& (objectclass=NAS)(iphostnumber={$iphostnumber;RADIUS_RAS_IPHOSTNUMBER_A TTR_LABEL;ipaddr$}))

# Attributes to be included (listed) in the search results

RADIUS_RAS_LIST.default= cn;RADIUS_RAS_CN_ATTR_LABEL, iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL

# Attributes to be listed in case of a complex search

RADIUS_COMPLEX_SEARCH_LIST=cn;RADIUS_CN_ATTR_LABEL, iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL

RADIUS Create Panel Definitions

You can define alternate names for attributes that are displayed in the Choose Attributes list of the RADIUS Create panel. You can also restrict user input to one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.

RADIUS_RU_ADD_COMMON defines attributes for Remote User Entries that are common to all remote user profiles, and RADIUS_RAS_ADD_COMMON defines attributes for Remote Access Server entries that are common to all remote user profiles. The syntax of an attribute definition is:

RADIUS_RAS_ADD_COMMON= attribute_name;label;input_type, ...

Where:

attribute_name is the name of an attribute

label is the name you want to appear in the Choose Attributes list instead of the attribute name

input_type is one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.

The following code example is an extract of the Deja.properties file showing the RADIUS create panel definitions:

# Radius ADD PANEL

RADIUS_RU_ADD_COMMON= uid;RADIUS_RU_UID_ATTR_LABEL, grpCheckInfo;RADIUS_RU_GRPCHECKINFO_ATTR_LABEL, grpReplyInfo;RADIUS_RU_GRPREPLYINFO_ATTR_LABEL, framedIPAddress;RADIUS_RU_FRAMEDIPADDRESS_LABEL;ipaddr, userPassword;RADIUS_RU_USERPASSWORD_LABEL;crypt

RADIUS_RAS_ADD_COMMON= iphostNumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL;ipaddr, sharedKey;RADIUS_RAS_SHAREDKEY_LABEL;crypt

RADIUS Profiles

Three RADIUS Remote User profiles are supplied in the default Deja.properties file. There are no Remote Access Server profiles defined in the default Deja.properties file. You can add more profiles, or add attributes to the existing profiles, but you should not remove default attributes in the existing profiles.

RADIUS_RU_PROFILE / RADIUS_RAS_PROFILE

Specifies the RADIUS profiles available in Deja. The default profiles are SLIP, PPP and LOGIN. The syntax is:

RADIUS_RU_PROFILE= profile_name;label, profile_name;label ...

RADIUS_RAS_PROFILE= profile_name;label, profile_name;label ...

Where:

profile_name is the name of the profile

label is the label that appears in the Create or Modify panels.

RADIUS_RU_ADD.profile_name / RADIUS_RAS_ADD.profile_name

Defines the default attributes that are added to the entry automatically. The syntax is:

RADIUS_RU_ADD.profile_name= attribute;label;input_type, ...

RADIUS_RAS_ADD.profile_name= attribute;label;input_type, ...

Where:

attribute is the attribute you want automatically added to the entry definition

label is the name to appear in the entry definition

input_type is one of the four basic input types int, string, crypt and ipaddr). The default input_type is string.

The following code example is an extract of the Deja.properties file showing the RADIUS Profile Definitions:

# Profiles defined for Remote Users (RU)

RADIUS_RU_PROFILE= ppp_p;RADIUS_RU_PPP_PROFILE_LABEL, slip_p;RADIUS_RU_SLIP_PROFILE_LABEL, login_p;RADIUS_RU_LOGIN_PROFILE_LABEL

# Mandatory RU profile attributes (you can edit the next line by ADDING attributes, but

# NEVER erase the attributes that are given by default)

RADIUS_RU_ADD.ppp_p= radiuspppprofile;RADIUS_RU_RADIUSPPPPROFILE_ATTR_LABEL;int, radiusPppPasswd;RADIUS_RU_RADIUSPPPPASSWD_ATTR_LABEL;crypt

RADIUS_RU_ADD.slip_p= radiusSlipprofile;RADIUS_RU_RADIUSSLIPPROFILE_ATTR_LABEL;int, radiusSlipPasswd;RADIUS_RU_RADIUSSLIPPASSWD_ATTR_LABEL;crypt

RADIUS_RU_ADD.login_p= radiusLoginprofile;RADIUS_RU_RADIUSLOGINPROFILE_ATTR_LABEL;int, radiusLoginPasswd;RADIUS_RU_RADIUSLOGINPASSWD_ATTR_LABEL;crypt

# Profiles defined for Remote Access Servers (RAS)

#RADIUS_RAS_PROFILE= no defined profiles

# Mandatory RAS profile attributes

#RADIUS_RAS_ADD.??= no defined profiles