LDAP-defined huntgroups: docs, pointers, anything?
Jostein Fossheim
jfossheim at skyfritt.net
Wed Mar 5 14:39:56 UTC 2025
One follow-up question: I originally had a plan to define radiusAttributes that are mapped to dictionary attributes on (user) group objects in LDAP, but I abandoned the idea.
But with direct LDAP queries via unlang this should be achievable as well, shouldn't it?
For instance a radiusVlanID or radiuswifiAccess attribute, and do a check on all groups to which a user belongs for such attributes. If some are set, then map them to the corresponding dictionary values in the reply.
--
Jostein Fossheim
> On 5 Mar 2025, at 14:56, Alan DeKok <aland at deployingradius.com> wrote:
>
>> On Mar 5, 2025, at 8:19 AM, Jostein Fossheim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> So what you are saying is that I can do ldap-queries directly in unlang,
>
> Yes.
>
>> this is the best reference/doc I have: https://www.freeradius.org/radiusd/man/unlang.html https://www.freeradius.org/documentation/freeradius-server/3.2.8/unlang/index.html Do you (or anyone) know of any examples that I can use, to master those queries quicker? I find some vague hints in the ldap-module section:
>
> You can do LDAP queries in v3 with the syntax: %{ldap:...} Just replace the "..." with the LDAP query.
>
>> https://www.freeradius.org/documentation/freeradius-server/4.0~alpha1/raddb/mods-available/ldap.html I assume that I can follow the same logic as in the SQL-howto from my original post (above)?
>
> Don't follow the v4 docs for v3, but yes. Just write "unlang" policies to check things in LDAP, and make decisions based on the result.
>
>> - Locate the `authorize { }` section in your radiusd.conf or sites-enabled/default configuration.
>> - After the preprocess module insert the following: update request { Huntgroup-Name := "%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE nasipaddress='%{NAS-IP-Address}'}" }
>>
>> And the basic logic of my query should be:
>>
>> 1. Query for all huntgroups in the tree containing hostgroups:
>>
>> cn=computers,cn=accounts,[base_dn]
>>
>> 2. Do a second query for each member defined in the group (freeipa uses both member and memberOf), to check if any of the members (hosts/NASes) have radiusClientIPAddress= %{NAS-IP-Address} defined; if yes, the connecting NAS is a member of one or more huntgroups?
>
> You should be able to combine both of those searches into one LDAP query.
>
> Test the queries with the command-line ldapsearch tool. Then, take the queries, add some dynamic expansions, and add them to FreeRADIUS. That's the easiest way to test.
>
>> I will report back if I am successful.
>>
>> We also did some work so that we could import the radius-schema directly into freeIPA, if this would be interesting for anyone, we could share the results as well.
>
> That would be good, thanks.
>
> Alan DeKok.
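A v3 unlang policy sketch for the two lookups discussed in this thread (the huntgroup from the NAS address as a single LDAP search, and per-group reply attributes for the user), added here as an illustration; it is not code from the thread, from FreeIPA or from the FreeRADIUS project. It assumes a placeholder base DN of dc=example,dc=com, FreeIPA's server-maintained memberOf on host objects, users under cn=users,cn=accounts and user groups under cn=groups,cn=accounts, a hypothetical radiusVlanID attribute from the imported schema on group objects, and a configured ldap module instance named ldap.

```unlang
# FreeRADIUS 3.x, sites-enabled/default, authorize { } section.
# Base DN dc=example,dc=com is a placeholder; replace with your own.
authorize {
    preprocess

    # 1. Huntgroup in one search instead of two: find the host object whose
    #    radiusClientIPAddress equals the NAS address and return its memberOf
    #    values (group DNs that FreeIPA maintains on the host entry).
    #    Syntax: %{ldap:ldap:///<base>?<attributes>?<scope>?<filter>}
    #    Only one value comes back from the xlat; a host in several groups
    #    therefore yields only its first group here.
    update request {
        &Tmp-String-0 := "%{ldap:ldap:///cn=computers,cn=accounts,dc=example,dc=com?memberOf?sub?(radiusClientIPAddress=%{NAS-IP-Address})}"
    }

    # Use the cn of the returned group DN as the huntgroup name. An unknown
    # NAS address leaves Huntgroup-Name unset, which later huntgroup checks
    # treat as "not a member".
    if (&Tmp-String-0 =~ /^cn=([^,]+),/i) {
        update request {
            &Huntgroup-Name := "%{1}"
        }
    }

    # 2. The follow-up idea: look for a reply attribute on any group the
    #    user belongs to. radiusVlanID is assumed to exist in the imported
    #    schema. Values expanded inside %{ldap:...} are passed through the
    #    ldap module's filter escaping, so User-Name cannot alter the filter;
    #    verify that on your build before relying on it.
    update request {
        &Tmp-String-1 := "%{ldap:ldap:///cn=groups,cn=accounts,dc=example,dc=com?radiusVlanID?sub?(&(member=uid=%{User-Name},cn=users,cn=accounts,dc=example,dc=com)(radiusVlanID=*))}"
    }

    # Map the group attribute onto the standard VLAN reply attributes.
    if (&Tmp-String-1 != "") {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "%{Tmp-String-1}"
        }
    }

    # Regular authorization (user lookup, password checks) continues here.
    ldap
}
```

Try the same LDAP URL with ldapsearch (base, attributes, scope and filter map directly onto its -b, attribute list, -s and filter arguments) before putting it in the policy, as Alan suggests.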