<div dir="ltr"><div>Hi,<br><br></div><div>I previously had to allow Active Directory users to authenticate from some domain with unqualified usernames.<br><br></div><div>I simply forked the LDAP module already present in FreeRADIUS, and removed any authentication part, since it won't be used here.<br>
</div><div>The configuration of the forked module also contains a new "realm" variable.<br></div><div>The module already handle the search for you, so if the user was found, I appended to the username @realm variable that was specified in the configuration file.<br>
<br></div><div>Now that you have a qualified username, simply configure the FreeRADIUS to proxy the users for that domain, and configure the NPS service on your Active Directory.<br>The key part is to call the suffix module after the custom LDAP module, so everything will go smoothly.<br>
<br></div><div>It was quite some time since I looked at the sources, and the "packaging" of the module is not that nice, but here is the Github page if you are interested:<br><a href="https://github.com/ether42/freeradius-ldap-kerberos#rlm_ldap_forwarder">https://github.com/ether42/freeradius-ldap-kerberos#rlm_ldap_forwarder</a><br>
<br></div><div>And here are the modules sources:<br><a href="https://github.com/ether42/freeradius-ldap-kerberos/tree/master/radius/freeradius-server-3.1.0/src/modules/rlm_ldap_forwarder">https://github.com/ether42/freeradius-ldap-kerberos/tree/master/radius/freeradius-server-3.1.0/src/modules/rlm_ldap_forwarder</a><br>
</div><div><br></div><div>If I remember correctly, you'll have to tune a bit the LDAP configuration on the Active Directory or it will not respond in case of too much connections.<br></div><div><br></div><div>PS: don't pay attention to the Kerberos part, the FreeRADIUS did have to handle accounts that had MIT Kerberos profiles too, but that's not the topic here =)<br>
</div><div><br></div>Regards.<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-08-29 17:19 GMT+02:00 Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On 29/08/14 13:41, Ricardo Esteves wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
1 - The main goal is to authenticate Oracle Database users against<br>
Active Directory ( i think oracle works as normal radius client)<br>
2 - The usernames are unqualified.<br>
3 - Users are unique across domains.<br>
</blockquote>
<br></div>
Ok, so broadly speaking do something like this:<br>
<br>
authorize {<br>
...<br>
# run a script telling you which LDAP to query<br>
update request {<br>
Tmp-String-0 := "%{exec:/my/script %{User-Name}}"<br>
}<br>
# switch over the result<br>
switch "%{Tmp-String-0}" {<br>
case "mycompany" {<br>
ldap_mycompany<br>
}<br>
case "branch1" {<br>
ldap_branch1<br>
}<br>
}<br>
...<br>
}<br>
<br>
The script should be something like this:<br>
<br>
#!/bin/bash<br>
<br>
username="$1"<br>
domain=`some query $username`<br>
echo $domain<br>
exit 0<br>
<br>
You'll then need to define the LDAP modules:<br>
<br>
modules/myldap:<br>
<br>
ldap ldap_mycompany {<br>
# ldap settings go here<br>
}<br>
<br>
ldap ldap_branch1 {<br>
# ldap settings go here<br>
}<br>
<br>
<br>
Note that "authenticating" to LDAP has some subtleties. I would aim to get it working for one user in one domain first without any of the above, then replicate it out for N domains.<br>
<br>
Note also that running a shell script on every auth will be slow; if you can, consider using a SQL query or building a key/value file and getting the domain from rlm_passwd or similar.<div class="HOEnZb"><div class="h5">
<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/<u></u>list/users.html</a><br>
</div></div></blockquote></div><br></div>