FreeRadius - ActiveDirectory authentication multiple domains

Phil Mayers p.mayers at
Fri Aug 29 17:19:44 CEST 2014

On 29/08/14 13:41, Ricardo Esteves wrote:
> Hi,
> 1 - The main goal is to authenticate Oracle Database users against
> Active Directory ( i think oracle works as normal radius client)
> 2 - The usernames are unqualified.
> 3 - Users are unique across domains.

Ok, so broadly speaking do something like this:

authorize {
   # run a script telling you which LDAP to query
   update request {
     Tmp-String-0 := "%{exec:/my/script %{User-Name}}"
   }
   # switch over the result and call the matching ldap instance
   switch "%{Tmp-String-0}" {
     case "mycompany" {
       ldap_mycompany
     }
     case "branch1" {
       ldap_branch1
     }
   }
}

The script should be something like this:


#!/bin/sh
# $1 is the User-Name passed in by the exec expansion
username="$1"
domain=`some query "$username"`
echo "$domain"
exit 0

You'll then need to define the LDAP modules:


ldap ldap_mycompany {
   # ldap settings go here
}

ldap ldap_branch1 {
   # ldap settings go here
}

Note that "authenticating" to LDAP has some subtleties. I would aim to 
get it working for one user in one domain first without any of the 
above, then replicate it out for N domains.

Note also that running a shell script on every auth will be slow; if you 
can, consider using a SQL query or building a key/value file and getting 
the domain from rlm_passwd or similar.
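The following is an added worked example, not code from the post above or from the FreeRADIUS project: it puts the rlm_passwd suggestion together with the per-domain ldap instances and the authenticate section, so a PAP request is routed to the right Active Directory domain without forking a script per request. It assumes FreeRADIUS 3.0 syntax; the module instance name userdomain, the file path user_domains, the user records in it, the server names, bind DNs, base DNs and the placeholder password are all invented for illustration.

```unlang
# mods-available/userdomain  (rlm_passwd; instance name and file path are assumed)
passwd userdomain {
    filename = ${confdir}/user_domains
    # '*' marks the key field; a field without an '=' prefix is added to the
    # control list, so a hit yields control:Tmp-String-0 = <domain>
    format = "*User-Name:Tmp-String-0"
    delimiter = ":"
    hash_size = 100
    ignore_nislike = no
    allow_multiple_keys = no
}

# ${confdir}/user_domains  (constructed sample data, one "user:domain" per line)
#   jsmith:mycompany
#   ajones:branch1

# mods-available/ldap_mycompany  (one ldap instance per domain)
ldap ldap_mycompany {
    server = "dc1.mycompany.example"
    # AD refuses anonymous searches, so a read-only service account is used
    # to find the user's DN; the user's own password is only used for the bind
    # in the authenticate section below
    identity = "CN=radius,CN=Users,DC=mycompany,DC=example"
    password = "change-me"
    base_dn = "DC=mycompany,DC=example"
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# mods-available/ldap_branch1  (identical apart from the domain-specific values)
ldap ldap_branch1 {
    server = "dc1.branch1.example"
    identity = "CN=radius,CN=Users,DC=branch1,DC=example"
    password = "change-me"
    base_dn = "DC=branch1,DC=example"
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

# sites-enabled/default  (only the relevant parts shown)
authorize {
    # in-memory file lookup instead of an exec per request
    userdomain
    switch "%{control:Tmp-String-0}" {
        case "mycompany" {
            ldap_mycompany
            if (notfound) { reject }
            update control { Auth-Type := LDAP }
        }
        case "branch1" {
            ldap_branch1
            if (notfound) { reject }
            update control { Auth-Type := LDAP }
        }
        # user not in the file: the attribute is unset, the expansion is "",
        # and the default case rejects instead of guessing a domain
        case {
            reject
        }
    }
}

authenticate {
    # AD never returns a password attribute, so the only way to check the
    # credential is to bind as the user against the domain chosen above
    Auth-Type LDAP {
        switch "%{control:Tmp-String-0}" {
            case "mycompany" { ldap_mycompany }
            case "branch1"   { ldap_branch1 }
        }
    }
}
```

Keeping the domain decision in control:Tmp-String-0 means the authorize and authenticate sections agree on which instance to use, which is the part that usually goes wrong when several ldap instances are defined. Adding a domain is then one line in user_domains, one ldap instance, and one case in each switch; and, as the post says, get a single domain working before adding the switch at all.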
