FreeRadius - ActiveDirectory authentication multiple domains
Hi, I need to setup a radius server in order to authenticate users against ActiveDirectory. But i've got one problem, my activedirectory has multiple domains, for example: company.com branch1.company.com branch2.company.com branch3.company.com Anyone has any idea on the best way to accomplish this task? Multiple LDAP configurations? For example with multiple ldap settings is there anyway to preprocess the autentication request with a script to find which domain the user belongs and then use the corresponding ldap configuration to that domain? Best regards, Ricardo Esteves.
On 29/08/14 12:10, Ricardo Esteves wrote:
Hi,
I need to setup a radius server in order to authenticate users against ActiveDirectory.
But i've got one problem, my activedirectory has multiple domains, for example:
company.com branch1.company.com branch2.company.com branch3.company.com
Anyone has any idea on the best way to accomplish this task? Multiple LDAP configurations?
For example with multiple ldap settings is there anyway to preprocess the autentication request with a script to find which domain the user belongs and then use the corresponding ldap configuration to that domain?
Your question is a bit vague, but the short (unhelpful) answer is yes. See the example config for the "exec" module, the documentation about defining module instances, and the if/switch/case statement in "man unlang". If you want more info, you'd need to give a bit more detail before people could help you, such as: 1. What authentication types (EAP, MSCHAP, PAP) 2. Will the usernames be qualified or unqualified 3. Are usernames unique across all domains Note also that AD LDAP will not expose passwords or password hashes. You can't authenticate against it except when doing plain PAP, which are proxied to LDAP binds. In particular you can't authenticate EAP/802.1x wireless or MSCHAP (common for VPNs) against AD LDAP. If AD LDAP isn't sufficient you'll end up needing to run multiple copies of Samba or deal with domain/forest trust issues, which gets complex quickly.
Hi, 1 - The main goal is to authenticate Oracle Database users against Active Directory ( i think oracle works as normal radius client) 2 - The usernames are unqualified. 3 - Users are unique across domains. Best regards, Ricardo Esteves. On 29-08-2014 12:33, Phil Mayers wrote:
On 29/08/14 12:10, Ricardo Esteves wrote:
Hi,
I need to setup a radius server in order to authenticate users against ActiveDirectory.
But i've got one problem, my activedirectory has multiple domains, for example:
company.com branch1.company.com branch2.company.com branch3.company.com
Anyone has any idea on the best way to accomplish this task? Multiple LDAP configurations?
For example with multiple ldap settings is there anyway to preprocess the autentication request with a script to find which domain the user belongs and then use the corresponding ldap configuration to that domain?
Your question is a bit vague, but the short (unhelpful) answer is yes. See the example config for the "exec" module, the documentation about defining module instances, and the if/switch/case statement in "man unlang".
If you want more info, you'd need to give a bit more detail before people could help you, such as:
1. What authentication types (EAP, MSCHAP, PAP) 2. Will the usernames be qualified or unqualified 3. Are usernames unique across all domains
Note also that AD LDAP will not expose passwords or password hashes. You can't authenticate against it except when doing plain PAP, which are proxied to LDAP binds. In particular you can't authenticate EAP/802.1x wireless or MSCHAP (common for VPNs) against AD LDAP.
If AD LDAP isn't sufficient you'll end up needing to run multiple copies of Samba or deal with domain/forest trust issues, which gets complex quickly. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ricardo Esteves wrote:
Hi,
1 - The main goal is to authenticate Oracle Database users against Active Directory ( i think oracle works as normal radius client) 2 - The usernames are unqualified.
If the users login with unqualified usernames, how can you tell which domain they're from?
3 - Users are unique across domains.
This is really an Active Directory question. Follow this guide: http://deployingradius.com/documents/configuration/active_directory.html If it doesn't work, blame Active Directory. And have the users login *with* domain names. Alan DeKok.
Isn't there a way to run a preprocess script that searches the user domain, and then with the result send the request to the right ldap server? On 29-08-2014 14:05, Alan DeKok wrote:
Ricardo Esteves wrote:
Hi,
1 - The main goal is to authenticate Oracle Database users against Active Directory ( i think oracle works as normal radius client) 2 - The usernames are unqualified. If the users login with unqualified usernames, how can you tell which domain they're from?
3 - Users are unique across domains. This is really an Active Directory question. Follow this guide:
http://deployingradius.com/documents/configuration/active_directory.html
If it doesn't work, blame Active Directory. And have the users login *with* domain names.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ricardo Esteves wrote:
Isn't there a way to run a preprocess script that searches the user domain, and then with the result send the request to the right ldap server?
That is a question for Active Directory. Can you write an LDAP query to find that information? If so... use that query in FreeRADIUS. Alan DeKok.
Yes, i can write that query (bash, perl, python), what i don't know is how to use it in FreeRadius. On 29-08-2014 15:20, Alan DeKok wrote:
Ricardo Esteves wrote:
Isn't there a way to run a preprocess script that searches the user domain, and then with the result send the request to the right ldap server? That is a question for Active Directory. Can you write an LDAP query to find that information? If so... use that query in FreeRADIUS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ricardo, You can configure the 'ldap' module with which you can do that search. That search can then be used with the LDAP bind-as-user method that Arran described earlier in the thread. :-) Stefan ________________________________________ From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] on behalf of Ricardo Esteves [maverick.pt@gmail.com] Sent: 29 August 2014 15:28 To: freeradius-users@lists.freeradius.org Subject: Re: FreeRadius - ActiveDirectory authentication multiple domains Yes, i can write that query (bash, perl, python), what i don't know is how to use it in FreeRadius. On 29-08-2014 15:20, Alan DeKok wrote:
Ricardo Esteves wrote:
Isn't there a way to run a preprocess script that searches the user domain, and then with the result send the request to the right ldap server? That is a question for Active Directory. Can you write an LDAP query to find that information? If so... use that query in FreeRADIUS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
Ricardo Esteves wrote:
Yes, i can write that query (bash, perl, python), what i don't know is how to use it in FreeRadius.
The point is you write an LDAP query. Using LDAP syntax. It's not about bash, Perl, or Python. It's about LDAP. Then, use the LDAP query in FreeRADIUS: update request { Realm := "%{ldap:... LDAP QUERY...}" } The LDAP query should return the domain for the user. The above example puts the domain into the "Realm" attribute. Then... use the Realm attribute in later queries. Alan DeKok.
On 29/08/14 13:41, Ricardo Esteves wrote:
Hi,
1 - The main goal is to authenticate Oracle Database users against Active Directory ( i think oracle works as normal radius client) 2 - The usernames are unqualified. 3 - Users are unique across domains.
Ok, so broadly speaking do something like this: authorize { ... # run a script telling you which LDAP to query update request { Tmp-String-0 := "%{exec:/my/script %{User-Name}}" } # switch over the result switch "%{Tmp-String-0}" { case "mycompany" { ldap_mycompany } case "branch1" { ldap_branch1 } } ... } The script should be something like this: #!/bin/bash username="$1" domain=`some query $username` echo $domain exit 0 You'll then need to define the LDAP modules: modules/myldap: ldap ldap_mycompany { # ldap settings go here } ldap ldap_branch1 { # ldap settings go here } Note that "authenticating" to LDAP has some subtleties. I would aim to get it working for one user in one domain first without any of the above, then replicate it out for N domains. Note also that running a shell script on every auth will be slow; if you can, consider using a SQL query or building a key/value file and getting the domain from rlm_passwd or similar.
Hi, I previously had to allow Active Directory users to authenticate from some domain with unqualified usernames. I simply forked the LDAP module already present in FreeRADIUS, and removed any authentication part, since it won't be used here. The configuration of the forked module also contains a new "realm" variable. The module already handle the search for you, so if the user was found, I appended to the username @realm variable that was specified in the configuration file. Now that you have a qualified username, simply configure the FreeRADIUS to proxy the users for that domain, and configure the NPS service on your Active Directory. The key part is to call the suffix module after the custom LDAP module, so everything will go smoothly. It was quite some time since I looked at the sources, and the "packaging" of the module is not that nice, but here is the Github page if you are interested: https://github.com/ether42/freeradius-ldap-kerberos#rlm_ldap_forwarder And here are the modules sources: https://github.com/ether42/freeradius-ldap-kerberos/tree/master/radius/freer... If I remember correctly, you'll have to tune a bit the LDAP configuration on the Active Directory or it will not respond in case of too much connections. PS: don't pay attention to the Kerberos part, the FreeRADIUS did have to handle accounts that had MIT Kerberos profiles too, but that's not the topic here =) Regards. 2014-08-29 17:19 GMT+02:00 Phil Mayers <p.mayers@imperial.ac.uk>:
On 29/08/14 13:41, Ricardo Esteves wrote:
Hi,
1 - The main goal is to authenticate Oracle Database users against Active Directory ( i think oracle works as normal radius client) 2 - The usernames are unqualified. 3 - Users are unique across domains.
Ok, so broadly speaking do something like this:
authorize { ... # run a script telling you which LDAP to query update request { Tmp-String-0 := "%{exec:/my/script %{User-Name}}" } # switch over the result switch "%{Tmp-String-0}" { case "mycompany" { ldap_mycompany } case "branch1" { ldap_branch1 } } ... }
The script should be something like this:
#!/bin/bash
username="$1" domain=`some query $username` echo $domain exit 0
You'll then need to define the LDAP modules:
modules/myldap:
ldap ldap_mycompany { # ldap settings go here }
ldap ldap_branch1 { # ldap settings go here }
Note that "authenticating" to LDAP has some subtleties. I would aim to get it working for one user in one domain first without any of the above, then replicate it out for N domains.
Note also that running a shell script on every auth will be slow; if you can, consider using a SQL query or building a key/value file and getting the domain from rlm_passwd or similar.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (5)
-
Alan DeKok -
Kevin Boulain -
Phil Mayers -
Ricardo Esteves -
Stefan Paetow