Hi,

I previously had to allow Active Directory users to authenticate from some domain with unqualified usernames.

I simply forked the LDAP module already present in FreeRADIUS, and removed any authentication part, since it won't be used here.
The configuration of the forked module also contains a new "realm" variable.
The module already handle the search for you, so if the user was found, I appended to the username @realm variable that was specified in the configuration file.

Now that you have a qualified username, simply configure the FreeRADIUS to proxy the users for that domain, and configure the NPS service on your Active Directory.
The key part is to call the suffix module after the custom LDAP module, so everything will go smoothly.

It was quite some time since I looked at the sources, and the "packaging" of the module is not that nice, but here is the Github page if you are interested:
https://github.com/ether42/freeradius-ldap-kerberos#rlm_ldap_forwarder

And here are the modules sources:
https://github.com/ether42/freeradius-ldap-kerberos/tree/master/radius/freeradius-server-3.1.0/src/modules/rlm_ldap_forwarder

If I remember correctly, you'll have to tune a bit the LDAP configuration on the Active Directory or it will not respond in case of too much connections.

PS: don't pay attention to the Kerberos part, the FreeRADIUS did have to handle accounts that had MIT Kerberos profiles too, but that's not the topic here =)

Regards.



2014-08-29 17:19 GMT+02:00 Phil Mayers <p.mayers@imperial.ac.uk>:
On 29/08/14 13:41, Ricardo Esteves wrote:
Hi,

1 - The main goal is to authenticate Oracle Database users against
Active Directory ( i think oracle works as normal radius client)
2 - The usernames are unqualified.
3 - Users are unique across domains.

Ok, so broadly speaking do something like this:

authorize {
  ...
  # run a script telling you which LDAP to query
  update request {
    Tmp-String-0 := "%{exec:/my/script %{User-Name}}"
  }
  # switch over the result
  switch "%{Tmp-String-0}" {
    case "mycompany" {
      ldap_mycompany
    }
    case "branch1" {
      ldap_branch1
    }
  }
  ...
}

The script should be something like this:

#!/bin/bash

username="$1"
domain=`some query $username`
echo $domain
exit 0

You'll then need to define the LDAP modules:

modules/myldap:

ldap ldap_mycompany {
  # ldap settings go here
}

ldap ldap_branch1 {
  # ldap settings go here
}


Note that "authenticating" to LDAP has some subtleties. I would aim to get it working for one user in one domain first without any of the above, then replicate it out for N domains.

Note also that running a shell script on every auth will be slow; if you can, consider using a SQL query or building a key/value file and getting the domain from rlm_passwd or similar.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html