
LDAP Script Examples

 

Example 1: Simple Authentication

This script executes the search criteria specified in the [Search/LdapSearch1] section of the ldapauth.aut file. If the search is unsuccessful, the script prepends myco. to the username and executes the search criteria specified in the [Search/LdapSearch2] section.

Example 2: Profile Assignment

Scripts can use authentication information to determine the profile that should be assigned to a user. In this example, the script executes the query specified in the [Search/Radius] section. This query looks up an object named ProfileData that contains multiple instances of the radiusattrs attribute. The script iterates through the returned values of radiusattrs, looking for the first instance that begins with the prefix sbr-. If a matching attribute is found, the prefix is stripped from the attribute and returned as the name of the user profile.

This is the LDIF representation of the ProfileData object, showing the values of the radiusattrs attributes:

The relevant sections of the ldapauth.aut file are shown below.

Example 3: Received Attribute Normalization

Users frequently need to normalize incoming RADIUS attributes to a common format before performing an LDAP search. This example checks the length of the telephone number string in the Calling-Station-ID attribute, preserving only the final seven digits, if necessary. The truncated telephone number is saved as a new entry (Stripped-CSID) in the variable table. The value of Stripped-CSID is specified as part of the Filter parameter in the [Search/Query1] query definition. This query is executed by the script, and the resulting status code determines the script return code.
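
The normalization step described above, as an added example in standalone JavaScript. It is not code from the original page and does not use the product's script API. The function names, the `telephoneNumber` attribute, the `Map` used as the variable table and the `<Name>` placeholder syntax are assumptions. It goes beyond the text by escaping the value per RFC 4515 before it is placed in the filter, because Calling-Station-ID is supplied by the network access device and may contain filter metacharacters.

```javascript
// Added example: plain JavaScript, not the product's LDAP script API.
// The variable table is modelled as a Map (assumption).

const KEEP = 7; // the page preserves the final seven digits

// Keep only the final seven characters when the string is longer than that.
function stripCsid(csid) {
  const s = String(csid);
  return s.length > KEEP ? s.slice(-KEEP) : s;
}

// RFC 4515 escaping of an assertion value: \ * ( ) and NUL become \XX hex.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Substitute <Name> placeholders (assumed syntax) from the variable table.
// Every substituted value is escaped; an unknown name is an error, so a
// typo in the template cannot silently produce a broader search.
function buildFilter(template, vars) {
  return template.replace(/<([A-Za-z0-9-]+)>/g, (match, name) => {
    if (!vars.has(name)) throw new Error('no variable named ' + name);
    return escapeLdapFilterValue(vars.get(name));
  });
}

// Full step: store Stripped-CSID in the variable table, then build the filter.
function normalizeAndBuild(callingStationId, template) {
  const vars = new Map([['Calling-Station-ID', callingStationId]]);
  vars.set('Stripped-CSID', stripCsid(callingStationId));
  return { vars, filter: buildFilter(template, vars) };
}

// Constructed sample inputs: a long number, a seven-digit number, and a
// value carrying filter metacharacters.
const TEMPLATE = '(telephoneNumber=<Stripped-CSID>)';
for (const csid of ['16175551234', '5551234', '555*)(x']) {
  console.log(csid, '->', normalizeAndBuild(csid, TEMPLATE).filter);
}
```
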

Example 4: Conditional Profile Assignment from User Attribute

This example illustrates how you can use LDAP scripts to implement multiple queries and complex decision logic. The script starts by invoking the FindUser query to look up the specified user in the LDAP repository. Depending on the employeetype attribute returned from the first query, a second query is selected and invoked to retrieve attributes specific to the user's employee type. Finally, the Radius-Profile attribute of the employee type record is returned as the profile name for the authentication response.

The LDIF data for a sample user is as follows:

The data objects holding the “Radius-Profile” attributes associated with each employee type are retrieved:

Finally, here are the configuration settings and the LDAP search script: