FreeRadius - ActiveDirectory authentication multiple domains
Ricardo Esteves
maverick.pt at gmail.com
Fri Aug 29 14:41:20 CEST 2014
Hi,
1 - The main goal is to authenticate Oracle Database users against
Active Directory (I think Oracle works as a normal RADIUS client)
2 - The usernames are unqualified.
3 - Users are unique across domains.
Best regards,
Ricardo Esteves.
On 29-08-2014 12:33, Phil Mayers wrote:
> On 29/08/14 12:10, Ricardo Esteves wrote:
>> Hi,
>>
>> I need to set up a RADIUS server in order to authenticate users against
>> Active Directory.
>>
>> But I've got one problem: my Active Directory has multiple domains, for
>> example:
>>
>> company.com
>> branch1.company.com
>> branch2.company.com
>> branch3.company.com
>>
>> Anyone has any idea on the best way to accomplish this task? Multiple
>> LDAP configurations?
>>
>> For example, with multiple LDAP settings, is there any way to preprocess
>> the authentication request with a script to find which domain the user
>> belongs to and then use the LDAP configuration corresponding to that
>> domain?
>
> Your question is a bit vague, but the short (unhelpful) answer is yes.
> See the example config for the "exec" module, the documentation about
> defining module instances, and the if/switch/case statement in "man
> unlang".
>
> If you want more info, you'd need to give a bit more detail before
> people could help you, such as:
>
> 1. What authentication types (EAP, MSCHAP, PAP)
> 2. Will the usernames be qualified or unqualified
> 3. Are usernames unique across all domains
>
> Note also that AD LDAP will not expose passwords or password hashes.
> You can't authenticate against it except when doing plain PAP, which
> are proxied to LDAP binds. In particular you can't authenticate
> EAP/802.1x wireless or MSCHAP (common for VPNs) against AD LDAP.
>
> If AD LDAP isn't sufficient you'll end up needing to run multiple
> copies of Samba or deal with domain/forest trust issues, which gets
> complex quickly.
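
The module-instance and unlang approach named in the quoted reply, applied to the case stated above (PAP only, unqualified usernames that are unique across domains), as an added example that is not from either poster. It assumes FreeRADIUS 3.0.x configuration syntax; host names, DNs, the service account and the instance names are placeholders, and only two of the four domains are shown.

```conf
# mods-enabled/ldap_company : one named instance of the ldap module per domain
ldap ldap_company {
    server   = 'dc.company.com'                             # placeholder host
    identity = 'CN=svc-radius,CN=Users,DC=company,DC=com'   # placeholder search account
    password = 'CHANGE_ME'
    base_dn  = 'DC=company,DC=com'
    user {
        base_dn = "${..base_dn}"
        filter  = "(sAMAccountName=%{User-Name})"
    }
    tls {
        start_tls = yes    # the user's PAP password crosses this link in the bind
    }
}

# mods-enabled/ldap_branch1
ldap ldap_branch1 {
    server   = 'dc.branch1.company.com'                     # placeholder host
    identity = 'CN=svc-radius,CN=Users,DC=branch1,DC=company,DC=com'
    password = 'CHANGE_ME'
    base_dn  = 'DC=branch1,DC=company,DC=com'
    user {
        base_dn = "${..base_dn}"
        filter  = "(sAMAccountName=%{User-Name})"
    }
    tls {
        start_tls = yes
    }
}

# sites-enabled/default : search each domain in turn, remember which one matched
authorize {
    ldap_company
    if (ok || updated) {
        update control {
            Auth-Type := ldap_company
        }
    }
    else {
        ldap_branch1
        if (ok || updated) {
            update control {
                Auth-Type := ldap_branch1
            }
        }
    }
}

# The bind as the user goes to the instance that found the account
authenticate {
    Auth-Type ldap_company {
        ldap_company
    }
    Auth-Type ldap_branch1 {
        ldap_branch1
    }
}
```

The remaining two domains follow the same pattern, nested inside the innermost `else`.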