Configuring LDAP Access to Directory Data
The SRC software stores subscriber, service, persistent login, policy, router, and cached subscriber profiles and session data in a directory. The SAE uses LDAP to store and retrieve the data. You can configure the LDAP connections to the directories in which this data is stored. You can also select the filter that the SAE uses to search for subscriptions in the directory and directory eventing parameters for data stored in the directory.
The tasks to configure LDAP access to directory data are:
- Configuring Access to Subscriber Data
- Configuring Access to Service Data
- Configuring Access to Policy Data
- Configuring Access to the Persistent Login Cache
- Configuring the Location of Router, Persistent Login, and Persistent Session Data
- Enabling Automatic Discovery of Changes in SAE Configuration Data
Configuring Access to Subscriber Data
To use SDX Configuration Editor to configure the LDAP connection from the SAE to the directory in which subscriber data is stored:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the LDAP tab, and expand the User Data section.
- Edit or accept the default values in the fields.
See User Data Fields.
- Select File > Save.
- Right-click the configuration file, select SDX System Configuration > Export to LDAP Directory.
User Data Fields
In SDX Configuration Editor, you can modify the following fields in the User Data section of the LDAP pane in an SAE configuration file.
Server Address
- Disables or enables and identifies the directory server that stores subscriber information.
- Value—IP address or hostname; use a space to separate addresses for multiple directory servers: 127.153.27.1 192.168.0.1
- Default—Disabled
- Property name—UserDataSource.repository.ldap.server.address
Search Base
- Subtree in the directory in which subscriber information is stored. When a subscriber logs in to a residential portal, the SAE searches subscriber profiles by mapping the realm of the login name to a retailer object found below the search base.
- Value—<DN>
You can use the special value <base> to refer to the globally configured base distinguished name (DN).
- Guidelines—Sensible values include o=Users, o=umc for multidomain support and retailerName=Retailer, o=Users, o=umc for single domain support.
- Default—o=Users, <base>
- Property name—UserDataSource.repository.ldap.server.base.dir
Authentication DN
- Disables or enables and sets the DN that the SAE uses to authenticate access to the directory server. The specified directory entry must exist and have read access to all attributes. The entry must have write access if subscribers are allowed to customize their subscription profiles.
- Value—<DN>
You can use the special value <base> to refer to the globally configured base DN.
- Default—Disabled, which means that the value configured for the directory is used
- Property name—UserDataSource.repository.ldap.server.authDN
Password
- Disables or enables and sets the password used to authenticate access to the directory server. You must configure the password in the directory to authenticate read access to the directory.
- Value—Text string or base64 string that matches the value of the userPassword attribute of the authentication DN
- Default—Disabled, which means that the value configured for the directory is used
- Property name—UserDataSource.repository.ldap.server.password
Enable Directory Eventing
- Yes—Changes in the subscriber profile or subscriptions take effect automatically while the subscriber is logged in.
- No—Changes in the subscriber profile or subscriptions do not take effect until the next time the subscriber logs in.
Directory Polling Interval [s]
- Sets the frequency for checking the directory for updates.
- Value—Number of seconds in the range 15-86400
- Default—30
- Property name—UserDataSource.repository.ldap.server.des.pollinginterval
Secured LDAP protocol
- Enables or disables LDAPS as the secure protocol for connections to the server that stores subscriber data.
- Value—Enable or Disable
- Default—Disable
- Property name—UserDataSource.repository.ldap.server.security.protocol
Filter for loading subscriptions
- Selects the filter that the SAE uses to search for subscriptions in the directory when the SAE loads a subscription.
- Value—Select one of the following values from the drop-down menu:
- Subscriber reference filter—The SAE runs a search based on the subscriberRef attribute in the umcServiceProfile object, which is the base object class of the service profile hierarchy. The subscriberRef attribute contains a DN that points to the parent of the subscriber object.
- Subscription Objectclass filter—The SAE performs a one-level search with the directory entry, which represents the subscriber folder as the base DN. The search filter is (objectClass=sspServiceProfile). This method can be slow if you have a large number of subscription entries within the subscriber folder subtree.
- Default—Subscription Objectclass filter
- Property name—UserDataSource.repository.ldap.server.loadSubscriptionFilter
Configuring Access to Service Data
To use SDX Configuration Editor to configure the LDAP connection from the SAE to the directory in which service data is stored:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the LDAP tab, and expand the Service Data section.
- Edit or accept the default values in the fields.
See Service Data Fields.
- Select File > Save.
- Right-click the configuration file, select SDX System Configuration > Export to LDAP Directory.
Service Data Fields
In SDX Configuration Editor, you can modify the following fields in the Service Data section of the LDAP pane in an SAE configuration file.
Server Address
- Disables or enables and identifies the directory server that stores service data.
- Value—IP address or hostname; use a space to separate addresses for multiple directory servers: 127.153.27.1 192.168.0.1
- Default—Disabled, which means that the value configured for the directory is used
- Property name—ServiceDataSource.repository.ldap.server.address
Search Base
- Subtree in the directory in which service information is stored. The SAE loads service definitions on startup and when service reloading is requested.
- Value—<DN>
You can use the special value <base> to refer to the globally configured base DN.
Authentication DN
- Disables or enables and sets the DN that the SAE uses to authenticate access to the directory server. The specified directory entry must exist and have read access to all attributes.
- Value—<DN>
You can use the special value <base> to refer to the globally configured base DN.
- Default—Disabled, which means that the value configured for the directory is used
- Property name—ServiceDataSource.repository.ldap.server.authDN
Password
- Disables or enables and sets the password used to authenticate access to the directory server. You must configure the password in the directory to authenticate read access to the directory.
- Value—Text string or base64 string
- Default—Disabled, which means that the value configured for the directory is used
- Property name—ServiceDataSource.repository.ldap.server.password
Enable Directory Eventing
- Yes—Changes in service definitions take effect automatically. If a changed service is in use, all service instances are deactivated and then reactivated with the modified settings. Consequently, service may be affected for subscribers who are logged in at the time of the modification.
- No—Changes in service definitions do not take effect until the SAE is restarted.
Directory Polling Interval [s]
- Sets the frequency for checking the directory for updates.
- Value—Number of seconds in the range 15-86400
- Default—30
- Property name—ServiceDataSource.repository.ldap.server.des.pollinginterval
Secured LDAP protocol
- Enables or disables LDAPS as the secure protocol for connections to the server that stores service data.
- Value—Enable or Disable
- Default—Disable
- Property name—ServiceDataSource.repository.ldap.server.security.protocol
Configuring Access to Policy Data
To use SDX Configuration Editor to configure the LDAP connection from the SAE to the directory in which policy data is stored:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the LDAP tab, and expand the Policy Data section.
- Edit or accept the default values in the fields.
See Policy Data Fields.
- Select File > Save.
- Right-click the configuration file, select SDX System Configuration > Export to LDAP Directory.
Policy Data Fields
In SDX Configuration Editor, you can modify the following fields in the Policy Data section of the LDAP pane in an SAE configuration file.
Policy Search Base
You can use the special value <base> to refer to the globally configured base DN.
Parameter Search Base
You can use the special value <base> to refer to the globally configured base DN.
Enable Directory Eventing
- Enables or disables automatic discovery of changes in policy definitions and in interface classifiers.
- Value
- Yes—Changes in policy definitions take effect automatically. If a changed policy is in use, all policy instances are deactivated and then reactivated with the modified settings. Consequently, service may be affected for subscribers who are logged in when the change is made.
- No—Changes in policy definitions do not take effect until the SAE is restarted.
Directory Polling Interval [s]
- Sets the frequency for checking the directory for updates.
- Value—Number of seconds in the range 15-86400
- Default—30
- Property name—net.juniper.smgt.des.pollinginterval
Configuring Access to the Persistent Login Cache
To use SDX Configuration Editor to configure the LDAP connection from the SAE to the directory in which persistent login cache data is stored:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the LDAP tab, and expand the Persistent Login Cache section.
- Edit or accept the default values in the fields.
See Persistent Login Cache Data Fields.
- Select File > Save.
- Right-click the configuration file, select SDX System Configuration > Export to LDAP Directory.
Persistent Login Cache Data Fields
In SDX Configuration Editor, you can modify the following fields in the Persistent Login Cache section of the LDAP pane in an SAE configuration file.
Server Address
- Disables or enables and identifies the directory server that stores persistent login data.
- Value—IP address or hostname; use a space to separate addresses for multiple directory servers: 127.153.27.1 192.168.0.1
- Default—Disabled, which means that the value configured for the directory is used
- Property name—UserCacheDataSource.repository.ldap.server.address
Search Base
You can use the special value <base> to refer to the globally configured base DN.
Authentication DN
- Disables or enables and sets the DN that the SAE uses to authenticate access to the directory server. The specified directory entry must exist and have read access to all attributes.
- Value—<DN>
You can use the special value <base> to refer to the globally configured base DN.
Password
- Disables or enables and sets the password used to authenticate access to the directory server. You must configure the password in the directory to authenticate read access to the directory.
- Value—Text string or base64
- Default—ssp
- Property name—UserCacheDataSource.repository.ldap.server.password
Enable Directory Eventing
- Enables or disables automatic discovery of changes to the persistent login cache.
- Value—Yes or No
- Default—No
- Property name—UserCacheDataSource.repository.ldap.server.des.enable_eventing
Directory Polling Interval [s]
- Sets the frequency for checking the directory for updates.
- Value—Number of seconds in the range 15-86400
- Default—30
- Property name—UserCacheDataSource.repository.ldap.server.des.pollinginterval
Secured LDAP protocol
- Enables or disables LDAPS as the secure protocol for connections to the server that stores persistent login cache data.
- Value—Enable or Disable
- Default—Disable
- Property name—UserCacheDataSource.repository.ldap.server.security.protocol
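The following audit script is an added example, not part of the SRC software or its documentation. It checks a listing of SAE properties for the settings described in the field lists above: LDAPS left at its Disable default, the persistent login cache password left at the documented default ssp, and polling intervals outside 15-86400 seconds. The key = value file format, the bare base64 form of the password, and the sample values are assumptions constructed for illustration.

```python
import base64

# Property names below are the ones listed on this page.
SOURCES = ("UserDataSource", "ServiceDataSource", "UserCacheDataSource")
KEY = "{}.repository.ldap.server.{}"
POLL_KEYS = [KEY.format(s, "des.pollinginterval") for s in SOURCES]
POLL_KEYS.append("net.juniper.smgt.des.pollinginterval")
DEFAULT_CACHE_PW = "ssp"  # documented default for the persistent login cache

def parse_properties(text):
    """Parse 'key = value' lines (assumed format); skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (property, finding) pairs for weak or out-of-range settings."""
    findings = []
    for src in SOURCES:
        key = KEY.format(src, "security.protocol")
        # Documented default is Disable, so a missing key means plain LDAP.
        if props.get(key, "Disable").lower() != "enable":
            findings.append((key, "LDAPS off: bind DN and password not protected by TLS"))
    key = KEY.format("UserCacheDataSource", "password")
    # Assumption: a base64 value is stored as the bare encoded string.
    weak = {DEFAULT_CACHE_PW, base64.b64encode(DEFAULT_CACHE_PW.encode()).decode()}
    if props.get(key, DEFAULT_CACHE_PW) in weak:
        findings.append((key, "documented default password still in use"))
    for key in POLL_KEYS:
        value = props.get(key)  # absent key means the default of 30 applies
        if value is not None and not (value.isdecimal() and 15 <= int(value) <= 86400):
            findings.append((key, "polling interval outside 15-86400 seconds"))
    return findings

# Constructed sample listing, not taken from a real deployment.
SAMPLE = """\
UserDataSource.repository.ldap.server.security.protocol = Enable
UserDataSource.repository.ldap.server.des.pollinginterval = 30
ServiceDataSource.repository.ldap.server.des.pollinginterval = 5
UserCacheDataSource.repository.ldap.server.security.protocol = Disable
UserCacheDataSource.repository.ldap.server.password = ssp
"""

if __name__ == "__main__":
    for prop, finding in audit(parse_properties(SAMPLE)):
        print(f"{prop}: {finding}")
```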
Configuring the Location of Router, Persistent Login, and Persistent Session Data
To use SDX Configuration Editor to configure the location of router data, persistent login information for DHCP scenarios, and persistent session data:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the LDAP tab.
- Edit or accept the default values in the Network Data Search Base, SAE Cache Repository Search Base, and Persistent Session Cache Repository Search Base fields.
See Router Data, DHCP Persistent Login Information, and Persistent Session Data Fields.
- Select File > Save.
- Right-click the configuration file, select SDX System Configuration > Export to LDAP Directory.
Router Data, DHCP Persistent Login Information, and Persistent Session Data Fields
In SDX Configuration Editor, you can edit the following fields in the LDAP pane in an SAE configuration file.
Network Data Search Base
You can use the special value <base> to refer to the globally configured base DN.
SAE Cache Repository Search Base
- Base DN for storing and retrieving subscriber profiles. This is the directory subtree in which persistent login information is stored for DHCP scenarios.
- Value—<DN>
You can use the special value <base> to refer to the globally configured base DN.
Persistent Session Cache Repository Search Base
You can use the special value <base> to refer to the globally configured base DN.
- Default—o=PersistentSessions, <base>
- Property name—UserDataSource.repository.ldap.server.persistent.session
Enabling Automatic Discovery of Changes in SAE Configuration Data
To use SDX Configuration Editor to enable directory eventing of SAE configuration data:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the LDAP tab.
- Edit or accept the default value in the Enable Configuration Directory Eventing field.
See Enable Configuration Directory Eventing Field.
- Select File > Save.
- Right-click the configuration file, select SDX System Configuration > Export to LDAP Directory.
Enable Configuration Directory Eventing Field
In SDX Configuration Editor, you can edit the following fields in the LDAP pane in an SAE configuration file.
Enable Configuration Directory Eventing