I have a custom Ubuntu container containing FreeRADIUS within a Kubernetes cluster. Due to how containers work, the normal Samba/Winbind method of FreeRADIUS/AD integration is not an option, so I wrote a Bash script to authenticate user credentials, and I also have the LDAP module installed to authorize users for particular services based on group membership.
At the moment I've only been able to configure FreeRADIUS to authorize based on group membership, without it basing its decision on the result of the script. I have tried many different configurations of the authorize file, but I will show just a couple here. This one grants access even with a bad password:
DEFAULT Auth-Type = Accept
    Exec-Program = "/path/to/script/auth.sh %{User-Name} %{User-Password}",
    Fall-Through = Yes

DEFAULT Ldap-Group == "Admingroup", Auth-Type := Accept
    Service-Type = Administrative-User,
    cisco-avpair = 'shell:priv-lvl=15'

DEFAULT Auth-Type := Reject
    Reply-Message = "Authorization failed."
And this one denies access irrespective of the credentials supplied:
DEFAULT Ldap-Group == "Admingroup", Exec-Program = "/path/to/script/auth.sh %{User-Name} %{User-Password}", Auth-Type := Accept
    Service-Type = Administrative-User,
    cisco-avpair = 'shell:priv-lvl=15'

DEFAULT Auth-Type := Reject
    Reply-Message = "Authorization failed."
I know that my script works in and of itself, since I have tested it independently of FreeRADIUS, and I know that there is nothing wrong with the configuration of the LDAP module itself, since it can connect to AD to test group membership. I primarily suspect that the configuration of the authorize file is the problem here; however, feel free to ask about any of the other config files. I will say, though, that apart from radiusd.conf, clients.conf, and ldap, all other files will be in their default state from when they were installed.
Best Answer
I was able to resolve the problem. Here is the correct config for authorize:
Also, the exec module had to be modified at /etc/freeradius/3.0/mods-enabled/exec. The "wait" variable needs to be set to yes so that FreeRADIUS can use the exit code of the script to determine whether to accept or reject:
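As an added illustration, not the asker's auth.sh or the answer's config, here is a script shaped like the one invoked above that follows the exit-code contract rlm_exec relies on when wait = yes (0 accepts, 1 rejects, 2 signals a backend failure). The credential list is constructed for the demo and stands in for the asker's AD check, which is hypothetical here.

```shell
#!/bin/bash
# Added example, not the original auth.sh. Argument order matches the users
# file entry on the page: $1 = User-Name, $2 = User-Password.
# Exit codes follow rlm_exec: 0 = ok (Access-Accept), 1 = reject, 2 = fail.
# Note: %{User-Password} on the command line is visible in the process table
# of the container; rlm_exec also exports request attributes as environment
# variables (USER_NAME, USER_PASSWORD), which avoids that exposure.

# Constructed "user:password" store standing in for the AD bind check.
DEMO_USERS="alice:correct-horse
bob:battery-staple"

# Stand-in for the real AD check: 0 on match, 1 on mismatch, 2 if the store
# is unavailable (a real script would map an unreachable DC to this case).
check_credentials() {
    user="$1"; pass="$2"
    [ -n "$DEMO_USERS" ] || return 2
    printf '%s\n' "$DEMO_USERS" | grep -qxF "$user:$pass"
}

# Entry point. With wait = yes, stdout lines in "Attr = value" form can be
# parsed into reply attributes; stderr goes to the radiusd log.
radius_auth() {
    user="$1"; pass="$2"
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo 'Reply-Message = "Missing credentials"'
        return 1
    fi
    check_credentials "$user" "$pass"
    rc=$?
    case "$rc" in
        0) echo "Reply-Message = \"Welcome $user\"" ;;
        1) echo "auth.sh: rejected user=$user" >&2 ;;   # never log the password
        *) echo "auth.sh: backend failure for user=$user" >&2; rc=2 ;;
    esac
    return "$rc"
}
```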