NameSurfer Suite
The WWW user interface external authentication configuration file
FusionLayer

NameSurfer 7.6.4.1


The configuration file config/authentication.conf in the NameSurfer directory tree contains a number of configurable settings in a simple, human-readable text format. It is read by the NameSurfer HTTP server process on startup. Changes made to this file will not take effect until the process is killed and restarted.

Each setting is entered on a line of its own as a "name: value" pair. Empty lines and comments beginning with a # character are allowed.

If the use_external_auth option in webui.conf is not enabled, this configuration file will not be read on startup at all.

The allowed options in this configuration file depend on the supported authentication methods, which are LDAP, Radius and Tacacs in the current standard NameSurfer package. Each of the methods has its own set of configuration options which need to be present in this file if that method is used.

The following general settings are supported:

authentication_method (string), default ldap
The external authentication method to be used for authenticating users. Corresponding method-specific configuration options will be read from this configuration file.

The following settings are supported for the LDAP authentication:

ldap_uri (string), default ldap://localhost:389/
URI pointing to an LDAP server to use for authentication.

ldap_base (string), default not set
Fixed LDAP base DN binding options.

ldap_ad_domain (string), Active Directory domain name
When configuring for simple AD authentication, all LDAP configuration options except this and the ldap_uri should be left blank to ensure correct operation.

ldap_idfield (string), default uid
Name of the field used to match the username stored in LDAP while binding.

ldap_binduser (string), default not set
If set, the given user will be used to do the initial binding to the LDAP server before conducting the search for the actual user name used for NameSurfer access. If not defined, the binding will be attempted using the account name given at NameSurfer login.

ldap_bindpassword (string), default not set
Password for the LDAP binding user, if defined. This value is ignored if the separate binding user is not defined.

ldap_searchbase (string), default not set
If the base location for user accounts is different from the initial LDAP binding base (when a separate binding user is used), this field must contain the correct search path. If this value is not set, the base DN value will be used for the actual user data search.

ldap_accessfield (string), default not set
If defined, a field that must be present in the user's LDAP data to allow login to NameSurfer.

ldap_accesstoken (string), default not set
If defined, a value that must be present in the user's access field value to allow login to NameSurfer. If the access field is not defined, this parameter has no effect either.

The following settings are supported for the Radius authentication:

radius_host (string), default localhost
Name or IP address of the host running the Radius authentication server.

radius_localaddr (string), default not set
If defined, the local IP address to use for sending Radius authentication requests.

radius_service (string), default radius
Service (port) name to use for Radius connections.

radius_secret (string), default testing123
Shared secret used when communicating with the Radius server.

radius_rfc3579 (true or false), default false
Use Radius in RFC3579 compliant mode.

radius_debug (true or false), default false
Enable Radius authentication module debug mode.

The following settings are supported for the Tacacs authentication:

tacacs_servers (string), default not set
A comma-separated list of Tacacs+ servers to authenticate against (in order of preference).

tacacs_port (string), default tacacs
Tacacs server port identifier or number.

tacacs_secret (string), default not set
Shared secret value used to communicate with the Tacacs server.

tacacs_timeout (integer), default 15
Timeout, in seconds, to wait for an answer from a single Tacacs server before giving up.
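
The following is an added example, not part of the NameSurfer distribution or its documentation: a small audit script that parses the "name: value" format described above and reports settings that the option descriptions say are defaulted, ignored or conflicting. It assumes that comments occupy a whole line, that an empty value counts as not set, and that the authentication_method values for Radius and Tacacs are "radius" and "tacacs" (only "ldap" is stated on this page); the host name in the sample is constructed.

```python
# Added example: audits authentication.conf text against the rules documented above.
# Assumed (not stated on the page): method values "radius"/"tacacs", whole-line comments.
DEFAULTS = {  # defaults as documented on this page
    "authentication_method": "ldap",
    "ldap_uri": "ldap://localhost:389/",
    "radius_secret": "testing123",
}

def parse_conf(text):
    """Parse 'name: value' lines; split on the first ':' only, since URIs contain colons."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def audit(text):
    """Return a list of findings for the configured authentication method."""
    conf = parse_conf(text)
    get = lambda k: conf.get(k) or DEFAULTS.get(k, "")  # empty value treated as unset
    method = get("authentication_method").lower()
    findings = []
    if method == "radius" and get("radius_secret") == DEFAULTS["radius_secret"]:
        findings.append("radius_secret is the documented default")
    if method == "tacacs" and not get("tacacs_secret"):
        findings.append("tacacs_secret is not set")
    if method == "ldap":
        if get("ldap_uri").lower().startswith("ldap://"):
            findings.append("ldap_uri uses the ldap:// scheme (no TLS in the URI)")
        if get("ldap_accesstoken") and not get("ldap_accessfield"):
            findings.append("ldap_accesstoken has no effect without ldap_accessfield")
        if get("ldap_bindpassword") and not get("ldap_binduser"):
            findings.append("ldap_bindpassword is ignored without ldap_binduser")
        if get("ldap_ad_domain"):
            extra = sorted(k for k in conf if k.startswith("ldap_") and conf[k]
                           and k not in ("ldap_ad_domain", "ldap_uri"))
            if extra:
                findings.append("ldap_ad_domain set together with: " + ", ".join(extra))
    return findings

# Constructed sample input (not from a real installation).
SAMPLE = "# constructed sample\n\nauthentication_method: radius\nradius_host: radius.example.internal\n"
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Since the file may hold ldap_bindpassword, radius_secret and tacacs_secret in clear text, run such a check on the server itself rather than copying the file elsewhere.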