Next: Using an External Filter, Up: Exec-Program-Wait [Contents][Index]
The command line can reference any attributes from both check and reply pairlists using attribute macros see Macro Substitution.
Before the execution of the program, radiusd switches to
uid and gid of the user daemon and the group daemon. You can
override these defaults by setting the variable exec-program-user
in the configuration file to a proper value.
See The option statement.
The daemon will wait until the program terminates. The return value of its execution determines whether the entry matches. If the program exits with a nonzero code, then the match fails. If it exits with a zero code, the match succeeds. In this case the standard output of the program is read and parsed as if it were a pairlist. The attributes thus obtained are added to the entry’s reply attributes.
Suppose the users file contains the following entry:
DEFAULT Auth-Type = System,
Simultaneous-Use = 1
Exec-Program-Wait = "/usr/local/sbin/telauth \
%C{User-Name} \
%C{Calling-Station-Id}"
Then, upon successful matching, the program
/usr/local/sbin/telauth will be executed. It will get as its
arguments the values of the User-Name and Calling-Station-Id
attributes from the request pairs.
The /usr/local/sbin/telauth can, for example, contain the following:
#! /bin/sh
DB=/var/db/userlist
if grep "$1:$2" $DB; then
echo "Service-Type = Login,"
echo "Session-Timeout = 1200"
exit 0
else
echo "Reply-Message = \
\"You are not authorized to log in\""
exit 1
fi
It is assumed that /var/db/userlist contains a list of
username:caller-id pairs for those users that are
authorized to use login service.