LDAP-defined huntrgroups: docs, pointers, anything?
Jostein Fossheim
jfossheim at skyfritt.net
Wed Mar 5 18:59:31 UTC 2025
> Test the queries with the command-line ldapsearch tool. Then, take the queries, add some dynamic expansions, and add them to FreeRADIUS. That's the easiest way to test.
>
Did some basic tests from the command line:
I have defined one NAS/client in our lab-setup with IP 172.17.10.112,
which is a member of two "huntgroups" (hostgroups in FreeIPA), and I can
either get them in one query or two queries. Like this:
# One query:
$ ldapsearch -LLLQ -o ldif_wrap=no "(radiusClientIPAddress=172.17.10.112)" memberOf | grep -v "^dn: "
memberOf: cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
# Two queries:
$ ldapsearch -LLLQ -o ldif_wrap=no "(radiusClientIPAddress=172.17.10.112)" fqdn | grep -v "^dn: "
fqdn: valkyrie3.lab.skyfritt.net
$ ldapsearch -LLLQ -o ldif_wrap=no "(member=*valkyrie3.lab.skyfritt.net*)" cn | grep -v "^dn: "
cn: radius_huntgroup
cn: radius_second_huntgroup
So huntgroups should be doable, after the model from the SQL-howto.
Best Regards,
Jostein Fossheim
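The one-query variant above returns every memberOf DN for the client, and FreeIPA lists each hostgroup twice (once under cn=hostgroups,cn=accounts and once as the mirrored netgroup under cn=ng,cn=alt), so whatever consumes the result has to pick out the hostgroup cn values and drop the duplicates. The script below is an added example, not the poster's code and not part of FreeRADIUS or FreeIPA. It embeds a constructed copy of the memberOf output shown in the message so it runs without an LDAP server, reduces it to huntgroup names, and checks a client against a given huntgroup, which is the check a Huntgroup-Name rule would make. The live_huntgroups function is the only part that needs a directory; it reuses the ldapsearch flags from the message and assumes, as the poster's session does, that the base DN and bind settings come from ldaprc or the environment.

```shell
#!/bin/sh
# Constructed sample: the memberOf lines from the message (mail wrapping removed,
# dn line already filtered out by grep -v "^dn: "). Not live directory output.
sample_ldif() {
  cat <<'EOF'
memberOf: cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
EOF
}

# Read LDIF on stdin, keep only memberOf values that are FreeIPA hostgroups
# (the cn=ng,cn=alt netgroup mirrors are ignored) and print each cn once.
huntgroups_from_ldif() {
  sed -n 's/^memberOf: cn=\([^,]*\),cn=hostgroups,cn=accounts,.*$/\1/p' | sort -u
}

# Read LDIF on stdin; succeed (exit 0) only if the client belongs to huntgroup "$1".
# Exact, fixed-string match so "radius_huntgroup" does not match "radius_huntgroup2".
client_in_huntgroup() {
  huntgroups_from_ldif | grep -qxF "$1"
}

# Live lookup for a NAS address (hypothetical helper, not run by the test):
# same query and flags as the message, then the same reduction as above.
live_huntgroups() {
  ldapsearch -LLLQ -o ldif_wrap=no "(radiusClientIPAddress=$1)" memberOf \
    | grep -v "^dn: " | huntgroups_from_ldif
}

# Stand-alone demonstration on the constructed sample.
echo "huntgroups for 172.17.10.112:"
sample_ldif | huntgroups_from_ldif
if sample_ldif | client_in_huntgroup radius_huntgroup; then
  echo "client is in radius_huntgroup"
fi
```

Note that the filter in the second query of the two-query variant ("(member=*fqdn*)") is a substring match, so a host named valkyrie3.lab.skyfritt.net would also match an entry for valkyrie30.lab.skyfritt.net; the one-query memberOf form avoids that because it starts from the client's own entry.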