In the exauth.properties file, set the type of the external authentication server to be used, the server identification name, and the machine information about the external authentication server.
- Common properties. See "Setup items in the exauth.properties file for RADIUS authentication (common items)".
- Properties for an external authentication server. Specify these property values for each RADIUS server. See "Setup items in the exauth.properties file for RADIUS authentication (settings for the external authentication server)".
- Properties for an external authorization server. These properties must be set when an external authorization server is also linked to. Specify information about the LDAP directory server for each domain. The setup items vary depending on whether the information about the LDAP directory server being connected to is specified directly or looked up by using the DNS server.
  - When directly specifying information about the LDAP directory server, see "Setup items in the exauth.properties file for RADIUS authentication (common settings for the external authorization server)", "Setup items in the exauth.properties file for RADIUS authentication (when directly specifying information about the external authorization server)", and "Setup items in the exauth.properties file for RADIUS authentication (when an external authorization server and StartTLS are used for communication)".
  - When using the DNS server to look up the information about the LDAP directory server, see "Setup items in the exauth.properties file for RADIUS authentication (common settings for the external authorization server)" and "Setup items in the exauth.properties file for RADIUS authentication (when using the DNS server to look up information about the external authorization server)".

Note:
- Property names and values are case-sensitive. Write them exactly as shown in the tables that follow (for example, radius, true, PAP, CHAP, ldap, tls).
- To use StartTLS for communication between the management server and the LDAP directory server, you must directly specify the LDAP directory server to connect to in the exauth.properties file. The DNS lookup (dns_lookup=true) cannot be combined with StartTLS.
- If you use the DNS server to look up the LDAP directory server to connect to, users might take longer to log in.
Setup items in the exauth.properties file for RADIUS authentication (common items)

| Property name | Details |
|---|---|
| auth.server.type | Type of the external authentication server. Specify radius. Default value: internal (used when not linking to an external authentication server). |
| auth.server.name | Server identification names of the RADIUS servers. Any name can be used; it identifies which RADIUS server the connection settings such as the port number and the protocol (see "Setup items in the exauth.properties file for RADIUS authentication (settings for the external authentication server)") apply to. The initial value is ServerName. You must specify at least one name. For a redundant configuration, separate the server identification names with commas (,). Do not register the same server identification name more than once. Specifiable values: no more than 64 bytes consisting of the characters A to Z, a to z, 0 to 9, ! # ( ) + - . = @ [ ] ^ _ { } ~. Default value: none. |
| auth.group.mapping | Whether to also link to an external authorization server. Specify true to link to an external authorization server, or false not to link to one. Default value: false. |
Setup items in the exauth.properties file for RADIUS authentication (settings for the external authentication server)

| Attribute | Details |
|---|---|
| protocol | Protocol used for RADIUS authentication. This attribute is required. Specifiable values: PAP or CHAP. Default value: none. |
| host | Host name or IP address of the RADIUS server. If you specify a host name, make sure beforehand that it can be resolved to an IP address. Either an IPv4 or an IPv6 address can be used; enclose an IPv6 address in square brackets ([]). This attribute is required. Default value: none. |
| port | Port number used for RADIUS authentication. Make sure beforehand that the RADIUS server listens on the port you specify. Specifiable values: 1 to 65535. Default value: 1812. |
| timeout | Time to wait before a connection attempt to the RADIUS server times out. Specifiable values: 1 to 65535 (seconds). Default value: 1. |
| retry.times | Number of times to retry connecting to the RADIUS server. If you specify 0, no retries occur. Specifiable values: 0 to 50. Default value: 3. |
| attr.NAS-Identifier | Host name of the Ops Center Automator management server. The RADIUS server uses this attribute value to identify the management server. The initial value is the host name of the management server. Specifiable values: no more than 253 bytes consisting of the characters A to Z, a to z, 0 to 9, ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { \| } ~. Default value: none. |
| attr.NAS-IP-Address | IPv4 address of the Ops Center Automator management server. The RADIUS server uses this attribute value to identify the management server. If the address format is not valid, this attribute is disabled. Default value: none. |
| attr.NAS-IPv6-Address | IPv6 address of the Ops Center Automator management server. The RADIUS server uses this attribute value to identify the management server. Enclose the IPv6 address in square brackets ([]). If the address format is not valid, this attribute is disabled. Default value: none. |

Note: Specify each attribute as auth.radius.server-identification-name.attribute=value, where server-identification-name is one of the names set in auth.server.name. Set the attributes for every RADIUS server listed there.
Setup items in the exauth.properties file for RADIUS authentication (common settings for the external authorization server)

| Attribute | Details |
|---|---|
| domain.name | Name of a domain managed by the LDAP directory server. This attribute is required when an external authorization server is also linked to. Default value: none. |
| dns_lookup | Whether to use the DNS server to look up the information about the LDAP directory server. Specify false to specify the LDAP directory server information directly in the exauth.properties file, or true to look it up by using the DNS server. However, if the connection attributes for the domain (auth.group.domain-name.host and auth.group.domain-name.port) are already set, the LDAP directory server is connected to by using those user-specified values instead of the DNS lookup. Default value: false. |

Note: Specify each attribute as auth.radius.server-identification-name.attribute=value, where server-identification-name is one of the names set in auth.server.name.
Setup items in the exauth.properties file for RADIUS authentication (when directly specifying information about the external authorization server)

| Attribute | Details |
|---|---|
| protocol | Protocol for connecting to the LDAP directory server. Specify ldap for plain-text communication or tls for StartTLS. Before specifying tls, make sure that the LDAP directory server can use an encryption method supported for StartTLS; TLS 1.2 and TLS 1.3 are supported. Specifiable values: ldap or tls. Default value: ldap. Note: when StartTLS is used for connecting to the LDAP directory server, you must also specify the security settings of Common Component. |
| host | Host name or IP address of the LDAP directory server, required only if the external authentication server and the external authorization server run on different computers. If you specify a host name, make sure beforehand that it can be resolved to an IP address. Either an IPv4 or an IPv6 address can be used; enclose an IPv6 address in square brackets ([]). If you omit this attribute, the external authentication server and the external authorization server are assumed to run on the same computer. Default value: none. Note: when the two servers run on different computers and StartTLS is used, specify in host the same host name as the CN in the LDAP directory server certificate; an IP address cannot be used. |
| port | Port number of the LDAP directory server. Make sure beforehand that the LDAP directory server listens on the port you specify. Specifiable values: 1 to 65535. Default value: 389. |
| basedn | BaseDN, the DN of the entry used as the start point when searching for user information on the LDAP directory server. User entries located below this DN are verified during authorization, so specify the DN of a hierarchy that includes all of the user entries to be searched. Write the DN according to the rules in RFC 4514: characters such as a space, " # + ; , < = > and \ must be escaped with a backslash (\). Escape every such character correctly, because the value is passed to the LDAP directory server unchanged. If you omit this attribute, the value of the defaultNamingContext property of Active Directory is assumed as the BaseDN. Default value: none. |
| timeout | Time to wait before a connection attempt to the LDAP directory server times out. If you specify 0, the system waits without timing out until a communication error occurs. Specifiable values: 0 to 120 (seconds). Default value: 15. |
| retry.interval | Interval between attempts to connect to the LDAP directory server. Specifiable values: 1 to 60 (seconds). Default value: 1. |
| retry.times | Number of times to retry connecting to the LDAP directory server. If you specify 0, no retries occur. Specifiable values: 0 to 50. Default value: 20. |

Note: Specify each attribute as auth.group.domain-name.attribute=value, where domain-name is the value set in auth.radius.server-identification-name.domain.name.
Setup items in the exauth.properties file for RADIUS authentication (when an external authorization server and StartTLS are used for communication)

| Property | Details |
|---|---|
| auth.ocsp.enable | Whether to verify the validity of the LDAP directory server's certificate by using an OCSP responder when StartTLS is used for communication with the LDAP directory server. Specify true to verify certificates, or false not to verify them. Default value: false. |
| auth.ocsp.responderURL | URL of an OCSP responder to use instead of the one written in the AIA (Authority Information Access) field of the certificate. If this value is omitted, the OCSP responder written in the AIA field is used. Default value: none. |

Setup items in the exauth.properties file for RADIUS authentication (when using the DNS server to look up information about the external authorization server)

| Attribute | Details |
|---|---|
| protocol | Protocol for connecting to the LDAP directory server. Only plain-text LDAP is available with the DNS lookup. Specifiable values: ldap. Default value: ldap. |
| port | Port number of the LDAP directory server. Make sure beforehand that the LDAP directory server listens on the port you specify. Specifiable values: 1 to 65535. Default value: 389. |
| basedn | BaseDN, the DN of the entry used as the start point when searching for user information on the LDAP directory server. User entries located below this DN are verified during authorization, so specify the DN of a hierarchy that includes all of the user entries to be searched. Write the DN according to the rules in RFC 4514: characters such as a space, " # + ; , < = > and \ must be escaped with a backslash (\). Escape every such character correctly, because the value is passed to the LDAP directory server unchanged. If you omit this attribute, the value of the defaultNamingContext property of Active Directory is assumed as the BaseDN. Default value: none. |
| timeout | Time to wait before a connection attempt to the LDAP directory server times out. If you specify 0, the system waits without timing out until a communication error occurs. Specifiable values: 0 to 120 (seconds). Default value: 15. |
| retry.interval | Interval between attempts to connect to the LDAP directory server. Specifiable values: 1 to 60 (seconds). Default value: 1. |
| retry.times | Number of times to retry connecting to the LDAP directory server. If you specify 0, no retries occur. Specifiable values: 0 to 50. Default value: 20. |

Note: Specify each attribute as auth.group.domain-name.attribute=value, where domain-name is the value set in auth.radius.server-identification-name.domain.name.
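The property syntax and the value constraints described in the tables above (server identification name character set and length, PAP/CHAP, port and timeout ranges, StartTLS only with direct specification, a certificate CN host name rather than an IP address when protocol=tls) can be checked before the services are restarted. The following script is an added example and is not part of this manual or of Hitachi's software: it parses a constructed exauth.properties for a redundant RADIUS pair with group mapping over StartTLS and reports violations of the rules stated in this section. The host names, addresses, the example.com domain and the server identification names in the sample are assumptions.

```python
# Added example, not Hitachi's code: consistency checks for an exauth.properties
# RADIUS configuration. The rules are those stated in this section's tables.
import ipaddress
import re

# Constructed sample (all names and addresses are assumed): redundant RADIUS
# pair, group mapping through an LDAP directory server over StartTLS, OCSP on.
SAMPLE = """\
auth.server.type=radius
auth.server.name=ServerName,ServerName2
auth.group.mapping=true
auth.radius.ServerName.protocol=CHAP
auth.radius.ServerName.host=radius1.example.com
auth.radius.ServerName.port=1812
auth.radius.ServerName.attr.NAS-Identifier=automator.example.com
auth.radius.ServerName.domain.name=example.com
auth.radius.ServerName.dns_lookup=false
auth.radius.ServerName2.protocol=CHAP
auth.radius.ServerName2.host=[2001:db8::10]
auth.radius.ServerName2.domain.name=example.com
auth.group.example.com.protocol=tls
auth.group.example.com.host=ldap1.example.com
auth.group.example.com.port=389
auth.group.example.com.basedn=DC=example,DC=com
auth.ocsp.enable=true
"""
NAME_CHARS = re.compile(r"^[A-Za-z0-9!#()+\-.=@\[\]^_{}~]+$")  # auth.server.name set


def parse_properties(text):
    """Minimal key=value parser; keys and values stay case-sensitive."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def _check_int(findings, props, key, lo, hi):
    value = props.get(key)
    if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
        findings.append(f"{key}={value}: must be an integer from {lo} to {hi}")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_exauth(text):
    """Return a list of findings; an empty list means the file is consistent."""
    p = parse_properties(text)
    f = []
    if p.get("auth.server.type") != "radius":
        f.append("auth.server.type must be radius")
    names = [n for n in p.get("auth.server.name", "").split(",") if n]
    if not names:
        f.append("auth.server.name must list at least one server identification name")
    if len(names) != len(set(names)):
        f.append("auth.server.name repeats a server identification name")
    mapping = p.get("auth.group.mapping", "false")
    if mapping not in ("true", "false"):
        f.append("auth.group.mapping must be true or false (case-sensitive)")
    domains = set()
    for name in names:
        pre = f"auth.radius.{name}."
        if len(name.encode()) > 64 or not NAME_CHARS.match(name):
            f.append(f"server identification name {name!r}: too long or disallowed character")
        if p.get(pre + "protocol") not in ("PAP", "CHAP"):
            f.append(f"{pre}protocol is required and must be PAP or CHAP")
        host = p.get(pre + "host")
        if not host:
            f.append(f"{pre}host is required")
        elif ":" in host and not (host.startswith("[") and host.endswith("]")):
            f.append(f"{pre}host: enclose an IPv6 address in []")
        _check_int(f, p, pre + "port", 1, 65535)
        _check_int(f, p, pre + "timeout", 1, 65535)
        _check_int(f, p, pre + "retry.times", 0, 50)
        domain = p.get(pre + "domain.name")
        if mapping == "true" and not domain:
            f.append(f"{pre}domain.name is required when auth.group.mapping=true")
        elif mapping == "true":
            domains.add((domain, p.get(pre + "dns_lookup", "false")))
    for domain, dns_lookup in sorted(domains):
        gpre = f"auth.group.{domain}."
        proto, host = p.get(gpre + "protocol", "ldap"), p.get(gpre + "host")
        if proto not in ("ldap", "tls"):
            f.append(f"{gpre}protocol must be ldap or tls")
        if proto == "tls" and dns_lookup == "true":
            f.append(f"StartTLS for {domain} requires dns_lookup=false (direct specification)")
        if proto == "tls" and host and _is_ip_literal(host):
            f.append(f"{gpre}host must be the certificate CN host name, not an IP address, with StartTLS")
        _check_int(f, p, gpre + "port", 1, 65535)
        _check_int(f, p, gpre + "timeout", 0, 120)
        _check_int(f, p, gpre + "retry.interval", 1, 60)
        _check_int(f, p, gpre + "retry.times", 0, 50)
    if p.get("auth.ocsp.enable", "false") not in ("true", "false"):
        f.append("auth.ocsp.enable must be true or false")
    return f
```

Run check_exauth on the contents of your own exauth.properties; the sample passes with no findings, while changing ServerName's dns_lookup to true (StartTLS with DNS lookup), writing chap in lowercase, or putting an IP address in auth.group.example.com.host each produces a finding. The parser deliberately keeps the case of keys and values, because the properties are case-sensitive.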