3.47.7. AuthAttrDef

This optional parameter allows you to specify LDAP attributes to use as general check and reply items during authentication. AuthAttrDef is more general and useful than CheckAttr and ReplyAttr, and should be used in preference to them.
Using AuthAttrDef you can specify multiple LDAP attributes and tell Radiator to use them as check or reply items during authentication.
You can specify any number of AuthAttrDef parameters, one for each check or reply attribute in your LDAP database. The general format is:
AuthAttrDef ldapattributename[, radiusattributename, type[, formatted]]
  • ldapattributename is the name of the LDAP attribute to be used as the check or reply item. If it is multi-valued, and this is a check item, then Radiator will permit a match with any one of the values.
  • radiusattributename is the name of the RADIUS attribute that will be used as the check or reply item. The special radiusattributename ‘GENERIC’ indicates that it is a list of comma separated attribute=value pairs, similar to ReplyAttr or CheckAttr.
  • type indicates whether it is a check or reply item. It consists of the word “check” or the word “reply”. If type is “request” the value is saved in the current request, from where it can be later collected with a special formatting macro like: %{attributename}.
  • formatted indicates that the LDAP attributes are to be subject to special character processing before being used.
Tip
The radiusattributename and type fields are optional. If they are not specified, then the ldapattributename attribute will be fetched from LDAP, but the fetched value of that attribute will not be used. This can be helpful for some types of LDAP query.

Example

Fetch the LDAP attribute called calledstationid, and use it as a check item against the RADIUS Called-Station-Id:
AuthAttrDef       calledstationid,Called-Station-Id,check

Example

Check that the RADIUS Service-Type matches the LDAP attribute called servicetype, and return the LDAP attribute called address as a static IP address (after special character replacements):
AuthAttrDef       servicetype,Service-Type,check
AuthAttrDef       address,Framed-IP-Address,reply,formatted

Example

During LDAP authentication, save 2 LDAP attributes into the current request:
# Put poolhint attribute into the request:
AuthAttrDef radiusUserPoolHint, X-userPoolHint, request
# Put Group Name attribute into the Request:
AuthAttrDef radiusSimultaneousUseGroupName,X-GroupName, request
Then use those attributes in a later AuthBy FILE:
fred        Group=%{X-GroupName}
            PoolHint=%{X-userPoolHint}

Example

Check items handle multi-valued LDAP attributes in a special way: by permitting a match with any one of the multiple values. For example, suppose you had a callingstation LDAP attribute that could be multi-valued, and into which you put all the numbers the user was permitted to call from (as a separate value for each number), then you would use:
AuthAttrDef callingstation,Calling-Station-Id,check
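
The following Python sketch is an added illustration, not Radiator's own code: it models how the AuthAttrDef lines above sort LDAP values into check, reply and request items, including the any-one-value match for multi-valued check attributes. It assumes exact string comparison and that an LDAP attribute absent from the entry contributes no item; the sample entry and the mail attribute are constructed.

```python
# Simplified model of the AuthAttrDef semantics described above.
# Not Radiator code; GENERIC expansion and "formatted" processing are not modelled.
KINDS = ("check", "reply", "request")

def parse_authattrdef(line):
    """Parse 'AuthAttrDef ldapattr[, radiusattr, type[, formatted]]'."""
    parts = line.split(None, 1)
    if len(parts) != 2 or parts[0] != "AuthAttrDef":
        raise ValueError("not an AuthAttrDef line: %r" % line)
    fields = [f.strip() for f in parts[1].split(",")]
    if len(fields) not in (1, 3, 4) or not all(fields):
        raise ValueError("expected 1, 3 or 4 fields: %r" % line)
    if len(fields) == 1:
        return fields[0], None, None, False  # fetched from LDAP but not used
    if fields[2] not in KINDS:
        raise ValueError("type must be one of %s: %r" % (KINDS, line))
    if len(fields) == 4 and fields[3] != "formatted":
        raise ValueError("fourth field must be 'formatted': %r" % line)
    return fields[0], fields[1], fields[2], len(fields) == 4

def evaluate(lines, ldap_entry, request):
    """ldap_entry: attribute name -> list of values; request: RADIUS attr -> value.
    Returns (checks_pass, reply_items, saved_in_request)."""
    checks_pass, reply, saved = True, {}, {}
    for line in lines:
        ldap_attr, radius_attr, kind, _formatted = parse_authattrdef(line)
        values = ldap_entry.get(ldap_attr, [])
        if kind is None or not values:
            continue  # assumption: an absent LDAP attribute contributes no item
        if kind == "check":
            # Multi-valued check item: a match with any one value is enough.
            # Assumption: comparison is exact string equality.
            if request.get(radius_attr) not in values:
                checks_pass = False
        elif kind == "reply":
            reply[radius_attr] = list(values)
        else:  # "request": later readable as %{radius_attr}
            saved[radius_attr] = list(values)
    return checks_pass, reply, saved

# Constructed sample data reusing attribute names from the examples above.
DEFS = ["AuthAttrDef callingstation,Calling-Station-Id,check",
        "AuthAttrDef       address,Framed-IP-Address,reply,formatted",
        "AuthAttrDef radiusUserPoolHint, X-userPoolHint, request",
        "AuthAttrDef mail"]
ENTRY = {"callingstation": ["5551000", "5552000"], "address": ["192.0.2.10"],
         "radiusUserPoolHint": ["poolA"], "mail": ["fred@example.com"]}
```

Because any one value of a multi-valued check attribute is sufficient, every value stored in that LDAP attribute widens what the user is permitted to match, so write access to it deserves the same care as the policy itself.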