LDAP-defined huntgroups: docs, pointers, anything?

Alan DeKok aland at deployingradius.com
Wed Mar 5 13:56:02 UTC 2025


> On Mar 5, 2025, at 8:19 AM, Jostein Fossheim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> So what you are saying is that I can do ldap-queries directly in unlang,

  Yes.

> This is the best reference/doc I have: https://www.freeradius.org/radiusd/man/unlang.html https://www.freeradius.org/documentation/freeradius-server/3.2.8/unlang/index.html Do you (or anyone) know of any examples that I can use, to master those queries quicker? I find some vague hints in the ldap-module section:

  You can do LDAP queries in v3 with the syntax:  %{ldap:...}  Just replace the "..." with the LDAP query.

> https://www.freeradius.org/documentation/freeradius-server/4.0~alpha1/raddb/mods-available/ldap.html I assume that I can follow the same logic as in the SQL-howto from my original post (above)?

  Don't follow the v4 docs for v3, but yes.  Just write "unlang" policies to check things in LDAP, and make decisions based on the result.

> - Locate the authorize { } section in your radiusd.conf or sites-enabled/default configuration.
> - After the preprocess module insert the following: update request { Huntgroup-Name := "%{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'}" }
> 
> And the basic logic of my query should be:
> 
> 1. Query for all huntgroups in the tree containing hostgroups:
> 
> cn=computers,cn=accounts,[base_dn]
> 
> 2. Do a second query for each member defined in the group (freeipa uses both member and memberOf), to check if any of the members (hosts/NASes) have radiusClientIPAddress= %{NAS-IP-Address} defined; if yes, the connecting NAS is a member of one or more huntgroups?

  You should be able to combine both of those searches into one LDAP query.

  Test the queries with the command-line ldapsearch tool.  Then, take the queries, add some dynamic expansions, and add them to FreeRADIUS.  That's the easiest way to test.

> I will report back if I am successful.
> 
> We also did some work so that we could import the radius-schema directly into freeIPA, if this would be interesting for anyone, we could share the results as well.

  That would be good, thanks.

  Alan DeKok.
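As an added example (not from Alan's reply or the FreeRADIUS project), here is one way the two searches the original poster describes collapse into a single v3 unlang query, using the %{ldap:...} xlat. It assumes a base DN of dc=example,dc=com, that FreeIPA host entries under cn=computers,cn=accounts carry a radiusClientIPAddress attribute and a memberOf attribute pointing at hostgroups, and a hostgroup named nas-site-a; adjust these to your own tree.

```unlang
# Added example: LDAP-backed huntgroups in FreeRADIUS 3.x unlang.
# Assumed values: base DN dc=example,dc=com, hostgroup nas-site-a,
# host entries carrying radiusClientIPAddress and memberOf (FreeIPA).
#
# v3 ldap xlat syntax: %{ldap:ldap:///<base>?<attrs>?<scope>?<filter>}
# The membership test is folded into the filter, so one round trip
# to the directory answers "is the host with this IP in that group?".
#
# Test the same filter first with ldapsearch, e.g.:
#   ldapsearch -x -H ldaps://ipa.example.com \
#     -b cn=computers,cn=accounts,dc=example,dc=com \
#     '(&(radiusClientIPAddress=192.0.2.10)(memberOf=cn=nas-site-a,cn=hostgroups,cn=accounts,dc=example,dc=com))' cn
authorize {
    preprocess

    # No host entry claims this NAS address: do not assign any huntgroup.
    if ("%{ldap:ldap:///cn=computers,cn=accounts,dc=example,dc=com?cn?sub?(radiusClientIPAddress=%{NAS-IP-Address})}" == "") {
        update request {
            Huntgroup-Name !* ANY
        }
    }
    # Host with this address is a member of hostgroup nas-site-a.
    elsif ("%{ldap:ldap:///cn=computers,cn=accounts,dc=example,dc=com?cn?sub?(&(radiusClientIPAddress=%{NAS-IP-Address})(memberOf=cn=nas-site-a,cn=hostgroups,cn=accounts,dc=example,dc=com))}" != "") {
        update request {
            Huntgroup-Name := "nas-site-a"
        }
    }

    # Remaining authorize modules (files, ldap, pap, ...) follow here.
}
```

NAS-IP-Address is an attribute the NAS itself puts in the packet, so for a trust decision prefer %{Packet-Src-IP-Address}, which is the address FreeRADIUS already validated against clients.conf and the shared secret.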
