FreeRadius - ActiveDirectory authentication multiple domains

[Ricardo Esteves]

Hi,

1 - The main goal is to authenticate Oracle Database users against 
Active Directory ( i think oracle works as normal radius client)
2 - The usernames are unqualified.
3 - Users are unique across domains.

Best regards,
Ricardo Esteves.

On 29-08-2014 12:33, Phil Mayers wrote:
> On 29/08/14 12:10, Ricardo Esteves wrote:
>> Hi,
>>
>> I need to setup a radius server in order to authenticate users against
>> ActiveDirectory.
>>
>> But i've got one problem, my activedirectory has multiple domains, for
>> example:
>>
>> company.com
>> branch1.company.com
>> branch2.company.com
>> branch3.company.com
>>
>> Anyone has any idea on the best way to accomplish this task? Multiple
>> LDAP configurations?
>>
>> For example with multiple ldap settings is there anyway to preprocess
>> the autentication request with a script to find which domain the user
>> belongs and then use the corresponding ldap configuration to that 
>> domain?
>
> Your question is a bit vague, but the short (unhelpful) answer is yes. 
> See the example config for the "exec" module, the documentation about 
> defining module instances, and the if/switch/case statement in "man 
> unlang".
>
> If you want more info, you'd need to give a bit more detail before 
> people could help you, such as:
>
>  1. What authentication types (EAP, MSCHAP, PAP)
>  2. Will the usernames be qualified or unqualified
>  3. Are usernames unique across all domains
>
> Note also that AD LDAP will not expose passwords or password hashes. 
> You can't authenticate against it except when doing plain PAP, which 
> are proxied to LDAP binds. In particular you can't authenticate 
> EAP/802.1x wireless or MSCHAP (common for VPNs) against AD LDAP.
>
> If AD LDAP isn't sufficient you'll end up needing to run multiple 
> copies of Samba or deal with domain/forest trust issues, which gets 
> complex quickly.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html