Sometimes Roxen Challenger needs to access data about the users. The main reason for this is user authentication, but Roxen can also do other things with the data from the user database, for example, displaying them on a web page.

The LDAP User Database module enables Roxen Challenger to keep such user data in a LDAP directory. The data is stored in objects with the attributes (as defined in RFC2307) uid, userpassword, uidnumber, gidnumber, gecos, homedirectory and loginshell. These columns correspond to the fields in a UNIX password file, and are the fields that Challenger Authentication modules use. The directory object must contain the uid and userpassword attributes, whereas theother attributes can be replaced by default values. It is also possible to add extra columns when needed.

Access mode

This switch sets the authentification mode of the module. The mode can be user or guest.

With mode is changing several variables will be folded/unfolded.

guest

This mode is used for first-time users of LDAP based authentication. The connection to the LDAP server is done by user definitions in the configuration interface within the LDAP server sub menu.

This mode is not recommended for real using! The user defined for connection to the LDAP server must to have read permission to the whole subtree. This is, of course a security risk.

After connection the LDAP server an object corresponding to the search filter (see bellow) is searched and if user is founded his attribute userpassword is checked.

user

The connection to the LDAP server is done as real user his DN is constructed by the following formula:

[LDAP server->bind template] + [LDAP server->Base name]
for example (bind template='uid=%u%' and base name='o=UniBASE Ltd.,c=CZ'):
if user='hop' than
DN='uid=hop,o=UniBASE Ltd.,c=CZ'

If the connection is successful, then if is required existence of some attribute and/or her value, this is checked.

If some attributes aren't retrieved then is used defaults one.

Access type

The type of LDAP operation used for checking password (Guest mode only) and required attribute (User mode only.

Only 'search' type is implemented.

Cache entries

This flag defines whether the module will cache the user entries or not. Makes accesses faster, but changes in the directory will not show immediately.

Close the directory if not used

Guest mode only

Setting this will save resources when the module is not used.

Defaults...

Gecos

Default gecos.

Gecos map

The name of LDAP attribute mapped to gecos field.

Group ID

Default in case there is no Group ID attribute.

Group ID map

The name of LDAP attribute mapped to Group ID field.

Home Directory

Default in case there is no Home Directory attribute.

Home Directory map

The name of LDAP attribute mapped to Home Directory field.

Login Shell

Default in case there is no Login Shell attribute.

Login Shell map

The name of LDAP attribute mapped to Login Shell field.

User ID

Default in case there is no User ID attribute.

User ID map

The name of LDAP attribute mapped to User ID field.

Username add

Setting this will add user name to path to default directory. Mostly used in environment where all home directories have the same parent directory.

Search template ID

The template used by LDAP search operation as filter for retrieving user object. %u% will be replaced by user name.

Directory connection close timer

Guest mode only

How many seconds of inactivity it should take before the directory connection is closed.

LDAP query depth

Guest mode only

Scope used by LDAP search.

LDAP server...

Base name

The distinguished name to use as a base for queries. The value is also used for user DN creating (User mode only).

Typically, this would be an 'o' or 'ou' entry local to the DSA which contains the user entries.

Bind template

User mode only

The template for creating user DN. The Base name will be added as suffix.

Directory search username

Guest mode only

This user name will be used to authenticate when connecting to the LDAP server.

Directory user's password

Guest mode only

The password used to authenticate connection to directory.

Location

Name of host running the LDAP server with the authentication information.

Required attribute

User mode only

The attribute name which must be present for successfully authentication. Can be empty.

Required value

User mode only

The value of required attribute which must be present for successfully authentication. Can be empty.