This module provides authentication of Vasco Digipass tokens from an LDAP database. For more information, see Vasco website Opens in new window. For more information about details about Digipass tokens, how to obtain and operate them, see Section 3.64. <AuthBy SQLDIGIPASS>.
<AuthBy LDAPDIGIPASS> requires an additional Authen-Digipass module to be installed. The Authen-Digipass Perl module provides access to the Vasco Controller software that does the authentication of each token. Radiator includes pre-compiled binaries of the Authen-Digipass module for Solaris, Linux, and Windows. The Authen-Digipass module also includes the digipass.pl command line application for administering Digipass tokens in SQL and LDAP databases. See goodies/digipassinstall.txt in your distribution for details on how to install and test Authen-Digipass for your platform.
<AuthBy LDAPDIGIPASS> can be used to authenticate the following protocols:
<AuthBy LDAPDIGIPASS> can be configured to work in different LDAP environments and schemas. The example file goodies/radiator-ldap.schema has a sample LDAP schema to hold Digipass token data. This schema is suitable for OpenLDAP and other compatible LDAP servers. See the notes in the top of that file for details on how to install the schema in your LDAP server, so that you can use it to store Digipass token data. You can use digipass.pl program included in the Authen-Digipass module to import token data into this example schema, and to assign them to users, reset tokens, get detailed token information, and so on. By default, <AuthBy LDAPDIGIPASS> works with this sample schema on a local LDAP database, but you can use the <AuthBy LDAPDIGIPASS> parameters to configure it to work with other schemas and databases. There is also a sample Radiator configuration file in goodies/digipass_ldap.cfg.
This clause supports all the common LDAP configuration parameters. For more information about the LDAP configuration parameters, see Section 3.9. LDAP configuration.
<AuthBy LDAPDIGIPASS> understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

3.65.1. SearchFilter

This is the LDAP filter to use when searching for the user. It is used in similar way as with all LDAP modules. For more information, see Section 3.9.2. SearchFilter.
This optional parameter specifies the LDAP search filter that is used to find the Digipass token record for the user attempting to log in. Special characters can be used. %0 is replaced by UsernameAttr and %1 by the user name, whose token is searched. The default value is (%0=%1).

3.65.2. UsernameAttr

This optional parameter gives the name of the LDAP attribute that contains the user name of the user assigned to that token. It is used as %0 in the SearchFilter. The default value is oscDigipassTokenAssignedTo.

3.65.3. TokenDataAttr

This parameter specifies the name of the LDAP attribute that contains the Digipass token data, which is used to authenticate Digipass token logins. Defaults to oscDigipassTokenData.

3.65.4. MaxRecords

This optional parameter specifies the maximum number of Digipass tokens returned by the SearchFilter that will be examined. Defaults to 1.

3.65.5. BaseDN

This is the base DN where searches will be made. For each authentication request, Radiator does a SUBTREE search starting at BaseDN, looking for a UsernameAttr that exactly matches the user name in the radius request (possibly after user name rewriting).
Special formatting characters are permitted. %0 is replaced by UsernameAttr and %1 by the user name, whose token is searched.
Here is an example of using BaseDN with <AuthBy LDAPDIGIPASS>:
# Start looking here
BaseDN o=University of Michigan, c=US
On some LDAP servers, you can get a significant performance increase by narrowing the search to the exact uid you are interested in. This example restricts the search to uid=username,ou=foo,o=bar,c=au:
BaseDN      %0=%1,ou=foo,o=bar,c=au
Scope       base

3.65.6. Vasco Controller Library parameters

These parameters can be used to control the behaviour of the Vasco Controller Library:
  • UpdateQuery
  • ITimeWindow
  • IThreshold
  • SyncWindow
  • CheckChallenge
  • ChkInactDays
  • DeriveVector
  • EventWindow
  • HSMSlotId
  • StorageKeyId
  • TransportKeyId
  • StorageDeriveKey1
  • StorageDeriveKey2
  • StorageDeriveKey3
  • StorageDeriveKey4
  • ChallengeMessage
For more information about these parameters, see Section 3.64. <AuthBy SQLDIGIPASS>.