FreeRadius - ActiveDirectory authentication multiple domains
Phil Mayers
p.mayers at imperial.ac.uk
Fri Aug 29 17:19:44 CEST 2014
On 29/08/14 13:41, Ricardo Esteves wrote:
> Hi,
>
> 1 - The main goal is to authenticate Oracle Database users against
> Active Directory (I think Oracle works as a normal RADIUS client)
> 2 - The usernames are unqualified.
> 3 - Users are unique across domains.
Ok, so broadly speaking do something like this:
authorize {
    ...
    # run a script telling you which LDAP to query
    update request {
        Tmp-String-0 := "%{exec:/my/script %{User-Name}}"
    }
    # switch over the result
    switch "%{Tmp-String-0}" {
        case "mycompany" {
            ldap_mycompany
        }
        case "branch1" {
            ldap_branch1
        }
    }
    ...
}
The script should be something like this:
#!/bin/bash
# Map the unqualified username passed by rlm_exec to its domain and print it.
username="$1"
domain=$(some query "$username")
echo "$domain"
exit 0
You'll then need to define the LDAP modules:
modules/myldap:
ldap ldap_mycompany {
    # ldap settings go here
}
ldap ldap_branch1 {
    # ldap settings go here
}
Note that "authenticating" to LDAP has some subtleties. I would aim to
get it working for one user in one domain first without any of the
above, then replicate it out for N domains.
Note also that running a shell script on every auth will be slow; if you
can, consider using a SQL query or building a key/value file and getting
the domain from rlm_passwd or similar.
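As an added illustration of the key/value-file approach suggested above (example code, not from the original post): a lookup script that could stand in for the `/my/script` placeholder in the `exec` call, reading a constructed "username domain" file and always printing a domain or the literal "unknown" so the unlang switch can carry a default case. The file format, the `lookup_domain` name and the character whitelist are assumptions.

```shell
#!/bin/bash
# Added example: resolve an unqualified RADIUS User-Name to its AD domain
# from a flat key/value file rather than querying AD on every auth.
# Assumed file format: one "username domain" pair per line.

# Constructed sample mapping file; a real deployment would generate this
# from each domain's user list on a schedule.
MAPFILE="${MAPFILE:-$(mktemp)}"
cat > "$MAPFILE" <<'EOF'
alice mycompany
bob branch1
carol branch1
EOF

# lookup_domain USERNAME: print the domain, or "unknown" if not found.
# User-Name comes from the RADIUS client, so only plain account names are
# accepted; anything else is reported as unknown so the unlang switch can
# route it to a default case (e.g. case "unknown" { reject }).
lookup_domain() {
    local user="$1"
    case "$user" in
        *[!A-Za-z0-9._-]*|"") echo "unknown"; return 0 ;;
    esac
    # exact match on the first column; -v passes the name as data, not as a regex
    local domain
    domain=$(awk -v u="$user" '$1 == u { print $2; exit }' "$MAPFILE")
    echo "${domain:-unknown}"
}

# When invoked as /my/script <User-Name>, print the result for rlm_exec.
if [ -n "${1-}" ]; then
    lookup_domain "$1"
fi
```

The unlang snippet above would then gain a `case "unknown" { reject }` branch next to the per-domain cases.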