LDAP-defined huntrgroups: docs, pointers, anything?

Jostein Fossheim jfossheim at skyfritt.net
Thu Mar 6 10:31:00 UTC 2025


On 2025-03-06 10:06, Jostein Fossheim via Freeradius-Users wrote:
> On 2025-03-05 23:31, Jostein Fossheim via Freeradius-Users wrote:
>>
>> On 05/03/2025 20:34, Alan DeKok wrote:
>>> On Mar 5, 2025, at 1:59 PM, Jostein Fossheim 
>>> <jfossheim at skyfritt.net> wrote:
>>>> Did some basic tests from the command line:
>>>>
>>>> I have defined one NAS/client in our lab-setup with IP 
>>>> 172.17.10.112, which is a member of two "huntgroups" (hostgroups in 
>>>> FreeIPA), and I can either get them in one query or two queries. 
>>>> Like this:
>>>>
>>>> # One query:
>>>> $ ldapsearch -LLLQ -o ldif_wrap=no 
>>>> "(radiusClientIPAddress=172.17.10.112)" memberOf | grep -v "^dn: "
>>>> memberOf: 
>>>> cn=radius_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net 
>>>>
>>>> memberOf: cn=radius_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
>>>> memberOf: 
>>>> cn=radius_second_huntgroup,cn=hostgroups,cn=accounts,dc=lab,dc=skyfritt,dc=net
>>>> memberOf: 
>>>> cn=radius_second_huntgroup,cn=ng,cn=alt,dc=lab,dc=skyfritt,dc=net
>>>>
>>>> # Two queries:
>>>> $ "ldapsearch -LLLQ -o ldif_wrap=no 
>>>> "(radiusClientIPAddress=172.17.10.112)" fqdn | grep -v "^dn: "
>>>> fqdn: valkyrie3.lab.skyfritt.net
>>>>
>>>> $ ldapsearch -LLLQ -o ldif_wrap=no 
>>>> "(member=*valkyrie3.lab.skyfritt.net*)" cn | grep -v "^dn: "
>>>> cn: radius_huntgroup
>>>> cn: radius_second_huntgroup
>>>>
>>>> So huntgroups should be doable, after the model form the SQL-howto.
>>>    That's good news!
>> I see that the exact structure/syntax for doing ldap-queries in 
>> unlang is somewhat different from the ldapsearch tool, but goes via 
>> standard ldap-urls, like this bellow. I tested with a reply-message 
>> in the post-auth section that queries for my full name:
>>
>> update reply {
>>     Reply-Message += "Welcome to our realm 
>> %{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?displayName?sub?(uid=%{User-Name})}"
>>
>> }
>
> Almost there!
>
> I am able to sucessfully add the first HuntGroup from my query, so if 
> a NAS is only member of one ldap-group, everything seems to be ok now, 
> but I want multiple groups, if posible. I can do something like this:
>
>         update request {
>               Huntgroup-Name := 
> "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(member=*valkyrie3.lab.skyfritt.net*)}"
>               Huntgroup-Name += 
> "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*valkyrie3.lab.skyfritt.net*)(!(cn=%{Huntgroup-Name})))}"
>         }
>
> Then Huntgroup-Name will contain both radius_huntgroup and 
> radius_second_huntgroup, but I am uncertain on how to expand this 
> trick into handeling more groups.
>
> The ldap-query seems only to report back one group, but it should 
> report back two. Can I handle this with a foreach, or is the 
> query-functionality limited here?
>

The following code handles HuntGroups in my setup, I have still not 
handled multiple HuntGroups, which should be doable, but I have the 
trick for showing two groups.

         update request {
             Huntgroup-Name := "testgroup"
             Tmp-String-0 := 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?fqdn?sub?(radiusClientIPAddress=%{NAS-IP-Address})}"
         }

         update request {
               Huntgroup-Name := 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(member=*%{Tmp-String-0}*)}"
               Huntgroup-Name += 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*%{Tmp-String-0}*)(!(cn=%{Huntgroup-Name})))}"
         }

         update reply {
               Reply-Message += "NAS-IP-Address is: %{NAS-IP-Address}"
         }

         update reply {
             Reply-Message += "NAS-FQDN is: %{Tmp-String-0}"
         }

         foreach &Huntgroup-Name {
               update reply {
                     Reply-Message += "NAS is a member of Huntgroup: 
%{Foreach-Variable-0}"
               }
         }

I probably need some help with my query, from someone with more 
unlang-experience.



-- 
Best Regards,

Jostein Fossheim



More information about the Freeradius-Users mailing list