Sun Directory Services 3.1 User's Guide

RADIUS Parameters

RADIUS Search Panel Definitions

To add a RADIUS search to Deja, define it in the Radius Search Panel section of the Deja.properties file. Remote User searches are declared in the RADIUS_RU_SEARCH definition, and Remote Access Server searches in the RADIUS_RAS_SEARCH definition. The filter for each search is then defined on a separate line. A search definition consists of the search name (for example, s_user), the label that appears in the Search Type option button (for example, RADIUS_RU_SEARCH_USER_LABEL), and the search filter (for example, (& (objectclass=remoteuser)(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$})) ).


RADIUS_COMPLEX_SEARCH_LIST

Contains a list of the attributes and header labels for the complex search results table. By default the cn, iphostnumber and uid attributes are listed.

Adding a RADIUS Remote Access Server Search

To add a RADIUS Remote Access Server search for the mail attribute:

  1. Declare the search definition in the RADIUS_RAS_SEARCH line:


    RADIUS_RAS_SEARCH=s_name;RADIUS_RAS_SEARCH_NAME_LABEL,
    s_addr;RADIUS_RAS_SEARCH_IPADDR_LABEL, s_mail;Search by Email

    The name for the new search is s_mail, and the label that appears in the Search Type option button is Search by Email.

  2. Define the search:


    RADIUS_RAS_FILTER.s_mail=
    (& (objectclass=nas) (uid={$uid;Email;string$}) )

    The expression {$uid;Email;string$} tells Deja that, for this search, the user input is a text string (string), the label to appear beside the text field is Email, and the value entered is matched against the uid attribute. The attribute named in the placeholder and the attribute compared in the filter must be the same; the filter as written matches on uid, so to match the mail attribute instead write (mail={$mail;Email;string$}).

  3. Define the headings for the search results table:


    RADIUS_RAS_LIST.s_mail= cn;RADIUS_RAS_CN_ATTR_LABEL, uid;Email

    If you do not specify a RADIUS_RAS_LIST for the search, the default headings are used (RADIUS_RAS_LIST.default).

  4. Close Deja and restart it.

    Your search type is added to the RADIUS Remote Access Server Search panel.


    Example A-7 RADIUS Search Definitions

    #
    # Radius SEARCH PANEL
    #
    # Searches defined for Remote Users
    RADIUS_RU_SEARCH=s_user;RADIUS_RU_SEARCH_USER_LABEL,
    s_name;RADIUS_RU_SEARCH_NAME_LABEL,
    l_bl_acc;RADIUS_RU_LIST_BLOCKED_ACCOUNTS_LABEL,
    l_ppp;RADIUS_RU_LIST_PPP_USER_LABEL, l_slip;RADIUS_RU_LIST_SLIP_USER_LABEL,
    l_login;RADIUS_RU_LIST_LOGIN_USER_LABEL, s_n_u;RADIUS_RU_SEARCH_NAME_UID_LABEL
    
    # Associated filters for Remote Users searches
    RADIUS_RU_FILTER.s_user=   (&
    (objectclass=remoteuser)(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$}))
    RADIUS_RU_FILTER.s_name=   (&
    (objectclass=remoteuser)(cn={$cn;RADIUS_RU_CN_ATTR_LABEL$}))
    RADIUS_RU_FILTER.l_bl_acc= (&
    (objectclass=remoteuser)(radiusAuthFailedAccess>=$RADIUS_MAX_FAIL))
    RADIUS_RU_FILTER.l_ppp=    (&
    (objectclass=remoteuser)(radiusPppProfile=*)(radiusPppPasswd=*))
    RADIUS_RU_FILTER.l_slip=   (&
    (objectclass=remoteuser)(radiusSlipProfile=*)(radiusSlipPasswd=*))
    RADIUS_RU_FILTER.l_login=  (&
    (objectclass=remoteuser)(radiusLoginProfile=*)(radiusLoginPasswd=*))
    RADIUS_RU_FILTER.s_n_u=    (&
    (objectclass=remoteuser)(cn={$cn;RADIUS_RU_CN_ATTR_LABEL$})
    (uid={$uid;RADIUS_RU_UID_ATTR_LABEL$}))
    
    # Attributes to be included (listed) in the searches' results
    RADIUS_RU_LIST.s_user=     cn;RADIUS_RU_CN_ATTR_LABEL,
    uid;RADIUS_RU_UID_ATTR_LABEL,
    framedProtocol;RADIUS_RU_FRAMEDPROTOCOL_ATTR_LABEL
    RADIUS_RU_LIST.l_bl_acc=   cn;RADIUS_RU_CN_ATTR_LABEL,
    uid;RADIUS_RU_UID_ATTR_LABEL,
    radiusAuthFailedAccess;RADIUS_RU_RADIUSAUTHFAILEDACCESS_ATTR_LABEL
    RADIUS_RU_LIST.default=    cn;RADIUS_RU_CN_ATTR_LABEL,
    uid;RADIUS_RU_UID_ATTR_LABEL
    
    # Searches defined for RASes (Remote Access Servers)
    RADIUS_RAS_SEARCH=s_name;RADIUS_RAS_SEARCH_NAME_LABEL,
    s_addr;RADIUS_RAS_SEARCH_IPADDR_LABEL
    
    # Associated filters for NAS searches
    RADIUS_RAS_FILTER.s_name=  (&
    (objectclass=NAS)(cn={$cn;RADIUS_RAS_CN_ATTR_LABEL$}))
    RADIUS_RAS_FILTER.s_addr=  (&
    (objectclass=NAS)
    (iphostnumber={$iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL;ipaddr$}))
    
    # Attributes to be included (listed) in the searches' results
    RADIUS_RAS_LIST.default=   cn;RADIUS_RAS_CN_ATTR_LABEL,
    iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL
    
    # Attributes to be listed in case of a complex search
    RADIUS_COMPLEX_SEARCH_LIST=cn;RADIUS_CN_ATTR_LABEL,
    iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL, uid;RADIUS_RU_UID_ATTR_LABEL
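
    As an added example (not Deja's own code), the following Python shows how the search definitions above combine: it parses RADIUS_*_SEARCH and RADIUS_*_FILTER lines, expands the $RADIUS_MAX_FAIL reference used by the blocked-accounts filter, and fills the {$attribute;label;input_type$} placeholders with user input. The guide does not say how Deja itself validates or escapes what the user types, so the example applies the checks any such substitution needs: int and ipaddr input is validated, and string input is escaped per RFC 4515 so that characters such as ( ) * cannot change the filter's meaning. The sample properties are a constructed subset of Example A-7 with each definition on one line and no whitespace inside the filters; the function names are this example's own.

```python
"""Build LDAP filters from Deja.properties RADIUS search definitions.

Added example, not Deja's code. Assumes one definition per line and that
{$attr;label;type$} placeholders and $PROPERTY references are the only
substitutions, as the guide shows.
"""
import ipaddress
import re

# Constructed sample: a subset of Example A-7, one definition per line and
# no whitespace inside the filters, so the results are exact.
SAMPLE_PROPERTIES = """\
# Searches defined for Remote Users
RADIUS_RU_SEARCH=s_user;RADIUS_RU_SEARCH_USER_LABEL, l_bl_acc;RADIUS_RU_LIST_BLOCKED_ACCOUNTS_LABEL
RADIUS_RU_FILTER.s_user=(&(objectclass=remoteuser)(uid={$uid;RADIUS_RU_UID_ATTR_LABEL$}))
RADIUS_RU_FILTER.l_bl_acc=(&(objectclass=remoteuser)(radiusAuthFailedAccess>=$RADIUS_MAX_FAIL))
RADIUS_RAS_SEARCH=s_addr;RADIUS_RAS_SEARCH_IPADDR_LABEL
RADIUS_RAS_FILTER.s_addr=(&(objectclass=NAS)(iphostnumber={$iphostnumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL;ipaddr$}))
RADIUS_MAX_FAIL=           4
"""

# {$attribute;label[;input_type]$}, the placeholder syntax the guide describes.
PLACEHOLDER = re.compile(
    r"\{\$(?P<attr>[^;$]+);(?P<label>[^;$]+)(?:;(?P<type>int|string|crypt|ipaddr))?\$\}")
# $NAME refers to another property (the guide uses $RADIUS_MAX_FAIL).
PROPERTY_REF = re.compile(r"(?<!\{)\$(?P<name>[A-Z][A-Z0-9_]*)")


def parse_properties(text):
    """key=value lines; '#' comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def parse_pair_list(value):
    """'name;label, name;label' -> [(name, label), ...] for SEARCH and LIST keys."""
    pairs = []
    for item in value.split(","):
        if item.strip():
            name, _, label = item.strip().partition(";")
            pairs.append((name.strip(), label.strip()))
    return pairs


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that would let input alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def coerce_input(value, input_type):
    """Validate user input per the guide's input types, then make it filter-safe."""
    if input_type == "int":
        if not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"not an integer: {value!r}")
        return value
    if input_type == "ipaddr":
        return str(ipaddress.ip_address(value))  # ValueError on anything else
    # string and crypt: free text, but never raw filter metacharacters
    return escape_filter_value(value)


def check_balanced(ldap_filter):
    """Reject a filter whose parentheses do not balance (a sign of bad templates)."""
    depth = 0
    for c in ldap_filter:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            raise ValueError("unbalanced filter")
    if depth:
        raise ValueError("unbalanced filter")
    return ldap_filter


def build_filter(props, filter_key, user_input):
    """Expand $PROPERTY references first (so user text can never act as one),
    then fill the {$...$} placeholders with validated, escaped user input."""
    template = props[filter_key]

    def property_ref(m):
        val = props[m.group("name")]
        if not re.fullmatch(r"-?\d+", val):  # only numeric thresholds are expected
            raise ValueError(f"{m.group('name')} must be an integer, got {val!r}")
        return val

    def placeholder(m):
        return coerce_input(user_input[m.group("attr")], m.group("type") or "string")

    expanded = PROPERTY_REF.sub(property_ref, template)
    return check_balanced(PLACEHOLDER.sub(placeholder, expanded))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(parse_pair_list(props["RADIUS_RU_SEARCH"]))
    print(build_filter(props, "RADIUS_RU_FILTER.s_user", {"uid": "jdoe"}))
    print(build_filter(props, "RADIUS_RU_FILTER.s_user", {"uid": "*)(uid=*"}))
    print(build_filter(props, "RADIUS_RU_FILTER.l_bl_acc", {}))
    print(build_filter(props, "RADIUS_RAS_FILTER.s_addr", {"iphostnumber": "192.0.2.10"}))
```

    The second s_user call shows why the escaping matters: the input *)(uid=* would otherwise turn a lookup of one user into a match on every remote user. If a search panel is meant to accept wildcards, unescape * deliberately for that one placeholder rather than skipping the escaping altogether.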

RADIUS Create Panel Definitions

You can define alternate names for attributes that are displayed in the Choose Attributes list of the RADIUS Create panel. You can also restrict user input to one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.

RADIUS_RU_ADD_COMMON defines attributes for Remote User entries that are common to all Remote User profiles, and RADIUS_RAS_ADD_COMMON defines attributes for Remote Access Server entries that are common to all Remote Access Server profiles. The syntax of an attribute definition is:


RADIUS_RAS_ADD_COMMON= attribute_name;label;input_type, ... 

where:

attribute_name is the name of an attribute

label is the name you want to appear in the Choose Attributes list instead of the attribute name, and

input_type is one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.


Example A-8 RADIUS Create Panel Definitions

# Radius ADD PANEL

RADIUS_RU_ADD_COMMON= uid;RADIUS_RU_UID_ATTR_LABEL,
grpCheckInfo;RADIUS_RU_GRPCHECKINFO_ATTR_LABEL,
grpReplyInfo;RADIUS_RU_GRPREPLYINFO_ATTR_LABEL,
framedIPAddress;RADIUS_RU_FRAMEDIPADDRESS_LABEL;ipaddr,
userPassword;RADIUS_RU_USERPASSWORD_LABEL;crypt
RADIUS_RAS_ADD_COMMON=    
iphostNumber;RADIUS_RAS_IPHOSTNUMBER_ATTR_LABEL;ipaddr,
sharedKey;RADIUS_RAS_SHAREDKEY_LABEL;crypt

RADIUS Profiles

Three RADIUS Remote User profiles are supplied in the default Deja.properties file. There are no Remote Access Server profiles defined in the default Deja.properties file. You can add more profiles, or add attributes to the existing profiles, but you should not remove default attributes in the existing profiles.


RADIUS_RU_PROFILE / RADIUS_RAS_PROFILE

Specifies the RADIUS profiles available to Deja. The default profiles are SLIP, PPP and LOGIN. The syntax is:


RADIUS_RU_PROFILE= profile_name;label, profile_name;label ...
RADIUS_RAS_PROFILE= profile_name;label, profile_name;label ...

Where profile_name is the name of the profile, and label is the label that appears in the Create or Modify panels.


RADIUS_RU_ADD.profile_name / RADIUS_RAS_ADD.profile_name

Defines the default attributes that are added to the entry automatically. The syntax is:


RADIUS_RU_ADD.profile_name= attribute;label;input_type, ...
RADIUS_RAS_ADD.profile_name= attribute;label;input_type, ...

Where attribute is the attribute you want automatically added to the entry definition, label is the name to appear in the entry definition, and input_type is one of the four basic input types (int, string, crypt and ipaddr). The default input_type is string.


Example A-9 RADIUS Profile Definitions

# Profiles defined for Remote Users (RU)
RADIUS_RU_PROFILE= ppp_p;RADIUS_RU_PPP_PROFILE_LABEL,
slip_p;RADIUS_RU_SLIP_PROFILE_LABEL, login_p;RADIUS_RU_LOGIN_PROFILE_LABEL

# Mandatory RU profile attributes (you can edit the next line by ADDING
# attributes, but NEVER erase the attributes that are given by default)
RADIUS_RU_ADD.ppp_p=      
radiuspppprofile;RADIUS_RU_RADIUSPPPPROFILE_ATTR_LABEL;int,
radiusPppPasswd;RADIUS_RU_RADIUSPPPPASSWD_ATTR_LABEL;crypt
RADIUS_RU_ADD.slip_p=     
radiusSlipprofile;RADIUS_RU_RADIUSSLIPPROFILE_ATTR_LABEL;int,
radiusSlipPasswd;RADIUS_RU_RADIUSSLIPPASSWD_ATTR_LABEL;crypt
RADIUS_RU_ADD.login_p=    
radiusLoginprofile;RADIUS_RU_RADIUSLOGINPROFILE_ATTR_LABEL;int,
radiusLoginPasswd;RADIUS_RU_RADIUSLOGINPASSWD_ATTR_LABEL;crypt


# Profiles defined for Remote Access Servers (RAS)
#RADIUS_RAS_PROFILE= no defined profiles

# Mandatory RAS profile attributes
#RADIUS_RAS_ADD.??= no defined profiles

RADIUS General Parameters

The following general parameters are defined for RADIUS. The RADIUS_RU_OCLASS, RADIUS_RAS_OCLASS, RADIUS_RU_ROOT, RADIUS_RAS_ROOT and RADIUS_MAX_FAIL definitions can be automatically generated from the radius.mapping(4) file by the dejasync utility. See Appendix B, dejasync Command Reference, or the dejasync(1M) manpage for information.


RADIUS_RU_OCLASS

Specifies the object class associated with the RADIUS Remote User entry type. A single object class is required for each type. This definition is automatically generated if you use the dejasync utility. The default object class is remoteuser.


RADIUS_RAS_OCLASS

Specifies the object class associated with the RADIUS Remote Access Server entry type. A single object class is required for each type. This definition is automatically generated if you use the dejasync utility. The default object class is nas.


RADIUS_RU_ROOT

Specifies the DN of the root entry used for RADIUS Remote User searches. It is also the default parent entry displayed in the RADIUS Create panel. This definition is automatically generated if you use the dejasync utility. The default value is o=xyz_remote_users,c=us.


RADIUS_RAS_ROOT

Specifies the DN of the root entry used for RADIUS Remote Access Server searches. It is also the default parent entry displayed in the RADIUS Create panel. This definition is automatically generated if you use the dejasync utility. The default value is o=xyz_ras,c=us.


RADIUS_RU_NAMINGATTR

Specifies the naming attributes that are available in the RADIUS Create panel for Remote User entries. This is a comma delimited list. The default naming attributes are cn and uid.


RADIUS_RAS_NAMINGATTR

Specifies the naming attributes that are available in the RADIUS Create panel for Remote Access Server entries. This is a comma delimited list. The default naming attribute is cn.


RADIUS_MAX_FAIL

Specifies the failure threshold used by the RADIUS Remote User blocked accounts search. The blocked accounts search returns entries whose radiusAuthFailedAccess attribute has a value greater than or equal to RADIUS_MAX_FAIL. The default value is 4. This definition is automatically generated if you use the dejasync utility.


Example A-10 RADIUS General Parameters

# Add object classes (a single objectclass is accepted for every type)
RADIUS_RU_OCLASS=          remoteuser
RADIUS_RAS_OCLASS=         nas

# Radius COMMON to ADD and SEARCH Panels
# Root DN: a single RootDN is accepted for every type
RADIUS_RU_ROOT=            o=xyz_remote_users,c=us
RADIUS_RAS_ROOT=           o=xyz_ras,c=us

# Naming attributes: a comma (,) separated list is accepted for every type
RADIUS_RU_NAMINGATTR=      cn, uid
RADIUS_RAS_NAMINGATTR=     cn
RADIUS_MAX_FAIL=           4
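
As an added example (not Deja's code), the following Python shows how the Create panel parameters fit together for a new Remote User entry: RADIUS_RU_ROOT and a naming attribute from RADIUS_RU_NAMINGATTR form the DN, RADIUS_RU_OCLASS supplies the object class, and RADIUS_RU_ADD_COMMON plus RADIUS_RU_ADD.profile_name give the mandatory attributes, all of which must be supplied. Values are checked against their declared input type, and the naming value is escaped per RFC 4514 so that it cannot add or alter DN components. The property values are a constructed subset of Examples A-8, A-9 and A-10; the guide does not say how crypt-typed values are stored, so this example passes them through unchanged, and the function names are its own.

```python
"""Assemble the entry the RADIUS Create panel would submit for a Remote User.

Added example, not Deja's code. The guide does not describe how 'crypt'
values are stored, so they are passed through unchanged here.
"""
import ipaddress
import re

INPUT_TYPES = ("int", "string", "crypt", "ipaddr")

# Constructed: the relevant definitions from Examples A-8, A-9 and A-10,
# already split into key and value (one definition per line in the file).
PROPS = {
    "RADIUS_RU_OCLASS": "remoteuser",
    "RADIUS_RU_ROOT": "o=xyz_remote_users,c=us",
    "RADIUS_RU_NAMINGATTR": "cn, uid",
    "RADIUS_RU_PROFILE": "ppp_p;RADIUS_RU_PPP_PROFILE_LABEL, slip_p;RADIUS_RU_SLIP_PROFILE_LABEL",
    "RADIUS_RU_ADD_COMMON": ("uid;RADIUS_RU_UID_ATTR_LABEL, "
                             "framedIPAddress;RADIUS_RU_FRAMEDIPADDRESS_LABEL;ipaddr, "
                             "userPassword;RADIUS_RU_USERPASSWORD_LABEL;crypt"),
    "RADIUS_RU_ADD.ppp_p": ("radiuspppprofile;RADIUS_RU_RADIUSPPPPROFILE_ATTR_LABEL;int, "
                            "radiusPppPasswd;RADIUS_RU_RADIUSPPPPASSWD_ATTR_LABEL;crypt"),
    "RADIUS_RU_ADD.slip_p": ("radiusSlipprofile;RADIUS_RU_RADIUSSLIPPROFILE_ATTR_LABEL;int, "
                             "radiusSlipPasswd;RADIUS_RU_RADIUSSLIPPASSWD_ATTR_LABEL;crypt"),
}


def parse_attr_defs(value):
    """'attr;label[;input_type], ...' -> [(attr, label, input_type)]."""
    defs = []
    for item in value.split(","):
        if not item.strip():
            continue
        parts = [p.strip() for p in item.split(";")]
        input_type = parts[2] if len(parts) > 2 else "string"  # default per the guide
        if input_type not in INPUT_TYPES:
            raise ValueError(f"unknown input type {input_type!r} for {parts[0]}")
        defs.append((parts[0], parts[1], input_type))
    return defs


def validate_value(value, input_type):
    """Enforce the declared input type before the value reaches the directory."""
    if input_type == "int" and not re.fullmatch(r"-?\d+", value):
        raise ValueError(f"not an integer: {value!r}")
    if input_type == "ipaddr":
        ipaddress.ip_address(value)  # ValueError if not a valid address
    return value


def escape_rdn_value(value):
    """RFC 4514 escaping so a naming value cannot add or alter DN components."""
    out = []
    for i, c in enumerate(value):
        special = (c in ',+"\\<>;' or (c == "#" and i == 0)
                   or (c == " " and i in (0, len(value) - 1)))
        out.append("\\" + c if special else c)
    return "".join(out)


def build_entry(props, profile, naming_attr, values):
    """Return (dn, [(attribute, value), ...]) for a new Remote User entry."""
    profiles = [p.strip().split(";")[0] for p in props["RADIUS_RU_PROFILE"].split(",")]
    if profile not in profiles:
        raise ValueError(f"unknown profile {profile!r}")
    if naming_attr not in [a.strip() for a in props["RADIUS_RU_NAMINGATTR"].split(",")]:
        raise ValueError(f"{naming_attr!r} is not a permitted naming attribute")
    # Common attributes plus the profile's own: the guide calls these mandatory.
    defs = (parse_attr_defs(props["RADIUS_RU_ADD_COMMON"])
            + parse_attr_defs(props["RADIUS_RU_ADD." + profile]))
    required = [attr for attr, _, _ in defs]
    if naming_attr not in required:
        required.append(naming_attr)  # the RDN attribute must be in the entry too
    missing = [attr for attr in required if attr not in values]
    if missing:
        raise ValueError(f"missing mandatory attributes: {missing}")
    attrs = [("objectclass", props["RADIUS_RU_OCLASS"])]
    attrs += [(attr, validate_value(values[attr], itype)) for attr, _, itype in defs]
    if naming_attr not in [attr for attr, _, _ in defs]:
        attrs.append((naming_attr, values[naming_attr]))
    dn = f"{naming_attr}={escape_rdn_value(values[naming_attr])},{props['RADIUS_RU_ROOT']}"
    return dn, attrs


def to_ldif(dn, attrs):
    """Plain LDIF for the entry; it carries the crypt-typed secrets, so never log it."""
    return "\n".join([f"dn: {dn}"] + [f"{a}: {v}" for a, v in attrs]) + "\n"


if __name__ == "__main__":
    user = {"uid": "jdoe", "framedIPAddress": "192.0.2.77", "userPassword": "s3cret",
            "radiuspppprofile": "1", "radiusPppPasswd": "pppsecret"}
    print(to_ldif(*build_entry(PROPS, "ppp_p", "uid", user)))
    print(build_entry(PROPS, "ppp_p", "cn", dict(user, cn="Doe, Jane"))[0])
```

The second call in the main block shows the RDN escaping: a cn of "Doe, Jane" becomes cn=Doe\, Jane,o=xyz_remote_users,c=us rather than a DN with an extra component. Removing an attribute from RADIUS_RU_ADD.ppp_p in PROPS would let build_entry accept an entry without it, which is the situation the guide's "NEVER erase" comment warns against.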