LDAP-defined huntrgroups: docs, pointers, anything?

Jostein Fossheim jfossheim at skyfritt.net
Thu Mar 6 13:19:53 UTC 2025 

On 2025-03-06 13:45, Alan DeKok wrote:
> On Mar 6, 2025, at 6:10 AM, Jostein Fossheim via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> My final attempt to handle up to five huntgroups per NAS:
>    Why not just search for _all_ NAS names, and return the values as a string?  You can then split the string apart in unlang.  I don't know enough about LDAP to suggest changes to the queries, but it should work in theory.  Something like "cn=*" may work.
>
>    Or, create a second LDAP module which just runs the hunt group queries.  That will result in more connections to the LDAP server, but that shouldn't be a problem.  You can then use the LDAP module 'update' section to add multiple huntgoup names.
>
>    Alan DeKok.

That is the strange part, i would assume that this would do the trick to 
get all the values:

         update request {
             Huntgroup-Name := "testgroup"
             Tmp-String-0 := 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?fqdn?sub?(radiusClientIPAddress=%{NAS-IP-Address})}"
         }


         update request {
               Huntgroup-Name += 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?cn?sub?(member=*%{Tmp-String-0}*)}"

         }

If I run the query via the command  line:

$ ldapsearch -LLLQ -o ldif_wrap=no -b 
"cn=accounts,dc=lab,dc=skyfritt,dc=net" 
"(radiusClientIPAddress=172.17.10.112)" fqdn | grep -v "^dn:"
fqdn: valkyrie3.lab.skyfritt.net

$ ldapsearch -LLLQ -o ldif_wrap=no -b 
"cn=accounts,dc=lab,dc=skyfritt,dc=net" 
"(member=*valkyrie3.lab.skyfritt.net*)" cn | grep -v "^dn:"
cn: radius_huntgroup
cn: radius_second_huntgroup
cn: radius_third_huntgroup
cn: radius_fourth_huntgroup
cn: radius_fifth_huntgroup

It returns this, but when I do the query above, in the 
authorize-section, i am only able to get one/the first value back, so it 
might be a limitation in the query-function.

Huntgroup-Name := 
"%{ldap:ldap:///cn=accounts,dc=lab,dc=skyfritt,dc=net?fqdn?sub?(radiusClientIPAddress=%{NAS-IP-Address})}"

I am uncertain on how to do a better search, and I have to do a deeper 
investigation into you're second suggestion. I hope to have a solution 
ready for deployment in a couple of weeks, since both my own company and 
several customers wants this working. But it might for all practical 
purposes be enough that a NAS can be a member of five different 
huntgroups. After all I do believe that there is a limitation on one 
group per NAS, in the original implementation (but I might be wrong on 
that)

Output from radtest, which loops through the the Hountgroup-Name attribute:

Received Access-Accept Id 148 from 172.17.251.110:1812 to 
172.17.10.112:50114 length 3758
         Reply-Message = "NAS-FQDN is: valkyrie3.lab.skyfritt.net"
         Reply-Message = "NAS-IP-Address is: 172.17.10.112"
         Reply-Message = "NAS is a member of Huntgroup: radius_huntgroup"
         Reply-Message = "NAS is a member of Huntgroup: 
radius_second_huntgroup"
         Reply-Message = "NAS is a member of Huntgroup: 
radius_third_huntgroup"
         Reply-Message = "NAS is a member of Huntgroup: 
radius_fourth_huntgroup"
         Reply-Message = "NAS is a member of Huntgroup: 
radius_fifth_huntgroup"

-- 
Best Regards,

Jostein Fossheim

More information about the Freeradius-Users mailing list