FreeRadius - ActiveDirectory authentication multiple domains

Kevin Boulain kevinboulain at gmail.com
Fri Aug 29 18:13:49 CEST 2014


Hi,

I previously had to allow Active Directory users to authenticate from some
domain with unqualified usernames.

I simply forked the LDAP module already present in FreeRADIUS and removed
any authentication part, since it won't be used here.
The configuration of the forked module also contains a new "realm" variable.
The module already handles the search for you, so if the user was found, I
appended the @realm variable specified in the configuration file to the
username.

Now that you have a qualified username, simply configure FreeRADIUS to
proxy the users for that domain, and configure the NPS service on your
Active Directory.
The key part is to call the suffix module after the custom LDAP module, so
everything will go smoothly.

It has been quite some time since I looked at the sources, and the "packaging"
of the module is not that nice, but here is the GitHub page if you are
interested:
https://github.com/ether42/freeradius-ldap-kerberos#rlm_ldap_forwarder

And here are the module's sources:
https://github.com/ether42/freeradius-ldap-kerberos/tree/master/radius/freeradius-server-3.1.0/src/modules/rlm_ldap_forwarder

If I remember correctly, you'll have to tune the LDAP configuration on the
Active Directory a bit or it will not respond in case of too many
connections.

PS: don't pay attention to the Kerberos part; FreeRADIUS did have to
handle accounts that had MIT Kerberos profiles too, but that's not the
topic here =)

Regards.



2014-08-29 17:19 GMT+02:00 Phil Mayers <p.mayers at imperial.ac.uk>:

> On 29/08/14 13:41, Ricardo Esteves wrote:
>
>> Hi,
>>
>> 1 - The main goal is to authenticate Oracle Database users against
>> Active Directory ( i think oracle works as normal radius client)
>> 2 - The usernames are unqualified.
>> 3 - Users are unique across domains.
>>
>
> Ok, so broadly speaking do something like this:
>
> authorize {
>   ...
>   # run a script telling you which LDAP to query
>   update request {
>     Tmp-String-0 := "%{exec:/my/script %{User-Name}}"
>   }
>   # switch over the result
>   switch "%{Tmp-String-0}" {
>     case "mycompany" {
>       ldap_mycompany
>     }
>     case "branch1" {
>       ldap_branch1
>     }
>   }
>   ...
> }
>
> The script should be something like this:
>
> #!/bin/bash
>
> # $1 is the RADIUS User-Name: untrusted input, so keep it quoted
> username="$1"
> domain=$(some query "$username")
> echo "$domain"
> exit 0
>
> You'll then need to define the LDAP modules:
>
> modules/myldap:
>
> ldap ldap_mycompany {
>   # ldap settings go here
> }
>
> ldap ldap_branch1 {
>   # ldap settings go here
> }
>
>
> Note that "authenticating" to LDAP has some subtleties. I would aim to get
> it working for one user in one domain first without any of the above, then
> replicate it out for N domains.
>
> Note also that running a shell script on every auth will be slow; if you
> can, consider using a SQL query or building a key/value file and getting
> the domain from rlm_passwd or similar.
>
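As an added example (not code from either poster), here is a hardened version of the lookup script Phil sketches, backed by the flat key/value file he recommends instead of a per-auth query. The one-line-per-user map format, the `USER_MAP` variable and the `/my/script` call path are assumptions; the map contents are constructed.

```bash
#!/bin/bash
# Added example, not from the original thread. Called from unlang as
#   Tmp-String-0 := "%{exec:/my/script %{User-Name}}"
# User-Name arrives from the RADIUS client and is untrusted: validate it
# first, keep it quoted, and hand it to awk as data rather than program text.

# Constructed sample map (assumed format: "username domain" per line).
# In production, point USER_MAP at a file generated from your directories.
USER_MAP="${USER_MAP:-$(mktemp)}"
cat > "$USER_MAP" <<'EOF'
# username domain
alice mycompany
bob branch1
carol branch1
EOF

# lookup_domain USERNAME -> prints the domain, or "unknown" when the name is
# malformed or absent. Always exits 0 so the %{exec:...} expansion yields a
# value that the unlang switch can send to a default case and reject there.
lookup_domain() {
    username="$1"
    # Unqualified account names only: reject empty input and anything outside
    # a conservative character set (so '@', '\', ';', spaces are never passed on).
    case "$username" in
        ''|*[!A-Za-z0-9._-]*) echo "unknown"; return 0 ;;
    esac
    # Exact, case-insensitive match on the first field; comments and short
    # lines are skipped. -v passes the name as an awk variable, not as code.
    domain=$(awk -v u="$username" '
        /^#/ || NF < 2 { next }
        tolower($1) == tolower(u) { print $2; exit }
    ' "$USER_MAP")
    echo "${domain:-unknown}"
    return 0
}

# Script entry point: FreeRADIUS passes the User-Name as the first argument.
lookup_domain "$1"
```

Pair it with a `case "unknown"` (or a default branch) in the switch that rejects the request, so an unmapped or malformed name never reaches any LDAP module.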