search
Defines a named LDAP search operation for querying the directory. Each search specifies a base DN, scope, filter, and result mapping. A search operation uses the shared connection pool. See connections for pool sizing.
search "FIND_USER" {
    base "dc=example,dc=com";
    scope sub;
    filter "(&(uid=%{aaa.identity})(objectClass=inetOrgPerson))";
    mapping {
        user.username = uid;
        vars.dn = entry::dn;
    }
}
Parameters
| Parameter | Required | Description |
|---|---|---|
| base | No | Base DN for the search. Default is an empty string (directory root). |
| scope | No | Search scope. Default is base. |
| filter | Yes | LDAP search filter expression. |
| mapping { ... } | No | Maps LDAP attributes from search results to Radiator context variables. |
| authentication | No | Override server-level credentials for this search. Uses dn and password only (no SASL modes). |
base
The base distinguished name defines the starting point in the directory tree for the search. Accepts expressions with %{...} variable substitution; special characters in substituted values are automatically escaped for LDAP DN safety.
Default: Empty string (directory root).
search "FIND_USER" {
    base "uid=%{aaa.identity},dc=example,dc=com";
    scope base;
    filter "objectClass=inetOrgPerson";
    mapping {
        user.username = uid;
    }
}
scope
Controls how deep the LDAP search extends from the base DN.
| Value | Description |
|---|---|
| base | Search only the base DN entry itself. |
| one | Search one level below the base DN (immediate children). |
| sub | Search the entire subtree below the base DN. |
Default: base
filter
The LDAP search filter expression selects which entries match. Follows standard LDAP filter syntax (RFC 4515). Accepts expressions with %{...} variable substitution; special characters in substituted values are automatically escaped for LDAP filter safety.
This parameter is required. If omitted, the configuration is rejected.
When you write the filter as a triple-quoted string for readability, Radiator removes layout-only line breaks and indentation before sending the search. RFC 4515 filter syntax does not allow whitespace between filter components, so without this step the multi-line form would not be a valid filter. This lets you format long compound filters across multiple lines without changing the effective LDAP filter.
search "FIND_USER" {
    base "dc=example,dc=com";
    scope sub;
    filter "(&(uid=%{aaa.identity})(objectClass=inetOrgPerson))";
    mapping {
        user.username = uid;
    }
}
search "FIND_USER" {
    base "dc=example,dc=com";
    scope sub;
    filter """
        (&
            (uid=%{aaa.identity})
            (objectClass=inetOrgPerson)
        )
    """;
    mapping {
        user.username = uid;
    }
}
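The two behaviours described under base and filter, escaping of substituted %{...} values and removal of layout whitespace from a triple-quoted filter, can be modelled in a few lines. The Python below is an added illustration, not Radiator's own code: it assumes RFC 4514 rules for DN values and RFC 4515 rules for filter values, and the sample identities it feeds through the page's FIND_USER filter and base templates are constructed for the demonstration.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
# Escaping '=' is optional there, but permitted, and keeps substituted values unambiguous.
_DN_SPECIAL = set('"+,;<>\\=')

# The %{name} reference syntax used in Radiator search templates.
_VAR = re.compile(r"%\{([A-Za-z0-9_.]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape one substituted value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape one substituted value for use as an attribute value in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)  # leading space or '#' must be escaped
        elif i == last and ch == " ":
            out.append("\\ ")  # trailing space must be escaped
        else:
            out.append(ch)
    return "".join(out)


def substitute(template: str, context: dict, escape) -> str:
    """Expand %{name} references, escaping each value for the target syntax.

    An unknown variable raises instead of expanding to an empty string, so a
    typo in a variable name cannot be silently ignored.
    """
    def repl(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unknown variable: {name}")
        return escape(str(context[name]))
    return _VAR.sub(repl, template)


def normalize_multiline_filter(text: str) -> str:
    """Drop layout-only line breaks and indentation from a triple-quoted filter.

    Only whitespace at the start and end of each line is removed; whitespace
    inside a line (for example in "(cn=John Smith)") belongs to the value and is kept.
    """
    return "".join(line.strip() for line in text.splitlines())


def build_filter(template: str, context: dict) -> str:
    # Normalise layout first, so a newline inside a substituted value is never
    # mistaken for layout; then substitute with filter escaping.
    return substitute(normalize_multiline_filter(template), context, escape_filter_value)


def build_dn(template: str, context: dict) -> str:
    return substitute(template, context, escape_dn_value)


# Constructed samples: the page's FIND_USER filter in both spellings, and its base template.
FILTER_ONE_LINE = "(&(uid=%{aaa.identity})(objectClass=inetOrgPerson))"
FILTER_MULTILINE = """
(&
    (uid=%{aaa.identity})
    (objectClass=inetOrgPerson)
)
"""
BASE_TEMPLATE = "uid=%{aaa.identity},dc=example,dc=com"

if __name__ == "__main__":
    # A plain identity, one containing filter metacharacters, one containing DN separators.
    for identity in ["alice", "*)(uid=*", "bob,dc=evil"]:
        ctx = {"aaa.identity": identity}
        print(build_filter(FILTER_ONE_LINE, ctx))
        print(build_dn(BASE_TEMPLATE, ctx))
```

Running the script shows that the multi-line and single-line filters become byte-identical after normalisation, and that metacharacters in a substituted identity are turned into `\2a`-style hex escapes in the filter and backslash escapes in the DN, so the value can only ever match literally.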
mapping
Maps LDAP attributes from search result entries to Radiator context variables. Each line specifies a target variable, an operator, and a source LDAP attribute.
Operators
| Operator | Description |
|---|---|
| = | Set the target to the source value. Overwrites any existing value. |
| ?= | Set the target only if it has no value yet. Useful for fallback chains across different attribute names. |
| += | Append the source value to the target. Accumulates all values across all result entries. |
Special source attributes
| Source | Description |
|---|---|
| entry::dn | The distinguished name of the matched LDAP entry. |
Example
mapping {
    # entry::dn is always single-valued and unique per entry
    vars.dn = entry::dn;
    # uid is the OpenLDAP convention; sAMAccountName is the Active Directory equivalent
    user.username ?= uid;
    user.username ?= sAMAccountName;
    # += accumulates values across all result entries
    user.group += memberOf;
}
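To make the three operators concrete, the added Python below parses a mapping block and applies it to search results the way the table describes. It is an illustration written for this page, not Radiator's implementation, and it assumes two details the page does not state: `=` and `?=` take the first value of a multi-valued attribute, and a rule whose source attribute is missing from an entry simply does not fire. The directory entries are constructed sample data; the extra `vars.last_dn` rule in the group mapping is added only to show overwrite semantics across several entries.

```python
import re

# One mapping line: "<target> <op> <source>;" after any trailing '#' comment is removed.
_RULE = re.compile(r"^([\w.]+)\s*(\?=|\+=|=)\s*([\w:]+);$")


def parse_mapping(text: str):
    """Parse the body of a mapping { ... } block into (target, op, source) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and layout whitespace
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"malformed mapping line: {raw.strip()!r}")
        rules.append(m.groups())
    return rules


def _source_values(entry: dict, source: str) -> list:
    """Values of one source attribute for one result entry; entry::dn is the special case."""
    if source == "entry::dn":
        return [entry["dn"]]
    return list(entry.get("attributes", {}).get(source, []))


def apply_mapping(rules, entries) -> dict:
    """Apply the rules to every result entry in order.

    '=' overwrites, '?=' sets only a target that is still unset, '+=' accumulates
    across all entries. Assumption: '=' and '?=' use the first value of a
    multi-valued attribute, and an absent source attribute leaves the target alone.
    """
    context = {}
    for entry in entries:
        for target, op, source in rules:
            values = _source_values(entry, source)
            if not values:
                continue
            if op == "=":
                context[target] = values[0]
            elif op == "?=":
                context.setdefault(target, values[0])
            elif op == "+=":
                current = context.get(target, [])
                if not isinstance(current, list):
                    current = [current]
                context[target] = current + values
    return context


# The mapping block from the page, verbatim.
USER_MAPPING = """
    # entry::dn is always single-valued and unique per entry
    vars.dn = entry::dn;
    # uid is the OpenLDAP convention; sAMAccountName is the Active Directory equivalent
    user.username ?= uid;
    user.username ?= sAMAccountName;
    # += accumulates values across all result entries
    user.group += memberOf;
"""

# Constructed: an Active Directory style entry that has sAMAccountName but no uid,
# so the second '?=' rule in the fallback chain is the one that fires.
AD_USER_ENTRIES = [{
    "dn": "CN=alice,OU=People,DC=example,DC=com",
    "attributes": {
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=admins,OU=Groups,DC=example,DC=com",
                     "CN=staff,OU=Groups,DC=example,DC=com"],
    },
}]

# Constructed: two group entries, as a USER_GROUPS style search returns several entries.
GROUP_ENTRIES = [
    {"dn": "cn=admins,dc=example,dc=com", "attributes": {"cn": ["admins"]}},
    {"dn": "cn=staff,dc=example,dc=com", "attributes": {"cn": ["staff"]}},
]
GROUP_MAPPING = "user.group += cn;\nvars.last_dn = entry::dn;"

if __name__ == "__main__":
    print(apply_mapping(parse_mapping(USER_MAPPING), AD_USER_ENTRIES))
    print(apply_mapping(parse_mapping(GROUP_MAPPING), GROUP_ENTRIES))
```

With the AD-style entry, `user.username` ends up as `alice` from sAMAccountName because the `uid` rule found nothing to copy; with the two group entries, `user.group` accumulates both `cn` values while `vars.last_dn` is overwritten by each entry in turn and keeps only the last DN.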
authentication (per-operation)
Override the server-level authentication for this specific search operation. Only simple bind authentication (dn and password) is supported. The dn and password parameters accept expressions with %{...} variable substitution.
search "USER_GROUPS" {
    base "dc=example,dc=com";
    scope sub;
    filter "(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=%{aaa.identity},dc=example,dc=com))";
    authentication {
        dn "cn=group-reader,dc=example,dc=com";
        password "secret";
    }
    mapping {
        user.group += cn;
    }
}