LDAP-defined huntgroups: docs, pointers, anything?
Jostein Fossheim
jfossheim at skyfritt.net
Thu Mar 6 11:10:12 UTC 2025
> The following code handles HuntGroups in my setup. I have still not
> handled multiple HuntGroups, which should be doable, but I have the
> trick for showing two groups.
>
> update request {
>     Huntgroup-Name := "testgroup"
>     Tmp-String-0 := "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?fqdn?sub?(radiusClientIPAddress=%{NAS-IP-Address})}"
> }
>
> update request {
>     Huntgroup-Name := "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(member=*%{Tmp-String-0}*)}"
>     Huntgroup-Name += "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*%{Tmp-String-0}*)(!(cn=%{Huntgroup-Name})))}"
> }
>
> update reply {
>     Reply-Message += "NAS-IP-Address is: %{NAS-IP-Address}"
> }
>
> update reply {
>     Reply-Message += "NAS-FQDN is: %{Tmp-String-0}"
> }
>
> foreach &Huntgroup-Name {
>     update reply {
>         Reply-Message += "NAS is a member of Huntgroup: %{Foreach-Variable-0}"
>     }
> }
>
> I probably need some help with my query, from someone with more
> unlang-experience.
>
My final attempt to handle up to five huntgroups per NAS:
update request {
    Huntgroup-Name := "testgroup"
    Tmp-String-0 := "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?fqdn?sub?(radiusClientIPAddress=%{NAS-IP-Address})}"
}

update request {
    # First huntgroup
    Huntgroup-Name := "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(member=*%{Tmp-String-0}*)}"
}

# Only try for a second huntgroup if the first one was found
if ("%{Huntgroup-Name[0]}" != "") {
    update request {
        Huntgroup-Name += "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*%{Tmp-String-0}*)(!(cn=%{Huntgroup-Name[0]})))}"
        Huntgroup-Name -= "" # Remove any empty values
    }
}

# Only try for a third huntgroup if the second one was found
if ("%{Huntgroup-Name[1]}" != "") {
    update request {
        Huntgroup-Name += "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*%{Tmp-String-0}*)(!(cn=%{Huntgroup-Name[0]}))(!(cn=%{Huntgroup-Name[1]})))}"
        Huntgroup-Name -= "" # Remove any empty values
    }
}

# Only try for a fourth huntgroup if the third one was found
if ("%{Huntgroup-Name[2]}" != "") {
    update request {
        Huntgroup-Name += "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*%{Tmp-String-0}*)(!(cn=%{Huntgroup-Name[0]}))(!(cn=%{Huntgroup-Name[1]}))(!(cn=%{Huntgroup-Name[2]})))}"
        Huntgroup-Name -= "" # Remove any empty values
    }
}

# Only try for a fifth huntgroup if the fourth one was found
if ("%{Huntgroup-Name[3]}" != "") {
    update request {
        Huntgroup-Name += "%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(&(member=*%{Tmp-String-0}*)(!(cn=%{Huntgroup-Name[0]}))(!(cn=%{Huntgroup-Name[1]}))(!(cn=%{Huntgroup-Name[2]}))(!(cn=%{Huntgroup-Name[3]})))}"
        Huntgroup-Name -= "" # Remove any empty values
    }
}
I either have to find a way to get multiple huntgroups returned from my
query, or do a better kind of loop to handle even more huntgroups.
Any other input or suggestions are greatly appreciated.
--
Best Regards
Jostein Fossheim
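
Added example (not part of the original post and not FreeRADIUS project code): the five hand-unrolled blocks above follow one pattern, so a small Python generator can emit the same unlang for any depth and avoid hand-editing the nested exclusion filters. It reuses the search base and filters from the post and emits only the group lookups (Tmp-String-0 must still be set by the first update block); the function names are made up for this illustration.

```python
# Added example: regenerates the unrolled huntgroup lookups from the post for any depth.
BASE = "cn=accounts,dc=lab,dc=skyfritt,dc=net"  # search base taken from the post
MEMBER = "(member=*%{Tmp-String-0}*)"           # membership test taken from the post


def group_filter(found):
    """LDAP filter for the next group, excluding the `found` groups already stored."""
    if found == 0:
        return MEMBER
    excluded = "".join("(!(cn=%%{Huntgroup-Name[%d]}))" % i for i in range(found))
    return "(&" + MEMBER + excluded + ")"


def lookup(found):
    """The %{ldap:...} expansion that returns the cn of one more group."""
    return "%{ldap:ldap:///" + BASE + "?cn?sub?" + group_filter(found) + "}"


def unlang(max_groups):
    """Unrolled unlang that collects up to `max_groups` huntgroups per NAS."""
    if max_groups < 1:
        raise ValueError("max_groups must be at least 1")
    out = ["update request {",
           "    # Huntgroup 1",
           '    Huntgroup-Name := "%s"' % lookup(0),
           "}"]
    for found in range(1, max_groups):
        out += [
            "# Only look for huntgroup %d if huntgroup %d was found" % (found + 1, found),
            'if ("%%{Huntgroup-Name[%d]}" != "") {' % (found - 1),
            "    update request {",
            '        Huntgroup-Name += "%s"' % lookup(found),
            '        Huntgroup-Name -= "" # Remove any empty values',
            "    }",
            "}",
        ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Depth 5 reproduces the lookups written out by hand in the post.
    print(unlang(5), end="")
```

Each extra level still costs one more LDAP search per request, so the depth passed to unlang() is also the upper bound on searches per NAS.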