3.55. <AuthBy LDAPRADIUS>

This clause proxies requests to one or more target RADIUS servers. The target host is determined by a lookup in an LDAP database. This allows the easy management of large numbers of downstream RADIUS servers, such as in a wholesale ISP. It inherits from both LDAP and <AuthBy RADIUS>.
<AuthBy LDAPRADIUS> runs the SearchFilter query to determine the details of the target RADIUS server until either an acknowledgment is received from the target or NumHosts is exceeded. This permits fallback RADIUS servers to be configured.
SearchFilter can be configured to select the target RADIUS server based on any attribute in the incoming request. The default is the user's Realm, but other possibilities, such as Called-Station-Id, may be more useful for your organisation.
Tip
There is a sample LDAP schema for OpenLDAP in goodies/radiator-ldap.schema in your Radiator distribution. This schema is compatible with the default behaviour of SearchFilter and HostAttrDef, allowing the selection of a target host primarily based on Realm.
Tip
If SearchFilter fails to find any matching LDAP records, <AuthBy LDAPRADIUS> attempts to proxy according to any <Host xxxxxx> clauses contained within the <AuthBy LDAPRADIUS> clause. For more information, see Section 3.43. <Host xxxxxx> within <AuthBy RADIUS>. This permits unknown realms to be proxied to a catchall target server, such as GoRemote (GRIC) and IPASS.
This clause supports all the common LDAP configuration parameters. For more information about the LDAP configuration parameters, see Section 3.9. LDAP configuration.
<AuthBy LDAPRADIUS> also understands the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

3.55.1. BaseDN

This is the base DN where searches are made. It is used in the same way as in all other LDAP modules. For more information, see Section 3.9.1. BaseDN.
Special formatting characters are permitted. %0 is replaced by the host counter, an integer that starts at 1 and counts the searches made for a given request. %1 is replaced by the realm of the user name in the current request.

3.55.2. SearchFilter

This parameter specifies the LDAP search filter that is used to find the LDAP records containing remote RADIUS server data. The default value is (oscRadiusTarget=%1), which is compatible with the example schema provided in goodies/radiator-ldap.schema, and selects a record where oscRadiusTarget matches the user's realm.
SearchFilter can contain any of the special characters. For more information, see Section 3.3. Special formatters. %0 is replaced by the host counter, an integer that starts at 1 and counts the searches made for a given request. %1 is replaced by the realm of the user name in the current request. Use %0 to select a different record each time SearchFilter is run for a given request, allowing you to choose, for example, a primary or a secondary server.

3.55.3. NumHosts

This parameter defines the maximum number of times that SearchFilter will be called for a given request. If NumHosts is exceeded for a given request, the proxying of the request fails. Defaults to 1. The current count is available as %0 in SearchFilter and HostAttrDef.

3.55.4. HostAttrDef

This optional parameter specifies which attributes to get from an LDAP record and how they are to be used to set the parameters of the Radiator Host clause for proxying. The format is
HostAttrDef ldapattrname,hostparamname
where ldapattrname is the name of the LDAP attribute to fetch and hostparamname is the name of the Radiator Host clause parameter it will be used to set. For more information about the available hostparamname values, see Section 3.43. <Host xxxxxx> within <AuthBy RADIUS>. If hostparamname is ‘failurePolicy’, the attribute specifies how AuthBy LDAPRADIUS replies to the originating NAS if no reply is heard from any remote server for this request. The following values are supported:
  • 0 ACCEPT
  • 1 REJECT
  • 2 IGNORE
  • 3 CHALLENGE
  • 4 REJECT_IMMEDIATE
The default behaviour if no reply is heard from any remote server is to not reply to the NAS. This will usually cause the NAS to re-send the request to its secondary RADIUS server.
In HostAttrDef, the ldapattrname may contain special characters, and %0 is replaced by hostCounter, an integer which starts at 1 and increases by one each time a search is made for a given request. You can use that mechanism to fetch different LDAP attributes for the primary, secondary etc. RADIUS servers.
If no HostAttrDef lines are specified, the default is the equivalent of the following, which is compatible with the sample OpenLDAP schema in goodies/radiator-ldap.schema. Note that not all of these LDAP attributes are required to be present in a record. The minimum set required is Host and Secret. Host can be an IPv4 or IPv6 address.
HostAttrDef oscRadiusHost,Host
HostAttrDef oscRadiusSecret,Secret
HostAttrDef oscRadiusAuthPort,AuthPort
HostAttrDef oscRadiusAcctPort,AcctPort
HostAttrDef oscRadiusRetries,Retries
HostAttrDef oscRadiusRetryTimeout,RetryTimeout
HostAttrDef oscRadiusUseOldAscendPasswords,UseOldAscendPasswords
HostAttrDef oscRadiusServerHasBrokenPortNumbers,ServerHasBrokenPortNumbers
HostAttrDef oscRadiusServerHasBrokenAddresses,ServerHasBrokenAddresses
HostAttrDef oscRadiusIgnoreReplySignature,IgnoreReplySignature
HostAttrDef oscRadiusFailurePolicy,failurePolicy
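The following is an added example of a complete <AuthBy LDAPRADIUS> clause tying the parameters above together; it is not taken from the Radiator distribution. It assumes the attribute names from goodies/radiator-ldap.schema, one hypothetical extra attribute (oscRadiusPriority, 1 for the primary and 2 for the secondary target) added to each record so that %0 can select between them, and placeholder host names and secrets.

```text
# Added example (not from the Radiator distribution). Placeholders are
# marked in capitals; oscRadiusPriority is a hypothetical attribute.
<Handler>
    <AuthBy LDAPRADIUS>
        # Common LDAP parameters (Section 3.9). Note that Host here is
        # the LDAP server, not a RADIUS target.
        Host            ldap.example.com
        AuthDN          cn=radiator,dc=example,dc=com
        AuthPassword    LDAP-BIND-PASSWORD-PLACEHOLDER
        BaseDN          ou=radius-targets,dc=example,dc=com

        # Search at most twice per request: %0 is the host counter
        # (1 on the first search, 2 on the second), %1 is the realm of
        # the incoming User-Name. Priority 1 is tried first; priority 2
        # only if the primary never acknowledges.
        NumHosts        2
        SearchFilter    (&(oscRadiusTarget=%1)(oscRadiusPriority=%0))

        # Map LDAP attributes to <Host> parameters. Host and Secret are
        # the minimum a record must carry; the others are optional.
        HostAttrDef     oscRadiusHost,Host
        HostAttrDef     oscRadiusSecret,Secret
        HostAttrDef     oscRadiusAuthPort,AuthPort
        HostAttrDef     oscRadiusAcctPort,AcctPort
        HostAttrDef     oscRadiusRetries,Retries
        HostAttrDef     oscRadiusRetryTimeout,RetryTimeout
        # If a record sets oscRadiusFailurePolicy to 1 (REJECT), the NAS
        # receives an explicit reject when neither target answers,
        # instead of the default silence.
        HostAttrDef     oscRadiusFailurePolicy,failurePolicy

        # Used only when SearchFilter matches no record (unknown realm).
        <Host catchall.example.com>
            Secret      CATCHALL-SECRET-PLACEHOLDER
            AuthPort    1812
            AcctPort    1813
        </Host>
    </AuthBy>
</Handler>

# A matching directory record for realm example.net might look like this
# (LDIF, shown as a comment; the second record would carry
# oscRadiusPriority: 2 and the secondary server's details):
#   dn: cn=example.net-1,ou=radius-targets,dc=example,dc=com
#   oscRadiusTarget: example.net
#   oscRadiusPriority: 1
#   oscRadiusHost: radius1.example.net
#   oscRadiusSecret: TARGET-SECRET-PLACEHOLDER
#   oscRadiusFailurePolicy: 1
```

Because the shared secret and the forwarding destination are read from the directory for every request, the records under BaseDN should be writable only by the directory administrators and the bind DN should have read-only access to them.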