This optional parameter allows you to specify LDAP attributes to use as general check and reply items during authentication. AuthAttrDef is more general and useful than CheckAttr and ReplyAttr, and should be used in preference to them.
Using AuthAttrDef you can specify multiple LDAP attributes and tell Radiator to use them as check or reply items during authentication. You can specify any number of AuthAttrDef parameters, one for each check or reply attribute in your LDAP database. The general format is:
AuthAttrDef ldapattributename[, radiusattributename, type[, formatted]]
ldapattributename is the name of the LDAP attribute that is used as the check or reply item. If it is multi-valued, and this is a check item, then Radiator permits a match with any one of the values.
radiusattributename is the name of the RADIUS attribute that is used as the check or reply item. The special radiusattributename ‘GENERIC’ indicates that it is a list of comma separated attribute=value pairs, similar to ReplyAttr or CheckAttr.
type indicates whether it is a check or reply item. It consists of the word “check” or the word “reply”. If type is “request” the value is saved in the current request, from where it can be later collected with a special formatting macro like: %{attributename}.
formatted indicates that the LDAP attributes are to be subject to special character processing before being used.
Tip
The radiusattributename and type fields are optional. If they are not specified, then the ldapattributename attribute is fetched from LDAP, but the fetched value of that attribute is not used. This can be helpful to avoid receiving all attributes from the server, or for some types of LDAP query where they can be used with PostSearchHook.
Example
Fetch the LDAP attribute called calledstationid, and use it as a check item against the RADIUS Called-Station-Id:
AuthAttrDef calledstationid,Called-Station-Id,check
Example
Check the RADIUS Service-Type matches the LDAP attribute called servicetype, and return the LDAP attribute called address as a static IP address (after special character replacements):
AuthAttrDef servicetype,Service-Type,check
AuthAttrDef address,Framed-IP-Address,reply,formatted
Example
During LDAP authentication, save 2 LDAP attributes into the
current request:
# Put poolhint attribute into the request:
AuthAttrDef radiusUserPoolHint, X-userPoolHint, request
# Put Group Name attribute into the Request:
AuthAttrDef radiusSimultaneousUseGroupName,X-GroupName, request
Then use those attributes in a later AuthBy FILE:
fred Group=%{X-GroupName}
    PoolHint=%{X-userPoolHint}
Example
Check items handle multi-valued LDAP attributes in a special way: by permitting a match with any one of the multiple values. For example, suppose you had a callingstation LDAP attribute that could be multi-valued, and into which you put all the numbers the user was permitted to call from (as a separate value for each number), then you would use:
AuthAttrDef callingstation,Calling-Station-Id,check
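The check, reply and request handling described on this page, including the any-one-value match for multi-valued check items, as an added Python model (not Radiator code and not from the Radiator documentation). It assumes exact string comparison for check items, uses the first value for reply and request items, rejects when a checked LDAP attribute is absent, and does not model formatted or GENERIC processing; the function names, the description attribute and all sample values are constructed.

```python
# Simplified model of the AuthAttrDef semantics described on this page.
# Not Radiator code; function names and sample data are constructed.

def parse_authattrdef(line):
    """Parse 'AuthAttrDef ldapattr[, radiusattr, type[, formatted]]'."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0] != "AuthAttrDef":
        raise ValueError("not an AuthAttrDef line: %r" % line)
    fields = [f.strip() for f in parts[1].split(",")]
    if len(fields) not in (1, 3, 4):
        raise ValueError("expected 1, 3 or 4 fields: %r" % line)
    ldap, radius, kind = (fields + [None, None])[:3]
    if kind not in (None, "check", "reply", "request"):
        raise ValueError("unknown type %r" % kind)
    formatted = len(fields) == 4 and fields[3] == "formatted"
    return {"ldap": ldap, "radius": radius, "type": kind, "formatted": formatted}

def evaluate(defs, ldap_entry, request):
    """Return (accepted, reply_items); 'request' items are stored in request."""
    replies = {}
    for d in defs:
        values = ldap_entry.get(d["ldap"], [])
        if d["type"] == "check":
            # Multi-valued check item: a match with any one value is enough.
            # Absent LDAP attribute: not described on the page; this model rejects.
            if request.get(d["radius"]) not in values:
                return False, {}
        elif d["type"] == "reply" and values:
            replies[d["radius"]] = values[0]   # model assumption: first value
        elif d["type"] == "request" and values:
            request[d["radius"]] = values[0]   # later read as %{radiusattr}
        # type None: the attribute is fetched but its value is not used
    return True, replies

CONFIG = """\
AuthAttrDef callingstation,Calling-Station-Id,check
AuthAttrDef address,Framed-IP-Address,reply,formatted
AuthAttrDef radiusUserPoolHint, X-userPoolHint, request
AuthAttrDef description
"""
DEFS = [parse_authattrdef(l) for l in CONFIG.splitlines()]
# Constructed LDAP entry: attribute name -> list of values.
ENTRY = {"callingstation": ["5550100", "5550101"], "address": ["192.0.2.10"],
         "radiusUserPoolHint": ["pool-a"], "description": ["fetched, unused"]}

def demo(calling_station_id):
    request = {"User-Name": "fred", "Calling-Station-Id": calling_station_id}
    accepted, replies = evaluate(DEFS, ENTRY, request)
    return accepted, replies, request.get("X-userPoolHint")
```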