HP-UX AAA Server A.07.00 Administrator's Guide: HP-UX 11i v1, 11i v2, and 11i v3 > Chapter 29 Attribute-Value Pairs

Attributes in User Profiles


The following attributes can be used to establish the authorization rules for a user profile. Authorization determines the following:

  • The services and network resources that the user can access

  • The services that the user can access

  • The time duration that the user can access the network

The attributes in a user profile may act as a configuration, check (and deny), or reply item. Some attributes may act as both check and reply items.

Configuration Attributes

You can add configuration attributes that are not directly supported by the Server Manager graphic interface. You can add configuration attributes through the Server Manager as a check item under the Free tab on the User Creation screen. For more information, see “Tabs on the Add Users Screen”.

Authentication-Type

The authentication type is applied to a user just as it would be applied to a user belonging to a realm. Check and reply items in the user entry will be appended to any items used later in the authentication process.

Comment

This attribute does not perform any server function. It allows you to provide any necessary explanation for the entry.

Deny-Message

This attribute specifies a string that would be returned as a Reply-Message value to the user in the Access-Reject if any deny item for this user caused a rejection. You can configure a denial message (using the Free tab in the Check Item list box in the Server Manager) as follows:

Deny-Message = "You can't do that."
NAS-Port != 3160

You can also use an asterisk wildcard:

Deny-Message = "*"
NAS-Port != 3160

This wildcard string sends the following message indicating what deny item triggered the rejection:

Access denied, NAS-Port != 3160 

IMPORTANT: The Deny-Message will only be returned if a deny item (Attribute != Value) comparison fails. It will not be returned if a check item fails.

Expiration

In date format, specifies when an entry expires. After the date, the user will receive an Access-Reject with the message, “Password has expired,” in response to all Access-Requests. The correct syntax is as follows:

Expiration = mth day year

mth is the first three letters of the month. day is the two-digit date. year is the four-digit year. The following is an example of an Expiration check item:

Expiration = Jan 31 2004
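The following is an added example, not code from the HP-UX AAA Server, that models how the Deny-Message and Expiration items above are applied: deny items (Attribute != Value) trigger the Deny-Message (or the generated "Access denied, ..." text for "*"), a failed check item returns no message, and an Expiration date that has passed returns "Password has expired". The item syntax, the request dictionary, and the handling of attributes absent from the request are assumptions made for the example.

```python
import re
from datetime import date

# Assumed evaluator for Deny-Message and Expiration items (constructed example,
# not the HP-UX AAA Server's own code). Items are "Attr = Value" (check items)
# and "Attr != Value" (deny items), one per line, as entered on the Free tab.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(!=|=)\s*(.+?)\s*$')
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

def parse_items(text):
    """Return a list of (attribute, operator, value) tuples; quotes are stripped."""
    items = []
    for line in text.strip().splitlines():
        m = ITEM_RE.match(line)
        if not m:
            raise ValueError(f"malformed item: {line!r}")
        attr, op, value = m.groups()
        items.append((attr, op, value.strip('"')))
    return items

def parse_expiration(value):
    """Expiration = mth day year, e.g. 'Jan 31 2004' -> date(2004, 1, 31)."""
    mth, day, year = value.split()
    return date(int(year), MONTHS.index(mth[:3].title()) + 1, int(day))

def evaluate(profile, request, today):
    """Return (code, reply_message). A deny item whose comparison fails (the
    request carries the denied value) yields the Deny-Message, generated text
    when it is "*"; a failed check item yields no message at all.
    Assumption: an attribute absent from the request fails a check item."""
    items = parse_items(profile)
    deny_message = next((v for a, _, v in items if a == "Deny-Message"), None)
    for attr, op, value in items:
        if attr == "Deny-Message":
            continue  # configuration item, not compared against the request
        if attr == "Expiration":
            if today > parse_expiration(value):  # entry is valid through that day
                return ("Access-Reject", "Password has expired")
            continue
        actual = request.get(attr)
        if op == "!=" and actual is not None and str(actual) == value:
            text = f"Access denied, {attr} != {value}" if deny_message == "*" else deny_message
            return ("Access-Reject", text)
        if op == "=" and (actual is None or str(actual) != value):
            return ("Access-Reject", None)  # check item failed: no Deny-Message
    return ("Access-Accept", None)
```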

Group-Name

Can be any string value. Unlike other configuration-only attributes, Group-Name initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.

Password

Specifies the value to compare to the User-Password attribute value in the Access-Request or the user's input in response to an Access-Challenge. The \ character must not be used.

NOTE: The RADIUS protocol does not send clear text passwords. Passwords are encrypted with the client and server’s shared secret according to RFC 2865.

To specify an encrypted password you must follow the syntax {Encrypt-type} Encryptd-password, where Encrypt-type is the method used to encrypt the password and Encryptd-password is the encrypted password. Encrypt-type can be specified as:

  • crypt

  • md5

  • x-nthash

  • x-lmhash

Server-Name

The additional parameter, usually a DNS name or IP address, required to perform the specified authentication type.

User-Category

Can be any string value. Unlike other configuration-only attributes, User-Category initially appears in a user entry as a reply item and would be used as a check item in a policy definition by LDAP or a customized authentication method.

Xvalue

This attribute provides a means to pass an integer value to an action.

Xstring

This attribute provides a means to pass a string value to an action.

Local Authorization Service (LAS) Configuration

Some configuration-only attributes define information for authorization through the server's LAS. To activate the features related to these attributes for users in a given realm, you must enable session tracking for the user's realm. A NULL realm entry will still be required if the user does not belong to a realm. The Simultaneous-Use attribute can be used in a user entry for LAS functions.

Simultaneous-Use Attribute

This attribute's value determines the maximum number of active sessions the user can have. The default is 1 (if the LAS is enabled for the user's realm, but no Simultaneous-Use attribute value is specified for the user or the user's realm). A value of -1 disables the feature, placing no limit on the number of simultaneous sessions for a user in a realm enabled to use the LAS.
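As an added example (not the HP-UX AAA Server's own code), the class below models the Simultaneous-Use rules just described: nothing is enforced unless session tracking is enabled for the realm, the user's value takes precedence over the realm's, the default limit is 1, and -1 means unlimited. The realm and session bookkeeping, the use of None for the NULL realm, and the method names are assumptions made for this example.

```python
# Constructed model of the LAS Simultaneous-Use check (added example, not the
# HP-UX AAA Server's own code). realm None stands for the NULL realm entry.
class LocalAuthorizationService:
    DEFAULT_LIMIT = 1  # applies when tracking is on but no Simultaneous-Use is set

    def __init__(self):
        self.tracked_realms = {}  # realm -> realm-level Simultaneous-Use (or None)
        self.active = {}          # (realm, user) -> set of active session ids

    def enable_tracking(self, realm, realm_limit=None):
        """Turn on session tracking for a realm, optionally with a realm limit."""
        self.tracked_realms[realm] = realm_limit

    def limit_for(self, realm, user_limit):
        """The user's value wins, then the realm's value, then the default of 1."""
        if user_limit is not None:
            return user_limit
        realm_limit = self.tracked_realms.get(realm)
        return self.DEFAULT_LIMIT if realm_limit is None else realm_limit

    def start_session(self, realm, user, session_id, user_limit=None):
        """Return True if the session may start, False if the limit is reached."""
        if realm not in self.tracked_realms:
            return True  # LAS not active for this realm: nothing is enforced
        sessions = self.active.setdefault((realm, user), set())
        limit = self.limit_for(realm, user_limit)
        if limit != -1 and len(sessions) >= limit:  # -1 disables the check
            return False
        sessions.add(session_id)
        return True

    def stop_session(self, realm, user, session_id):
        """Free the slot when the session ends so a new one can start."""
        self.active.get((realm, user), set()).discard(session_id)

    def active_count(self, realm, user):
        return len(self.active.get((realm, user), ()))
```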
