Subscriber Classification Targets
The target of the subscriber classification script is an LDAP search string. The search string uses a syntax similar to an LDAP URL (see RFC 2255—The LDAP URL Format (December 1997)).
The syntax is:
baseDN—Distinguished name of object where the LDAP search starts
attributes—Can be used to override attributes in the loaded LDAP object. For example, for static IP subscribers the SAE must learn the IP address assigned to a particular subscriber. This address is defined in the ipAddress attribute of the subscriber profile. A target of the form baseDN?ipAddress=<-function(interfaceName)-> invokes function after the subscriber profile is loaded from LDAP and sets the IP address to the return value of function. The function is defined in the subscriber classification script, and can be used for a variety of things; for example, to query an external database.
You can use subscriber classification to override only the ipAddress, loginName, or accountingId attributes. If you configure values to override other attributes, the value is lost when the SAE recovers from a network or server failure.
scope—Scope of search
base—Default. Searches the base DN only.
one—Searches the direct children of the base DN.
sub—Searches the complete subtree below the base DN.
filter—RFC 2254–style LDAP search filter expression; for example, (uniqueId=<-userName->). See RFC 2254—The String Representation of LDAP Search Filters (December 1997).
With the exception of baseDN, all the fields are optional.
With the set shared sae subscriber-classifier rule name target command, you can either enter the fields using this syntax or type the ? symbol to see the fields that you can use to set the target for the rule. The fields listed depend on the configured subscriber level.
For example, to display a list of all the possible fields that you can define to find a target (an LDAP query), type ? with the set shared sae subscriber-classifier rule name target command.
The result of the LDAP search must be exactly one directory object. If no object or more than one object is found, the subscriber session is terminated.
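The following Python sketch is an added example, not code from the SRC software or its documentation. It parses a target, escapes a subscriber-supplied value per RFC 2254 before it is placed in the filter, and enforces the exactly-one-object rule. It assumes the fields are separated by ? in the order listed above, as in an LDAP URL; the function names, base DN, and user name are hypothetical.

```python
# Added example, not SRC/SAE code. Assumes '?'-separated fields in the
# order baseDN, attributes, scope, filter (as in an LDAP URL).
import re

SCOPES = ("base", "one", "sub")
# Characters that RFC 2254 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PLACEHOLDER = re.compile(r"<-(\w+)->")   # simple <-name-> substitutions only


def escape_filter_value(value):
    """Escape a subscriber-supplied value so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_target(target):
    """Split a target into its four fields; only baseDN is mandatory."""
    parts = target.split("?", 3)
    parts += [""] * (4 - len(parts))
    base_dn, attributes, scope, ldap_filter = (p.strip() for p in parts)
    if not base_dn:
        raise ValueError("baseDN is mandatory")
    scope = scope or "base"               # base is the default scope
    if scope not in SCOPES:
        raise ValueError("scope must be base, one or sub, got %r" % scope)
    return {"baseDN": base_dn, "attributes": attributes or None,
            "scope": scope, "filter": ldap_filter or None}


def expand_filter(template, fields):
    """Replace <-name-> placeholders with escaped values from fields."""
    return _PLACEHOLDER.sub(
        lambda m: escape_filter_value(fields[m.group(1)]), template)


def select_single(entries):
    """Accept a search result only if it is exactly one directory object."""
    if len(entries) != 1:
        raise LookupError("expected 1 object, found %d" % len(entries))
    return entries[0]


if __name__ == "__main__":
    # Constructed sample target and login name.
    t = parse_target("o=Users,o=umc??sub?(uniqueId=<-userName->)")
    print(t["scope"], expand_filter(t["filter"], {"userName": "j*doe(vpn)"}))
    # -> sub (uniqueId=j\2adoe\28vpn\29)
```

Without the escaping step, filter metacharacters in a login name would change what the search matches, and a search that returns more than one object terminates the subscriber session.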