LDAP-defined huntrgroups: docs, pointers, anything?

Wed Mar 5 14:39:56 UTC 2025

One follow up question, I had originally a plan to define radiusAttributes that are mapped to dictionary-attributes on (user)group-objects in ldap, but I abandoned the idea. 

But with direct ldap-queries via unlang this should be achievable as well, shouldn’t it?

For instance a radiusVlanID- or a radiuswifiAccess-attribute, and do a checks on all groups which a user belongs for such attributes. If some are set, then map them to the corresponding dictionary values in the reply.

--
Jostein Fossheim

> On 5 Mar 2025, at 14:56, Alan DeKok <aland at deployingradius.com> wrote:
> 
>> On Mar 5, 2025, at 8:19 AM, Jostein Fossheim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> So what you are saying is that I can do ldap-queries directly in unlang,
> 
>  Yes.
> 
>> this the best refference/doc I have: https://www.freeradius.org/radiusd/man/unlang.html https://www.freeradius.org/documentation/freeradius-server/3.2.8/unlang/index.html Do you (or anyone) know of any examples that I can use, to master those queries quicker? I find some vague hints in the ldap-module section:
> 
>  You can do LDAP queries in v3 with the syntax:  %{ldap:...}  Just replace the "..." with the LDAP query.
> 
>> https://www.freeradius.org/documentation/freeradius-server/4.0~alpha1/raddb/mods-available/ldap.html I assume that I can follow the same logic as in the SQL-howto from my original post (above)?
> 
>  Don't follow the v4 docs for v3, but yes.  Just write "unlang" policies to check things in LDAP, and make decisions based on the result.
> 
>> - Locate the |authorize { }| section in your radiusd.conf or sites-enabled/defaut configuration.
>> - After the preprocess module insert the following update request { Huntgroup-Name := "%{sql:SELECT |groupname| FROM |radhuntgroup| WHERE nasipaddress='%{NAS-IP-Address}'}" }
>> 
>> And the basic logic of my query should be:
>> 
>> 1. Query for all huntgroups in the tree containing hostgroups:
>> 
>> cn=computers,cn=accounts,[base_dn]
>> 
>> 2. Do a second query for each member defined in the group (freeipa uses both member and memberOf), to check if any of the members (hosts/NASes) have radiusClientIPAddress= %{NAS-IP-Address} defined, if yes, the connecting NAS is a member of one or more huntrgroups?
> 
>  You should be able to combine both of those searches into one LDAP query.
> 
>  Test the queries with the command-line ldapsearch tool.  Then, take the queries, add some dynamic expansions, and add them to FreeRADIUS.  That's the easiest way to test.
> 
>> I will report back if I am sucessfull.
>> 
>> We also did some work so that we could import the radius-schema directly into freeIPA, if this would be interesting for anyone, we could share the results as well.
> 
>  That would be good, thanks.
> 
>  Alan DeKok.