1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
# -*- text -*-
#
# $Id$
#
# This is a more general example of the execute module.
#
# This one is called "echo".
#
# Attribute-Name = `%{echo:/path/to/program args}`
#
# If you wish to execute an external program in more than
# one section (e.g. 'authorize', 'pre_proxy', etc), then it
# is probably best to define a different instance of the
# 'exec' module for every section.
#
# The return value of the program run determines the result
# of the exec instance call as follows:
# (See doc/configurable_failover for details)
#
# < 0 : fail the module failed
# = 0 : ok the module succeeded
# = 1 : reject the module rejected the user
# = 2 : fail the module failed
# = 3 : ok the module succeeded
# = 4 : handled the module has done everything to handle the request
# = 5 : invalid the user's configuration entry was invalid
# = 6 : userlock the user was locked out
# = 7 : notfound the user was not found
# = 8 : noop the module did nothing
# = 9 : updated the module updated information in the request
# > 9 : fail the module failed
#
exec echo {
#
# Wait for the program to finish.
#
# If we do NOT wait, then the program is "fire and
# forget", and any output attributes from it are ignored.
#
# If we are looking for the program to output
# attributes, and want to add those attributes to the
# request, then we MUST wait for the program to
# finish, and therefore set 'wait=yes'
#
# allowed values: {no, yes}
wait = yes
#
# The name of the program to execute, and it's
# arguments. Dynamic translation is done on this
# field, so things like the following example will
# work.
#
program = "/bin/echo %{User-Name}"
#
# The attributes which are placed into the
# environment variables for the program.
#
# Allowed values are:
#
# request attributes from the request
# config attributes from the configuration items list
# reply attributes from the reply
# proxy-request attributes from the proxy request
# proxy-reply attributes from the proxy reply
#
# Note that some attributes may not exist at some
# stages. e.g. There may be no proxy-reply
# attributes if this module is used in the
# 'authorize' section.
#
input_pairs = request
#
# Where to place the output attributes (if any) from
# the executed program. The values allowed, and the
# restrictions as to availability, are the same as
# for the input_pairs.
#
output_pairs = reply
#
# When to execute the program. If the packet
# type does NOT match what's listed here, then
# the module does NOT execute the program.
#
# For a list of allowed packet types, see
# the 'dictionary' file, and look for VALUEs
# of the Packet-Type attribute.
#
# By default, the module executes on ANY packet.
# Un-comment out the following line to tell the
# module to execute only if an Access-Accept is
# being sent to the NAS.
#
#packet_type = Access-Accept
#
# Should we escape the environment variables?
#
# If this is set, all the RADIUS attributes
# are capitalised and dashes replaced with
# underscores. Also, RADIUS values are surrounded
# with double-quotes.
#
# That is to say: User-Name=BobUser => USER_NAME="BobUser"
shell_escape = yes
#
# How long should we wait for the program to finish?
#
# Default is 10 seconds, which should be plenty for nearly
# anything. Range is 1 to 30 seconds. You are strongly
# encouraged to NOT increase this value. Decreasing can
# be used to cause authentication to fail sooner when you
# know it's going to fail anyway due to the time taken,
# thereby saving resources.
#
#timeout = 10
}
|
