Sun Directory Services 3.1 User's Guide

Appendix A The Deja.properties File

Many of Deja's characteristics can be configured by the directory administrator. The characteristics are defined in the /opt/SUNWconn/ldap/html/Deja.properties file on the directory server. You must be authenticated as superuser or root to modify the Deja.properties file. After making changes to the Deja.properties file, close Deja and restart it for the changes to take effect.

File Structure

The Deja.properties file consists of four sections:

In each section is a list of definitions, each of which is terminated with a carriage return. Separate elements in a definition are separated by commas. Related elements are separated by semi-colons.

For example, the code below defines the default attributes displayed for RADIUS searches. The two attribute definitions are separated by a comma. Each definition consists of an attribute whose value is to be displayed (cn and uid), and a label for the results table header row (RADIUS_RU_CN_ATTR_LABEL and RADIUS_RU_UID_ATTR_LABEL) separated by a semi-colon. The list is terminated with a carriage return.


RADIUS_RU_LIST.default= cn;RADIUS_RU_CN_ATTR_LABEL,
uid;RADIUS_RU_UID_ATTR_LABEL

The character sequence {0} is used in the Deja.properties file to indicate user input. The character sequence {0} is replaced by the text typed by the user. For example, in a search filter, the definition (cn=*{0}*) specifies that the search will result in entries for which cn contains the search string typed by the user in the text field.

Labels

Standard Deja labels and identifiers (parameters ending in _LABEL, _IDENTIFIER or _CHOICE) are defined in the localized resource bundle. You cannot change these definitions. You can, however, create your own labels and replace the default ones. For example, if you wanted to replace the Mail label in the Standard Search results table with Email, substitute the word Email for STANDARD_SEARCH_TABLE_MAIL_LABEL in the STANDARD_SEARCH_TABLE_LABELS definition. The definition now reads:


STANDARD_SEARCH_TABLE_LABELS=
cn; STANDARD_SEARCH_TABLE_NAME_LABEL,
telephoneNumber; STANDARD_SEARCH_TABLE_PHONE_LABEL,
mail; Email

General Parameters

In this section the following parameters are defined:


SCHEMA_THREAD_TIME_LIMIT

Defines a time limit in milliseconds on the time it takes Deja to read the schema. The default value is no time limit.


REFERRALS_MANAGE_DSA

With this option set to true, entries with the object class referral are treated like normal entries. With this option set to false, Deja returns a search reference result. The default value is true.


BROWSER_ENTRY_LIMIT

Specifies the maximum number of entries that can be displayed in the browser. If a limit has been set, you must refresh some subtrees before opening more. The default value is no limit.


BROWSER_SUBENTRY_LIMIT

Defines the maximum number of immediate children of an entry that can be displayed in the browser. The default value is no limit.


BROWSER_LOAD_SUBNODES_TIME_LIMIT

Specifies the maximum amount of time allowed for Deja to load the children of a node when the node is opened in the browser. This is not the amount of time it then takes to display those children. The default value is 10000 milliseconds.


BROWSER_CHECK_NODE_TIME_LIMIT

This is the maximum time taken for Deja to verify if an entry is a leaf or a node. The default value is 2000 milliseconds.


STANDARD_SECURITY_AUTHENTICATION

Defines the standard authentication mechanism used in the login panel. This can have one of two values: simple (the password is sent in cleartext) or CRAM-MD5. The default value is CRAM-MD5.


Example A-1 General Parameters

# schema thread time limit in milliseconds (0 = no limit)
SCHEMA_THREAD_TIME_LIMIT=0
#
# manage referrals as entries (true or false)
REFERRALS_MANAGE_DSA=true
#
# max. number of nodes in browser tree (0 = no limit)
BROWSER_ENTRY_LIMIT=0
# max number of subnodes of a node in the browser tree (0 = no limit)
BROWSER_SUBENTRY_LIMIT=0
# time limit to load subnodes (in ms, 0 = no limit)
BROWSER_LOAD_SUBNODES_TIME_LIMIT=10000
# time limit to verify if entry is a leaf or an inner node (in ms, 0 = no limit)
BROWSER_CHECK_NODE_TIME_LIMIT=2000
#
# authentication mechanism
# supported values : CRAM-MD5, simple (cleartext password)
STANDARD_SECURITY_AUTHENTICATION=CRAM-MD5
# STANDARD_SECURITY_AUTHENTICATION=simple

Standard LDAP Parameters

In this section of the Deja.properties file you can:

Hiding Attributes


STANDARD_ATTRIBUTES_CRYPTED

In the view, modify and create windows of Deja, some attribute values are replaced by a localized text string. Specify the attributes you want to be hidden by adding their names to the STANDARD_ATTRIBUTES_CRYPTED list. Attribute names are separated by commas. By default the values for radiusppppasswd, radiusloginpasswd, chappassword, radiusslippasswd, userpassword are hidden.


Example A-2 Standard Encrypted Attributes

#
# Standard Add/Modify/View
#
STANDARD_ATTRIBUTES_CRYPTED=radiusppppasswd, radiusloginpasswd, chappassword,
radiusslippasswd, userpassword 

Login Parameters


STANDARD_LOGIN_SEARCH_FILTER

The search feature of the login panel operates using the filter defined with this label. By default it is (|(cn=*{0}*)(uid=*{0}*)). This filter matches entries in which either cn or uid contains the search string typed by the user in the search text field.


STANDARD_LOGIN_MAX_SEARCH_RESULT

Specifies the maximum number of search results per naming context returned by a login search. The default value is 55.


STANDARD_LOGIN_ALIASES

Defines standard login aliases for Deja. To add an alias, remove the # from the start of the line and see "Adding a Login Alias" for information. The syntax is:


STANDARD_LOGIN_ALIASES= alias; DN; alias; DN; ...

Adding a Login Alias

For example, if the user cn=Robert Travis, ou=sales,o=xyz,c=us logs in frequently, you can create an alias for him (for instance, rob) so that he does not have to type his DN each time. To create the alias:

    Remove the # from the start of the line and add the alias name and the DN for the entry to the STANDARD_LOGIN_ALIASES definition:


STANDARD_LOGIN_ALIASES= rob; cn=Robert Travis,ou=sales,o=xyz,c=us

When Deja is restarted the alias is available in the Login panel.


Example A-3 Login Parameters

#
# Standard Login
#
STANDARD_LOGIN_SEARCH_FILTER= (|(cn=*{0}*)(uid=*{0}*))
STANDARD_LOGIN_MAX_SEARCH_RESULT= 55
# STANDARD_LOGIN_ALIASES= UserA_alias; userA_dn; UserB_alias; UserB_dn

Standard Search Parameters

To add a standard search to Deja, define it in the Standard Search section of the Deja.properties file. Each type of search is declared in the STANDARD_SEARCH_FILTERS definition. Each search is then defined on a separate line. A search definition consists of the search name (for example, STANDARD_SEARCH_FILTER_PERSON), the label that appears in the Search Type option button (for example, STANDARD_SEARCH_FILTER_PERSON_IDENTIFIER), and the search definition (for example, (&(objectclass=person)(cn=*{0}*)) ).


STANDARD_SEARCH_TABLE_LABELS

Contains a list of the attributes and header labels for the search results table. By default the cn, telephoneNumber and mail attributes are listed.


Example A-4 Standard Search Parameters

#
# Standard Search
#
STANDARD_SEARCH_FILTERS= STANDARD_SEARCH_FILTER_PERSON,
STANDARD_SEARCH_FILTER_LOCALITY, STANDARD_SEARCH_FILTER_ORGANIZATION,
STANDARD_SEARCH_FILTER_WILDCARD
STANDARD_SEARCH_FILTER_PERSON= STANDARD_SEARCH_FILTER_PERSON_IDENTIFIER,
(&(objectclass=person)(cn=*{0}*))
STANDARD_SEARCH_FILTER_LOCALITY= STANDARD_SEARCH_FILTER_LOCALITY_IDENTIFIER,
(l=*{0}*)
STANDARD_SEARCH_FILTER_ORGANIZATION=
STANDARD_SEARCH_FILTER_ORGANIZATION_IDENTIFIER, (|(o=*{0}*)(ou=*{0}*))
STANDARD_SEARCH_FILTER_WILDCARD= STANDARD_SEARCH_FILTER_WILDCARD_IDENTIFIER,
{0}
STANDARD_SEARCH_TABLE_LABELS= cn; STANDARD_SEARCH_TABLE_NAME_LABEL,
telephoneNumber; STANDARD_SEARCH_TABLE_PHONE_LABEL, mail;
STANDARD_SEARCH_TABLE_MAIL_LABEL

Adding a New Standard Search

To add a standard search for the uid attribute:

  1. Declare the search definition in the STANDARD_SEARCH_FILTERS line:


    STANDARD_SEARCH_FILTERS= STANDARD_SEARCH_FILTER_PERSON,
    STANDARD_SEARCH_FILTER_LOCALITY,
    STANDARD_SEARCH_FILTER_ORGANIZATION,
    STANDARD_SEARCH_FILTER_WILDCARD, NEW_SEARCH_FILTER_UID

    The label for the new search is NEW_SEARCH_FILTER_UID.

  2. Define the search:


    NEW_SEARCH_FILTER_UID= User ID, (&(objectclass=*)(uid=*{0}*))

    The label to appear in the Search Type option button is User ID, and Deja searches for entries containing the specified value for the attribute uid.

  3. Add additional search results table labels:


    STANDARD_SEARCH_TABLE_LABELS= cn;
    STANDARD_SEARCH_TABLE_NAME_LABEL, telephoneNumber;
    STANDARD_SEARCH_TABLE_PHONE_LABEL, mail;
    STANDARD_SEARCH_TABLE_MAIL_LABEL, uid;User ID

    User ID is added to the search results table headings.

  4. Close Deja and restart it.

    Your search type is added to the Standard Search panel.

Standard Create Parameters

When you paste an entry to the Create panel (see "Pasting an Entry to the Create Panel"), the paste works in one of two ways:


STANDARD_CREATE_PASTE_CLEAR_DATA

Specifies the type of paste. true indicates that data is cleared from the entry before pasting. By default this is set to false.


STANDARD_CREATE_ALTERNATIVE_NAMING_ATTRIBUTES

If the naming attributes cannot be retrieved from the schema for the Standard Create panel, the list of available naming attributes is taken from this definition. By default the naming attributes are cn, o, ou, l, c, and dc.


Example A-5 Standard Create Parameters

# 
# Standard Create 
# 
STANDARD_CREATE_PASTE_CLEAR_DATA=FALSE 
#STANDARD_CREATE_PASTE_CLEAR_DATA=TRUE 
# 
# Alternate way to specify naming attributes if cannot be retrieved from schema
STANDARD_CREATE_ALTERNATIVE_NAMING_ATTRIBUTES=cn; o; ou; l; c; dc

NIS Parameters

The NIS_MAPS definition contains a list of all the NIS maps displayed in Deja. The parameters for each map are specified in a number of definitions. Map definitions can be created by hand, or by using the dejasync command line utility. See "Adding a NIS Map to Deja using dejasync" for information. See also Appendix B, dejasync Command Reference, or the dejasync(1M) manpage. For each map listed in the NIS_MAPS definition in the Deja.properties file, dejasync gets the NIS_FILTER, NIS_DOMAIN, NIS_ROOT, NIS_NAMINGATTR and NIS_OCLASS tokens from the nis.mapping(4) file, and copies them to the map definition in the Deja.properties file. If the tokens already exist in the Deja.properties file, they are updated by dejasync.


NIS_MAPS

Specifies the list of maps available in Deja. Each map name is followed by a semicolon and the label that appears in the Map Name option button of the NIS Search, Create or Modify panels. You can create a new map that is not present in the nis.mapping file. The syntax is:


NIS_MAPS= map.name;map_label, map.name;map_label, ...

NIS_FILTER.map.name

Specifies the filter that is used in the NIS Search panel. This definition is automatically generated if you use the dejasync utility.


NIS_DOMAIN.map.name

Specifies the label that appears in the NIS Create, Modify and Search panels. It shows to which domain the NIS map applies. This definition is automatically generated if you use the dejasync utility.


NIS_NAMINGATTR.map.name

Specifies the naming attributes that are available in the NIS Create panel. This is a comma delimited list. This definition is automatically generated if you use the dejasync utility.


NIS_ROOT.map.name

Specifies the DN of the root entry used for NIS searches. It is also the default parent entry displayed in the NIS Create panel. This definition is automatically generated if you use the dejasync utility.


NIS_OCLASS.map.name

Specifies the default object classes that are added to an entry definition in the NIS Create Panel. This is a comma delimited list. This definition is automatically generated if you use the dejasync utility.


NIS_LIST.map.name

Contains names of the attributes and header labels for the NIS search results table. The syntax is:


NIS_LIST.map.name= attribute;header_label, attribute;header_label, ...

NIS_ADD.map.name

Specifies labels and syntax for attributes in the NIS Create panel. The syntax is:


NIS_ADD.map.name= attribute;label;syntax, attribute;label;syntax, ...

Where syntax is one of the four basic input types (int, string, crypt and ipaddr). If a syntax isn't specified, the default value, string, is used. Specifying a syntax is useful to constrain user input:

  • crypt is a text field where each typed character is replaced with *.

  • string is a text field that accepts any character.

  • int is a text field that accepts only integer numbers.

  • ipaddr consists of four int fields, in the format int.int.int.int.


NIS_LIST.default

Contains the names of the attributes listed in NIS search results table if NIS_LIST is not defined for a map.

Adding a NIS Map to Deja using dejasync

For information about dejasync, see Appendix B, dejasync Command Reference, or the dejasync(1M) manpage. To add a NIS map to Deja from the nis.mapping file using dejasync:

  1. Login as root or become superuser on the directory server.

  2. Add the name of the map, and the label you want to be used in the NIS Maps option button, to the NIS_MAPS definition.

    The map must be defined in the nis.mapping file. For example to add the ethers.byname map to Deja using the label Ethers, the NIS_MAPS definition will look like this:


    NIS_MAPS= ethers.byname;Ethers,
    passwd.byname;NIS_MAP_USERS_CHOICE,
    mail.aliases;NIS_MAP_ALIASES_CHOICE,
    hosts.byname;NIS_MAP_HOSTS_CHOICE,
    group.byname;NIS_MAP_GROUPS_CHOICE

  3. Run dejasync by typing:


    prompt# /opt/SUNWconn/ldap/sbin/dejasync -d Deja_properties_directory
    -n NIS_mapping_file
    

    Where:

    Deja_properties_directory specifies the directory containing the Deja.properties file. By default this is /opt/SUNWconn/ldap/html.

    NIS_mapping_file specifies the filename of the NIS mapping file. By default this is /etc/opt/SUNWconn/ldap/current/mapping/nis.mapping.

    The dejasync utility reads the map declarations in NIS_MAPS, reads the definitions from the nis.mapping file, and updates or adds the corresponding map definitions to the Deja.properties file.

    For the example, the following map definition is added at the end of the Deja.properties file:


    NIS_OCLASS.ethers.byname= ieee802Device
    NIS_FILTER.ethers.byname=
    (&(objectClass=ieee802Device)(cn=$NIS_KEY))
    NIS_NAMINGATTR.ethers.byname=cn
    NIS_ROOT.ethers.byname=dc=xyz,dc=com
    NIS_DOMAIN.ethers.byname=xyz.com

  4. Optionally add NIS_LIST and NIS_ADD definitions for the new map.

    Exit from Deja and restart it to use the new map.

    For the example, the following definitions are added for NIS_LIST and NIS_ADD:


    NIS_LIST.ethers.byname=cn;Host Name, macAddress;Ethernet Address,
    description;Comments
    NIS_ADD.ethers.byname=cn;Host Name, macAddress;Ethernet Address,
    description;Comments


    Example A-6 Default NIS Map Definitions

    #
    # list of supported maps
    #
    NIS_MAPS=passwd.byname;NIS_MAP_USERS_CHOICE,
    mail.aliases;NIS_MAP_ALIASES_CHOICE, hosts.byname;NIS_MAP_HOSTS_CHOICE,
    group.byname;NIS_MAP_GROUPS_CHOICE
    #
    # passwd map
    #
    NIS_FILTER.passwd.byname= (&(objectclass=posixAccount)(uid=$NIS_KEY))
    NIS_DOMAIN.passwd.byname= xyz_users.com
    NIS_NAMINGATTR.passwd.byname=cn
    NIS_ROOT.passwd.byname=   dc=xyz_users,dc=com
    NIS_OCLASS.passwd.byname= posixaccount,person
    NIS_LIST.passwd.byname=cn;NIS_USER_CN_ATTR_LABEL, uid;NIS_UID_ATTR_LABEL,
    uidNumber;NIS_UIDNUMBER_ATTR_LABEL, gidNumber;NIS_GIDNUMBER_ATTR_LABEL,
    homeDirectory;NIS_HOMEDIRECTORY_ATTR_LABEL
    NIS_ADD.passwd.byname=cn;NIS_USER_CN_ATTR_LABEL, sn;NIS_SN_ATTR_LABEL,
    uid;NIS_UID_ATTR_LABEL, uidNumber;NIS_UIDNUMBER_ATTR_LABEL;int,
    gidNumber;NIS_GIDNUMBER_ATTR_LABEL;int,
    homeDirectory;NIS_HOMEDIRECTORY_ATTR_LABEL,
    userPassword;NIS_USERPASSWORD_ATTR_LABEL;crypt,
    loginShell;NIS_LOGINSHELL_ATTR_LABEL, description;NIS_DESCRIPTION_ATTR_LABEL
    #
    # alias map
    #
    NIS_FILTER.mail.aliases= (&(objectclass=nisMailAlias)(cn=$NIS_KEY))
    NIS_DOMAIN.mail.aliases= xyz_aliases.com
    NIS_NAMINGATTR.mail.aliases=cn
    NIS_ROOT.mail.aliases=   dc=xyz_aliases,dc=com
    NIS_OCLASS.mail.aliases= nismailalias
    NIS_LIST.mail.aliases=   cn;NIS_ALIAS_CN_ATTR_LABEL,
    rfc822mailMember;NIS_RFC822MAILMEMBER_ATTR_LABEL
    NIS_ADD.mail.aliases=    cn;NIS_ALIAS_CN_ATTR_LABEL,
    rfc822mailMember;NIS_RFC822MAILMEMBER_ATTR_LABEL
    #
    # host map
    #
    NIS_FILTER.hosts.byname= (&(objectclass=ipHost)(cn=$NIS_KEY))
    NIS_DOMAIN.hosts.byname= xyz_hosts.com
    NIS_NAMINGATTR.hosts.byname=cn
    NIS_ROOT.hosts.byname=   dc=xyz_hosts,dc=com
    NIS_OCLASS.hosts.byname= ipHost
    NIS_LIST.hosts.byname=   cn;NIS_HOST_CN_ATTR_LABEL,
    ipHostNumber;NIS_IPHOSTNUMBER_ATTR_LABEL, macaddress;NIS_MACADDRESS_ATTR_LABEL
    NIS_ADD.hosts.byname=    cn;NIS_HOST_CN_ATTR_LABEL,
    ipHostNumber;NIS_IPHOSTNUMBER_ATTR_LABEL;ipaddr,
    macaddress;NIS_MACADDRESS_ATTR_LABEL, l;NIS_L_ATTR_LABEL
    #
    # group map
    #
    NIS_FILTER.group.byname= (&(objectclass=posixGroup)(cn=$NIS_KEY))
    NIS_DOMAIN.group.byname= xyz_groups.com
    NIS_NAMINGATTR.group.byname=cn
    NIS_ROOT.group.byname=   dc=xyz_groups,dc=com
    NIS_OCLASS.group.byname= posixGroup
    NIS_LIST.group.byname=   cn;NIS_GROUP_CN_ATTR_LABEL,
    gidNumber;NIS_GIDNUMBER_ATTR_LABEL, memberUid;NIS_MEMBERUID_ATTR_LABEL
    NIS_ADD.group.byname=    cn;NIS_GROUP_CN_ATTR_LABEL,
    gidNumber;NIS_GIDNUMBER_ATTR_LABEL;int, memberUid;NIS_MEMBERUID_ATTR_LABEL
    
    NIS_LIST.default=        cn;NIS_CN_ATTR_LABEL

RADIUS Parameters

RADIUS Search Panel Definitions

To add a RADIUS search to Deja, define it in the Radius Search Panel section of the Deja.properties file. Remote User searches are declared in the RADIUS_RU_SEARCH definition, and Remote Access Server searches are defined in the RADIUS_RAS_SEARCH definition. Each search is then defined on a separate line. A search definition consists of the search name (for example, s_user), the label that appears in the Search Type option button (for example, RADIUS_RU_SEARCH_USER_LABEL), and the search definition (for example, (& (objectclass=remoteuser)(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$})) ).


RADIUS_COMPLEX_SEARCH_LIST

Contains a list of the attributes and header labels for the complex search results table. By default the cn, iphostnumber and uid attributes are listed.

Adding a RADIUS Remote Access Server Search

To add a RADIUS Remote Access Server search for the mail attribute:

  1. Declare the search definition in the RADIUS_RAS_SEARCH line:


    RADIUS_RAS_SEARCH=s_name;RADIUS_RAS_SEARCH_NAME_LABEL,
    s_addr;RADIUS_RAS_SEARCH_IPADDR_LABEL, s_mail;Search by Email

    The name for the new search is s_mail, and the label that appears in the Search Type option button is Search by Email.

  2. Define the search:


    RADIUS_RAS_FILTER.s_mail=
    (& (objectclass=nas) (uid={$uid;Email;string$}) )

    The expression {$uid;Email;string$} tells Deja that for this search, the user input is a text string (string), the label to appear by the text field is Email (Email), and that the search text string is a user id (uid).

  3. Define the headings for the search results table:


    RADIUS_RAS_LIST.s_mail= cn;RADIUS_RAS_CN_ATTR_LABEL, uid;Email

    If you do not specify a RADIUS_RAS_LIST for the search, the default headings are used (RADIUS_RAS_LIST.default).

  4. Close Deja and restart it.

    Your search type is added to the RADIUS Remote Access Server Search panel.


    Example A-7 RADIUS Search Definitions

    #
    # Radius SEARCH PANEL
    #
    # Searches defined for Remote Users
    RADIUS_RU_SEARCH=s_user;RADIUS_RU_SEARCH_USER_LABEL,
    s_name;RADIUS_RU_SEARCH_NAME_LABEL,
    l_bl_acc;RADIUS_RU_LIST_BLOCKED_ACCOUNTS_LABEL ,
    l_ppp;RADIUS_RU_LIST_PPP_USER_LABEL, l_slip;RADIUS_RU_LIST_SLIP_USER_LABEL,
    l_login;RADIUS_RU_LIST_LOGIN_USER_LABEL, s_n_u;RADIUS_RU_SEARCH_NAME_UID_LABEL
    
    # Associated filters for Remote Users searches
    RADIUS_RU_FILTER.s_user=   (&
    (objectclass=remoteuser)(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$}))
    RADIUS_RU_FILTER.s_name=   (&
    (objectclass=remoteuser)(cn={$cn;RADIUS_RU_CN_ATTR_LABEL$}))
    RADIUS_RU_FILTER.l_bl_acc= (&
    (objectclass=remoteuser)(radiusAuthFailedAccess>=$RADIUS_MAX_FAIL))
    RADIUS_RU_FILTER.l_ppp=    (&
    (objectclass=remoteuser)(radiusPppProfile=*)(radiusPppPasswd=*))
    RADIUS_RU_FILTER.l_slip=   (&
    (objectclass=remoteuser)(radiusSlipProfile=*)(radiusSlipPasswd=*))
    RADIUS_RU_FILTER.l_login=  (&
    (objectclass=remoteuser)(radiusLoginProfile=*)(radiusLoginPasswd=*))
    RADIUS_RU_FILTER.s_n_u=    (&
    (objectclass=remoteuser)(cn={$cn;RADIUS_RU_CN_ATTR_LABEL$})(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$}))
    
    # Attributes to be included (listed) in the searches' results
    RADIUS_RU_LIST.s_user=     cn;RADIUS_RU_CN_ATTR_LABEL,
    uid;RADIUS_RU_UID_ATTR_LABEL,
    framedProtocol;RADIUS_RU_FRAMEDPROTOCOL_ATTR_LABEL
    RADIUS_RU_LIST.l_bl_acc=   cn;RADIUS_RU_CN_ATTR_LABEL,
    uid;RADIUS_RU_UID_ATTR_LABEL,
    radiusAuthFailedAccess;RADIUS_RU_RADIUSAUTHFAILEDACCESS_ATTR_LABEL
    RADIUS_RU_LIST.default=    cn;RADIUS_RU_CN_ATTR_LABEL,
    uid;RADIUS_RU_UID_ATTR_LABEL
    
    # Searches defined for RASes (Remote Access Servers)
    RADIUS_RAS_SEARCH=s_name;RADIUS_RAS_SEARCH_NAME_LABEL,
    s_addr;RADIUS_RAS_SEARCH_IPADDR_LABEL
    
    # Associated filters for NAS searches
    RADIUS_RAS_FILTER.s_name=  (&
    (objectclass=NAS)(cn={$cn;RADIUS_RAS_CN_ATTR_LABEL$}))
    RADIUS_RAS_FILTER.s_addr=  (&
    (objectclass=NAS)(iphostnumber={$iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL;ipaddr$}))
    
    # Attributes to be included (listed) in the searches' results
    RADIUS_RAS_LIST.default=   cn;RADIUS_RAS_CN_ATTR_LABEL,
    iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL
    
    # Attributes to be listed in case of a complex search
    RADIUS_COMPLEX_SEARCH_LIST=cn;RADIUS_CN_ATTR_LABEL,
    iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL
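
An added example (not Deja's code and not taken from the guide) for scripts that reuse these filter templates outside Deja: it expands the {0} and {$attribute;label;input_type$} placeholders described above, applies the constraint of the input type, and escapes the typed text per RFC 4515 so that it stays a value inside the filter. The function names are hypothetical, and refusing a bare {0} template is a choice made in this sketch.

```python
import ipaddress
import re

# RFC 4515 section 3: these characters are written as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# {$attribute;label$} or {$attribute;label;input_type$}
_NAMED = re.compile(r"\{\$([^;$]+);([^;$]+)(?:;([^;$]+))?\$\}")


def escape_filter_value(text):
    """Escape typed text so it cannot add wildcards or filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def check_input(value, input_type):
    """Apply the constraint of one of the four basic input types."""
    if input_type == "int":
        if not re.fullmatch(r"-?[0-9]+", value):
            raise ValueError("not an integer: %r" % value)
    elif input_type == "ipaddr":
        ipaddress.IPv4Address(value)  # raises a ValueError subclass if malformed
    elif input_type not in ("string", "crypt"):
        raise ValueError("unknown input type: %r" % input_type)
    return value


def named_placeholders(template):
    """List (attribute, label, input_type) for each {$...$}; type defaults to string."""
    return [(m.group(1), m.group(2), m.group(3) or "string")
            for m in _NAMED.finditer(template)]


def expand_positional(template, typed):
    """Expand a {0} template such as (|(cn=*{0}*)(uid=*{0}*))."""
    if template.strip() == "{0}":
        # The wildcard search definition is a bare {0}: the typed text is the
        # filter itself, so value escaping does not apply. Refused here.
        raise ValueError("bare {0}: typed text is the whole filter, not a value")
    return template.replace("{0}", escape_filter_value(typed))


def expand_named(template, typed_by_attribute):
    """Expand {$attribute;label;input_type$} placeholders from a dict of inputs."""
    def substitute(match):
        attribute, input_type = match.group(1), match.group(3) or "string"
        value = check_input(typed_by_attribute[attribute], input_type)
        return escape_filter_value(value)
    return _NAMED.sub(substitute, template)


if __name__ == "__main__":
    # Constructed inputs; the templates are the ones printed in this appendix.
    print(expand_positional("(|(cn=*{0}*)(uid=*{0}*))", "Travis (sales)"))
    print(expand_named(
        "(&(objectclass=NAS)(iphostnumber="
        "{$iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL;ipaddr$}))",
        {"iphostnumber": "192.0.2.10"}))
```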

RADIUS Create Panel Definitions

You can define alternate names for attributes that are displayed in the Choose Attributes list of the RADIUS Create panel. You can also restrict user input to one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.

RADIUS_RU_ADD_COMMON defines attributes for Remote User Entries that are common to all remote user profiles, and RADIUS_RAS_ADD_COMMON defines attributes for Remote Access Server entries that are common to all remote user profiles. The syntax of an attribute definition is:


RADIUS_RAS_ADD_COMMON= attribute_name;label;input_type, ... 

where:

attribute_name is the name of an attribute

label is the name you want to appear in the Choose Attributes list instead of the attribute name, and

input_type is one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.


Example A-8 RADIUS Create Panel Definitions

# Radius ADD PANEL

RADIUS_RU_ADD_COMMON= uid;RADIUS_RU_UID_ATTR_LABEL,
grpCheckInfo;RADIUS_RU_GRPCHECKINFO_ATTR_LABEL,
grpReplyInfo;RADIUS_RU_GRPREPLYINFO_ATTR_LABEL,
framedIPAddress;RADIUS_RU_FRAMEDIPADDRESS_LABEL;ipaddr,
userPassword;RADIUS_RU_USERPASSWORD_LABEL;crypt
RADIUS_RAS_ADD_COMMON=    
iphostNumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL;ipaddr,
sharedKey;RADIUS_RAS_SHAREDKEY_LABEL;crypt

RADIUS Profiles

Three RADIUS Remote User profiles are supplied in the default Deja.properties file. There are no Remote Access Server profiles defined in the default Deja.properties file. You can add more profiles, or add attributes to the existing profiles, but you should not remove default attributes in the existing profiles.


RADIUS_RU_PROFILE / RADIUS_RAS_PROFILE

Specifies the RADIUS profiles available to Deja. The default profiles are SLIP, PPP and LOGIN. The syntax is:


RADIUS_RU_PROFILE= profile_name;label, profile_name;label ...
RADIUS_RAS_PROFILE= profile_name;label, profile_name;label ...

Where profile_name is the name of the profile, and label is the label that appears in the Create or Modify panels.


RADIUS_RU_ADD.profile_name / RADIUS_RAS_ADD.profile_name

Defines the default attributes that are added to the entry automatically. The syntax is:


RADIUS_RU_ADD.profile_name= attribute;label;input_type, ...
RADIUS_RAS_ADD.profile_name= attribute;label;input_type, ...

Where attribute is the attribute you want automatically added to the entry definition, label is the name to appear in the entry definition, and input_type is one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.


Example A-9 RADIUS Profile Definitions

# Profiles defined for Remote Users (RU)
RADIUS_RU_PROFILE= ppp_p;RADIUS_RU_PPP_PROFILE_LABEL,
slip_p;RADIUS_RU_SLIP_PROFILE_LABEL, login_p;RADIUS_RU_LOGIN_PROFILE_LABEL

# Mandatory RU profile attributes (you can edit the next line by ADDING attributes, but
# NEVER erase the attributes that are given by default)
RADIUS_RU_ADD.ppp_p=      
radiuspppprofile;RADIUS_RU_RADIUSPPPPROFILE_ATTR_LABEL;int,
radiusPppPasswd;RADIUS_RU_RADIUSPPPPASSWD_ATTR_LABEL;crypt
RADIUS_RU_ADD.slip_p=     
radiusSlipprofile;RADIUS_RU_RADIUSSLIPPROFILE_ATTR_LABEL;int,
radiusSlipPasswd;RADIUS_RU_RADIUSSLIPPASSWD_ATTR_LABEL;crypt
RADIUS_RU_ADD.login_p=    
radiusLoginprofile;RADIUS_RU_RADIUSLOGINPROFILE_ATTR_LABEL;int,
radiusLoginPasswd;RADIUS_RU_RADIUSLOGINPASSWD_ATTR_LABEL;crypt


# Profiles defined for Remote Access Servers (RAS)
#RADIUS_RAS_PROFILE= no defined profiles

# Mandatory RAS profile attributes
#RADIUS_RAS_ADD.??= no defined profiles
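
The audit below is an added example, not part of the guide or of Deja. It parses definitions in the layout shown in the examples and checks the password-related settings described in this appendix: STANDARD_SECURITY_AUTHENTICATION, STANDARD_ATTRIBUTES_CRYPTED, and the crypt input type in the NIS_ADD and RADIUS *_ADD definitions. The function names, the sample text and the rule that a line not starting with an upper-case NAME= continues the previous definition are assumptions.

```python
import re

# Constructed sample in the layout the page prints: '#' starts a comment and a
# definition may wrap onto following lines. Assumption: a line that does not
# begin with an upper-case NAME= continues the previous definition.
SAMPLE = """\
# constructed sample, not a shipped file
STANDARD_SECURITY_AUTHENTICATION=simple
STANDARD_ATTRIBUTES_CRYPTED=radiusppppasswd, radiusloginpasswd, chappassword,
radiusslippasswd, userpassword
NIS_ADD.passwd.byname=cn;NIS_USER_CN_ATTR_LABEL, uid;NIS_UID_ATTR_LABEL,
userPassword;NIS_USERPASSWORD_ATTR_LABEL
RADIUS_RU_ADD.ppp_p=
radiuspppprofile;RADIUS_RU_RADIUSPPPPROFILE_ATTR_LABEL;int,
radiusPppPasswd;RADIUS_RU_RADIUSPPPPASSWD_ATTR_LABEL;crypt
"""

# Defaults as stated in the guide.
DEFAULT_HIDDEN = ("radiusppppasswd", "radiusloginpasswd", "chappassword",
                  "radiusslippasswd", "userpassword")
INPUT_TYPES = ("int", "string", "crypt", "ipaddr")
ADD_PREFIXES = ("NIS_ADD.", "RADIUS_RU_ADD", "RADIUS_RAS_ADD")

_KEY = re.compile(r"^([A-Z][A-Z0-9_]*(?:\.[A-Za-z0-9_.]+)?)\s*=(.*)$")


def parse_definitions(text):
    """Return {name: value} with wrapped definitions joined into one value."""
    defs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _KEY.match(line)
        if match:
            current = match.group(1)
            defs[current] = match.group(2).strip()
        elif current is not None:
            defs[current] = (defs[current] + " " + line).strip()
    return defs


def split_elements(value):
    """Split a list definition: commas between elements, semicolons within."""
    return [[part.strip() for part in element.split(";")]
            for element in value.split(",") if element.strip()]


def audit(defs):
    """Return (definition, finding) pairs for the password-handling settings."""
    findings = []
    mechanism = defs.get("STANDARD_SECURITY_AUTHENTICATION", "CRAM-MD5")
    if mechanism.lower() == "simple":
        findings.append(("STANDARD_SECURITY_AUTHENTICATION",
                         "simple sends the login password in cleartext"))

    # Attribute names are compared case-insensitively (userpassword/userPassword).
    listed = defs.get("STANDARD_ATTRIBUTES_CRYPTED", ", ".join(DEFAULT_HIDDEN))
    hidden = {parts[0].lower() for parts in split_elements(listed)}
    for name in DEFAULT_HIDDEN:
        if name not in hidden:
            findings.append(("STANDARD_ATTRIBUTES_CRYPTED",
                             name + " is no longer hidden in view/modify/create"))

    for key, value in defs.items():
        if not key.startswith(ADD_PREFIXES):
            continue
        for parts in split_elements(value):
            input_type = parts[2] if len(parts) > 2 else "string"
            if input_type not in INPUT_TYPES:
                findings.append((key, "unknown input type " + input_type))
            elif parts[0].lower() in hidden and input_type != "crypt":
                findings.append((key, parts[0] + " is typed in a visible "
                                 + input_type + " field, not crypt"))
    return findings


if __name__ == "__main__":
    for definition, finding in audit(parse_definitions(SAMPLE)):
        print(definition + ": " + finding)
```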

RADIUS General Parameters

The following general parameters are defined for RADIUS. The RADIUS_RU_OCLASS, RADIUS_RAS_OCLASS, RADIUS_RU_ROOT, RADIUS_RAS_ROOT and RADIUS_MAX_FAIL definitions can be automatically generated from the radius.mapping(4) file by the dejasync utility. See Appendix B, dejasync Command Reference, or the dejasync(1M) manpage for information.


RADIUS_RU_OCLASS

Specifies the object class associated with the RADIUS Remote User entry type. A single object class is required for each type. This definition is automatically generated if you use the dejasync utility. The default object class is remoteuser.


RADIUS_RAS_OCLASS

Specifies the object class associated with the RADIUS Remote Access Server entry type. A single object class is required for each type. This definition is automatically generated if you use the dejasync utility. The default object class is nas.


RADIUS_RU_ROOT

Specifies the DN of the root entry used for RADIUS Remote User searches. It is also the default parent entry displayed in the RADIUS Create panel. This definition is automatically generated if you use the dejasync utility. The default value is o=xyz_remote_users,c=us.


RADIUS_RAS_ROOT

Specifies the DN of the root entry used for RADIUS Remote Access Server searches. It is also the default parent entry displayed in the RADIUS Create panel. This definition is automatically generated if you use the dejasync utility. The default value is o=xyz_ras,c=us.


RADIUS_RU_NAMINGATTR

Specifies the naming attributes that are available in the RADIUS Create panel for Remote User entries. This is a comma delimited list. The default naming attributes are cn and uid.


RADIUS_RAS_NAMINGATTR

Specifies the naming attributes that are available in the RADIUS Create panel for Remote Access Server entries. This is a comma delimited list. The default naming attribute is cn.


RADIUS_MAX_FAIL

Specifies the search limit for the RADIUS Remote User blocked accounts search. The blocked accounts search returns entries that have a value for the attribute radiusAuthFailedAccess greater than or equal to the value of RADIUS_MAX_FAIL. The default value is 4. This definition is automatically generated if you use the dejasync utility.


Example A-10 RADIUS General Parameters

# Add object classes (a single objectclass is accepted for every type)
RADIUS_RU_OCLASS=          remoteuser
RADIUS_RAS_OCLASS=         nas

# Radius COMMON to ADD and SEARCH Panels
# Root DN: a single RootDN is accepted for every type
RADIUS_RU_ROOT=            o=xyz_remote_users,c=us
RADIUS_RAS_ROOT=           o=xyz_ras,c=us

# Naming attributes: a comma (,) separated list is accepted for every type
RADIUS_RU_NAMINGATTR=      cn, uid
RADIUS_RAS_NAMINGATTR=     cn
RADIUS_MAX_FAIL=           4