LDAP-defined huntrgroups: docs, pointers, anything?

Jostein Fossheim jfossheim at skyfritt.net
Wed Mar 5 22:31:56 UTC 2025


On 05/03/2025 20:34, Alan DeKok wrote:
> On Mar 5, 2025, at 1:59 PM, Jostein Fossheim <jfossheim at skyfritt.net> wrote:
>> Did some basic tests from the command line:
>>
>> I have defined one NAS/client in our lab-setup with IP 172.17.10.112, which is a member of two "huntgroups" (hostgroups in FreeIPA), and I can either get them in one query or two queries. Like this:
>>
>> # One query:
>> $ ldapsearch -LLLQ -o ldif_wrap=no "(radiusClientIPAddress=172.17.10.112)" memberOf | grep -v "^dn: "
>> memberOf: cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
>> memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
>> memberOf: cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
>> memberOf: cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
>>
>> # Two queries:
>> $ ldapsearch -LLLQ -o ldif_wrap=no "(radiusClientIPAddress=172.17.10.112)" fqdn | grep -v "^dn: "
>> fqdn: valkyrie3.lab.skyfritt.net
>>
>> $ ldapsearch -LLLQ -o ldif_wrap=no "(member=*valkyrie3.lab.skyfritt.net*)" cn | grep -v "^dn: "
>> cn: radius_huntgroup
>> cn: radius_second_huntgroup
>>
>> So huntgroups should be doable, after the model from the SQL-howto.
>    That's good news!
I see that the exact structure/syntax for doing ldap-queries in unlang 
is somewhat different from the ldapsearch tool, but goes via standard 
ldap-urls, like this below. I tested with a reply-message in the 
post-auth section that queries for my full name:

update reply {
     Reply-Message += "Welcome to our realm %{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?displayName?sub?(uid=%{User-Name})}"
}

Which indeed delivers the following output after successful authentication:

     Reply-Message = "Welcome to our realm Jostein Fossheim (lab)"

I do believe that I have the proper know-how to produce/emulate my 
huntgroups after the SQL example now. Will make an attempt tomorrow.

Thank you for the pointers,

Jostein Fossheim
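
Added example, not part of Jostein's post or of the FreeRADIUS project: a small Python model of the two huntgroup lookups from the thread, run offline against constructed LDIF shaped like the ldapsearch output quoted above. It shows the two things a practitioner has to get right when moving this into unlang. First, the memberOf answer lists every group twice (the hostgroup and the netgroup FreeIPA mirrors under cn=ng,cn=alt), so the values must be restricted to the cn=hostgroups container before taking the cn. Second, the (member=*fqdn*) substring filter also matches any host whose name merely contains the wanted fqdn, so the membership query should compare the full host DN. The NAS IP is validated before use so a value copied from a RADIUS attribute cannot become filter syntax. The cn=computers container, the decoy host valkyrie3.lab.skyfritt.network with IP 172.17.10.113, the base64 description and the folded line are assumptions constructed for the example.

```python
"""Offline model of the two FreeIPA huntgroup lookups from the thread.

Added example, not code from the post or from FreeRADIUS. The constructed
LDIF mimics `ldapsearch -LLL` output; the cn=computers container, the decoy
host 172.17.10.113, the folded line and the base64 value are assumptions.
"""
from __future__ import annotations
import base64
import ipaddress

# FreeIPA hostgroups live here; memberOf also lists a mirrored netgroup DN
# under cn=ng,cn=alt for each one, which must not be counted as a huntgroup.
HOSTGROUPS = "cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net"

LDIF = """\
dn: fqdn=valkyrie3.lab.skyfritt.net,cn=computers,cn=accounts,dc=lab,dc=skyfritt,dc=net
radiusClientIPAddress: 172.17.10.112
description:: UkFESVVTIGxhYiBOQVM=
memberOf: cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyf
 ritt,dc=net
memberOf: cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net

dn: fqdn=valkyrie3.lab.skyfritt.network,cn=computers,cn=accounts,dc=lab,dc=skyfritt,dc=net
radiusClientIPAddress: 172.17.10.113

dn: cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
member: fqdn=valkyrie3.lab.skyfritt.net,cn=computers,cn=accounts,dc=lab,dc=skyfritt,dc=net

dn: cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
member: fqdn=valkyrie3.lab.skyfritt.net,cn=computers,cn=accounts,dc=lab,dc=skyfritt,dc=net

dn: cn=radius_other_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
member: fqdn=valkyrie3.lab.skyfritt.network,cn=computers,cn=accounts,dc=lab,dc=skyfritt,dc=net
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: `attr: value`, `attr:: base64`, folded lines.
    Names are lower-cased. Plain ldapsearch folds at 76 columns, so the
    unfolding matters unless `-o ldif_wrap=no` is used as in the thread."""
    entries: list[dict[str, list[str]]] = []
    for record in text.strip().split("\n\n"):
        lines: list[str] = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:  # continuation of previous line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry: dict[str, list[str]] = {}
        for line in lines:
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            if value.startswith(":"):  # attr:: base64
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def rdn_value(dn: str) -> str:
    """First RDN value, e.g. 'radius_huntgroup' (escaped commas not handled)."""
    return dn.split(",", 1)[0].partition("=")[2]

def under(dn: str, container: str) -> bool:
    """True if dn sits below container (case-insensitive suffix match)."""
    return dn.lower().endswith("," + container.lower())

def huntgroups_from_memberof(host: dict[str, list[str]]) -> list[str]:
    """One-query method: memberOf of the host entry, restricted to hostgroups."""
    return sorted({rdn_value(d) for d in host.get("memberof", []) if under(d, HOSTGROUPS)})

def nas_entry(entries, nas_ip: str) -> dict[str, list[str]] | None:
    """Exact match on radiusClientIPAddress; the IP is parsed first so a value
    copied from a RADIUS attribute cannot smuggle filter syntax like '*'."""
    ipaddress.ip_address(nas_ip)  # raises ValueError on anything but an address
    hits = [e for e in entries if nas_ip in e.get("radiusclientipaddress", [])]
    return hits[0] if len(hits) == 1 else None  # 0 = unknown NAS, >1 = ambiguous

def huntgroups_by_member(entries, host_dn: str) -> list[str]:
    """Two-query method: hostgroups whose member equals the full host DN."""
    want = host_dn.lower()
    return sorted(rdn_value(e["dn"][0]) for e in entries if under(e["dn"][0], HOSTGROUPS)
                  and any(m.lower() == want for m in e.get("member", [])))

def huntgroups_by_member_substring(entries, needle: str) -> list[str]:
    """What the (member=*needle*) filter from the thread also matches."""
    return sorted(rdn_value(e["dn"][0]) for e in entries if under(e["dn"][0], HOSTGROUPS)
                  and any(needle in m for m in e.get("member", [])))

def huntgroups_for_nas(entries, nas_ip: str) -> list[str]:
    """NAS IP -> host DN -> hostgroup names; [] when the NAS is unknown."""
    host = nas_entry(entries, nas_ip)
    return [] if host is None else huntgroups_by_member(entries, host["dn"][0])

if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    print(huntgroups_for_nas(directory, "172.17.10.112"))
    print(huntgroups_by_member_substring(directory, "valkyrie3.lab.skyfritt.net"))
```

Run as a script it prints the two huntgroups for 172.17.10.112 from the exact-DN query, then the three groups the substring filter would return (the decoy host's group included). The exact-DN comparison is the filter to carry over to the unlang ldap xlat; the substring helper is there only to show what the ldapsearch filter from the thread would also pick up.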



