Configuring LDAP Access to Directory Data
The SRC software stores subscriber, service, persistent login, policy, router, and cached subscriber profiles and session data in a directory. The SAE uses LDAP to store and retrieve the data.
If you do not store data in the local directory, you need to configure the LDAP connections to the directories in which the data is stored. You can also select the filter that the SAE uses to search for subscriptions in the directory and directory eventing parameters for data stored in the directory.
The tasks to configure LDAP access to directory data are:
- (Optional) Configuring Access Through LDAPS to Service and Subscriber Data
- Configuring Access to Subscriber Data
- Configuring Access to Service Data
- Configuring Access to Policy Data
- Configuring Access to the Persistent Login Cache
- Configuring the Location of Network Device Data
- Enabling Automatic Discovery of Changes in SAE Configuration Data
- Setting the Timeout and Number of Events for SAE Directory Eventing
Configuring Access Through LDAPS to Service and Subscriber Data
You can secure connections between a router and an external directory that contains service data or subscriber data, and you can configure the router to use LDAPS when it connects to the same data source.
Use the following configuration statements to configure access through LDAPS to service data and subscriber data:
shared sae configuration ldap service-data {
    (ldaps);
}
shared sae configuration ldap subscriber-data {
    (ldaps);
}
To use LDAPS to secure connections between a router and an external directory:
- Configure the directory connection from the SAE to use LDAPS. For example:
user@host# set shared sae configuration ldap service-data ldaps
user@host# set shared sae configuration ldap subscriber-data ldaps
- In the router initialization script, specify the directory context.
The /opt/UMC/sae/lib/poolPublisher.py script and the /opt/UMC/sae/lib/IorPublisher.py script provide examples of how to configure a directory context. For example, from the /opt/UMC/sae/lib/IorPublisher.py script:
dirContext = Ssp.registry.get('ServiceDataSource.component').getContext()
In addition, you can change the directory context.
For information about how to use the InitialDirContext class or the DirContext class to specify directory context, see:
http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/InitialDirContext.html
http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/DirContext.html
Configuring Access to Subscriber Data
Use the following configuration statements to configure access to subscriber data:
shared sae configuration ldap subscriber-data {
    subscription-loading-filter (subscriberRefFilter | objectClassFilter);
    load-subscriber-schedules;
    login-cache-dn login-cache-dn;
    session-cache-dn session-cache-dn;
    server-address server-address;
    dn dn;
    authentication-dn authentication-dn;
    password password;
    directory-eventing;
    polling-interval polling-interval;
    (ldaps);
}
To configure SAE access to subscriber data:
- From configuration mode, access the configuration statement that configures SAE access to subscriber data in the directory. In this sample procedure, the subscriber data is configured in the se-region group.
user@host# edit shared sae group se-region configuration ldap subscriber-data
- Select the filter that the SAE uses to search for subscriptions in the directory when the SAE loads a subscription to a subscriber reference filter.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set subscription-loading-filter (subscriberRefFilter | objectClassFilter)
- (Optional) Enable loading of subscriber schedules.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set load-subscriber-schedules
- Specify the subtree in the directory in which subscriber information is stored.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set login-cache-dn login-cache-dn
- Specify the subtree in the directory in which persistent session data is cached.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set session-cache-dn session-cache-dn
- (Optional) Specify the directory server that stores subscriber information.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set server-address server-address
- Specify the subtree in the directory where subscriber data is cached.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set dn dn
- (Optional) Specify the DN that the SAE uses to authenticate access to the directory server.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set authentication-dn authentication-dn
- (Optional) Specify the password used to authenticate access to the directory server.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set password password
- (Optional) Enable automatic discovery of changes in subscriber profiles.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set directory-eventing
- Set the frequency for checking the directory for updates.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set polling-interval polling-interval
- Enable LDAPS as the secure protocol for connections to the server that stores subscriber data.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# set ldaps
- (Optional) Verify your configuration.
[edit shared sae group se-region configuration ldap subscriber-data]
user@host# show
subscription-loading-filter objectClassFilter;
load-subscriber-schedules;
login-cache-dn o=users,<base>;
session-cache-dn o=PersistentSessions,<base>;
server-address 127.0.0.1;
dn o=users,<base>;
authentication-dn cn=ssp,o=components,o=operators,<base>;
password ********;
directory-eventing;
polling-interval 30;
ldaps;
Related Topics
- For information about setting up SAE groups, see SRC-PE Getting Started Guide, Chapter 21, Setting Up an SAE with the SRC CLI.
- Configuring Access Through LDAPS to Service and Subscriber Data
Configuring Access to Service Data
Use the following configuration statements to configure access to service data:
shared sae configuration ldap service-data {
    server-address server-address;
    dn dn;
    authentication-dn authentication-dn;
    password password;
    directory-eventing;
    polling-interval polling-interval;
    (ldaps);
}
To configure SAE access to service data:
- From configuration mode, access the configuration statement that configures SAE access to service data in the directory. In this sample procedure, the service data is configured in the se-region group.
user@host# edit shared sae group se-region configuration ldap service-data
- (Optional) Specify the directory server that stores service data.
[edit shared sae group se-region configuration ldap service-data]
user@host# set server-address server-address
- Specify the subtree in the directory where service data is cached.
[edit shared sae group se-region configuration ldap service-data]
user@host# set dn dn
- (Optional) Specify the DN that the SAE uses to authenticate access to the directory server.
[edit shared sae group se-region configuration ldap service-data]
user@host# set authentication-dn authentication-dn
- (Optional) Specify the password used to authenticate access to the directory server.
[edit shared sae group se-region configuration ldap service-data]
user@host# set password password
- (Optional) Enable or disable automatic discovery of changes to service data.
[edit shared sae group se-region configuration ldap service-data]
user@host# set directory-eventing
- Set the frequency for checking the directory for updates.
[edit shared sae group se-region configuration ldap service-data]
user@host# set polling-interval polling-interval
- Enable LDAPS as the secure protocol for connections to the server that stores service data.
[edit shared sae group se-region configuration ldap service-data]
user@host# set ldaps
- (Optional) Verify your configuration.
[edit shared sae group se-region configuration ldap service-data]
user@host# show
server-address 10.10.45.3;
dn <base>;
authentication-dn <base>;
password ********;
directory-eventing;
polling-interval 30;
ldaps;
Related Topics
- For information about setting up SAE groups, see SRC-PE Getting Started Guide, Chapter 21, Setting Up an SAE with the SRC CLI.
- Configuring Access Through LDAPS to Service and Subscriber Data
Configuring Access to Policy Data
Use the following configuration statements to configure access to policy data:
shared sae configuration ldap policy-data {
    policy-dn policy-dn;
    parameter-dn parameter-dn;
    directory-eventing;
    polling-interval polling-interval;
}
To configure SAE access to policy data:
- From configuration mode, access the configuration statement that configures SAE access to policy data in the directory. In this sample procedure, the policy data is configured in the se-region group.
user@host# edit shared sae group se-region configuration ldap policy-data
- Specify the subtree in the directory in which policy data is stored.
[edit shared sae group se-region configuration ldap policy-data]
user@host# set policy-dn policy-dn
- Specify the subtree in the directory in which policy parameter data is cached.
[edit shared sae group se-region configuration ldap policy-data]
user@host# set parameter-dn parameter-dn
- (Optional) Enable or disable automatic discovery of changes to policy data.
[edit shared sae group se-region configuration ldap policy-data]
user@host# set directory-eventing
- Set the frequency for checking the directory for updates.
[edit shared sae group se-region configuration ldap policy-data]
user@host# set polling-interval polling-interval
- (Optional) Verify your configuration.
[edit shared sae group se-region configuration ldap policy-data]
user@host# show
policy-dn o=Policy,<base>;
parameter-dn o=Parameters,<base>;
directory-eventing;
polling-interval 30;
Related Topics
- For information about setting up SAE groups, see SRC-PE Getting Started Guide, Chapter 21, Setting Up an SAE with the SRC CLI.
Configuring Access to the Persistent Login Cache
Use the following configuration statements to configure access to persistent login cache data:
shared sae configuration ldap persistent-login-cache {
    server-address server-address;
    dn dn;
    authentication-dn authentication-dn;
    password password;
    directory-eventing;
    polling-interval polling-interval;
    (ldaps);
}
To configure SAE access to persistent login cache data:
- From configuration mode, access the configuration statement that configures SAE access to persistent login cache data in the directory. In this sample procedure, the persistent login cache data is configured in the se-region group.
user@host# edit shared sae group se-region configuration ldap persistent-login-cache
- (Optional) Specify the directory server that stores persistent login cache data.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# set server-address server-address
- Specify the subtree in the directory where persistent login cache data is cached.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# set dn dn
- (Optional) Specify the DN that the SAE uses to authenticate access to the directory server.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# set authentication-dn authentication-dn
- (Optional) Specify the password used to authenticate access to the directory server.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# set password password
- (Optional) Enable automatic discovery of changes to persistent login cache data.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# set directory-eventing
- Set the frequency for checking the directory for updates.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# set polling-interval polling-interval
- Enable LDAPS as the secure protocol for connections to the server that stores persistent login cache data.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# set ldaps
- (Optional) Verify your configuration.
[edit shared sae group se-region configuration ldap persistent-login-cache]
user@host# show
dn "o=authCache, <base>";
directory-eventing;
polling-interval 30;
ldaps;
Related Topics
- For information about setting up SAE groups, see SRC-PE Getting Started Guide, Chapter 21, Setting Up an SAE with the SRC CLI.
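A configuration check for the ldaps statement described in the sections above, as an added example that is not part of the SRC software or its documentation: it parses stanzas written in the brace form of the statement synopses and reports LDAPS-capable stanzas that point at a non-loopback directory server without ldaps. The sample text is constructed, and treating an absent server-address as the local directory is an assumption.

```python
import ipaddress
import re

# Stanzas that accept the ldaps statement according to this page.
LDAPS_CAPABLE = {"subscriber-data", "service-data", "persistent-login-cache"}

# Constructed sample (illustrative values) in the brace form of the statement synopses.
SAMPLE = """
subscriber-data {
    server-address 127.0.0.1;
    authentication-dn cn=ssp,o=components,o=operators,<base>;
    ldaps;
}
service-data {
    server-address 10.10.45.3;
    authentication-dn cn=ssp,o=components,o=operators,<base>;
    password ********;
}
persistent-login-cache {
    dn "o=authCache, <base>";
}
"""

def parse_stanzas(text):
    """Return {stanza: {statement: value-or-True}} for one level of braces."""
    stanzas = {}
    for name, body in re.findall(r"([\w-]+)\s*\{(.*?)\}", text, re.S):
        stmts = {}
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            key, _, value = stmt.partition(" ")
            stmts[key] = value.strip().strip('"') or True  # bare flag -> True
        stanzas[name] = stmts
    return stanzas

def is_remote(addr):
    """Assumption: no server-address (or loopback) means the local directory."""
    try:
        return addr is not None and not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # hostname rather than an IP literal: treat as remote

def audit(text):
    """Return (stanza, reason) for remote directory links without ldaps."""
    findings = []
    for name, s in parse_stanzas(text).items():
        if name in LDAPS_CAPABLE and "ldaps" not in s and is_remote(s.get("server-address")):
            creds = "authentication-dn" in s or "password" in s
            findings.append((name, "bind DN and password cross the network without LDAPS"
                             if creds else "directory data crosses the network without LDAPS"))
    return findings
```

Calling audit(SAMPLE) reports only service-data, the one stanza that combines a remote server-address with bind credentials and no ldaps statement.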
Configuring the Location of Network Device Data
Use the following configuration statement to configure access to network device data:
shared sae configuration ldap {
    network-dn network-dn;
}
To configure SAE access to network device data:
- From configuration mode, access the configuration statement that configures SAE access to network device data in the directory. In this sample procedure, the network device data is configured in the se-region group.
user@host# edit shared sae group se-region configuration ldap
- Specify the subtree in the directory where network device data is stored.
[edit shared sae group se-region configuration ldap]
user@host# set network-dn network-dn
- Verify your configuration.
[edit shared sae group se-region configuration ldap]
user@host# show network-dn
network-dn o=Network,<base>;
Related Topics
- For information about setting up SAE groups, see SRC-PE Getting Started Guide, Chapter 21, Setting Up an SAE with the SRC CLI.
Enabling Automatic Discovery of Changes in SAE Configuration Data
Use the following configuration statement to enable automatic discovery of changes in SAE configuration data:
shared sae configuration ldap {
    enable-directory-eventing;
}
To enable automatic discovery of changes in SAE configuration data:
- From configuration mode, access the configuration statement that enables automatic discovery of changes in SAE configuration data in the directory. In this sample procedure, automatic discovery is configured in the se-region group.
user@host# edit shared sae group se-region configuration ldap
- Enable automatic discovery of changes to SAE configuration data.
[edit shared sae group se-region configuration ldap]
user@host# set enable-directory-eventing
Related Topics
- For information about setting up SAE groups, see SRC-PE Getting Started Guide, Chapter 21, Setting Up an SAE with the SRC CLI.
Setting the Timeout and Number of Events for SAE Directory Eventing
Use the following configuration statements to set the directory eventing timeout and the number of simultaneous events that the SAE can receive from the directory:
shared sae configuration ldap directory-eventing {
    timeout timeout;
    dispatcher-pool-size dispatcher-pool-size;
}
To configure the directory eventing timeout and the number of simultaneous events that the SAE can receive from the directory:
- From configuration mode, access the configuration statement that configures SAE directory eventing. In this sample procedure, directory eventing is configured in the se-region group.
user@host# edit shared sae group se-region configuration ldap directory-eventing
- Specify the maximum time that the directory eventing system waits for the directory to respond.
[edit shared sae group se-region configuration ldap directory-eventing]
user@host# set timeout timeout
- Specify the number of events that the SAE can receive from the directory simultaneously.
[edit shared sae group se-region configuration ldap directory-eventing]
user@host# set dispatcher-pool-size dispatcher-pool-size
- (Optional) Verify your configuration.
[edit shared sae group se-region configuration ldap directory-eventing]
user@host# show
timeout 60;
dispatcher-pool-size 1000;