Section 3.65. <AuthBy LDAPDIGIPASS>

3.65. <AuthBy LDAPDIGIPASS>

This module provides authentication of Vasco Digipass tokens from an LDAP database. For more information, see Vasco website

. For more information about details about Digipass tokens, how to obtain and operate them, see Section 3.64. <AuthBy SQLDIGIPASS>.

<AuthBy LDAPDIGIPASS> requires an additional Authen-Digipass module to be installed. The Authen-Digipass Perl module provides access to the Vasco Controller software that does the authentication of each token. Radiator includes pre-compiled binaries of the Authen-Digipass module for Solaris, Linux, and Windows. The Authen-Digipass module also includes the digipass.pl command line application for administering Digipass tokens in SQL and LDAP databases. See goodies/digipassinstall.txt in your distribution for details on how to install and test Authen-Digipass for your platform.

<AuthBy LDAPDIGIPASS> can be used to authenticate the following protocols:

PAP
CHAP
MSCHAP
MSCHAPV2
EAP-MSCHAPV2
EAP-OTP
EAP-GTC

<AuthBy LDAPDIGIPASS> can be configured to work in different LDAP environments and schemas. The example file goodies/radiator-ldap.schema has a sample LDAP schema to hold Digipass token data. This schema is suitable for OpenLDAP and other compatible LDAP servers. See the notes in the top of that file for details on how to install the schema in your LDAP server, so that you can use it to store Digipass token data. You can use digipass.pl program included in the Authen-Digipass module to import token data into this example schema, and to assign them to users, reset tokens, get detailed token information, and so on. By default, <AuthBy LDAPDIGIPASS> works with this sample schema on a local LDAP database, but you can use the <AuthBy LDAPDIGIPASS> parameters to configure it to work with other schemas and databases. There is also a sample Radiator configuration file in goodies/digipass_ldap.cfg.

This clause supports all the common LDAP configuration parameters. For more information about the LDAP configuration parameters, see Section 3.9. LDAP configuration.

<AuthBy LDAPDIGIPASS> understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

3.65.1. SearchFilter

This is the LDAP filter to use when searching for the user. It is used in similar way as with all LDAP modules. For more information, see Section 3.9.2. SearchFilter.

This optional parameter specifies the LDAP search filter that is used to find the Digipass token record for the user attempting to log in. Special characters can be used. %0 is replaced by UsernameAttr and %1 by the user name, whose token is searched. The default value is (%0=%1).

3.65.5. BaseDN

This is the base DN where searches will be made. For each authentication request, Radiator does a SUBTREE search starting at BaseDN, looking for a UsernameAttr that exactly matches the user name in the radius request (possibly after user name rewriting).

Special formatting characters are permitted. %0 is replaced by UsernameAttr and %1 by the user name, whose token is searched.

Here is an example of using BaseDN with

<AuthBy
                     LDAPDIGIPASS>

# Start looking here
BaseDN o=University of Michigan, c=US

Note

On some LDAP servers, you can get a significant performance increase by narrowing the search to the exact uid you are interested in. This example restricts the search to uid=username,ou=foo,o=bar,c=au:

BaseDN      %0=%1,ou=foo,o=bar,c=au
Scope       base

3.65. <AuthBy LDAPDIGIPASS>

3.65.1. SearchFilter

3.65.2. UsernameAttr

3.65.3. TokenDataAttr

3.65.4. MaxRecords

3.65.5. BaseDN

Note

3.65.6. Vasco Controller Library parameters