Our users authenticate with tokens through a 3rd party RADIUS server.
I created in the user profile a directory with local members who have access to a Windows 2008 TS.
Because I don't want to manually add all users, I want to use LDAP.
Is the following scenario possible:
User logs in with username/hardware token (3rd party authentication, RADIUS) and gets webtop icon(s) based on AD OU membership.
I'm afraid that this scenario won't work because of the order of checking the repositories.
The order of checking is:
1. Local repository
2. LDAP repository
3. 3rd identity
And I don't want a user to log in with the AD credentials.
In general, what you're talking about is "third-party authentication (web authentication)" - that is, authentication is performed external to SGD, by the Apache webserver, and then the user is logged into SGD, using an identity established from, in your case, Active Directory.
Here's some documentation on this process: http://docs.oracle.com/cd/E26362_01/E26354/html/third-party-auth.html#web-auth
The specifics of how you configure Apache will depend on the token generation package you use - for example, RSA SecurID has a Webagent you can install/configure for Apache; others have used a mod_auth module, such as mod_auth_radius, dynamically loading the module into Apache.
The first point is to "protect" the SGD login URL (/sgd) with some Apache ACL - once authenticated by whatever mechanism you choose, the user will see the SGD login page.
From there, you configure webserver authentication, so the REMOTE_USER environment variable can be passed to SGD to do a lookup of an identity using whatever directory service you have configured.
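An added configuration sketch of the Apache side of this setup (not from the original answer or from Oracle/SGD documentation): the SGD login URL is protected by mod_auth_radius so that REMOTE_USER is set for the directory lookup. The directive names (AddRadiusAuth, AddRadiusCookieValid, AuthRadiusActive, AuthRadiusAuthoritative) and the module file name are assumed from the FreeRADIUS mod_auth_radius-2.0 module and should be checked against the version installed; the RADIUS host, port and shared secret are placeholders.

```apache
# Added example, not part of the original thread. Apache 2.2 httpd.conf
# fragment: RADIUS-backed Basic authentication in front of /sgd.
# Module path and directive names assumed from mod_auth_radius-2.0;
# verify against the installed module before use.
LoadModule radius_auth_module modules/mod_auth_radius-2.0.so

# RADIUS server (placeholder host:port), shared secret (placeholder),
# and timeout:retries. Keep the secret out of world-readable config.
AddRadiusAuth radius.example.internal:1812 CHANGE_ME_SHARED_SECRET 5:3

# Cache a successful token check in a cookie for 5 minutes, so each
# request under /sgd does not consume a fresh one-time token.
AddRadiusCookieValid 5

# Only accept Basic credentials over TLS: the token code travels in the
# Authorization header, and the SGD session cookie follows on /sgd.
<Location /sgd>
    SSLRequireSSL
    AuthType Basic
    AuthName "Hardware token (RADIUS)"
    # Do not fall back to htpasswd/other Basic providers
    AuthBasicAuthoritative Off
    AuthRadiusAuthoritative On
    AuthRadiusActive On
    Require valid-user
</Location>
```

With this in place, a request to /sgd that passes RADIUS carries REMOTE_USER set to the token username, which is the value SGD then resolves against the configured directory (LDAP/AD) on its own side, as described in the linked documentation.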