Sun Directory Services 3.1 User's Guide

Chapter 4 Deja -- Operations on RADIUS Entries

This chapter describes the RADIUS-specific search, create and modify panels. All other Deja functions are described in Chapter 2, Deja -- Standard Operations.

To view the RADIUS-specific search, create and modify panels, you must change the Deja user profile to RADIUS. See "User Profile" for information.

The Deja.properties file on the directory server defines the RADIUS user profiles available in Deja. For information on adding or modifying RADIUS user profiles, see "RADIUS Parameters".


Note -

The RADIUS profiles are defined in the radius.mapping file on the directory server. If the radius.mapping file has been changed, the changes should be copied into the Deja.properties file using the dejasync utility. See Appendix B, dejasync Command Reference for information.


Creating a New Entry

Use Create to add new entries to the RADIUS directory. Figure 4-1 shows the Deja Create panel for RADIUS users.

Figure 4-1 Deja Create Panel for RADIUS Users

  1. Click on the Create icon or select Create Entry from the Entry menu.

    The Create panel is displayed.

    There are two steps to creating a RADIUS directory entry. You must complete each step before you can progress to the next one. Click on Next Step and Previous Step to navigate between the steps.

  2. When you have completed the entry, click Done.

Naming an Entry

  1. Select the type of entry you want to add (Remote User or Remote Access Server).

  2. If you are adding a Remote User, specify the profile of the new entry (Standard, PPP, SLIP, LOGIN).


    Note -

    The list of RADIUS profiles available in Deja is defined in the Deja.properties file on the directory server. See "RADIUS Profiles" for information on defining RADIUS user profiles.


  3. Specify the parent of the entry:

    By default, the Parent text field holds the distinguished name of an entry specified in the Deja.properties file on the directory server. To select another parent entry:

    • Type the Distinguished Name of the Entry's parent in the Parent text field

    • Alternatively, click once on the parent in the browser window to select it and click the Get From Browser button next to the Parent text field.

    The Distinguished Name of the selected entry is imported into the Parent text field.

  4. Select the naming attribute for the entry with the option button.

    The list of available naming attributes is defined in the Deja.properties file on the directory server. See "RADIUS General Parameters" for information on defining the list of available naming attributes.

  5. Type the value for the naming attribute for the entry in the Entry Name text field.

  6. When you are satisfied with the entry name and parent, click the Next Step button to assign values to the attributes.

    See "Selecting Attributes" for information on selecting attributes for the entry.

Check Data and Reply Data Attributes

The RADIUS add attributes window features four additional buttons: Chk Add, Rpl Add, Chk Del, and Rpl Del.

The grpCheckInfo attribute contains a list of attributes that must be checked by the RADIUS server against the information supplied by the remote user. If the grpCheckInfo attribute is not present, or if it does not contain any attributes, then all the attributes in the remote user's entry are checked before access is granted to the user.

The grpReplyInfo attribute contains a list of attributes returned by the RADIUS server with an access-accept or access-reject response. It can contain connection parameters such as a PPP or SLIP profile.

Cancel

    To cancel a create operation at any time, click Cancel.

    The entry definition is cleared from the Create panel.

Modifying an Entry

Use Modify to change attributes and object classes in RADIUS directory entries. Figure 4-2 shows the Deja Modify panel for RADIUS users.

Figure 4-2 Deja Modify Panel for RADIUS Users

You must have write permission for the entry you want to modify. See "Logging In" for information.

  1. In the browser, click on the entry you want to modify.

  2. Click on the Modify icon or select Modify from the Entry menu.

    The Modify Attributes window is displayed.

    See "Selecting Attributes" for information on modifying attributes for the entry.

    If you want to change the name of the entry, use the Rename function. See "Renaming an Entry".

    The RADIUS modify attributes window features four additional buttons: Chk Add, Rpl Add, Chk Del, and Rpl Del. See "Check Data and Reply Data Attributes" for details.

  3. When you have finished your modifications, click Done.

Reset

    To cancel a modify operation at any time, click Reset.

    The entry definition is cleared from the Modify panel.

Searching for an Entry

Use Search when you want to find a RADIUS entry in the directory. This function provides search facilities for up to three criteria. Figure 4-3 shows the Deja Search panel for RADIUS users.

Figure 4-3 Deja Search Panel for RADIUS Users

    Click on the Search icon, or select Search from the Entry menu.

The Search panel is displayed.


Note -

The types of searches available and the categories of search results are defined in the Deja.properties file on the directory server. See "RADIUS Search Panel Definitions" for information on defining searches.


The default search types are:

Remote User Searches

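There are seven searches pre-defined for remote user entries:

    • Search by Login Name

    • Search by User Name

    • List Blocked Accounts

    • List PPP Users

    • List SLIP Users

    • List LOGIN Users

    • Search by Name / Mail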

To define a new type of search, see "RADIUS Search Panel Definitions".

The default search root for remote user searches is o=xyz_remote_users,c=us. This is defined in the Deja.properties file on the directory server and cannot be changed from within Deja. See "RADIUS General Parameters" for information.

Using the Remote User Login Name Search

  1. Select Remote User from the Type of Search option button.

  2. Select Search by Login Name from the Defined Searches option button.

  3. Type the User ID of the entry you want to find in the search text field.

    The search can include the wildcard character *.

  4. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with RAS object class searches or further remote user object class searches. See "Complex Searches".

  5. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

  6. Click the Clear button to clear the search text field.

Using the Remote User User Name Search

  1. Select Remote User from the Type of Search option button.

  2. Select Search by User Name from the Defined Searches option button.

  3. Type the user name of the entry you want to find in the search text field.

    The search can include the wildcard character *.

  4. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with RAS object class searches or further remote user object class searches. See "Complex Searches".

  5. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

  6. Click the Clear button to clear the search text field.

Using the Remote User Blocked Accounts Search

  1. Select Remote User from the Type of Search option button.

  2. Select List Blocked Accounts from the Defined Searches option button.

    There are no user input fields for this search. Deja searches for entries with the following parameters:


    objectclass = remoteuser
    radiusAuthFailedAccess >= RADIUS_MAX_FAIL

    where RADIUS_MAX_FAIL is defined in the Deja.properties file on the directory server. The default value for RADIUS_MAX_FAIL is 4. See "RADIUS General Parameters" for information.

  3. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with RAS object class searches or further remoteuser object class searches. See "Complex Searches".

  4. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

Using the Remote User List PPP Users Search

  1. Select Remote User from the Type of Search option button.

  2. Select List PPP Users from the Defined Searches option button.

    There are no user input fields for this search. Deja searches for entries with the following parameters:


    objectclass = remoteuser
    radiusPppProfile = *
    radiusPppPasswd = *

  3. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with RAS object class searches or further remoteuser object class searches. See "Complex Searches".

  4. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

Using the Remote User List SLIP Users Search

  1. Select Remote User from the Type of Search option button.

  2. Select List SLIP Users from the Defined Searches option button.

    There are no user input fields for this search. Deja searches for entries with the following parameters:


    objectclass = remoteuser
    radiusSlipProfile = *
    radiusSlipPasswd = *

  3. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with RAS object class searches or further remoteuser object class searches. See "Complex Searches".

  4. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

Using the Remote User List LOGIN Users Search

  1. Select Remote User from the Type of Search option button.

  2. Select List LOGIN Users from the Defined Searches option button.

    There are no user input fields for this search. Deja searches for entries with the following parameters:


    objectclass = remoteuser
    radiusLoginProfile = *
    radiusLoginPasswd = *

  3. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with RAS object class searches or further remoteuser object class searches. See "Complex Searches".

  4. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

Using the Remote User Name and Mail Search

  1. Select Remote User from the Type of Search option button.

  2. Select Search by Name / Mail from the Defined Searches option button.

  3. Type the username and email address of the entry you want to find in the search text fields.

    The search can include the wildcard character *.

  4. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with RAS object class searches or further remoteuser object class searches. See "Complex Searches".

  5. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

  6. Click the Clear button to clear the search text fields.

Remote Access Server Search

There are two searches pre-defined for RAS entries:

    • Search by RAS Name

    • Search by RAS IP Address

To define a new type of search, see "RADIUS Search Panel Definitions".

The default search root for remote access server searches is o=xyz_ras,c=us. This is defined in the Deja.properties file on the directory server and cannot be changed from within Deja. See "RADIUS General Parameters" for information.

Using the RAS Name Search

  1. Select Remote Access Server from the Type of Search option button.

  2. Select Search by RAS Name from the Defined Searches option button.

  3. Type the name you want to find in the search text field.

    The search can include the wildcard character *.

  4. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with remote user object class searches or further RAS object class searches. See "Complex Searches".

  5. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

  6. Click the Clear button to clear the search text fields.

Using the RAS IP Address Search

  1. Select Remote Access Server from the Type of Search option button.

  2. Select Search by RAS IP Address from the Defined Searches option button.

  3. Type the IP address you want to find in the search text field.

  4. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

    You can refine your search by combining it with remote user object class searches or further RAS object class searches. See "Complex Searches".

  5. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

  6. Click the Clear button to clear the search text fields.

Complex Searches

You can combine three types of search with the complex searches option:

Searches can be combined with the And or Or operators. You cannot combine both operators in the same search. Up to three search criteria can be defined.

  1. Select Complex Searches from the Type of Search option button.

  2. Select the first search criterion from the Remote User option button and type the search string or filter definition in the text field.

  3. Click on the And or Or buttons to select the logical operator.

  4. Select the second search criterion from the Remote User option button and type the search string or filter definition in the text field.

  5. If you want to add a third search criterion, click the And or Or button again.

  6. To remove a search criterion, click the Back button.

  7. Type the Distinguished Name (DN) of the root of the tree you want to search, or select the root you want to search in the browser window and click Get from Browser.

  8. Click Search to start the search.

    The search results are displayed in the search results list and the number of entries found is displayed in the status bar. If there are no matches, the search results list is empty and the status bar indicates that no entries were found.

  9. To stop the search at any time, click the Stop button.

    The search is stopped and no results are returned.

  10. Click the Clear button to clear all the search parameters.
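The List Blocked Accounts parameters and the Complex Searches rules above (a single operator, at most three criteria) can be written as LDAP filter strings. The following is an added example, not Deja's own code: it assumes the searches map to RFC 4515 filters, and the function names and the mapping of login name to uid and user name to cn are illustrative assumptions.

```python
# Added example (not Deja code): the guide's searches as RFC 4515 filter strings.
# Mapping "login name" to uid and "user name" to cn is an assumption.

RADIUS_MAX_FAIL = 4  # default stated in the guide

# RFC 4515 escapes for characters that would otherwise alter filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_OPERATORS = {"and": "&", "or": "|"}


def escape_value(text, allow_wildcard=False):
    """Escape operator-typed text; '*' survives only where wildcards are allowed."""
    return "".join(
        ch if (ch == "*" and allow_wildcard) else _ESCAPES.get(ch, ch)
        for ch in text
    )


def criterion(attr, value, op="=", allow_wildcard=False):
    """Build one parenthesised filter item such as (uid=jsm*)."""
    if op not in ("=", ">=", "<="):
        raise ValueError(f"unsupported comparison: {op!r}")
    if not attr.isalnum():
        raise ValueError(f"invalid attribute name: {attr!r}")
    return f"({attr}{op}{escape_value(str(value), allow_wildcard)})"


def combine(criteria, operator):
    """Join one to three criteria with a single logical operator."""
    if operator not in _OPERATORS:
        raise ValueError("operator must be 'and' or 'or'")
    if not 1 <= len(criteria) <= 3:
        raise ValueError("between one and three criteria are allowed")
    if len(criteria) == 1:
        return criteria[0]
    return f"({_OPERATORS[operator]}{''.join(criteria)})"


def blocked_accounts_filter(max_fail=RADIUS_MAX_FAIL):
    """The List Blocked Accounts search: remote users at or over the failure limit."""
    return combine([
        criterion("objectclass", "remoteuser"),
        criterion("radiusAuthFailedAccess", int(max_fail), ">="),
    ], "and")


if __name__ == "__main__":
    print(blocked_accounts_filter())
    # Constructed operator input containing filter metacharacters.
    print(combine([criterion("uid", "j*", allow_wildcard=True),
                   criterion("cn", "Smith (temp)")], "or"))
```

Escaping parentheses, backslashes and, outside wildcard fields, the asterisk keeps typed search text from changing the shape of the filter that reaches the directory server.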

Search Results List

Search results are displayed in a list below the search criteria.

The headings of the search results table depend on the search. The types of searches and the headings for search results are defined in the Deja.properties file on the directory server. All the headings can be modified except those for complex searches. See "RADIUS Search Panel Definitions" for information on defining searches.

The attributes returned for the default searches are:

Search Type                            Attributes

remoteuser login name                  cn, uid, framedProtocol
remoteuser user name                   cn, uid
remoteuser blocked accounts            cn, uid, radiusFailedAccess
remoteuser all PPP users               cn, uid
remoteuser all SLIP users              cn, uid
remoteuser all LOGIN users             cn, uid
remoteuser user name/email address     cn, uid
RAS name                               cn, iphostnumber
RAS IP Address                         cn, iphostnumber
Complex searches                       cn, iphostnumber, uid, radiusFailedAccess

    To view an entry from the search results list, double-click on the entry's name.

    The View window is displayed, and the entry is highlighted in the browser window.