Tripp Lite B097048 Owners Manual for B093- B097- and B098-Series Console Serve - Page 171

9. Authentication RADIUS The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol. The RADIUS server can support a variety of methods to authenticate a user. When provided with the username and original password by the user, it can support PPP, PAP or CHAP, UNIX login and other authentication mechanisms. Further information on configuring remote RADIUS servers can be found at the following websites: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d4fe8248-eecd-49e4-88f69e304f97fefc.mspx http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml http://www.freeradius.org/ 9.1.4 LDAP Authentication With firmware version 3.11 and later, LDAP authentication now supports OpenLDAP servers using the Posix style schema for user and group definitions. Performing simple authentication against any LDAP server (AD or OpenLDAP) is straightforward, as both follow common LDAP standards and protocols. More difficult is configuring how to obtain extra data about the users, such as groups they are in, etc. On a Tripp Lite device, it may be configured to analyze group information from an LDAP server for authentication and authorization. This group information is stored in a number of different ways. Active Directory has one method, and OpenLDAP has two other methods: • Active Directory: Each user entry will have multiple 'memberOf' attributes. Each 'memberOf' value is the full DN of the group they belong to. The entry for the user will be of objectClass "user". • OpenLDAP / Posix: Each entry for a user must have a 'gidNumber' attribute. This will be an integer value, which is the user's primary group (e.g., mapping to the /etc/passwd file with the group ID field). To determine which group this is, search for an entry in the directory that has that group ID, which will provide the group name. The users are of objectClass "posixAccount", and the groups are of objectClass "posixGroup". • OpenLDAP / Posix: Each group entry in the group tree (of objectClass 'posixGroup') may have multiple 'memberUid' attributes. These represent secondary groups (e.g,, mapping to the /etc/groups file). Each attribute contains a username. To accommodate all possibilities, the pam_ldap module has been modified to perform group searches for each of the three styles. This allows for a relatively 'generic' configuration and not be concerned with how the LDAP directory is set up. Only two parameters need to be configured based on what the user wishes to look up: these are the LDAP username and group membership attributes. To clarify to the user what parameters to use, the descriptions for these fields are updated to prompt the user for common or likely attributes. For example, two configuration fields have descriptions as follows: LDAP Username Attribute: Corresponds to the login name of the user (commonly 'sAMAccountName' for Active Directory, and 'uid' for OpenLDAP). LDAP Group Membership Attribute: Indicates group membership in a user record (commonly 'memberOf' for Active Directory, and unused for OpenLDAP). 171