FreeRadius - ActiveDirectory authentication multiple domains
maverick.pt at gmail.com
Fri Aug 29 14:41:20 CEST 2014
1 - The main goal is to authenticate Oracle Database users against
Active Directory (I think Oracle works as a normal RADIUS client)
2 - The usernames are unqualified.
3 - Users are unique across domains.
On 29-08-2014 12:33, Phil Mayers wrote:
> On 29/08/14 12:10, Ricardo Esteves wrote:
>> I need to set up a radius server in order to authenticate users against
>> But I've got one problem, my Active Directory has multiple domains, for
>> Anyone has any idea on the best way to accomplish this task? Multiple
>> LDAP configurations?
>> For example with multiple ldap settings is there any way to preprocess
>> the authentication request with a script to find which domain the user
>> belongs and then use the corresponding ldap configuration to that
> Your question is a bit vague, but the short (unhelpful) answer is yes.
> See the example config for the "exec" module, the documentation about
> defining module instances, and the if/switch/case statement in "man
> If you want more info, you'd need to give a bit more detail before
> people could help you, such as:
> 1. What authentication types (EAP, MSCHAP, PAP)
> 2. Will the usernames be qualified or unqualified
> 3. Are usernames unique across all domains
> Note also that AD LDAP will not expose passwords or password hashes.
> You can't authenticate against it except when doing plain PAP, which
> are proxied to LDAP binds. In particular you can't authenticate
> EAP/802.1x wireless or MSCHAP (common for VPNs) against AD LDAP.
> If AD LDAP isn't sufficient you'll end up needing to run multiple
> copies of Samba or deal with domain/forest trust issues, which gets
> complex quickly.
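Added example, not part of the original thread or of FreeRADIUS: a sketch of the kind of lookup script discussed above, which maps an unqualified username to the single domain that holds it and prints that label for the server to branch on. The domain labels, the sample directory, the `sample_search` stand-in and the use of `sAMAccountName` as the search attribute are assumptions; a real deployment would replace `sample_search` with an LDAP search against each domain.

```python
import sys

# Constructed sample data standing in for each domain's directory.
SAMPLE_DIRECTORY = {
    "emea": ["alice", "bob"],
    "apac": ["carol", "bob"],  # "bob" is duplicated on purpose
}

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """RFC 4515 escaping, so a username cannot change the search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username):
    """Build the per-user search filter from an untrusted username."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def sample_search(domain, ldap_filter):
    """Stand-in for an LDAP search; a real one would query that domain's DC."""
    return any(build_filter(u).lower() == ldap_filter.lower()
               for u in SAMPLE_DIRECTORY[domain])


def resolve_domain(username, domains=("apac", "emea"), search=sample_search):
    """Return the one domain that holds username, else None (fail closed)."""
    if not username:
        return None
    ldap_filter = build_filter(username)
    hits = [d for d in domains if search(d, ldap_filter)]
    # Zero hits or more than one hit is treated as "unknown user".
    return hits[0] if len(hits) == 1 else None


def main(argv):
    domain = resolve_domain(argv[1] if len(argv) > 1 else "")
    if domain is None:
        return 1      # non-zero exit: the caller should reject the request
    print(domain)     # label for the caller to switch on
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The ambiguity check backs up the assumption that usernames are unique across domains: if that ever stops being true, the lookup fails closed instead of binding against whichever domain answered first.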