Chapter 5 Command & File Reference

This chapter describes the daemons, commands and files that provide RADIUS service.

This chapter contains the following sections:

• "acctattr"
• "Deja.properties"


• "dejasync"


• "dictionary"


• "dsnmpcfg"


• "dsnmprad"


• "dsradius"


• "dsradiusd"


• "dsradiusd.conf"


• "radius.at.conf"


• "radius.mapping"


• "radius.oc.conf"


• "setup_rad"

The location of the acctattr file is:

/etc/opt/SUNWconn/ldap/current/acctattr

Description

The acctattr file contains a list of RADIUS attributes that are recorded for each remote connection when dynamic accounting is enabled. The attributes listed in this file are recorded in the directory entry of the remote user.

The RADIUS attributes listed in the acctattr file must belong to the dictionary file supported by the NAS.

Other accounting parameters that are automatically recorded when dynamic accounting is enabled are:

• dynamicIPaddress
• dynamicSessionId


• dynamicSessionCounter


• dynamicIPaddressBinding

See Also

See "dictionary", "radius.mapping"

The location of the Deja.properties file is:

/opt/SUNWconn/ldap/html/Deja.properties

Description

The Deja.properties file determines the display characteristics of Deja. It also defines the templates that are used to create and modify certain directory entries, such as NIS and RADIUS entries.

You must be authenticated as superuser or root to modify the Deja.properties file. When you have made modifications to this file, you must restart Deja for the modifications to take effect.

File Structure

The Deja.properties file consists of four sections:

• "General Properties"
• "Standard LDAP Properties"
• "NIS Properties"
• "RADIUS Properties"

Each section in the Deja.properties file contains a list of definitions. Each definitition ends with a carriage return. The different elements in a definition are separated by commas. Related elements are separated by semi-colons.

For example, the attributes returned in RADIUS searches are defined as follows:

RADIUS_RU_LIST.default= cn;RADIUS_RU_CN_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL

In this example, the definition is composed of two elements, separated by a comma. Each element consists of an attribute type (cn and uid in this example), and a label that is displayed in Deja, in the results table header row.

This example does not show the actual labels that appear in Deja's menus. These are defined separately, in the localized resource bundle. The localized resource bundle contains translations in every supported locale for the user interface of Deja.

Labels

Standard Deja labels and identifiers (parameters ending in _LABEL, _IDENTIFIER or _CHOICE) are defined in the localized resource bundle. You cannot change these definitions. You can, however, create your own labels.

For example, if you want the ipHostNumber attribute type to be in the list returned by default in a search on RADIUS remote users, you might modify the RADIUS_RU_LIST.default definition as follows:

RADIUS_RU_LIST.default= cn;RADIUS_RU_CN_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL, ipHostNumber;Host Number

This definition is local to your Deja.properties file. It is not part of the localized resource bundle.

User Input

In the Deja.properties file, user input is represented using the character sequence {0}. For example, in a search filter, the definition (cn=*{0}*) specifies that the search will result in entries for which cn contains the search string.

The character sequence {$definition$} is used by Deja to define a user input field in searches. The expression definition, can consist of the following elements:

• Attribute name - the type of attribute you are searching for
• Label - a text string to appear by the input field
• Field type - the type of input field required. The field type can have one of the following values: crypt, string, int or ipaddr. crypt is a text field where each typed character is replaced with *. string is a text field that accepts any character. int is a text field that accepts only integer numbers. ipaddr consists of four int fields.

General Properties

SCHEMA_THREAD_TIME_LIMIT

Defines a time limit in milliseconds on the time it takes Deja to read the schema. The default value is no time limit.

BROWSER_ENTRY_LIMIT

Specifies the maximum number of entries that can be displayed in the browser. If a limit has been set, you must refresh certain subtrees before opening more. The default value is no limit.

BROWSER_SUBENTRY_LIMIT

Defines the maximum number of immediate children of an entry that can be displayed in the browser. The default value is no limit.

BROWSER_LOAD_SUBNODES_TIME_LIMIT

Specifies the maximum amount of time allowed for Deja to load the children of a node when the node is opened in the browser. This is not the amount of time it then takes to display those children. The default value is 10,000 milliseconds.

BROWSER_CHECK_NODE_TIME_LIMIT

This is the maximum time taken for Deja to verify whether an entry is a leaf or a node. The default value is 2,000 milliseconds.

STANDARD_SECURITY_AUTHENTICATION

Defines the standard authentication mechanism used in the login panel. The only possible value for this parameter is simple.

Standard LDAP Properties

In this section the following tokens are defined:

STANDARD_ATTRIBUTES_CRYPTED

In the View, Modify and Create windows of Deja, some attribute values are not displayed, or replaced by a localized text string. You can specify the attributes you want to be hidden by adding them to the STANDARD_ATTRIBUTES_CRYPTED list. Attribute names are separated by commas. By default the values for userpassword, radiusppppasswd, radiusloginpasswd, chappassword, and radiusslippasswd are hidden.

STANDARD_LOGIN_SEARCH_FILTER

The search feature of the login panel operates using the filter defined with this label. By default it is (|(cn=*{0}*)(uid=*{0}*)). This search filter means that either the cn attribute or the uid attribute should contain the search string typed by the user in the search text field.

STANDARD_LOGIN_MAX_SEARCH_RESULT

Specifies the maximum number of search results per naming context returned by a login search. The default value is 55.

STANDARD_LOGIN_ALIASES

Defines an alias for the user DN you use to login to Deja. By default, there are no aliases defined, and the STANDARD_LOGIN_ALIASES parameter is commented out. The definition in the Deja.properties file reads as follows:

# STANDARD_LOGIN_ALIASES= userA_alias; userA_dn; userB_alias; userB_dn

To add a login alias, you must uncomment the line, add an alias name and a user DN for login. For example, if the user cn=Robert Travis,ou=sales,o=sun,c=us wants to login frequently, you can create an alias for him, for example, rob. To add this alias, you would edit the STANDARD_LOGIN_ALIASES definition in the Deja.properties file to read as follows:

STANDARD_LOGIN_ALIASES= rob; cn=Robert Travis,ou=sales,o=sun,c=us

Note. If you create several aliases, you must use a semi-colon to separate them, and not a comma, which is the standard syntax, because the comma is used to separate the different elements in the DN. The semi-colon separates the elements of a DN from a new alias definition.

For example, if you also wanted to add an alias for the NIS administrator whose DN is cn=NIS Manager, o=sun, c=us, the STANDARD_LOGIN_ALIASES definition in the Deja.properties file would read as follows:

STANDARD_LOGIN_ALIASES= rob ; cn=Robert Travis,ou=sales,o=sun,c=us ; NIS admin; cn=NIS Manager, o=sun, c=us

When Deja is restarted the aliases are available in the Login panel. This parameter is case-sensitive.

STANDARD_SEARCH_FILTERS

Specifies the standard searches available in Deja. Each entry in this list is defined on a separate line.

STANDARD_SEARCH_FILTER_name

Defines each search available, where name is the name of the search specified in STANDARD_SEARCH_FILTERS. A search definition consists of the search name (for example, STANDARD_SEARCH_FILTER_PERSON), the label that appears in the Search Type option button (for example, STANDARD_SEARCH_FILTER_PERSON_IDENTIFIER), and the search definition (for example, (&(objectclass=*)(cn=*{0}*)) ).

STANDARD_SEARCH_TABLE_LABELS

Contains a list of the attributes and header labels for the search results table. By default the cn, telephoneNumber and mail attributes are listed.

STANDARD_CREATE_PASTE_CLEAR_DATA

When you paste an entry to the Create panel, the paste works in one of two ways:

• The paste action can remove information from the Create panel before pasting the entry.
• The paste action does not clear data from the Create panel before pasting. This is useful when you want to create an entry that contains the characteristics of two or more entries.
This property specifies the type of paste. It can be set to true or false. true indicates that data is cleared from the entry before pasting. By default this parameter is set to false. The lines in the Deja.properties file that define this property are as follows by default:

# Standard Create

STANDARD_CREATE_PASTE_CLEAR_DATA=FALSE

#STANDARD_CREATE_PASTE_CLEAR_DATA=TRUE

To change the setting, uncomment the line you want, and comment out the other.

NIS_MAPS

Specifies the list of maps available in Deja. Each map name is followed by a semicolon and the label that appears in the Map Name option button of the NIS Search, Create or Modify panels. If you create a new map in the nis.mapping file, you must declare the map name in the NIS_MAPS token in the Deja.properties file. The syntax is:

NIS_MAPS= map.name;map_label, map.name;map_label, ...

NIS_FILTER.map.name

Specifies the filter that is used in the NIS Search panel. This definition is automatically generated by running dejasync.

NIS_DOMAIN.map.name

Specifies the label that appears in the NIS Create, Modify and Search panels. It shows to which domain the NIS map applies. This definition is automatically generated by running dejasync.

NIS_NAMINGATTR.map.name

Specifies the naming attributes that are available in the NIS Create panel. This is a comma separated list. This definition is automatically generated by running dejasync.

NIS_ROOT.map.name

Specifies the DN of the root entry used for NIS searches. It is also the default parent entry displayed in the NIS Create panel. This definition is automatically generated by running dejasync.

NIS_OCLASS.map.name

Specifies the default object classes that are added to an entry definition in the NIS Create Panel. This is a comma separated list. This definition is automatically generated by running dejasync.

NIS_LIST.map.name

Contains names of the attributes and header labels for the NIS search results table. The syntax is:

NIS_LIST.map.name= attribute;header_label, attribute;header_label, ...

NIS_ADD.map.name

Specifies labels and syntax for attributes in the NIS Create panel. The syntax is:

NIS_ADD.map.name= attribute;label;syntax, attribute;label;syntax, ...

Where syntax is one of the four basic input types (int, string, crypt and ipaddr). If a syntax isn't specified, the default value, string, is used. Specifying a syntax is useful to constrain user input:

• crypt is a text field where each character typed in is replaced with *.
• string is a text field that accepts any character.


• int is a text field that accepts only integer numbers.


• ipaddr consists of four int fields, in the format int.int.int.int.

Contains the names of the attributes listed in the NIS search results table if NIS_LIST is not defined for a map.

RADIUS Properties

RADIUS_RU_SEARCH, RADIUS_RAS_SEARCH

Specifies the standard searches available in Deja for remote users (RU) and remote access servers (RAS). Each entry in this list is defined on a separate line. The syntax is:

RADIUS_RU_SEARCH= Name;label, Name;label, ...

Where Name is the name of the search, and label is the text that appears in the Search Type option button.

RADIUS_RU_FILTER.Name, RADIUS_RAS_FILTER.Name

Defines the search filter used in the search, where Name is the name of the search specified in RADIUS_RU_SEARCH or RADIUS_RAS_SEARCH.

RADIUS_RU_LIST.Name, RADIUS_RAS_LIST.Name

Contains a list of the attributes and header labels for the search results table.

RADIUS_RU_LIST.default, RADIUS_RAS_LIST.default

Contains the default list of the attributes and header labels for the search results table if a RADIUS_RU_LIST.Name or RADIUS_RAS_LIST.Name definition does not exist for the search.

RADIUS_COMPLEX_SEARCH_LIST

Contains a list of the attributes and header labels for the complex searches results table.

RADIUS_RU_ADD_COMMON, RADIUS_RAS_ADD_COMMON

Specifies alternative names for attributes that are displayed in the Choose Attributes list of the RADIUS Create panel. The syntax is:

RADIUS_RU_ADD_COMMON= attribute;label;type

Where attribute is the name of an attribute, label is the name you want to appear in the Choose Attributes list, and type is the input type. You can restrict user input to one of the four basic input types (int, string, crypt or ipaddr). The default type is string.

RADIUS_RU_PROFILE, RADIUS_RAS_PROFILE

Three RADIUS Remote User profiles are defined in the default Deja.properties file. You can add more profiles, or add attributes to the existing profiles, but you should not remove default attributes in the existing profiles.

RADIUS_RU_PROFILE and RADIUS_RAS_PROFILE specify the RADIUS profiles available to Deja. The default profiles are SLIP, PPP and LOGIN. The syntax is:

RADIUS_RU_PROFILE= profile_name;label, profile_name;label ...

Where profile_name is the name of the profile, and label is the label that appears in the Create or Modify panels.

RADIUS_RU_ADD.Name, RADIUS_RAS_ADD.Name

Defines the default attributes that are added to the entry automatically. The syntax is:

RADIUS_RU_ADD.profile_name= attribute;label;input_type, ...

Where attribute is the attribute you want automatically added to the entry definition, label is the name to appear in the entry definition, and input_type is one of the four basic input types (int, string, crypt or ipaddr). The default input_type is string.

RADIUS_RU_OCLASS

Specifies the object class associated with the RADIUS remote user entry type. A single object class is required for each type. This definition is automatically updated if you use the dejasync utility. The default object class is remoteUser.

RADIUS_RAS_OCLASS

Specifies the object class associated with the RADIUS remote access server entry type. A single object class is required for each type. This definition is automatically updated if you use the dejasync utility. The default object class is nas.

RADIUS_RU_ROOT

Specifies the DN of the root entry used for RADIUS remote user searches. It is also the default parent entry displayed in the RADIUS Create panel. This definition is automatically updated if you use the dejasync utility. The default value is o=airius_remote_users,c=us.

RADIUS_RAS_ROOT

Specifies the DN of the root entry used for RADIUS remote access server searches. It is also the default parent entry displayed in the RADIUS Create panel. This definition is automatically updated if you use the dejasync utility. The default value is o=airius_ras,c=us.

RADIUS_RU_NAMINGATTR

Specifies the naming attributes that are available in the RADIUS Create panel for remote user entries. This is a comma separated list. The default naming attributes are cn and uid.

RADIUS_RAS_NAMINGATTR

Specifies the naming attributes that are available in the RADIUS Create panel for remote access server entries. This is a comma separated list. The default naming attribute is cn.

RADIUS_MAX_FAIL

Specifies the search limit for the RADIUS remote user blocked accounts search. The blocked accounts search returns entries that have a value for the attribute radiusAuthFailedAccess that is greater than or equal to the value of RADIUS_MAX_FAIL. The default value is 1. This definition is automatically updated if you use the dejasync utility.

See Also

See "dejasync", "radius.mapping"

The command syntax for dejasync is:

/opt/SUNWconn/ldap/sbin/dejasync [-v] [-d Deja_properties_directory] [-n NIS_mapping_file] [-r RADIUS_mapping_file]

Description

dejasync is a command line utility that synchronizes the Deja.properties files with the NIS and RADIUS mapping files (nis.mapping and radius.mapping) on the directory server. Use it when you have made modifications to the mapping files and you want the changes to be carried over into Deja.

It creates or updates tokens in the Deja.properties file and also backs up the Deja.properties file.

You must be logged in as root or superuser to run dejasync.

nis.mapping File

The dejasync command gets the list of NIS maps managed by Deja from the Deja.properties file. These are lines that start with the NIS_MAPS token.

For each map in the Deja.properties file, dejasync creates a new map definition by copying the following tokens from the nis.mapping file into the Deja.properties file:

• NIS_FILTER
• NIS_DOMAIN


• NIS_ROOT


• NIS_NAMINGATTR


• NIS_OCLASS

radius.mapping File

When synchronizing Deja.properties with the radius.mapping file, dejasync copies the Max_allowed_failures, base-DN and FILTER tokens from the radius.mapping file to the Deja.properties file:

• RADIUS_RU_OCLASS
• RADIUS_RAS_OCLASS


• RADIUS_RU_ROOT


• RADIUS_RAS_ROOT


• RADIUS_MAX_FAIL

Options

-v

Enables verbose mode.

-d Deja_properties_directory

Specifies the directory containing the Deja.properties file. By default this is /opt/SUNWconn/ldap/html.

-n NIS_mapping_file

Specifies the filename of the NIS mapping file. By default this is /etc/opt/SUNWconn/ldap/current/mapping/nis.mapping.

-r RADIUS_mapping_file

Specifies the filename of the RADIUS mapping file. By default this is /etc/opt/SUNWconn/ldap/current/mapping/radius.mapping.

See Also

See "radius.mapping", and "Deja.properties"

The location of the dictionary file is:

/etc/opt/SUNWconn/ldap/current/dictionary

Description

The dictionary file is used for communication between the RADIUS server and the NAS. A RADIUS dictionary file contains RADIUS attribute and value pairs. A number of these attributes are defined in RFC 2138 Remote Authentication Dial In User Service (RADIUS), and RFC 2139 RADIUS Accounting. However, NAS vendors have also defined proprietary attributes.

The dictionary file contains standard RADIUS attribute definitions and non-protocol attributes that are used internally by the RADIUS server. Internal attributes are listed in Table  2.1.

Dictionary files are often provided by NAS vendors such as Ascend, Cisco, Shiva or Bay Networks. Solaris Extensions for Netscape Directory Server 4.11 can be also be used with these vendor-supplied dictionaries.

The syntax of the dsnmpcfg command is:

/opt/SUNWconn/ldap/sbin/dsnmpcfg {  install  |  configure  |  remove  }

Description

The dsnmpcfg script is used by the pkgadd utility to initialize the dsnmprad daemon provided with Solaris Extensions for Netscape Directory Server 4.11. It is also used by the pkgrm utility to stop the daemon. The dsnmprad daemon is an SNMP agent that collects statistics on RADIUS traffic.

The dsnmpcfg script is also used by to declare the hosts to which the SNMP agent must send SNMP traps. It does this by modifying the trap-recipients variable in the dsnmprad.conf file.

Options

install

Called by pkgadd when the SUNWsds package is installed to generate the initial SNMP configuration. It creates the configuration file dsnmprad.conf if it does not already exist. It then starts the RADIUS SNMP daemon, dsnmprad.

configure

Used by the administrator to configure the SNMP configuration file, dsnmprad.conf. The administrator is prompted to provide the names of the hosts to which the SNMP daemon must send SNMP events (traps). when the configuration is complete, the dsnmpcfg script restarts the SNMP daemon dsnmprad.

remove

Called by pkgrm when the SUNWsds package is removed to remove the SNMP configuration. It stops dsnmprad, then removes the dsnmprad.conf file and the log files.

See Also

See "dsnmprad"

The syntax of the dsnmprad daemon is:

/opt/SUNWconn/ldap/lib/dsnmprad [-h] [-a target-agent-host] [-b boots-file] [-c config-file] [-i poll-interval] [-l log-file] [-p port] [-s log-size] [-t timeout] [-T trace-level] [-y internal-auth-port] [-z internal-acc-port]

Description

The dsnmprad daemon is an SNMP agent that implements RFC 2619 RADIUS Authentication Server MIB and RFC 2621 RADIUS Accounting Server MIB.

The dsnmprad daemon implements the SNMP GET and GET-NEXT commands. It does not implement the SNMP SET command.

The dsnmprad configuration files, dsnmprad.conf and dsnmprad.boots are located by default in the /etc/opt/SUNWconn/ldap/current directory. If you move them to a new location, you must specify it on the command line (options -b and -c) when you start dsnmprad.

The dsnmprad daemon gets the list of manager hosts (recipients of SNMP traps) from the dsnmprad.conf file.

Options

-h

Online help (usage).

-a target-agent-host

Default is localhost.

-b boots-file

The default boots file is /etc/opt/SUNWconn/ldap/current/dsnmprad.boots.

-c config-file

Specifies the configuration file containing the list of hosts that are recipients of SNMP traps. The default file is /etc/opt/SUNWconn/ldap/current/dsnmprad.conf.

-i poll-interval

Default poll interval is 10 seconds.

-l log-file

Default log file is /tmp/radiusd.log.

-p port

Indicates the UDP port number on which the SNMP agent listens for traps. The default port number is 161.

-s log-size

Indicates the maximum size of the log file. The default value is 100,000 bytes.

-t timeout

Default timeout is 4000000 microseconds.

-T trace-level

The trace level parameter is in the range 0 to 4. The default value is 0.

-y internal-auth-port

Default is 34654.

-z internal-acc-port

Default is 34754.

See Also

See "dsnmpcfg"

The syntax of the dsradius script is:

/opt/SUNWconn/ldap/sbin/dsradius {  start  |  stop |  refresh  }

Description

The dsradius script can be used to start and stop the dsradiusd daemon. It is also used to force the dsradiusd daemon to re-read the configuration without stopping and restarting. You must perform a restart or a refresh of the dsradius daemon whenever you change the RADIUS configuration, or when you add, delete or modify NAS entries in the directory.

Options

start | stop | refresh

Use the appropriate keyword to start or stop the dsradiusd daemon. The refresh keyword forces dsradiusd to re-read the dsradiusd.conf configuration file, or to the NAS branch of the directory tree.

See Also

See "dsradiusd", "dsradiusd.conf"

The syntax of the dsradiusd daemon is:

/opt/SUNWconn/ldap/lib/dsradiusd [-a acct_dir] [-c conf_file] [-d config_dir] [-f failed_password_blocking_number] [-h] [-i ip_address] [-I] [-l log_file] [-m mapping_file] [-o] [-p authentication_udp_port] [-P accounting_udp_port] [-q max_outstanding_requests] [-s] [-t max_seconds_in_queue] [-v] [-x trace-level] [-y min_threads] [-z max_threads]

Description

The dsradiusd daemon is the RADIUS server daemon. It is an authentication server for remote users connecting to a network through a Network Access Server (NAS), also called Remote Access Server (RAS), that uses Netscape Directory Server to store information about remote users and NAS'. The NAS communicates with dsradiusd to check the information provided in the connection request against the information stored in the directory.

RADIUS (Remote Access Dialup User Service) is the protocol used by the dsradiusd daemon to authenticate remote users who connect to the network.

The dsradiusd daemon also provides accounting information on remote user connections. When the daemon is started, it forks two processes, one to handle authentication, to other to handle accounting.

The dsradiusd daemon can be started with the dsradius script. The startup parameters are saved in the radius.mapping file.

Options

-a acct_dir

Specifies the directory where accounting information is stored. The default is /var/opt/SUNWconn/ldap/radacct. This directory contains one subdirectory per NAS, named after the NAS hostname, or the NAS IP host number.

-c conf_file

Specifies the name of the configuration file. The default is dsradiusd.conf.

-d config_dir

Specifies the directory where the configuration file is stored. The default is /etc/opt/SUNWconn/ldap/current.

-f failed_password_blocking_limit

Specifies the number of times a wrong password can be supplied before the user account is blocked. By default, the user account is blocked after four unsuccessful attempts.

-h

Displays the usage message.

-i ip_address

Specifies the IP address of the RADIUS server. Use this option if the IP address of the host machine and of the RADIUS server are different, for example if the RADIUS server runs on a machine that has multiple network interfaces.

-I

Automatically adds dynamic connection attributes to the entry of the user when an accounting-start signal is received. These attributes are removed when an accounting-stop signal is received. The dynamic connection attributes are the assigned IP address, accounting session ID, session counter (number of simultaneous sessions opened by the same remote user), and all attributes listed in acctattr. For this option to work, RADIUS accounting must be activated. This means that the Network Access Server (NAS) must be configured to send accounting packets to the RADIUS server.

-l log_file

Specifies the file where logging information is saved. The default is /var/opt/SUNWconn/ldap/log/radius.log.

-m mapping_file

Specifies the radius.mapping file used by the dsradiusd daemon.

-o

Specifies that the server will accept all zeros in the authenticator that is passed between the NAS and the RADIUS server. This allows compatibility with NAS devices that support older versions of the RADIUS protocol.

-p authentication_udp_port

Specifies the UDP port on which the authentication process of the dsradiusd daemon is started. The default port number for the authentication process is 1645. Due to later standardization, the standard port number is 1812.

-P accounting_udp_port

Specifies the UDP port on which the accounting process of the dsradiusd daemon is started. The default port number for the accounting process is 1646. Due to later standardization, the standard port number is 1813.

-q max_outstanding_requests

Indicates the maximum number of connection requests that can be queued. The default is 5000.

-s

Starts the dsradiusd daemon in single process mode for debugging.

-t max_seconds_in_queue

Sets the timeout on a connection request in seconds. The default value is 30.

-v

Starts the dsradiusd daemon in verbose mode. The output is displayed on screen.

-x trace-level

Specifies a trace level for the dsradiusd daemon. When the daemon is running with this option, it does not fork or dissociate from the terminal. The trace level can be the sum of:

• 1=trace (the default)
• 2=args


• 4=config


• 8=mapping


• 64=memory

Specifies the minimum number of threads used by the dsradiusd daemon to process connection requests. The default value is 3.

-z max_threads

Specifies the maximum number of threads used by the dsradiusd daemon to process connection requests. The default value is 1024.

See Also

See "dsradiusd.conf"

The location of the dsradiusd.conf file is:

/etc/opt/SUNWconn/ldap/default/dsradiusd.conf

Description

The dsradiusd.conf file contains configuration parameters for the RADIUS service. The configuration parameters held in this file are different from those defined in the mapping file, radius.mapping.

The dsradiusd.conf file contains the following configuration parameters:

• LDAP_Server
Specifies the hostname of the LDAP server. The default value is localhost.
• LDAP_Port
Specifies the TCP port number that the LDAP server runs on. The default value is 389.
• LDAP_Bind_dn
Specifies the DN used to bind to the LDAP directory for performing searches and modifying the LDAP database. The example value provided as a placeholder in dsradiusd.conf is cn=radiusadmin.
• LDAP_Password
Specifies the password used to bind to the LDAP directory for performing searches and modifying the LDAP database. The example value provided as a placeholder in dsradiusd.conf is secret.
• LogLevel
Specifies the log level. You can select one of the following log levels:

• 0 = none
• 1 = trace


• 2 = trace and translation


• 3 = trace, translation, and other debug information

The default is 0.

• LogSize
Specifies the number of kilobytes before the log file automatically changes over to the next log file. The default value is 1000.
• LogDir
Specifies the log directory where dsradius.log is located. The default value is /etc/opt/SUNWconn/ldap/default/dsradiusd.conf .

See "radius.mapping", "dsradiusd"

The location of the radius.at.conf file is:

/opt/SUNWconn/ldap/default/schema/radius.at.conf

Description

The radius.at.conf file contains schema information used for storing RADIUS authentication and accounting information in the Netscape Directory Server. It contains a list of LDAP attributes required to use the Netscape Directory Server to store RADIUS information.

Attribute definitions in the radius.oc.conf file contain:

• The name of the attribute
• The OID of the attribute
• The attribute syntax
• If the attribute is single valued, the keyword single

attribute dictionaryFile 1.3.6.1.4.1.42.2.27.1.1.74 ces single

For information on the possible attribute syntaxes, refer to "RADIUS Attributes".

See Also

See "radius.oc.conf".

The location of the radius.mapping file is:

/opt/SUNWconn/ldap/default/mapping/radius.mapping

Description

The radius.mapping file contains:

• Configuration parameters for the RADIUS service
• RADIUS-to-LDAP mapping information

The configuration information stored in the radius.mapping file is at the beginning of the file, under the section entitled Common.

The following configuration variables are defined:

• Max_allowed_failures
This parameter determines blocking mode. It defines the number of permitted consecutive failures to authenticate a user based on the password provided. Any further attempt is systematically blocked, even if the connection parameters supplied are correct. The count is reset on first success. The default value for this parameter is 4. To disable blocking mode, set this parameter to 0.

When an account is blocked, you must manually reset the authFailedAccess attribute in the remote user's entry to 0.

• Dynamic
This parameter determines whether dynamic accounting data is recorded in the LDAP directory (see "Configuring Dynamic Accounting"). It can have one of two values on or off. By default, dynamic accounting is off.
• Authentication_Port
The authentication port number for RADIUS processes. The default port number is 1645. Due to later standardization, the standard port number is 1812. This port number is defined in the radius.mapping file but is commented out.
• Accounting_Port
The accounting port number for RADIUS processes. The default port number is 1646. Due to later standardization, the standard port number is 1813. This port number is defined in the radius.mapping file but is commented out.
• Acounting_dir
The directory where accounting information is stored. The default directory is /var/opt/SUNWconn/ldap/radacct. Note that there is a typographical error in this variable in the radius.mapping file. Do not correct it because the RADIUS server would be unable to read it.
• Max_wait_b4_reject
This parameter defines a client timeout on a RADIUS request. It determines the maximum time a client will wait for a response from the RADIUS server. By default it is 58 seconds.
• Time_limit
This parameter defines a RADIUS server timeout on LDAP search operations. It must be strictly less than the value of the Max_wait_b4_reject parameter. By default it is 50 seconds.

Mapping Information

The radius.mapping file defines the mapping of attributes in the RADIUS dictionary file to LDAP attributes. There is a one-to-one mapping between RADIUS attributes and LDAP attributes. This mapping is shown in detail in Table  4.1.

This mapping information is used by the RADIUS server when it performs LDAP searches in the directory to check authentication information provided in remote user connection requests. It is also used by the RADIUS server to write accounting information into the remote user entries in the directory.

The syntax and semantics of the mapping information in the radius.mapping file is described in Appendix  A, "Mapping Syntax and Semantics."

See Also

See "dsradiusd.conf".

The location of the radius.oc.conf file is:

/opt/SUNWconn/ldap/default/schema/radius.oc.conf

Description

The radius.oc.conf file contains schema information used for storing RADIUS authentication and accounting information in the Netscape Directory Server. It contains a list of LDAP object classes required to use the Netscape Directory Server to store RADIUS information.

Object class definitions in the radius.oc.conf file contain:

• The name of the superior object class, introduced by the keyword superior
• A list of mandatory attributes, introduced by the keyword requires
• A list of optional attributes, introduced by the keyword allows

objectclass radiusServer

superior applicationProcess

requires

host,

sharedKey

allows

dictionaryFile,

acctattrFile,

authHostPortNumber,

acctHostPortNumber

See Also

See "radius.at.conf".

The syntax of the setup_rad script is:

/opt/SUNWconn/ldap/sbin/setup_rad -d

Description

The setup_rad script initializes the RADIUS server. It registers the RADIUS console with the Netscape Console and prompts you for all the information required by the directory server to allow connections from the RADIUS server.

Options

-d

Undoes the setup. This option removes the RADIUS console icon from the Netscape Console, and disables the RADIUS configuration.