Hi, 1 - The main goal is to authenticate Oracle Database users against Active Directory ( i think oracle works as normal radius client) 2 - The usernames are unqualified. 3 - Users are unique across domains. Best regards, Ricardo Esteves. On 29-08-2014 12:33, Phil Mayers wrote:
On 29/08/14 12:10, Ricardo Esteves wrote:
Hi,
I need to setup a radius server in order to authenticate users against ActiveDirectory.
But i've got one problem, my activedirectory has multiple domains, for example:
company.com branch1.company.com branch2.company.com branch3.company.com
Anyone has any idea on the best way to accomplish this task? Multiple LDAP configurations?
For example with multiple ldap settings is there anyway to preprocess the autentication request with a script to find which domain the user belongs and then use the corresponding ldap configuration to that domain?
Your question is a bit vague, but the short (unhelpful) answer is yes. See the example config for the "exec" module, the documentation about defining module instances, and the if/switch/case statement in "man unlang".
If you want more info, you'd need to give a bit more detail before people could help you, such as:
1. What authentication types (EAP, MSCHAP, PAP) 2. Will the usernames be qualified or unqualified 3. Are usernames unique across all domains
Note also that AD LDAP will not expose passwords or password hashes. You can't authenticate against it except when doing plain PAP, which are proxied to LDAP binds. In particular you can't authenticate EAP/802.1x wireless or MSCHAP (common for VPNs) against AD LDAP.
If AD LDAP isn't sufficient you'll end up needing to run multiple copies of Samba or deal with domain/forest trust issues, which gets complex quickly. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html