Contents

1   Introduction

This document describes the interface between Authentication, Authorization, Accounting services (AAA) and the Centralized User Database (CUDB).

Scope

This document covers the following topics:

• Describes the LDAP user Database for accessing the CUDB.
• Provides the Ericsson reference DIT for accessing AAA data.
• Specifies the LDAP operations required to be supported by the CUDB.

Target Groups

This document is intended for personnel who needs to understand the logical entity, including interfaces and protocols, of IPWorks.

1.1   Prerequisites

There are no prerequisites for reading this document.

1.2   Related Information

Trademark information, typographic conventions, definition and explanation of acronyms and terminology can be found in the following documents:

• Trademark Information, Reference [2]
• Glossary of Terms and Acronyms, Reference [1]
• Typographic Conventions, Reference [3]

For the standards related to this interface, see Section References.

2   Interface Overview

The CUDB is a network entity in a layered architecture domain that serves as the central storage point for AAA data and other applications (HSS, AuC, and so on). The CUDB is built as an LDAP directory server, containing the necessary entries and attributes according to the defined schema for the different applications. The LDAP server accesses the AAA data, which is then re-structured according to LDAP specifications. That is, the data is displayed in a tree structure format from an external LDAP client. The tree structure is called Directory Information Tree (DIT), where each entry is identified by a Relative Distinguished Name (RDN), referring to the path to the tree root, that is, the Distinguished Name (DN).

2.1   Interface Role

The AAA LDAP CUDB interface uses the LDAP Protocol to access the CUDB and provides the reference Ericsson DIT for accessing the AAA data. The interface also specifies the LDAP operations required to be supported by the CUDB.

2.2   Services

The services offered by the AAA LDAP CUDB interface are presented in Table 1.

2.3   Encapsulation and Addressing

The following lower-level protocols are used on this interface:

• TCP
• LDAP

3   LDAP Directory Information Tree

LDAP information is displayed in a tree structure format, called DIT. The DIT is composed of entries that have one or more attributes.

The name and value of all the attributes of an entry form the RDN of the entry. The concatenation of the RDNs of the sequence of entries from a particular object to the root entry of the tree forms the DN. The DN uniquely identifies an object within the tree.

This section describes the LDAP DIT for the following service:

• AAA FE (Radius)
• AAA FE (PKI)

3.1   LDAP Directory Information Tree for AAA FE (Radius)

The DIT of the AAA FE (Radius) application is built into the following main structures corresponding to the data it contains:

• Subscriber data
• Subscriber common data

Figure 1 presents the container data level distribution offered by the CUDB for the AAA FE (Radius) application.

3.1.1   Subscriber Data

Subscriber data is located under the container level entry mSCId=<multiserviceconsumer identity> in the DIT. Within this entry, AAA subscriber data is located as a child under AA services, that is, serv=AA.

Entries above the serv entry are described in the CUDB data model. For more information, see Reference [4].

The most important piece of information to identify a subscriber in the AAA DIT is the UserName.

AAA subscriber data is accessible either through the multiSCs branch or through the identities branch.

The identities branch contains an alias to the corresponding multiSCs branch entry. The DN of the associated subscriber identifier entry is obtained by de-referencing the alias.

The serv entry contains the individual policies. The individual policies belong to the subscriber.

The serv entry contains aliases to the common subscriber data under the mSCCommonData branch. The DN of the associated common subscriber data entry is obtained by de-referencing the alias. When common subscriber data is accessed by de-referencing the aliases in the serv entry, the data is accessible only for reading purposes.

Subscriber data provisioning operations are performed through the multiSCs branch and traffic operations are performed through the identities branch.

• Access to AAA Subscriber Data

  Access to the AAA subscriber data entries can be provisioned using the following DN:

  serv=AA, mscId=<multiserviceconsumerId>, 
  ou=multiSCs, dc=<CUDB root entry>

• AAA FE (Radius) Access to AAA Subscriber Data

  AAA subscriber data is accessible from the AAA Front End (FE) by means of using the standard LDAP aliases for searching and the Ericsson LDAP aliases for modification. When an LDAP alias is used for searching or modification, the alias is de-referenced when the "search" or "modify" LDAP operation is performed, respectively.

  The AAA subscriber data entry is accessible from the AAA FE using the following DN:

  serv=AA, UserName=<UserName>, dc=UserName, 
  ou=identities, dc=<CUDB root entry>

  The DN points to the following entry in the CUDB:

  sev=AA, mscld=<multiserviceconsumerId>, 
  ou=multiSCs

3.1.2   Subscriber Common Data

Subscriber common data is located under the container level entry mscCommonData. Subscriber common data is located in the tree as a child under AA services, that is, serv=AA. Within this entry, AAA subscriber common data is located under Groups or Policies.

Entries above the "serv" entry are described in the CUDB data model. For more information, see Reference [4].

Under the serv level, each subscriber entry is accessible based on the group or policy identifier.

• Group Access to Subscriber Common Data

  groupname=<groupname>, ou=groups, serv=AA, 
  ou=mscCommonData, dc=<CUDB root entry>

• Policy Access to Subscriber Common Data

  policyname=<policyname>, ou=policies, serv=AA, 
  ou=mscCommonData, dc=<CUDB root entry>

Subscriber common data is also accessible for reading purposes through the identities branch by de-referencing the aliases.

ei=Policy1, serv=AA, UserName=<UserName>, 
dc=UserName, ou=identities, dc=<CUDB root entry>

ei=Group1, serv=AA, UserName=<UserName>, 
dc=UserName, ou=identities, dc=<CUDB root entry>

3.2   LDAP Directory Information Tree for AAA FE (PKI)

Figure 2 presents the container data level distribution offered by the CUDB for the AAA FE (PKI) application.

• AAA PKI Subscriber Data

  AAA PKI subscriber data entries can be provisioned using the following DN:

  serv=NSD,mscId=<multiserviceconsumerId>,ou=multiSCs,dc=<CUDB root entry>

• AAA FE (PKI) Access to AAA PKI Subscriber Data

  The AAA PKI subscriber data entry is accessible from the AAA FE using the following DN:

  serv=NSD,IMSI=%s,dc=IMSI,ou=identities,dc=<CUDB root entry>

4   AAA Entries

The tables in this section specify all the entries for the AAA application. According to LDAP standard RFC 4512 (see Reference [7]), an entry can be initiated with attributes corresponding to several object classes.

The tables contain a header and three columns with the following information:

4.1   AAA Entries for AAA FE (Radius)

4.1.1   AA Profile Entry

This entry contains the authentication and authorization data and it is a child of the mSC entry.

4.1.2   AA Individual Policy Entry

This entry contains the individual AA policy data and it is a child of the AA Profile entry.

<![CDATA[ 
expression :=  condition | '(' expression ')' | expression logicalop expression
condition := avpname relop value 
logicalop := '&' | '|' | '&&' | '||'
relop := '=' | '==' | '!=' | '>' | '>=' | '<' | '<='| '?'

<![CDATA[ 
expression :=  condition | ', ' expression
condition := avpname = value
value := fixed value | $REQUEST

4.1.3   AA Shared Policy Alias Entry

This entry contains an alias to the AA Shared Policy entry in the mSCCommon branch and it is a child of the AA entry.

4.1.4   AA Group Alias Entry

This entry contains an alias to the AA Group entry in the mSCCommon branch and it is a child of the AA entry.

4.1.5   AAA Multiservice Consumers Entry

This entry is the container for the AAA data and for the group and policy alias entries in the CUDB.

4.1.6   AA Shared Policy Domain Entry

This entry is the container for the shared policies within the Policy domain.

4.1.7   AA Shared Policy Entry

This entry contains the policy data and it is a child of the AA Shared Policy domain entry.

4.1.8   AA Group Domain entry

This entry is the container for the groups within the Group domain.

4.1.9   AA Group Entry

This entry contains the AA Group data and it is a child of the Group domain entry.

4.2   AA Entries for AAA FE (PKI)

4.2.1   PKI User Entry

This entry contains the PKI user data and it is a child of the mSC entry.

5   Procedures

This section describes the operations used by the AAA FE (Radius and PKI) and Provisioning Gateway (PG) to communicate with the CUDB in order to handle AAA data.

The following LDAP operation are used:

• Add
• Delete
• Modify
• Search

These LDAP operations are described in Reference [6] and Reference [9] .

The PG is the client responsible for provisioning the CUDB Server node. It adds, modifies, and deletes entries in the CUDB Server, as well as performs any search operation the PG needs.

The AAA FE is the client responsible for traffic operations. It performs any search operation the AAA FE needs for traffic.

Subscriber-specific data operations from the PG are performed using the branch under multiSCs for specific multiple subscription data.

Subscriber common data operations from the PG are performed using the branch under mscCommonData.

The PG can perform following operations:

• Add new entries
• Delete entries
• Modify the attributes of an entry (replace, add, delete)
• Search for an entry

All operation from the AAA FE are performed using the branch under identities .

The AAA FE can perform the following operation under the branch multiSCs:

• Search for an entry

5.1   Procedures for AAA FE (Radius)

5.1.1   Creation and Deletion of Entries

5.1.1.1   Creating the Multiservice Consumer AA Entry

Missing information.

5.1.1.2   Creating the Service Common Data AA Entry

The Service Common Data AA entry is an entry of the AAProfile structural object class and the CUDBServiceAuxiliary auxiliary object class defined in the CUDB data model (see Reference [4]).

To create the entry, an LDAP add operation must be performed.

5.1.1.3   Creating the Service Common Data Groups Entry

To create the entry, an LDAP add operation must be performed.

5.1.1.4   Creating the Service Common Data Policies Entry

To create the entry, an LDAP add operation must be performed.

5.1.1.5   Creating the AA Profile Entry

The AA Profile entry is an entry of the AAProfile structural object class and the CUDBServiceAuxiliary auxiliary object class defined in the CUDB data model (see Reference [4]).

To create the entry, an LDAP add operation must be performed.

(1)  The <ipalloctype> can be set in the range of 0~3.

(2)  The <ipallocvalue> can be set as a valid pool name or IPv4 address.

(3)  The <ipv6alloctype> can be set in the range of 0~3.

(4)  The <ipv6allocvalue> can be set as a valid pool name or IPv6 prefix.

5.1.1.6   Creating the AA Individual Policy Entry

The AA Individual Policy entry is an entry of the Policy structural object class defined in the CUDB data model (see Reference [4]).

To create the entry, an LDAP add operation must be performed.

5.1.1.7   Creating the AA Group Entry

The AA Group entry is an entry of the Group structural object class defined in the CUDB data model (see Reference [4]).

To create the entry, an LDAP add operation must be performed.

5.1.1.8   Creating the AA Group Alias Entry

To create the entry, an LDAP add operation must be performed.

At the same time, the group name must be added to the GroupNameList attribute of the AA Profile.

5.1.1.9   Creating the AA Shared Policy Entry

The AA Shared Policy entry is an entry of the Group structural object class defined in the CUDB data model (see Reference [4]).

To create the entry, an LDAP add operation must be performed.

5.1.1.10   Creating the AA Shared Policy Alias Entry for User

To create the entry, an LDAP add operation must be performed.

At the same time, the policy name must be added to the PolicyNameList attribute of the AAA User Profile.

5.1.1.11   Creating the AA Shared Policy Alias Entry for Group

To create the entry, an LDAP add operation must be performed.

At the same time, the policy name must be added to the PolicyNameList attribute of the AAA Group.

5.1.1.12   Deleting the AA User Profile Entry

To delete the entry, an LDAP delete operation must be performed.

5.1.1.13   Deleting the AA Group Entry

To delete the entry, an LDAP delete operation must be performed&dot;.

5.1.1.14   Deleting the AA Shared Policy Entry

To delete the entry, an LDAP delete operation must be performed&dot;.

5.1.1.15   Deleting the AA Individual Policy Entry

To delete the entry, an LDAP delete operation must be performed&dot;.

5.1.1.16   Deleting the AA Group Alias Entry

To delete the entry, an LDAP delete operation must be performed&dot;.

5.1.1.17   Deleting the AA Shared Policy Alias Entry

To delete the entry, an LDAP delete operation must be performed&dot;.

5.1.2   AAA Data Modification

This section includes examples of AAA data modification.

5.1.2.1   AAA User Profile Modification (Replace) Using multiSCs Branch

AAA subscriber data is an entry of the AAProfile object class.

The following table presents an example of possible AA subscriber data modification, where the authentication method is changed for a subscriber. In this example, an LDAP replace operation is performed.

5.1.2.2   AAA Alias Modification (Replace) Using multiSCs Branch

The AAA alias is an entry of the alias object class.

The following table presents an example of possible Group alias modification, where a new group is assigned to an AA subscriber. In this example, an LDAP replace operation is performed.

The following table presents an example of possible Policy alias modification, where a new policy is assigned to an AA subscriber. In this example, an LDAP replace operation is performed.

5.1.2.3   AAA Subscriber Data Modification (Delete) Using multiSCs Branch

AAA Profile data is an entry of the AAProfile object class.

The following table presents an example of possible AAA Profile data modification, where the AuthMethod attribute or one of the shared policies is removed. In this example, an LDAP delete operation is performed.

5.1.2.4   AA Individual Policy Data Modification (Replace)

The following table presents an example of possible AAA Individual Policy data modification, where the PolicyChecklist attribute is updated. In this example, an LDAP replace operation is performed.

5.1.2.5   AAA Multiservice Consumer Common Data Modification (Replace)

The following table presents an example of possible AAA Group data modification, where a new Policy is assigned to the group. In this example, an LDAP replace operation is performed.

The following table presents an example of possible AAA Shared Policy data modification, where the PolicyChecklist attribute is updated. In this example, an LDAP replace operation is performed.

5.1.2.6   AAA Multiservice Consumer Common Data Modification (Delete)

The following table presents an example of possible AAA group data modification, where one of the policies is removed from the group. In this example, an LDAP delete operation is performed.

The following table presents an example of possible policy data modification, where one of the policy checklists is removed. In this example, an LDAP delete operation is performed.

5.1.3   AAA Subscriber Data Search

This section describes how to search for AAA subscriber data.

5.1.3.1   Subscriber Common Data Search

Subscriber common data is an entry of the AA object class. To search the subscriber common data, an LDAP search operation must be performed.

It is possible to request the following:

• All AAA Group data
• A specific type of AAA Group data (all attributes in a specific group)
• All AAA Policy data
• A specific type of AAA Policy data (all attributes in a specific policy)

5.1.3.1.1   Searching for All AAA Group Data

AAA Group data is an entry of the AAGroup structural object class. To search for AAA Group data, an LDAP search operation must be performed.

Searching for all AAA Group data can be done from the Groups entry with the scope set to "singleLevel".

5.1.3.1.2   Searching for Specific Type of Group Data

Searching for a specific type of Group data can be performed from the GroupName entry with the scope set to "baseObject".

5.1.3.1.3   Searching for All AAA Policy Data

AAA Policy data is an entry of the AAPolicy structural object class. To search for AAA Policy data, an LDAP search operation must be performed.

Searching for all AAA Policy data can be performed from the Policies entry with the scope set to "singleLevel".

5.1.3.1.4   Searching for Specific Type of Policy Data

Searching for a specific type of policy data can be performed from the PolicyName entry with the scope set to "baseObject".

5.1.3.2   Subscriber Data Search

Subscriber data is an entry of the AA object class. To search the subscriber data, an LDAP search operation must be performed.

It is possible to request the following:

• All data of a subscriber
• Individual subscriber data of a subscriber
• List of subscribers
• List of subscribers with specific data

5.1.3.2.1   Searching for All Data of a Subscriber

AAA subscriber data is an entry of the AAProfile structural object classes. To search for AAA subscriber data, an LDAP search operation must be performed.

Searching for all data of a subscriber can be performed either from the multiSCs branch or from the identities branch with the scope set to "wholeSubtree".

The following table presents how to search for all data of a subscriber from the multiSCs entry.

The following table presents how to search for all data of a subscriber from the identities entry.

5.1.3.2.2   Searching for Individual Subscriber Data of a Subscriber

AAA individual subscriber data is an entry of the AAProfile structural object class. To search for AAA individual subscriber data, an LDAP search operation must be performed.

Searching for the individual subscriber data of a subscriber can be performed either from the multiSCs branch or from the identities branch with the scope set "towholeSubtree".

The following table presents how to search for the individual subscriber data of a subscriber from the multiSCs entry.

The following table presents how to search for the individual subscriber data of a subscriber from the identities entry.

5.1.3.2.3   Searching for a List of Subscribers

To search for a list of AAA subscribers, an LDAP search operation must be performed.

Searching for a list of subscribers can be performed from the subscribers branch with the scope set to "wholeSubtree". The filter must be set to "objectclass=AAProfile" and include the value range. In the example below, the value range is "UserName = User*", where searching is performed for all subscribers whose username begins with "User".

5.1.3.2.4   Searching for a List of Subscribers with Specific Data

To search for a list of AAA subscribers with specific data, an LDAP search operation must be performed.

Searching for all subscribers with a specific attribute or a set of attributes can be performed from the multiSCs entry with the scope set "towholeSubtre". The attributevalueassertion must be set to the specific attribute for which searching is performed. In the example below, searching is performed for all subscribers provisioned with the EAP-MD5 authentication method.

5.2   Procedures for AAA FE (PKI)

5.2.1   Creation and Deletion of Entries

5.2.1.1   Creating the PKI User Entry

To create the entry, an LDAP add operation must be performed.

5.2.1.2   Deleting the PKI User Entry

To delete the entry, an LDAP delete operation must be performed.

5.2.2   PKI Data Modification

This section includes examples of PKI data modification.

PKI subscriber data is an entry of the nsduser object class.

5.2.2.1   PKI User Modification (Replace) Using multiSCs Branch

The following table presents an example of possible PKI subscriber data modification, where the user status is changed for a subscriber. In this example, an LDAP replace operation is performed.

5.2.2.2   PKI Subscriber Data Modification (Delete) Using multiSCs Branch

The following table presents an example of possible PKI subscriber data modification, where the nsduserpwd attribute or one of the apnlist is removed. In this example, an LDAP delete operation is performed.

5.2.3   PKI Subscriber Data Search

The following table presents how to search for the individual subscriber data of a subscriber from the identities entry.

6   Related Standards

See section References.

Reference List