FreeRadius - ActiveDirectory authentication multiple domains
Phil Mayers
p.mayers at imperial.ac.uk
Fri Aug 29 13:33:43 CEST 2014
On 29/08/14 12:10, Ricardo Esteves wrote:
> Hi,
>
> I need to setup a radius server in order to authenticate users against
> ActiveDirectory.
>
> But I've got one problem: my Active Directory has multiple domains, for
> example:
>
> company.com
> branch1.company.com
> branch2.company.com
> branch3.company.com
>
> Does anyone have any idea of the best way to accomplish this task? Multiple
> LDAP configurations?
>
> For example, with multiple LDAP settings, is there any way to preprocess
> the authentication request with a script to find which domain the user
> belongs to and then use the corresponding LDAP configuration for that domain?
Your question is a bit vague, but the short (unhelpful) answer is yes.
See the example config for the "exec" module, the documentation about
defining module instances, and the if/switch/case statement in "man unlang".
If you want more info, you'd need to give a bit more detail before
people could help you, such as:
1. What authentication types (EAP, MSCHAP, PAP)
2. Will the usernames be qualified or unqualified
3. Are usernames unique across all domains
Note also that AD LDAP will not expose passwords or password hashes. You
can't authenticate against it except when doing plain PAP, which is
proxied to LDAP binds. In particular you can't authenticate EAP/802.1x
wireless or MSCHAP (common for VPNs) against AD LDAP.
If AD LDAP isn't sufficient, you'll end up needing to run multiple copies
of Samba or deal with domain/forest trust issues, which gets complex
quickly.
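The following FreeRADIUS 3.0 configuration is an added illustration of the per-domain routing Phil points at (module instances plus an unlang switch); it is not from the original thread or from the FreeRADIUS project's own config. It assumes qualified usernames of the form user@domain, that usernames are unique within each domain, and placeholder hostnames, bind DNs and CA path (dc1.company.com, svc-radius, company-root-ca.pem) that you would replace. As Phil says, this only works for PAP, because rlm_ldap authenticates by binding as the user; EAP and MSCHAP would still need ntlm_auth/Samba per domain. The exec-based preprocessing the question asks about would also work, but a switch on the Realm attribute does the same routing in-process without forking a script per request.

```unlang
# --- mods-enabled/ldap ----------------------------------------------------
# One rlm_ldap instance per AD domain. Server names, bind DNs and the CA
# file are placeholders for this example. Use a dedicated least-privilege
# bind account and LDAPS so the PAP password is never sent in clear.
ldap ldap_company {
	server = 'ldaps://dc1.company.com'
	identity = 'CN=svc-radius,OU=Service Accounts,DC=company,DC=com'
	password = 'CHANGE-ME'
	base_dn = 'DC=company,DC=com'
	user {
		base_dn = "${..base_dn}"
		# The "suffix" realm instance leaves the bare account name in
		# Stripped-User-Name; fall back to User-Name if it is unset.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	tls {
		ca_file = /etc/raddb/certs/company-root-ca.pem
		require_cert = 'demand'
	}
}

ldap ldap_branch1 {
	server = 'ldaps://dc1.branch1.company.com'
	identity = 'CN=svc-radius,OU=Service Accounts,DC=branch1,DC=company,DC=com'
	password = 'CHANGE-ME'
	base_dn = 'DC=branch1,DC=company,DC=com'
	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	tls {
		ca_file = /etc/raddb/certs/company-root-ca.pem
		require_cert = 'demand'
	}
}
# branch2.company.com and branch3.company.com get instances of the same shape.

# --- proxy.conf -----------------------------------------------------------
# A realm block with no authhost is LOCAL: rlm_realm ("suffix") splits
# user@realm into Stripped-User-Name and Realm and proxies nothing.
realm company.com { }
realm branch1.company.com { }

# --- sites-enabled/default ------------------------------------------------
server default {
	authorize {
		preprocess
		suffix

		# Send the lookup to the instance for the user's domain, and pin
		# Auth-Type to that same instance so the bind also goes to the
		# right domain controller.
		switch &Realm {
			case "company.com" {
				ldap_company
				if (ok || updated) {
					update control { Auth-Type := ldap_company }
				}
			}
			case "branch1.company.com" {
				ldap_branch1
				if (ok || updated) {
					update control { Auth-Type := ldap_branch1 }
				}
			}
			case {
				# Unqualified name or unknown realm: fail closed rather
				# than guess a domain (Phil's question 2 above).
				reject
			}
		}
	}

	authenticate {
		# PAP only: each instance authenticates by binding as the user's DN.
		Auth-Type ldap_company { ldap_company }
		Auth-Type ldap_branch1 { ldap_branch1 }
	}
}
```

Run `radiusd -X` and send a test request with `radtest 'alice@branch1.company.com' <password> 127.0.0.1 0 <secret>`; the debug output should show `suffix` setting Realm and Stripped-User-Name, the `ldap_branch1` instance doing the search, and the bind happening under `Auth-Type ldap_branch1`. If usernames arrive unqualified, the default case rejects them, which is deliberate: silently trying every domain in turn would let an account in one domain be authenticated against another.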