#ident "@(#)radius.mapping 1.34 10/05/99 SMI" # # # Copyright 10/05/99 Sun Microsystems, Inc. All Rights Reserved # # # Exercise great caution if you edit this file. It is recommended that # you make the changes you require through the Admin Console. Do not # delete attribute mappings. Comment out a mapping if you do not need # it. If you add a mapping build definition, make sure you include it # in both the Import and the Export section of the table, with the tag # and attribute names spelled identically in both. # # This is the RADIUS mapping file. # Front-End:RADIUS.2 Common: # FE_BlockingMode determines the number of allowed failures # for a user logging in to a NAS. Once this number has been # exceeded, the user will be silently ignored. # 0 turns off this feature. Max_allowed_failures=4 # FE_DynamicData is..... Dynamic=off # This is the maximum number of threads the radius daemon # will create. Max_threads=103 # This is the authentication port number. Authentication_Port=1645 #Authentication_Port=1812 # This is the accounting port number. Accounting_Port=1646 #Accounting_Port=1813 # This is the accounting directory. Acounting_dir=/var/opt/SUNWconn/ldap/radacct # This is the length of time a client may wait # for a reply from the radius daemon. Max_wait_b4_reject=58 # This is the LDAP timeout parameter for ldap_search # operations in the server. Must be less than (not equal to) # the Max_wait_b4_reject timer. Time_limit=50 Table:USERS Common: # This is the base DN used by the radius daemon when # looking for users in the LDAP database. BaseDN =o=xyz.com Dynamic: # All whitespace is important after the = and => symbols. # # This line allows the server to set $uid based on the value # of the UserID tag. All identifiers on the left of the => symbol # are tags through which the server sends data into the mapping. These # lines can be used to break input into variables. $UserID # could have been used directly as a variable without this line # and the next one. UserID=>$uid # This next line allows the server to retrieve the UserID tag.
# $UserID is also a variable which can now be used in the mapping # as well as $uid. UserID is an identifier which the server uses # to extract information from the mapping. UserID=$uid # If neither of these two previous lines was given, the server # would have used the UserID it received in the request and # the FILTER would need to have used $UserID as a variable # instead of $uid below. # FILTER=(&(Objectclass=remoteUser)(uid=$UserID)) # The BaseDN is taken from the Common section above unless it's # specified here dynamically. It is also an identifier which # the server uses to extract information from the mapping. # This is an example of how you would build the BaseDN and # $uid dynamically. The first line breaks $UserID apart. # The second line builds $BaseDN. Also notice that $UserID # above (UserID=$uid) is rebuilt from the $uid created here. # || is used to denote an alternative. In the first line, # alternatives are used if the pattern fails. In the second # line, the alternative is used if not all of the variables it # references (in this case $l) are set. # UserID=>$uid/$l||$uid # BaseDN=l=$l,o=sun.com||l=grenoble,o=sun.com # # The filters are also identifiers which the server uses # to extract information from the mapping. They take # $UserID or $dyn_Addr as input, depending on the filter. # # DYNAMIC_USER_FILTER is a filter which you can use with the # variable $UserID to match entries for this user in a start and # stop accounting request to add or remove dynamic data to/from # the user's entry. If there is no DYNAMIC_USER_FILTER in the # radius.mapping file, FILTER will be used instead. # # DYNAMIC_IPADDR_FILTER is a filter which you can use with the # variable $dyn_Addr to match entries for this user during # accounting start and stop requests to remove dynamic data from the # entry. If there is no DYNAMIC_IPADDR_FILTER in the # radius.mapping file, DYNAMIC_FILTER will be used instead.
# In both start and stop accounting requests, the server first # attempts to locate the entry with the DYNAMIC filters and, failing # that, with just FILTER. You may need the 2 new filters # when FILTER matches on dynamic data which changes (such as # the dynamicSessionCounter) and so no longer matches the entry. In # cases like this, the dynamic data cannot be removed without the # second filter. # Thus, it's possible to create a filter which allows a user to # connect only n times simultaneously. For example, to allow a # user to connect only 1 time: # # FILTER=(&(Objectclass=remoteUser)(uid=$UserID)(|(dynamicSessionCounter<=0)(!(dynamicSessionCounter=*)))) # To allow n>1 simultaneous sessions, change "<=0" to "<=n-1", # where n is the number of simultaneous sessions you want to allow. FILTER=(&(Objectclass=remoteUser)(uid=$uid)) DYNAMIC_USER_FILTER=(&(Objectclass=remoteUser)(UID=$uid)) DYNAMIC_FILTER=(&(Objectclass=remoteUser)(dynamicIPAddress=$dyn_Addr)) # Set the list of hidden attributes for anonymous users (does not # work with Netscape server 4.1, only works with servers which # support ldap_compare such as SunDS 3.1.)
# HiddenAttributes = userPassword,chapPassword,radiusLoginPasswd,radiusPppPasswD,radiusSlipPasswd Export: build: User-Name =$uid Crypt-Password =$userPassword CHAP-Password =$chapPassword NAS-Port =$authHostPortNumber NAS-Identifier =$authNASidentifier NAS-IP-Address =$ipHostNumber Service-Type =$authServiceProtocol Framed-Protocol =$framedProtocol Framed-IP-Address =$framedIPAddress Framed-IP-Netmask =$ipNetmaskNumber Framed-Routing =$framedRouting Filter-Id =$authFilterId Framed-MTU =$framedMTU Framed-Compression =$framedCompression Login-IP-Host =$ipLoginHost Login-Service =$authLoginService Login-TCP-Port =$ipLoginPort Reply-Message =$authReplyMessage Callback-Number =$userCallbackNumber Callback-Id =$userCallbackId Framed-Route =$framedRoute Framed-IPX-Network =$ipxNetworkNumber State =$authState Session-Timeout =$sessionTimeoutNumber Idle-Timeout =$idleTimeoutNumber Termination-Action =$authTerminationAction Called-Station-Id =$authCalledStationId Calling-Station-Id =$authCallingStationId Acct-Status-Type =$acctStatusType Acct-Delay-Time =$acctDelayTime Acct-Input-Octets =$acctInputOctet Acct-Input-Packets =$acctInputPacket Acct-Output-Octets =$acctOutputOctet Acct-Output-Packets =$acctOutputPacket Acct-Session-Id =$acctSessionId Acct-Authentic =$acctAuthentic Acct-Session-Time =$acctSessionTime Acct-Terminate-Cause =$acctTerminateCause NAS-Port-Type =$authHostPortType Port-Limit =$authPortLimit # # Non-Protocol Attributes # These attributes are used internally by the server # Expiration =$expirationDate Auth-Type =$authType Menu =$authStartMenuId Termination-Menu =$authStopMenuId Prefix =$authPrefixName Suffix =$authSuffixName user-check =$grpCheckInfo user-reply =$grpReplyInfo # # SUN-DS new attributes for LDAP integration # Login-Profile =$radiusLoginProfile PPP-Profile =$radiusPppProfile SLIP-Profile =$radiusSlipProfile Login-Passwd =$radiusLoginPasswd PPP-Passwd =$radiusPppPasswd SLIP-Passwd =$radiusSlipPasswd Login-Expiration =$radiusLoginExpiration 
PPP-Expiration =$radiusPppExpiration SLIP-Expiration =$radiusSlipExpiration Auth-Failed-Access =$radiusAuthFailedAccess Dynamic-Session-Counter =$dynamicSessionCounter Dynamic-SessionId =$dynamicSessionId Dynamic-IPAddress =$dynamicIPAddress Dynamic-IPAddr-Binding =$dynamicIPaddrBinding PAM-Service-Name =$pamServiceName Import: build: uid =$User-Name userPassword =$Crypt-Password chapPassword =$CHAP-Password authHostPortNumber =$NAS-Port authNASidentifier =$NAS-Identifier ipHostNumber =$NAS-IP-Address authServiceProtocol =$Service-Type framedProtocol =$Framed-Protocol framedIPAddress =$Framed-IP-Address ipNetmaskNumber =$Framed-IP-Netmask framedRouting =$Framed-Routing authFilterId =$Filter-Id framedMTU =$Framed-MTU framedCompression =$Framed-Compression ipLoginHost =$Login-IP-Host authLoginService =$Login-Service ipLoginPort =$Login-TCP-Port authReplyMessage =$Reply-Message userCallbackNumber =$Callback-Number userCallbackId =$Callback-Id framedRoute =$Framed-Route ipxNetworkNumber =$Framed-IPX-Network authState =$State sessionTimeoutNumber =$Session-Timeout idleTimeoutNumber =$Idle-Timeout authTerminationAction =$Termination-Action authCalledStationId =$Called-Station-Id authCallingStationId =$Calling-Station-Id acctStatusType =$Acct-Status-Type acctDelayTime =$Acct-Delay-Time acctInputOctet =$Acct-Input-Octets acctInputPacket =$Acct-Input-Packets acctOutputOctet =$Acct-Output-Octets acctOutputPacket =$Acct-Output-Packets acctSessionId =$Acct-Session-Id acctAuthentic =$Acct-Authentic acctSessionTime =$Acct-Session-Time acctTerminateCause =$Acct-Terminate-Cause authHostPortType =$NAS-Port-Type authPortLimit =$Port-Limit # # Non-Protocol Attributes # These attributes are used internally by the server # expirationDate =$Expiration authType =$Auth-Type authStartMenuId =$Menu authStopMenuId =$Termination-Menu authPrefixName =$Prefix authSuffixName =$Suffix grpCheckInfo =$user-check grpReplyInfo =$user-reply # # SUN-DS new attributes for LDAP integration # 
radiusLoginProfile =$Login-Profile radiusPppProfile =$PPP-Profile radiusSlipProfile =$SLIP-Profile radiusLoginPasswd =$Login-Passwd radiusPppPasswd =$PPP-Passwd radiusSlipPasswd =$SLIP-Passwd radiusLoginExpiration =$Login-Expiration radiusPppExpiration =$PPP-Expiration radiusSlipExpiration =$SLIP-Expiration radiusAuthFailedAccess =$Auth-Failed-Access dynamicSessionCounter =$Dynamic-Session-Counter dynamicSessionId =$Dynamic-SessionId dynamicIPAddress =$Dynamic-IPAddress dynamicIPaddrBinding =$Dynamic-IPAddr-Binding pamServiceName =$PAM-Service-Name Table:RAS Common: # This is the base DN used by the radius daemon when # looking for a NAS in the ldap database. BaseDN =o=xyz.com Dynamic: FILTER=(&(Objectclass=nas)(iphostnumber=$ip_NAS_Addr)) Export: build: Dictionary-File =$dictionaryFile AcctAttr-File =$acctattrFile MD5Secret =$sharedKeY NAS-IP-Address =$ipHostNumber Import: build: dictionaryFile =$Dictionary-File acctattrFile =$AcctAttr-File sharedKeY =$MD5Secret ipHostNumber =$NAS-IP-Address Table:PEER Common: # This is the base DN used by the radius daemon when # looking for a proxy NAS in the ldap database. BaseDN =o=xyz.com Dynamic: FILTER=(&(Objectclass=radiusServer)(iphostnumber=$ip_PEER_Addr)) Export: build: Dictionary-File =$dictionaryFile AcctAttr-File =$acctattrFile MD5Secret =$sharedKeY Proxy-IP-Address =$ipHostNumber Proxy-Auth-Port =$authHostPortNumber Proxy-Acct-port =$acctHostPortNumber Proxy-Realm =$radiusServerRealm Proxy-Flags =$radiusServerFlags Import: build: dictionaryFile =$Dictionary-File acctattrFile =$AcctAttr-File sharedKeY =$MD5Secret ipHostNumber =$Proxy-IP-Address authHostPortNumber =$Proxy-Auth-Port acctHostPortNumber =$Proxy-Acct-Port radiusServerRealm =$Proxy-Realm radiusServerFlags =$Proxy-Flags # eof