LDAP Script Examples

Example 1: Simple Authentication

This script executes the search criteria specified in the [Search/LdapSearch1] section of the ldapauth.aut file. If the search is unsuccessful, the script prepends myco. to the username and executes the search criteria specified in the [Search/LdapSearch2] section.

[Script]
// Try the initial query.
var status = Ldap.Search('LdapSearch1');
if (status == Ldap.NOTFOUND) {
    // Add "myco." to the username and run the second query.
    var userName = LdapVariables.Get('User-Name');
    LdapVariables.Reset('User-Name');
    LdapVariables.Add('User-Name', 'myco.' + userName);
    status = Ldap.Search('LdapSearch2');
}
 
// Return value depends on final search status.
switch (status) {
case Ldap.FOUND:
    return SBR_RET_SUCCESS;
case Ldap.NOTFOUND:
    return SBR_RET_NOT_AUTHENTICATED;
default:
    return SBR_RET_FAILURE;
}

Example 2: Profile Assignment

Scripts can use authentication information to determine the profile that should be assigned to a user. In this example, the script executes the query specified in the [Search/Radius] section. This query looks up an object named ProfileData that contains multiple instances of the radiusattrs attribute. The script iterates through the returned values of radiusattrs, looking for the first instance that begins with the prefix sbr-. If a matching attribute is found, the prefix is stripped from the attribute and returned as the name of the user profile.

This is the LDIF representation of the ProfileData object, showing the values of the radiusattrs attributes:

dn: name=ProfileData, ou=radius, dc=funk,dc=com
name: ProfileData
objectClass: top
objectClass: radiusobject
radiusattrs: attr1
radiusattrs: attr2
radiusattrs: sbr-defaultprofile
radiusattrs: attr3

The relevant sections of the ldapauth.aut file are shown below.

[Attributes/RadiusAttrs]
radiusattrs
 
[Response]
%Profile = Return-Profile
 
[Search/Radius]
Base = ou=radius,dc=funk,dc=com
Scope = 2
Filter = name=ProfileData
Attributes = RadiusAttrs
Timeout = 20
%DN = dn
 
[Script]
// Look up "ProfileData" object using the "Radius" query.
if (Ldap.Search("Radius") == Ldap.FOUND) {
    var attr = "";
    var profile = "default";
 
    // Loop through all "radiusattrs" values; Get() returns null past the last one.
    for (var i = 0; attr != null; i++) {
        attr = LdapVariables.Get("radiusattrs", i);
        // If the prefix matches "sbr-", extract the profile name.
        if ((attr != null) && (attr.substr(0, 4) == "sbr-")) {
            profile = attr.substr(4);
            break;
        }
    }
 
    // Add profile name to the variable table and return.
    LdapVariables.Add("Return-Profile", profile);
    return SBR_RET_SUCCESS;
}
 
// Object wasn't found, so signal a failure.
return SBR_RET_FAILURE;

Example 3: Received Attribute Normalization

Users frequently need to normalize incoming RADIUS attributes to a common format before performing an LDAP search. This example checks the length of the telephone number string in the Calling-Station-ID attribute, preserving only the final seven digits, if necessary. The truncated telephone number is saved as a new entry (Stripped-CSID) in the variable table. The value of Stripped-CSID is specified as part of the Filter parameter in the [Search/Query1] query definition. This query is executed by the script, and the resulting status code determines the script return code.

[Request]
%UserName = User-Name
Calling-Station-Id = Received-CSID
 
[Search/Query1]
Base=ou=people,dc=funk,dc=com
Scope = 2
Filter = (&(uid=<User-Name>)(callingStationId=<Stripped-CSID>))
Timeout = 20
%DN = dn
 
[Script]
// Get the received Calling-Station-ID attribute.
var csid = LdapVariables.Get("Received-CSID");
 
// Check length and retain last seven digits of CSID.
var length = csid.length;
if (length > 7) {
    csid = csid.substr(length - 7);
    SbrWriteToLog("Shortened CSID to: " + csid);
}
 
// Save result to variable table so we can search on it.
LdapVariables.Add("Stripped-CSID", csid);
 
// Perform the search with normalized CSID.
var status = Ldap.Search("Query1");
 
// Generate return code based on search result.
if (status == Ldap.FOUND) {
return SBR_RET_SUCCESS;
}
return SBR_RET_NOT_AUTHENTICATED;
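The script above keeps the last seven characters of Calling-Station-Id and substitutes the result, together with User-Name, into the Filter of [Search/Query1]. Two additions a practitioner would want: reduce the number to digits only before truncating, since received CSIDs often carry separators, and escape every value substituted into an LDAP filter as RFC 4515 requires, so that a value containing filter metacharacters (`*`, `(`, `)`, `\`, NUL) is matched literally instead of being parsed as filter syntax. The following is an added example, not code from the SBR documentation; `normalizeCsid`, `escapeFilterValue` and `buildQuery1Filter` are hypothetical helper names, and the filter string is the one from the [Search/Query1] section on the page.

```javascript
// Added example: input normalization and RFC 4515 filter escaping for values
// that an SBR LDAP script substitutes into a search filter.
// Helper names are hypothetical; they are not part of the SBR script API.

// Reduce a received Calling-Station-Id to its last seven digits.
// Separators such as "-", " ", "+" and "(" are dropped before truncation, so
// "+1 (555) 123-4567" and "5551234567" both normalize to "1234567".
function normalizeCsid(csid) {
  if (csid === null || csid === undefined) {
    return "";
  }
  var digits = String(csid).replace(/\D/g, "");
  return digits.length > 7 ? digits.slice(-7) : digits;
}

// Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
// Each of * ( ) \ and NUL becomes a backslash followed by its two-digit hex
// code, so the value can only ever match literally.
function escapeFilterValue(value) {
  var out = "";
  var s = String(value);
  for (var i = 0; i < s.length; i++) {
    var c = s.charAt(i);
    switch (c) {
      case "*":      out += "\\2a"; break;
      case "(":      out += "\\28"; break;
      case ")":      out += "\\29"; break;
      case "\\":     out += "\\5c"; break;
      case "\u0000": out += "\\00"; break;
      default:       out += c;
    }
  }
  return out;
}

// Build the same filter as [Search/Query1] on the page, with both substituted
// values normalized and escaped before they are placed in the filter.
function buildQuery1Filter(userName, receivedCsid) {
  var uid = escapeFilterValue(userName);
  var csid = escapeFilterValue(normalizeCsid(receivedCsid));
  return "(&(uid=" + uid + ")(callingStationId=" + csid + "))";
}
```

In an SBR script the escaped values would be stored with `LdapVariables.Add` under the names the Filter parameter references (for example `Stripped-CSID`), so the substitution in the .aut file picks up the safe form.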

Example 4: Conditional Profile Assignment from User Attribute

This example illustrates how you can use LDAP scripts to implement multiple queries and complex decision logic. The script starts by invoking the FindUser query to look up the specified user in the LDAP repository. Depending on the employeetype attribute returned from the first query, a second query is selected and invoked to retrieve attributes specific to the user's employee type. Finally, the Radius-Profile attribute of the employee type record is returned as the profile name for the authentication response.

The LDIF data for a sample user is as follows:

dn: uid=SStudent, ou=People, dc=funk,dc=com
employeeType: Student
uid: SStudent
userPassword:: e1NTSEF9cTZvdFFOYXArcFowaG5rOWJQU3dZYlExbkFIL1doMXBnMlR4==
objectClass: Sam
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Student
cn: Sam Student

The data objects holding the Radius-Profile attribute for each employee type are as follows:

dn: ou=radius, dc=funk,dc=com
ou: radius
objectClass: top
objectClass: organizationalunit
 
dn: name=VendorType, ou=radius, dc=funk,dc=com
Radius-Profile: Vendor-Profile
name: VendorType
objectClass: top
objectClass: radius
 
dn: name=FacultyType, ou=radius, dc=funk,dc=com
Radius-Profile: Faculty-Profile
name: FacultyType
objectClass: top
objectClass: radius
 
dn: name=StudentType, ou=radius, dc=funk,dc=com
Radius-Profile: Student-Profile
name: StudentType
objectClass: top
objectClass: radius

Finally, here are the configuration settings and the LDAP search script:

[Request]
%UserName = User-Name
 
[Response]
%Profile = Radius-Profile
%Password = userpassword
 
[Attributes/UserAttributes]
employeetype
userpassword
 
[Attributes/TypeAttributes]
radius-profile
 
[Search/FindUser]
Base=ou=people,dc=funk,dc=com
Scope = 2
Filter = uid=<User-Name>
Attributes = UserAttributes
Timeout = 20
%DN = dn
 
[Search/Student]
Base=ou=radius,dc=funk,dc=com
Scope = 2
Filter = name=StudentType
Attributes = TypeAttributes
Timeout = 20
 
[Search/Faculty]
Base=ou=radius,dc=funk,dc=com
Scope = 2
Filter = name=FacultyType
Attributes = TypeAttributes
Timeout = 20
 
[Search/Vendor]
Base=ou=radius,dc=funk,dc=com
Scope = 2
Filter = name=VendorType
Attributes = TypeAttributes
Timeout = 20
 
[Script]
// Look up the specified user in the LDAP repository.
var status = Ldap.Search("FindUser");
if (status != Ldap.FOUND) {
    return SBR_RET_NOT_AUTHENTICATED;
}
 
// Get the employeetype attribute from the query result.
var type = LdapVariables.Get("employeetype");
 
// Execute query to look up employee type object.
switch (type) {
case "Student":
    status = Ldap.Search("Student");
    break;
case "Faculty":
    status = Ldap.Search("Faculty");
    break;
case "Vendor":
    status = Ldap.Search("Vendor");
    break;
default:
    SbrWriteToLog("Invalid employee type: " + type);
    return SBR_RET_DO_NOT_AUTHENTICATE;
}
 
// This error should never happen.
if (status != Ldap.FOUND) {
    SbrWriteToLog("No record for employee type: " + type);
    return SBR_RET_DO_NOT_AUTHENTICATE;
}
 
// Get the profile name for this employee type. The attribute is listed as
// "radius-profile" in [Attributes/TypeAttributes], so that is the variable name.
var profile = LdapVariables.Get("radius-profile");
if (profile == null) {
    profile = "Default-Profile";
}
 
// Save profile name to variable table and return.
LdapVariables.Add("Radius-Profile", profile);
return SBR_RET_SUCCESS;
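Decision logic like that of Example 2 and Example 4 is easiest to get right when it can be exercised before it is deployed. The following is an added example, not code from the SBR documentation: `MockLdapVariables` and `makeMockLdap` are assumed stand-ins for the LdapVariables and Ldap objects the scripts call, the `SBR_RET_*` and `LDAP_*` values are constructed constants, and the in-memory directory holds the LDIF entries shown on the page (plus one constructed user, CContractor, whose employee type has no query) reduced to the attributes the queries use. `assignProfileByType` replays the Example 4 script, including its default-deny paths, and `selectProfileFromRadiusAttrs` replays the Example 2 loop over the multi-valued radiusattrs attribute.

```javascript
// Added example: an offline harness for the Example 2 and Example 4 decision
// logic. The mocks are assumptions for testing, not the SBR implementation.

var SBR_RET_SUCCESS = 0;               // constructed stand-ins for the SBR return codes
var SBR_RET_NOT_AUTHENTICATED = 1;
var SBR_RET_DO_NOT_AUTHENTICATE = 2;
var LDAP_FOUND = "FOUND";              // constructed stand-ins for Ldap.FOUND / Ldap.NOTFOUND
var LDAP_NOTFOUND = "NOTFOUND";

// Constructed directory from the page's LDIF samples: DN -> attributes (values as arrays).
var directory = {
  "uid=SStudent,ou=People,dc=funk,dc=com":     { uid: ["SStudent"], employeetype: ["Student"] },
  "uid=CContractor,ou=People,dc=funk,dc=com":  { uid: ["CContractor"], employeetype: ["Contractor"] },
  "name=StudentType,ou=radius,dc=funk,dc=com": { name: ["StudentType"], "radius-profile": ["Student-Profile"] },
  "name=FacultyType,ou=radius,dc=funk,dc=com": { name: ["FacultyType"], "radius-profile": ["Faculty-Profile"] },
  "name=VendorType,ou=radius,dc=funk,dc=com":  { name: ["VendorType"], "radius-profile": ["Vendor-Profile"] },
  "name=ProfileData,ou=radius,dc=funk,dc=com": { name: ["ProfileData"],
      radiusattrs: ["attr1", "attr2", "sbr-defaultprofile", "attr3"] }
};

// The page's [Search/...] sections as single equality filters: a literal value,
// or the name of a variable whose current value is substituted.
var queries = {
  FindUser: { attr: "uid",  variable: "User-Name" },
  Student:  { attr: "name", literal: "StudentType" },
  Faculty:  { attr: "name", literal: "FacultyType" },
  Vendor:   { attr: "name", literal: "VendorType" },
  Radius:   { attr: "name", literal: "ProfileData" }
};

// Variable table with the Get/Add/Reset calls the scripts use; Get(name, i)
// returns null once i runs past the last value, as the Example 2 loop relies on.
function MockLdapVariables() { this.table = {}; }
MockLdapVariables.prototype.Get = function (name, index) {
  var values = this.table[name.toLowerCase()];
  var i = index || 0;
  return values && i < values.length ? values[i] : null;
};
MockLdapVariables.prototype.Add = function (name, value) {
  var key = name.toLowerCase();
  if (!this.table[key]) this.table[key] = [];
  this.table[key].push(value);
};
MockLdapVariables.prototype.Reset = function (name) { delete this.table[name.toLowerCase()]; };

// Mock Ldap.Search: evaluate the named query and copy the matching entry's
// attributes into the variable table, as the real search does for listed attributes.
function makeMockLdap(vars) {
  return {
    Search: function (queryName) {
      var q = queries[queryName];
      var want = q.literal !== undefined ? q.literal : vars.Get(q.variable);
      for (var dn in directory) {
        var entry = directory[dn];
        if (entry[q.attr] && entry[q.attr][0] === want) {
          for (var attr in entry) {
            for (var i = 0; i < entry[attr].length; i++) vars.Add(attr, entry[attr][i]);
          }
          return LDAP_FOUND;
        }
      }
      return LDAP_NOTFOUND;
    }
  };
}

// Example 4's logic for one User-Name. Unknown employee types and missing type
// records both deny, matching the script's SBR_RET_DO_NOT_AUTHENTICATE branches.
function assignProfileByType(userName) {
  var vars = new MockLdapVariables();
  var Ldap = makeMockLdap(vars);
  vars.Add("User-Name", userName);

  if (Ldap.Search("FindUser") !== LDAP_FOUND) return { code: SBR_RET_NOT_AUTHENTICATED };

  var type = vars.Get("employeetype");
  var queryForType = { Student: "Student", Faculty: "Faculty", Vendor: "Vendor" };
  if (!Object.prototype.hasOwnProperty.call(queryForType, type)) {
    return { code: SBR_RET_DO_NOT_AUTHENTICATE };          // unknown type: default deny
  }
  if (Ldap.Search(queryForType[type]) !== LDAP_FOUND) return { code: SBR_RET_DO_NOT_AUTHENTICATE };

  var profile = vars.Get("radius-profile") || "Default-Profile";
  return { code: SBR_RET_SUCCESS, profile: profile };
}

// Example 2's loop: the first radiusattrs value starting with "sbr-", prefix stripped.
function selectProfileFromRadiusAttrs() {
  var vars = new MockLdapVariables();
  var Ldap = makeMockLdap(vars);
  if (Ldap.Search("Radius") !== LDAP_FOUND) return null;
  var profile = "default";
  for (var i = 0, attr = ""; attr !== null; i++) {
    attr = vars.Get("radiusattrs", i);
    if (attr !== null && attr.substr(0, 4) === "sbr-") { profile = attr.substr(4); break; }
  }
  return profile;
}
```

The table-driven `queryForType` map replaces the switch on the page with an explicit allow-list, which keeps the "anything not listed is denied" behaviour visible in one place when new employee types are added.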

Modified: 2018-01-11