search
Defines a named LDAP search operation for querying the directory. Each search specifies a base DN, scope, filter, and result mapping. A search operation uses the shared connection pool. See connections for pool sizing.
```
search "FIND_USER" {
    base "dc=example,dc=com";
    scope sub;
    filter "(&(uid=%{aaa.identity})(objectClass=inetOrgPerson))";
    mapping {
        user.username = uid;
        vars.dn = entry::dn;
    }
}
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| base | No | Base DN for the search. Default is an empty string (directory root). |
| scope | No | Search scope. Default is base. |
| filter | Yes | LDAP search filter expression. |
| mapping { ... } | No | Maps LDAP attributes from search results to Radiator context variables. |
| authentication | No | Override server-level credentials for this search. Uses dn and password only (no SASL modes). |
base
The base distinguished name defines the starting point in the directory tree for the search. Accepts expressions with %{...} variable substitution -- special characters are automatically escaped for LDAP DN safety.
Default: Empty string (directory root).
```
search "FIND_USER" {
    base "uid=%{aaa.identity},dc=example,dc=com";
    scope base;
    filter "objectClass=inetOrgPerson";
    mapping {
        user.username = uid;
    }
}
```
scope
Controls how deep the LDAP search extends from the base DN.
| Value | Description |
|---|---|
| base | Search only the base DN entry itself. |
| one | Search one level below the base DN (immediate children). |
| sub | Search the entire subtree below the base DN. |
Default: base
filter
The LDAP search filter expression selects which entries match. Follows standard LDAP filter syntax (RFC 4515). Accepts expressions with %{...} variable substitution -- special characters are automatically escaped for LDAP filter safety.
This parameter is required. If omitted, the configuration is rejected.
```
search "FIND_USER" {
    base "dc=example,dc=com";
    scope sub;
    filter "(&(uid=%{aaa.identity})(objectClass=inetOrgPerson))";
    mapping {
        user.username = uid;
    }
}
```
mapping
Maps LDAP attributes from search result entries to Radiator context variables. Each line specifies a target variable, an operator, and a source LDAP attribute.
Operators
| Operator | Description |
|---|---|
| = | Set the target to the source value. Overwrites any existing value. |
| ?= | Set the target only if it has no value yet. Useful for fallback chains across different attribute names. |
| += | Append the source value to the target. Accumulates all values across all result entries. |
Special source attributes
| Source | Description |
|---|---|
| entry::dn | The distinguished name of the matched LDAP entry. |
Example
```
mapping {
    # entry::dn is always single-valued and unique per entry
    vars.dn = entry::dn;
    # uid is the OpenLDAP convention; sAMAccountName is the Active Directory equivalent
    user.username ?= uid;
    user.username ?= sAMAccountName;
    # += accumulates values across all result entries
    user.group += memberOf;
}
```
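The following Python model is an added illustration (not Radiator's own code) of two points from this page: the RFC 4515 escaping that the filter section says %{...} substitution applies automatically, so that a value carrying filter metacharacters cannot alter the filter's structure, and the =, ?= and += mapping operators applied across several result entries. The entry dictionaries, the sample values, and the rule that = and ?= take the first value of a multi-valued attribute are assumptions made for the example.

```python
import re

# RFC 4515 escaping for a value substituted into a filter. The page says %{...}
# substitution does this automatically; this illustration is not Radiator's code.
def escape_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def render_filter(template: str, variables: dict) -> str:
    """Replace each %{name} with the escaped value of that variable ('' if unset)."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: escape_filter_value(variables.get(m.group(1), "")),
                  template)

def apply_mapping(rules, entries):
    """Apply (target, operator, source) rules to every result entry, in order.
    entries: dicts of attribute name -> list of values, plus "dn". Assumption
    (not stated on the page): '=' and '?=' take the first value of a multi-valued
    attribute; '+=' appends every value of every entry."""
    ctx = {}
    for entry in entries:
        for target, op, source in rules:
            values = [entry["dn"]] if source == "entry::dn" else entry.get(source, [])
            if not values:
                continue          # absent attribute: rule does nothing for this entry
            if op == "=":
                ctx[target] = values[0]
            elif op == "?=":
                ctx.setdefault(target, values[0])
            elif op == "+=":
                ctx.setdefault(target, []).extend(values)
            else:
                raise ValueError("unknown mapping operator %r" % op)
    return ctx

# The page's FIND_USER filter and the mapping block from the example above
FILTER = "(&(uid=%{aaa.identity})(objectClass=inetOrgPerson))"
RULES = [("vars.dn", "=", "entry::dn"),
         ("user.username", "?=", "uid"),
         ("user.username", "?=", "sAMAccountName"),
         ("user.group", "+=", "memberOf")]
# Constructed sample entries: one AD-style (sAMAccountName), one OpenLDAP-style (uid)
ENTRIES = [
    {"dn": "cn=alice,ou=staff,dc=example,dc=com", "sAMAccountName": ["alice"],
     "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=alice,ou=contractors,dc=example,dc=com", "uid": ["alice-c"],
     "memberOf": ["cn=vpn,ou=groups,dc=example,dc=com"]},
]
```

Running apply_mapping(RULES, ENTRIES) shows = keeping the last entry's DN, ?= keeping the first username found, and += collecting memberOf values from both entries.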
authentication (per-operation)
Override the server-level authentication for this specific search operation. Only simple bind authentication (dn and password) is supported. The dn and password parameters accept expressions with %{...} variable substitution.
```
search "USER_GROUPS" {
    base "dc=example,dc=com";
    scope sub;
    filter "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=%{aaa.identity},dc=example,dc=com))";
    authentication {
        dn "cn=group-reader,dc=example,dc=com";
        password "secret";
    }
    mapping {
        user.group += cn;
    }
}
```