Multi-domain AD and Users Who Aren't So Bright

McNutt, Justin M. McNuttJ at missouri.edu
Fri Feb 10 15:50:47 CET 2012
> Thoughts?  Opinions?  Better ways to accomplish any/all of this?
> Briefly, there's probably not much you can do to improve this. If you
> have such a complex domain environment, you're going to have to write
> complex policies OR mandate your users always use the correct "DOM\user"
> format.
> Or make 'em use their institutional email address. Easier to remember :)
> Seems trivial but it might not be. At least in our case we have 3 kinds
> of email addresses, referring to 2 domains. And the name before the '@'
> sign might not be the same as the sAMAccountName.
>
> I'm trying (with no luck :( ) to use
> /usr/bin/net ads search -P "(mail=%{User-Name})" sAMAccountName|grep
> sAMAccountName|sed "s/^[^ ]* //"
> (maybe it's possible to do the same without using grep and sed, but it's
> been just a quick test -- suggestions welcome).
>
> Replacement is OK, but seems secrets.tdb can't be opened :( even if
> permissions should be OK :-?
>
> A limit of net ads search is that it searches only the default (joined)
> domain, unless you specify another domain controller with -S or -I -- I
> could easily do that based on the mail domain but in other setups it
> could be harder.

A problem I'm having with that is the fact that we outsourced student e-mail (so they can continue to use that account after they graduate).  So the password for their e-mail account is not the same as the password for their AD account (possibly).

For the lookup, I'm betting that ldapsearch could be given a filter like (|(sAMAccountName=%{User-Name})(exchangeSMTPAliases=%{User-Name})) that would match any valid SMTP alias, but that's assuming that you're using Exchange and all of the aliases are visible in AD someplace.

Also, I'm finding that the callouts to scripts of any kind to run 'ldapsearch' are fairly slow.  I'm working on a way to run 'ldapsearch' daily and pre-populate an Oracle or MySQL database with the data that I want so that FR can look there first, and only go to an 'ldapsearch' script if that fails (maybe).  I'm pretty impressed with the way ldapsearch will fail over to a second, third, fourth URI given at the command line, but the shell call takes a lot of time as the load ramps up.

--J
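A sketch of the pre-populated lookup described in the message, added here as an example and not code from anyone in the thread: parse a daily `ldapsearch -LLL` dump into a table keyed by every name a user might type (sAMAccountName, mail, SMTP alias), then resolve a RADIUS User-Name against it before falling back to a live search. It assumes SMTP aliases are in the standard `proxyAddresses` attribute rather than the attribute named in the message, derives each account's DNS domain from its DN so same-named users in different domains are kept apart, and uses constructed sample LDIF.

```python
# Constructed `ldapsearch -LLL` output spanning two AD domains (sample data, not a real directory).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=campus,DC=example,DC=edu
sAMAccountName: jdoe
mail: Jane.Doe@example.edu
proxyAddresses: SMTP:Jane.Doe@example.edu

dn: CN=Bob Roe,OU=Students,DC=students,DC=example,DC=edu
sAMAccountName: broe42
proxyAddresses: SMTP:bob.roe@mail.example.edu
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; folded lines are joined, '::' base64 values are left encoded."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:              # RFC 2849 continuation line
            cur[last][-1] += line[1:]
            continue
        if not line:                                   # blank line ends an entry
            if cur: entries.append(cur)
            cur, last = {}, None
            continue
        attr, _, value = line.partition(":")
        last = attr.lower()
        cur.setdefault(last, []).append(value.strip())
    return entries

def build_alias_table(entries):
    """Map each login form to (sAMAccountName, dns_domain); a key claimed by two accounts becomes None (refused)."""
    table = {}
    for entry in entries:
        sam = entry.get("samaccountname", [None])[0]
        if not sam: continue
        dn_parts = entry.get("dn", [""])[0].split(",")
        dns_domain = ".".join(p[3:] for p in dn_parts if p.upper().startswith("DC="))
        keys = {sam, *entry.get("mail", [])}
        keys.update(pa[5:] for pa in entry.get("proxyaddresses", []) if pa[:5].lower() == "smtp:")
        for key in map(str.lower, keys):
            table[key] = (sam, dns_domain) if table.get(key, (sam, dns_domain)) == (sam, dns_domain) else None
    return table

def resolve(table, user_name):
    """Strip a DOM\\ prefix, try the typed form (mail alias), then user@realm only if realm is the account's domain."""
    name = user_name.strip().rsplit("\\", 1)[-1].lower()
    hit = table.get(name)
    if hit is None and "@" in name:
        user, realm = name.split("@", 1)
        cand = table.get(user)
        hit = cand if cand and cand[1] == realm else None  # refuse a realm that is not the account's own domain
    return hit
```

The table is what would be written to the MySQL/Oracle cache; a miss (None) is the case to hand to the slower live 'ldapsearch' path.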
More information about the Freeradius-Users mailing list