Aruba Networks PowerConnect W Clearpass 100 Software Deployment Manual page 497

Table 63 LDAP Module Settings (Continued)
Setting
ldap.tls_certfile = not set
ldap.tls_randfile = not set
ldap.tls_require_cert = not set
ldap.default_profile = not set
ldap.profile_attribute = not set
ldap.access_attrused_for_allow = yes
ldap.access_attr = dialupAccess
ldap.password_header = not set
ldap.password_attribute = not set
ldap.groupname_attribute = not set
ldap.compare_check_items = no
ldap.do_xlat = yes
ClearPass Guest 3.9 | Deployment Guide
Description
The PEM Encoded certificate file that should be presented to
clients that connect.
ldap.tls_keyfile = not set
The PEM Encoded private key that should be used to encrypt the
session.
A file containing random data to seed the OpenSSL PRNG. Not
needed if your OpenSSL is already properly random.
Certificate Verification requirements. Can be "never" (don't even
bother trying), "allow" (try, but don't fail if the certificate can't be
verified), or "demand" (fail if the certificate doesn't verify).
DN of a LDAP object, which contains default RADIUS attributes. If
not set, use only user specific attributes or attributes, supplied by
other modules.
Name of a user object attribute, which contains DN of radiusProfile
object for this user. If unset, use only user specific attributes or
attributes, supplied by other modules.
Determines if the access attribute (described below) will be used to
allow access (meaning if it exists then user remote access will be
allowed) or to deny access.
If attribute is specified, the LDAP module checks for its existence
in the user object. If access_attr_used_for_allow is set to yes, and
the attribute exists, the user is allowed to get remote access.
If the attribute exists and is set to FALSE, the user is denied remote
access. If the attribute does not exist, the user is denied remote
access by default.
If access_attr_used_for_allow is set to no, and the attribute exists,
the user is denied remote access. If it does not exist, the user is
allowed remote access.
If the user password is available we add it to the check items (to
assist in CHAP), stripping any headers first. The password_header
directive is NOT case insensitive.
Define the attribute which contains the user password.
The attribute containing group name in the LDAP server. It is used
to search groups by name.
Specifies if the module will do a comparison on the check items
extracted from the ldap with the corresponding items present in
the incoming request.
Specifies if the module will do an xlat on the radius attributes
extracted from the ldap database. Also, the attribute operators will
be honored. If the directive is set to 'no' then we will fall back to
the pairadd() function which will just add the attributes at the end
of the corresponding attribute list (check or reply items). This can
be used to fall back to 0.8.1 behavior without changing the LDAP
data or to gain a little performance if the LDAP data is rather
simple (no special operators)
Reference | 497