3.47.7. AuthAttrDef

This optional parameter allows you to specify LDAP attributes to use as general check and reply items during authentication. AuthAttrDef is more general and useful than CheckAttr and ReplyAttr, and should be used in preference to them.
Using AuthAttrDef you can specify multiple LDAP attributes and tell Radiator to use them as check or reply items during authentication.
You can specify any number of AuthAttrDef parameters, one for each check or reply attribute in your LDAP database. The general format is:
AuthAttrDef ldapattributename[, radiusattributename, type[, formatted]]
  • ldapattributename is the name of the LDAP attribute that is used as the check or reply item. If it is multi-valued, and this is a check item, then Radiator permits a match with any one of the values.
  • radiusattributename is the name of the RADIUS attribute that is used as the check or reply item. The special radiusattributename ‘GENERIC’ indicates that it is a list of comma separated attribute=value pairs, similar to ReplyAttr or CheckAttr.
  • type indicates whether it is a check or reply item. It consists of the word “check” or the word “reply”. If type is “request”, the value is saved in the current request, from where it can later be collected with a special formatting macro such as %{attributename}.
  • formatted indicates that the LDAP attributes are to be subject to special character processing before being used.
Tip
The radiusattributename and type fields are optional. If they are not specified, then the ldapattributename attribute is fetched from LDAP, but the fetched value of that attribute is not used. This can be helpful to avoid receiving all attributes from the server, or for some types of LDAP query where the fetched attributes can be used with PostSearchHook.

Example

Fetch the LDAP attribute called calledstationid, and use it as a check item against the RADIUS Called-Station-Id:
AuthAttrDef       calledstationid,Called-Station-Id,check

Example

Check that the RADIUS Service-Type matches the LDAP attribute called servicetype, and return the LDAP attribute called address as a static IP address (after special character replacements):
AuthAttrDef       servicetype,Service-Type,check
AuthAttrDef       address,Framed-IP-Address,reply,formatted

Example

During LDAP authentication, save 2 LDAP attributes into the current request:
# Put poolhint attribute into the request:
AuthAttrDef radiusUserPoolHint, X-userPoolHint, request
# Put Group Name attribute into the Request:
AuthAttrDef radiusSimultaneousUseGroupName,X-GroupName, request
Then use those attributes in a later AuthBy FILE:
fred        Group=%{X-GroupName}
            PoolHint=%{X-userPoolHint}

Example

Check items handle multi-valued LDAP attributes in a special way: by permitting a match with any one of the multiple values. For example, suppose you had a callingstation LDAP attribute that could be multi-valued, and into which you put all the numbers the user was permitted to call from (as a separate value for each number), then you would use:
AuthAttrDef callingstation,Calling-Station-Id,check
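
The field layout and the any-one-of-the-values rule for check items, as an added Python sketch for reviewing a configuration (not Radiator code and not part of the Radiator documentation). The function names, the description attribute and the sample directory entry and request are constructed for illustration; matching is simplified to exact string equality and GENERIC definitions are skipped.

```python
VALID_TYPES = {"check", "reply", "request"}

def parse_authattrdef(line):
    """Parse 'AuthAttrDef ldapattr[, radiusattr, type[, formatted]]'."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "AuthAttrDef":
        raise ValueError(f"not an AuthAttrDef line: {line!r}")
    fields = [f.strip() for f in parts[1].split(",")]
    if len(fields) == 1:
        # Fetch-only form: the attribute is retrieved, its value is not used.
        return {"ldap": fields[0], "radius": None, "type": None, "formatted": False}
    if len(fields) not in (3, 4) or fields[2] not in VALID_TYPES:
        raise ValueError(f"bad field count or type: {line!r}")
    if len(fields) == 4 and fields[3] != "formatted":
        raise ValueError(f"fourth field must be 'formatted': {line!r}")
    return {"ldap": fields[0], "radius": fields[1], "type": fields[2],
            "formatted": len(fields) == 4}

def evaluate_checks(defs, ldap_entry, request):
    """Report each check item as match / mismatch / no-ldap-value.

    Simplified model: exact equality against any one LDAP value. The page
    does not say what happens when the LDAP attribute is absent, so that
    case is reported separately instead of being treated as pass or fail.
    """
    results = {}
    for d in defs:
        if d["type"] != "check" or d["radius"] == "GENERIC":
            continue
        values = ldap_entry.get(d["ldap"], [])
        if not values:
            results[d["radius"]] = "no-ldap-value"
        elif request.get(d["radius"]) in values:
            results[d["radius"]] = "match"
        else:
            results[d["radius"]] = "mismatch"
    return results

# Constructed sample data (not from a real directory or request).
CONFIG = """\
AuthAttrDef callingstation,Calling-Station-Id,check
AuthAttrDef servicetype,Service-Type,check
AuthAttrDef address,Framed-IP-Address,reply,formatted
AuthAttrDef description
"""
DEFS = [parse_authattrdef(line) for line in CONFIG.splitlines()]
ENTRY = {"callingstation": ["5551000", "5551001"], "address": ["192.0.2.10"]}
REQUEST = {"Calling-Station-Id": "5551001", "Service-Type": "Framed-User"}

if __name__ == "__main__":
    print(evaluate_checks(DEFS, ENTRY, REQUEST))
```

The no-ldap-value result marks check definitions whose LDAP attribute is missing from the user's entry, which is worth confirming against the running server before relying on that check item as an access restriction.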