The SIMPLE proxy user object is used to define associations between user authentication mechanisms and the identity a user assumes when connected to a permitted network resource. This association is loosely dubbed a role.
A SIMPLE proxy user object can indicate one of three types of authentication to be used: (1) none, (2) an authorized user object, or (3) an external authentication mechanism.
The relationship between SIMPLE proxy users and the authentication mechanism was shown in Figure 9-1.
A SIMPLE proxy user object also indicates the user identity string to be supplied when establishing the user identity on a network resource. This network resource is dubbed the backend server and, by derivation, the identity established on the backend server is defined by the backend_user_name item.
The backend_user_name is only used by the FTP proxy.
A GROUP proxy user object is a collection of one or more references to other proxy user objects, either SIMPLE or GROUP.
Any proxy user object, either SIMPLE or GROUP, contains the following items:
name - Name of the entity (1 to 255 characters).
enabled | disabled - The flag for the entire object. If disabled, authentication of the associated user is always denied. The default is enabled.
group | simple - The type designator of the object. You can usually omit this on input because it can be deduced from the presence of other type-specific items.
description="descstr" (Optional) - A demographic string that can be used to store notations about the role.
A SIMPLE proxy user object contains the following items:
radius | securid (optional) - Indicates that this object is a SPECIAL one, associated with unrestricted mapping of users from the RADIUS or SecurID system (an external authentication method). Only one SPECIAL indicator can be present in a given proxy user object. If present, the next (auth_user_name=) item should not be given.
auth_user_name="auser" (optional) - Indicates the name of an authorized user object that is used to authenticate this user role. If it is absent, and if no SPECIAL item is present, then the proxy user object requires no authentication.
backend_user_name="beuser" - Gives the backend user name string to supply when establishing the user's identity on a backend server. If no SPECIAL item is present, then this item is required; otherwise, it is ignored.
A GROUP proxy user object contains zero or more of the following items:
member_name="memname" - Gives the name of another proxy user object that is a group member.
Although you can add a GROUP proxy user object, including a complete list of its members, the special commands addmember and deletemember are provided to edit the membership list of a GROUP.
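The item rules above can be checked mechanically. The following Python sketch is an added example, not part of the original documentation or the product: it classifies each object's authentication type and flags enabled SIMPLE objects that require no authentication. The dict layout, the "type" key, and the names classify, audit and SAMPLE are assumptions for illustration, and "should not be given" is treated here as an error.

```python
SPECIAL = ("radius", "securid")  # external authentication indicators
SIMPLE_ITEMS = SPECIAL + ("auth_user_name", "backend_user_name")
def classify(obj):
    """Return (type, auth_mode) for one object; raise ValueError if inconsistent."""
    if not 1 <= len(obj.get("name", "")) <= 255:
        raise ValueError("name must be 1 to 255 characters")
    has_simple = any(obj.get(k) for k in SIMPLE_ITEMS)
    has_group = bool(obj.get("member_name"))
    # The type designator may be omitted and deduced from type-specific items.
    kind = obj.get("type") or ("group" if has_group else "simple" if has_simple else None)
    if kind == "group" and not has_simple:
        return "group", None
    if kind != "simple" or has_group:
        raise ValueError("type missing or inconsistent with items")
    specials = [s for s in SPECIAL if obj.get(s)]
    if len(specials) > 1:
        raise ValueError("only one SPECIAL indicator is allowed")
    if specials:
        if obj.get("auth_user_name"):
            raise ValueError("auth_user_name given with a SPECIAL indicator")
        return "simple", "external:" + specials[0]
    if not obj.get("backend_user_name"):
        raise ValueError("backend_user_name is required without a SPECIAL indicator")
    auth = obj.get("auth_user_name")
    # No SPECIAL indicator and no auth_user_name means no authentication at all.
    return "simple", ("authuser:" + auth) if auth else "none"

def audit(objects):
    """Return sorted findings for a list of proxy user objects."""
    names = {o.get("name") for o in objects}
    findings = []
    for o in objects:
        try:
            kind, mode = classify(o)
        except ValueError as e:
            findings.append(f"{o.get('name')}: invalid: {e}")
            continue
        if mode == "none" and o.get("enabled", True):  # the default is enabled
            findings.append(f"{o['name']}: enabled role requires no authentication")
        for m in o.get("member_name", []) if kind == "group" else []:
            if m not in names:
                findings.append(f"{o['name']}: member {m} is not a defined object")
    return sorted(findings)

SAMPLE = [  # constructed sample objects; the dict layout is an assumption
    {"name": "anon-ftp", "backend_user_name": "anonymous"},
    {"name": "jdoe", "auth_user_name": "jdoe", "backend_user_name": "jdoe"},
    {"name": "rad-users", "radius": True}, {"name": "bad", "radius": True, "securid": True},
    {"name": "staff", "member_name": ["jdoe", "rad-users", "ghost"]},
]
```

Calling audit(SAMPLE) reports the unauthenticated anon-ftp role, the object carrying two SPECIAL indicators, and the group member that names no defined object.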