LDAP-defined huntrgroups: docs, pointers, anything?

Jostein Fossheim jfossheim at skyfritt.net
Thu Mar 6 09:06:53 UTC 2025 

On 2025-03-05 23:31, Jostein Fossheim via Freeradius-Users wrote:
>
> On 05/03/2025 20:34, Alan DeKok wrote:
>> On Mar 5, 2025, at 1:59 PM, Jostein Fossheim <jfossheim at skyfritt.net> 
>> wrote:
>>> Did some basic tests from the command line:
>>>
>>> I have defined one NAS/client in our lab-setup with IP 
>>> 172.17.10.112, which is a member of two "huntgroups" (hostgroups in 
>>> FreeIPA), and I can either get them in one query or two queries. 
>>> Like this:
>>>
>>> # One query:
>>> $ ldapsearch -LLLQ -o ldif_wrap=no 
>>> "(radiusClientIPAddress=172.17.10.112)" memberOf | grep -v "^dn: "
>>> memberOf: 
>>> cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
>>> memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
>>> memberOf: 
>>> cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
>>> memberOf: 
>>> cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
>>>
>>> # Two queries:
>>> $ "ldapsearch -LLLQ -o ldif_wrap=no 
>>> "(radiusClientIPAddress=172.17.10.112)" fqdn | grep -v "^dn: "
>>> fqdn: valkyrie3.lab.skyfritt.net
>>>
>>> $ ldapsearch -LLLQ -o ldif_wrap=no 
>>> "(member=*valkyrie3.lab.skyfritt.net*)" cn | grep -v "^dn: "
>>> cn: radius_huntgroup
>>> cn: radius_second_huntgroup
>>>
>>> So huntgroups should be doable, after the model form the SQL-howto.
>>    That's good news!
> I see that the exact structure/syntax for doing ldap-queries in unlang 
> is somewhat different from the ldapsearch tool, but goes via standard 
> ldap-urls, like this bellow. I tested with a reply-message in the 
> post-auth section that queries for my full name:
>
> update reply {
>     Reply-Message += "Welcome to our realm 
> %{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?displayName?sub?(uid=%{User-Name})}"
>
> }

Almost there!

I am able to sucessfully add the first HuntGroup from my query, so if a 
NAS is only member of one ldap-group, everything seems to be ok now, but 
I want multiple groups, if posible. I can do something like this:

         update request {
               Huntgroup-Name := 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(member=*valkyrie3.lab.skyfritt.net*)}"
               Huntgroup-Name += 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*valkyrie3.lab.skyfritt.net*)(!(cn=%{Huntgroup-Name})))}"
         }

Then Huntgroup-Name will contain both radius_huntgroup and 
radius_second_huntgroup, but I am uncertain on how to expand this trick 
into handeling more groups.

The ldap-query seems only to report back one group, but it should report 
back two. Can I handle this with a foreach, or is the 
query-functionality limited here?

-- 
Best Regards

Jostein Fossheim

More information about the Freeradius-Users mailing list