Authentication with multiple AD
Pavel Klochan
pavel.klochan at gmail.com
Wed Jan 25 11:19:43 CET 2012
Hi. I need advice/help with my problem.
I'm trying to authenticate with 2 LDAP-servers from freeradius, but without
success.
I have two AD with different domains (e.g. domain1 and domain2, and they
are not linked). I'm trying to authenticate by UPN (username@domainX). I
thought it would be possible to regexp User-Name in the Authenticate section
and substitute values of the LDAP config, but it doesn't work. In the
sites-enabled/default Authenticate section:
    if (User-Name =~ /domain1/i) {
        Server1
    }
    elsif (User-Name =~ /domain2/i) {
        Server2
    }
in modules/ldap I have:
    ldap Server1 {
        server = "x.x.x.x"
        identity = "user"
        password = pass
        basedn = "DC=example1,DC=com"
        filter = "(userPrincipalName=%{User-Name})"
        ldap_connections_number = 5
        timeout = 10
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        chase_referrals = yes
        rebind = yes
    }
    ldap Server2 {
        server = "x.x.x.x"
        identity = "user"
        password = pass
        basedn = "DC=example2,DC=com"
        filter = "(userPrincipalName=%{User-Name})"
        ldap_connections_number = 5
        timeout = 10
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        chase_referrals = yes
        rebind = yes
        # ldap_debug = 0xFFFF
    }
If user@domain1 (or any other) belongs to the group "mobile" in AD, I send
Access-Accept.
When I start FreeRADIUS in debug mode, I don't see any regexp information.
With the current config file, FreeRADIUS will use only ldap Server2 to
authenticate users.
Is there any way to authenticate with multiple AD?
Thanks
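As an added illustration, not part of the original post and not FreeRADIUS code, the script below models the realm-to-instance selection that the unlang snippet above attempts, and shows why a bare substring match such as /domain1/i is a weak selector: it matches anywhere in User-Name, including the local part or a longer realm like domain10, so a request can be sent to the wrong directory. Anchoring on the realm after the "@" and comparing it exactly against a known list avoids that. The realm names domain1.com and domain2.com and the instance names Server1/Server2 are assumptions chosen to mirror the post.

```python
import re

# Constructed mapping from UPN realm to the ldap module instance that should
# handle it. Realm and instance names are assumptions, not from the post.
REALM_TO_INSTANCE = {
    "domain1.com": "Server1",
    "domain2.com": "Server2",
}

# Loose rules, equivalent to the post's `User-Name =~ /domain1/i` tests:
# an unanchored, case-insensitive substring search over the whole User-Name.
LOOSE_RULES = [
    (re.compile(r"domain1", re.IGNORECASE), "Server1"),
    (re.compile(r"domain2", re.IGNORECASE), "Server2"),
]


def route_loose(user_name):
    """First substring rule that matches wins; None if nothing matches."""
    for pattern, instance in LOOSE_RULES:
        if pattern.search(user_name):
            return instance
    return None


# Strict UPN shape: exactly one '@', no whitespace, realm limited to the
# characters that can appear in a DNS name. Anchored at both ends.
UPN_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[A-Za-z0-9.-]+)$")


def route_strict(user_name):
    """Parse the UPN and select an instance only on an exact realm match.

    Returns None when the name is not a well-formed UPN or the realm is not
    one we serve, so the caller can reject instead of guessing a directory.
    """
    match = UPN_RE.match(user_name)
    if not match:
        return None
    return REALM_TO_INSTANCE.get(match.group("realm").lower())


def compare(user_names):
    """Return (name, loose_choice, strict_choice) for each constructed input."""
    return [(name, route_loose(name), route_strict(name)) for name in user_names]


if __name__ == "__main__":
    # Constructed sample User-Name values exercising the edge cases.
    samples = [
        "alice@domain1.com",        # both agree: Server1
        "domain1user@domain2.com",  # loose picks Server1 from the local part
        "bob@domain10.com",         # loose picks Server1 for an unknown realm
        "ALICE@DOMAIN2.COM",        # case folding on the realm
        "no-realm",                 # not a UPN at all
    ]
    for name, loose, strict in compare(samples):
        print(f"{name:28} loose={loose!s:8} strict={strict}")
```

The strict variant also rejects names with more than one "@" or with whitespace, which is the behaviour you want before the value is expanded into any directory query: a request that cannot be mapped to exactly one realm should fail closed rather than fall through to whichever instance happens to be listed last.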