This optional parameter allows you to specify LDAP attributes to use as
general check and reply items during authentication. AuthAttrDef is more
general and useful than CheckAttr and ReplyAttr, and should be used in
preference to them. Using AuthAttrDef you can specify multiple LDAP
attributes and tell Radiator to use them as check or reply items during
authentication. You can specify any number of AuthAttrDef parameters, one
for each check or reply attribute in your LDAP database. The general
format is:
AuthAttrDef ldapattributename[, radiusattributename, type[, formatted]]
ldapattributename is the name of the LDAP attribute that is used as the
check or reply item. If it is multi-valued, and this is a check item, then
Radiator permits a match with any one of the values.
radiusattributename is the name of the RADIUS attribute that is used as
the check or reply item. The special radiusattributename ‘GENERIC’
indicates that it is a list of comma separated attribute=value pairs,
similar to ReplyAttr or CheckAttr.
type indicates whether it is a check or reply item. It consists of the
word “check” or the word “reply”. If type is “request” the value is saved
in the current request, from where it can be later collected with a
special formatting macro like: %{attributename}.
formatted indicates that the LDAP attributes are to be subject to special
character processing before being used.
Tip
The radiusattributename and type fields are optional. If they are not
specified, then the ldapattributename attribute is fetched from LDAP, but
the fetched value of that attribute is not used. This can be helpful to
avoid receiving all attributes from the server, or for some types of LDAP
query where they can be used with PostSearchHook.
Example
Fetch the LDAP attribute called calledstationid, and use it as a check
item against the RADIUS Called-Station-Id:
AuthAttrDef calledstationid,Called-Station-Id,check
Example
Check that the RADIUS Service-Type matches the LDAP attribute called
servicetype, and return the LDAP attribute called address as a static IP
address (after special character replacements):
AuthAttrDef servicetype,Service-Type,check
AuthAttrDef address,Framed-IP-Address,reply,formatted
Example
During LDAP authentication, save 2 LDAP attributes into the current
request:
# Put poolhint attribute into the request:
AuthAttrDef radiusUserPoolHint, X-userPoolHint, request
# Put Group Name attribute into the Request:
AuthAttrDef radiusSimultaneousUseGroupName,X-GroupName, request
Then use those attributes in a later AuthBy FILE:
fred Group=%{X-GroupName}
     PoolHint=%{X-userPoolHint}
Example
Check items handle multi-valued LDAP attributes in a special way: by
permitting a match with any one of the multiple values. For example,
suppose you had a callingstation LDAP attribute that could be
multi-valued, and into which you put all the numbers the user was
permitted to call from (as a separate value for each number), then you
would use:
AuthAttrDef callingstation,Calling-Station-Id,check
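
As an added illustration (not part of the Radiator documentation or code), the following Python model parses the AuthAttrDef format given above, lists attributes that are fetched but never used as a check or reply item, and applies the multi-valued check rule from the last example. The function names, the sample LDAP entry and the sample request are constructed for this example.

```python
# Added illustration: simplified model of the AuthAttrDef format and the
# multi-valued check rule described on this page. It is not Radiator code.
TYPES = ("check", "reply", "request")

def parse_authattrdef(line):
    """Parse 'AuthAttrDef ldapattr[, radiusattr, type[, formatted]]'."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "AuthAttrDef":
        raise ValueError("not an AuthAttrDef line: %r" % line)
    fields = [f.strip() for f in parts[1].split(",")]
    if len(fields) not in (1, 3, 4) or not all(fields):
        raise ValueError("expected 1, 3 or 4 non-empty fields: %r" % line)
    d = {"ldap": fields[0], "radius": None, "type": None, "formatted": False}
    if len(fields) >= 3:
        if fields[2] not in TYPES:
            raise ValueError("type must be check, reply or request")
        d["radius"], d["type"] = fields[1], fields[2]
    if len(fields) == 4 and fields[3] != "formatted":
        raise ValueError("fourth field must be 'formatted'")
    d["formatted"] = len(fields) == 4
    return d

def fetch_only(defs):
    """LDAP attributes that are fetched but whose value is not used."""
    return [d["ldap"] for d in defs if d["type"] is None]

def evaluate_checks(defs, ldap_entry, request):
    """Outcome per check item. A check matches when the request value equals
    any one LDAP value (exact string comparison is this model's assumption).
    The page does not define the no-value case, so it is reported, not decided."""
    outcome = {}
    for d in [d for d in defs if d["type"] == "check"]:
        values = ldap_entry.get(d["ldap"], [])
        if not values:
            outcome[d["radius"]] = "no-ldap-value"
        else:
            hit = request.get(d["radius"]) in values
            outcome[d["radius"]] = "match" if hit else "mismatch"
    return outcome

# Constructed sample data: hypothetical user entry and request.
DEFS = [parse_authattrdef(l) for l in (
    "AuthAttrDef callingstation,Calling-Station-Id,check",
    "AuthAttrDef servicetype,Service-Type,check",
    "AuthAttrDef address,Framed-IP-Address,reply,formatted",
    "AuthAttrDef radiusUserPoolHint")]
ENTRY = {"callingstation": ["5551000", "5552000"], "address": ["192.0.2.10"]}
REQUEST = {"Calling-Station-Id": "5552000", "Service-Type": "Framed-User"}
```

Calling evaluate_checks(DEFS, ENTRY, REQUEST) shows the calling number matching the second of two LDAP values, and flags Service-Type as a check item for which the sample entry carries no LDAP value.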