LDAP-defined huntgroups: docs, pointers, anything?

Jostein Fossheim jfossheim at skyfritt.net
Wed Mar 5 18:59:31 UTC 2025


> Test the queries with the command-line ldapsearch tool.  Then, take the queries, add some dynamic expansions, and add them to FreeRADIUS.  That's the easiest way to test.
>
Did some basic tests from the command line:

I have defined one NAS/client in our lab-setup with IP 172.17.10.112, 
which is a member of two "huntgroups" (hostgroups in FreeIPA), and I can 
either get them in one query or two queries. Like this:

# One query:
$ ldapsearch -LLLQ -o ldif_wrap=no "(radiusClientIPAddress=172.17.10.112)" memberOf | grep -v "^dn: "
memberOf: cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net

# Two queries:
$ ldapsearch -LLLQ -o ldif_wrap=no "(radiusClientIPAddress=172.17.10.112)" fqdn | grep -v "^dn: "
fqdn: valkyrie3.lab.skyfritt.net

$ ldapsearch -LLLQ -o ldif_wrap=no "(member=*valkyrie3.lab.skyfritt.net*)" cn | grep -v "^dn: "
cn: radius_huntgroup
cn: radius_second_huntgroup

So huntgroups should be doable, after the model from the SQL-howto.



Best Regards,

Jostein Fossheim
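
An added example, not part of the original post and not FreeRADIUS or FreeIPA code: it turns the memberOf output of the one-query approach above into huntgroup names, and builds the NAS filter with RFC 4515 escaping, which matters once the IP address comes from a dynamic expansion. The function names, the sample LDIF (constructed from the output shown above) and the choice to accept only groups directly under cn=hostgroups,cn=accounts are assumptions.

```python
import re

# Constructed sample: the unwrapped output of the one-query ldapsearch above.
SAMPLE_LDIF = """\
memberOf: cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
"""

# Assumption: only groups directly below this container are huntgroups;
# the cn=ng,cn=alt entries name the same groups a second time and are ignored.
HOSTGROUP_BASE = "cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net"

# Characters that must be escaped inside a filter value (RFC 4515).
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value before placing it inside an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def nas_filter(nas_ip):
    """Build the client lookup filter used in the post for a given NAS IP."""
    return "(radiusClientIPAddress=%s)" % escape_filter_value(nas_ip)


def huntgroups_from_ldif(ldif, base=HOSTGROUP_BASE):
    """Return the cn of every memberOf DN that sits directly under base."""
    suffix = "," + base.lower()
    groups = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(": ")
        if not sep or attr.lower() != "memberof":
            continue  # skips dn: lines, blank lines and base64 ("::") values
        dn = value.strip()
        if not dn.lower().endswith(suffix):
            continue  # group lives outside the hostgroups container
        rdn = dn[: -len(suffix)]
        # Accept exactly one plain cn= RDN; nested or escaped DNs are rejected.
        match = re.fullmatch(r"cn=([^,=+\\]+)", rdn, flags=re.IGNORECASE)
        if match and match.group(1) not in groups:
            groups.append(match.group(1))
    return groups


if __name__ == "__main__":
    print(nas_filter("172.17.10.112"))
    print(huntgroups_from_ldif(SAMPLE_LDIF))
```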

