LDAP-defined huntgroups: docs, pointers, anything?
Jostein Fossheim
jfossheim at skyfritt.net
Wed Mar 5 13:19:52 UTC 2025
On 2025-03-05 13:07, Alan DeKok wrote:
>> There is this howto for SQL-based backends, and random searches and LLM-queries don't get me any further:
>>
>> https://wiki.freeradius.org/guide/SQL-Huntgroup-HOWTO
>>
>> I am not certain if this really is a question for the user list or the devel list, but I can try both.
>
> For doing huntgroup-style configuration in LDAP, you will need to define the LDAP schema and queries yourself. Then, write them in unlang policies.
>
> And please submit the results back. We can include them in future releases.
>
> Alan DeKok.
So what you are saying is that I can do LDAP queries directly in unlang;
this is the best reference/doc I have:
https://www.freeradius.org/radiusd/man/unlang.html
https://www.freeradius.org/documentation/freeradius-server/3.2.8/unlang/index.html
Do you (or anyone) know of any examples that I can use to master those
queries more quickly? I find some vague hints in the ldap module section:
https://www.freeradius.org/documentation/freeradius-server/4.0~alpha1/raddb/mods-available/ldap.html
I assume that I can follow the same logic as in the SQL-howto from my
original post (above)?
- Locate the authorize { } section in your radiusd.conf or
  sites-enabled/default configuration.
- After the preprocess module insert the following:

  update request {
      Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}"
  }
And the basic logic of my query should be:
1. Query for all huntgroups in the tree containing hostgroups:
   cn=computers,cn=accounts,[base_dn]
2. Do a second query for each member defined in the group (FreeIPA uses
   both member and memberOf) to check if any of the members (hosts/NASes)
   have radiusClientIPAddress=%{NAS-IP-Address} defined; if yes, the
   connecting NAS is a member of one or more huntgroups?
I will report back if I am successful.
We also did some work so that we could import the radius-schema directly
into freeIPA, if this would be interesting for anyone, we could share
the results as well.
--
Jostein Fossheim
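As an added illustration of the approach sketched in the post above (not code from the original message, the SQL howto or the FreeRADIUS project), here is what a FreeRADIUS 3.x authorize section could look like when huntgroups are resolved from FreeIPA hostgroups with the rlm_ldap xlat instead of the rlm_sql xlat. Everything directory-specific is an assumption: an ldap module instance named "ldap" that points at the FreeIPA server, base DN dc=example,dc=com, host entries of the form fqdn=<host>,cn=computers,cn=accounts,dc=example,dc=com carrying radiusClientIPAddress plus a memberOf value per hostgroup, hostgroups under cn=hostgroups,cn=accounts,dc=example,dc=com, and the two hostgroup names wifi-nas and switches. It uses one directory query per candidate huntgroup rather than the post's "list all groups, then walk each member" plan, because the v3 ldap xlat returns only the first value of the first attribute of the first matching entry, so a single memberOf lookup would silently drop every group but one.

```unlang
# Added example for FreeRADIUS 3.x (sites-enabled/default); not from the
# original post or the FreeRADIUS project. All DNs, module and group names
# below are assumptions about a FreeIPA-backed directory.
authorize {
    preprocess

    # Candidate huntgroups = FreeIPA hostgroup names we want to test the
    # NAS against. preprocess may already have set Huntgroup-Name from the
    # huntgroups file; "+=" below adds to it rather than replacing it.
    update control {
        Tmp-String-0 := "wifi-nas"
        Tmp-String-0 += "switches"
    }

    # For each candidate group, ask whether a host entry exists that
    #   (a) has radiusClientIPAddress equal to the NAS address, and
    #   (b) lists that hostgroup in memberOf.
    # The ldap xlat returns the first fqdn value of the first match, or
    # an empty string if nothing matched. Attribute expansions inside the
    # xlat (%{NAS-IP-Address}, %{Foreach-Variable-0}) are LDAP-escaped by
    # rlm_ldap, so a crafted value cannot rewrite the filter. If the request
    # carries no NAS-IP-Address, fall back to the packet source address
    # instead of sending an empty assertion value.
    foreach &control:Tmp-String-0 {
        if ("%{ldap:ldap:///cn=computers,cn=accounts,dc=example,dc=com?fqdn?one?(&(radiusClientIPAddress=%{%{NAS-IP-Address}:-%{Packet-Src-IP-Address}})(memberOf=cn=%{Foreach-Variable-0},cn=hostgroups,cn=accounts,dc=example,dc=com))}" != "") {
            update request {
                Huntgroup-Name += "%{Foreach-Variable-0}"
            }
        }
    }

    # From here on Huntgroup-Name is usable exactly as with the files or
    # SQL backends, e.g. to restrict which NAS groups may authenticate at all.
    if (!(&Huntgroup-Name == "wifi-nas") && !(&Huntgroup-Name == "switches")) {
        reject
    }

    # ... remaining authorize modules (eap, files, ldap, ...) as usual
}
```

Run it with radiusd -X and a test request from a known NAS; the debug output shows each expanded LDAP URL and whether the xlat returned a value. The list of candidate names is the cost of this layout: if you want it fully dynamic, the group discovery has to happen outside the xlat (a periodic export of hostgroup names into the huntgroups file, or a small rlm_perl/rlm_python policy that can handle multi-valued results), because the xlat's first-value-only behaviour is what makes the one-query-per-group shape necessary.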