This section includes the following call flows.

• Sh Interface Call Flow

This section describes how to set up the profile data.

PCF establishes a connection with an LDAP server to access the subscriber profile data that resides on an external database. Upon receiving the PCF query, the LDAP searches its database to retrieve the user profile and other information.

You can set an LDAP interface profile for a new or an existing domain. By configuring the Domain, you direct PCF to retrieve data from an LDAP query.

1. Log in to Policy Builder and select the Services tab.

2. Navigate to the Domains tab and select DATA_5G.

3. In the Domains pane, click the Additional Profile Data tab.

4. Select Generic Ldap Search in the drop-down menu on the right-hand side of the Additional Profile section heading.

5. Under Profile Mappings, click Add to configure a new row for each attribute that is retrieved from the LDAP server. In the Profile Mappings table, the following parameters can be configured for the new row:

   1. External Code: The LDAP attribute name to retrieve.

   2. Mapping Type: The mapping of the data to an internal PCF data type.

   3. Regex Expression and Regex Group: If parsing of the incoming AVP is required then define a regular expression and regular expression group to support retrieval of the parsed values.

   4. Missing AVP: Defines the default AVP value when the subscriber attribute that is received from the external profile is missing.

      Note

      If a subscriber attribute is missing and its missing AVP value is not configured, PCF does not create or update policy derived AVP for this subscriber with Missing AVP Value. This parameter is applicable only for Mapping Type as Subscriber Attribute or Service. For all other mapping types, this column is not applicable.

   5. Empty AVP Value: Defines the default AVP value when a subscriber attribute that is received from an external profile has empty or blank value.

      Note

      If a subscriber attribute is empty or blank and its empty or blank AVP value is not configured, PCF does not create or update policy derived AVP for this subscriber with Empty AVP Value. This parameter is applicable only for Mapping Type as Subscriber Attribute or Service. For all other mapping types, this column is not applicable.

   6. Apply Timer: This check box indicates whether Timer Attribute is applicable to other subscriber attributes or not. Select the check box if Timer Attribute that must be applied for that subscriber attribute.

   7. Discard If Empty: When checked, deletes the LDAP attribute from the session (thus preventing any further use) if regex (when configured) does not match the received value. By default, the check box is unchecked (false).

6. Enter the appropriate value in the following fields for completing the configuration:

   The following table describes the configuration service parameters.

   Table 3. Configuration Parameters

   Field	Description
   Ldap Server Set	Associate the LDAP server set defined in the LDAP Server Set Definition.
   Base Dn	Specify the Base DN that is sent in the LDAP query. If not defined, then the request does not contain a base DN.
   Filter	Set to the filter value that is sent in the LDAP query. If not defined, then the request does not contain a filter. Note  This string supports string replacement using the find and replace of strings with variables from the policy state as defined in the “Replacement Rules” table.
   Dereference Policy	This is an optional field that controls whether to disable the LDAP query. This is often used along with Custom Reference Data tables and other session attributes to optionally disable an LDAP query. If the calculated CRD AVP has a value (ignoring case) of “false”, then the LDAP query is skipped.
   Avp Code to Disable Query	Set this to the dereference policy that the LDAP query requires. Default value is NEVER.
   Profile Refresh Interval (mins)	Set this value to automatically refresh a profile by querying the profile after specified delay.
   Replacement Rules	In the replacement rules table, add one row per replacement string to substitute into the Base DN or Filter string on a request by request basis.
   Subscriber Timer Attribute	Indicates which attribute is a timer attribute among all the LDAP server attributes. The timer follows the ISO 8601 time standards. See ISO 8601 for more information.
   Lower Bound For Timer Attribute In Minutes	Indicates how much time before the start time of Subscriber Timer Attribute PCF has to accept when LDAP server sends timer attribute. Default value is 30 mins.

This section describes how to associate PCF with LDAP.

When you configure PCF environment to interact with a defined LDAP, PCF must connect to the LDAP server using a trusted authentication method. This method is known as binding. PCF uses the binding information while making LDAP queries to retrieve the required subscriber information from the LDAP server.

config 
 product pcf 
     ldap replicas replica_count 
     ldap server-set server_set 
        search-user dn cn=username,dc=C ntdb 
        search-user password 
        health-check interval-ms interval 
        initial-connections connection_count 
        max-connections maximum_connections 
        retry-count retry_count 
        retry-timer-ms retry_time 
        max-failover-connection-age-ms maximum_failover 
        binds-per-second binds 
        number-consecutive-timeout-for-bad-connection consecutive_timeout 
        connection ip_address 
          priority priority 
          connection-rule connection_type 
          auto-reconnect [ true | false ] 
          timeout-ms timeout  
          bind-timeout-ms bind_timeout 
          end 

NOTES:

• product pcf – Enters the PCF configuration mode.

• ldap replicas replica_count – Specifies the LDAP replica count. Depending on the count, the LDAP pods are created.

• ldap server-set server_set – Specifies the LDAP server set details.

• search-user dn cn=username, dc=C ntdb – Specifies the domain details.

• search-user password – Indicates the password.

• health-check interval-ms interval – Specifies the interval at which the health check should be initiated.

• initial-connections connection_count – Specifies the number of connections that can be attempted initially.

• max-connections maximum_connections – Specifies the maximum number of connections at any point of time.

• retry-count retry_count – Specifies the number of retries that the PCF Engine must attempt on a timeout.

• retry-timer-ms retry_time – Specifies the interval after which the PCF Engine must reattempt.

• max-failover-connection-age-ms maximum_failover – Specifes the maximum number of connection failures after which failover must happen

• binds-per-second binds – Specifies the interval in seconds for the bind operation.

• number-consecutive-timeout-for-bad-connection consecutive_timeout – Specifies the number of bad connections after which the timeout occurs.

• connection ip_address – Indicates the IP address of the LDAP server that attempts the connection.

• priority priority – Indicates the priority of the connection.

• connection-rule connection_type – Specifies the connection type. The default rules are "Fastest" or "Round Robin".

• auto-reconnect [ true | false ] – Specifies if the auto-connect capability should be enabled or disabled.

• timeout-ms timeout – Indicates the period between the LDAP client or endpoint when the timeout must happen.

• bind-timeout-ms bind_timeout – Specifies the bind timeout.