On Thu, Dec 16, 2004 at 09:12:59AM +0000, Santiago Balaguer García wrote:
> The action you proposed is to create a new attribute, for instance,
> Exec-Program-End, and insert it in the radreply table. For example, if I
> have these entries in this table:
> +-----+----------+-------------------+----+---------------------------------------+
> | id  | UserName | Attribute         | op | Value                                 |
> +-----+----------+-------------------+----+---------------------------------------+
> | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
> | 169 | 11101    | Session-Timeout   | := |                                       |
> | 170 | 11101    | Idle-Timeout      | := | 300                                   |
>
>
> The information for this user would be:
> +-----+----------+-------------------+----+---------------------------------------+
> | id  | UserName | Attribute         | op | Value                                 |
> +-----+----------+-------------------+----+---------------------------------------+
> | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
> | 169 | 11101    | Session-Timeout   | := |                                       |
> | 170 | 11101    | Idle-Timeout      | := | 300                                   |
> | 171 | 11101    | Exec-Program-End  | =  | /home/blackbox/finish_script.sh %u %n |

I should point out that Exec-Program-Wait is executed at the end of
authentication, not the start of accounting. It's probably fairly
close though.

> I located the accounting section, but I don't know what I must modify.
> So I attach my radius.conf.

Here's what I meant:

This won't quite work, since the contents of radreply don't go into
accounting packet responses. But this should give you the idea...

You might be better off using the acct_users file to set the
Exec-Program-End attribute, if it's as generic as the above.

_Or_ unify your scripts into one script for every user, and use the
parameters to determine what to do.

> 	#
> 	#  This is a more general example of the execute module.
> 	#
> 	#  If you wish to execute an external program in more than
> 	#  one section (e.g. 'authorize', 'pre_proxy', etc), then it
> 	#  is probably best to define a different instance of the
> 	#  'exec' module for every section.
> 	#
> 	exec echo {
> 		#
> 		#  Wait for the program to finish.
> 		#
> 		#  If we do NOT wait, then the program is "fire and
> 		#  forget", and any output attributes from it are ignored.
> 		#
> 		#  If we are looking for the program to output
> 		#  attributes, and want to add those attributes to the
> 		#  request, then we MUST wait for the program to
> 		#  finish, and therefore set 'wait=yes'
> 		#
> 		# allowed values: {no, yes}
> 		wait = yes
>
> 		#
> 		#  The name of the program to execute, and it's
> 		#  arguments.  Dynamic translation is done on this
> 		#  field, so things like the following example will
> 		#  work.
> 		#
> 		program = "/bin/echo %{User-Name}"
>
> 		#
> 		#  The attributes which are placed into the
> 		#  environment variables for the program.
> 		#
> 		#  Allowed values are:
> 		#
> 		#	request		attributes from the request
> 		#	reply		attributes from the reply
> 		#	proxy-request	attributes from the proxy request
> 		#	proxy-reply	attributes from the proxy reply
> 		#
> 		#  Note that some attributes may not exist at some
> 		#  stages.  e.g. There may be no proxy-reply
> 		#  attributes if this module is used in the
> 		#  'authorize' section.
> 		#
> 		input_pairs = request
>
> 		#
> 		#  Where to place the output attributes (if any) from
> 		#  the executed program.  The values allowed, and the
> 		#  restrictions as to availability, are the same as
> 		#  for the input_pairs.
> 		#
> 		output_pairs = reply
>
> 		#
> 		#  When to execute the program.  If the packet
> 		#  type does NOT match what's listed here, then
> 		#  the module does NOT execute the program.
> 		#
> 		#  For a list of allowed packet types, see
> 		#  the 'dictionary' file, and look for VALUEs
> 		#  of the Packet-Type attribute.
> 		#
> 		#  By default, the module executes on ANY packet.
> 		#  Un-comment out the following line to tell the
> 		#  module to execute only if an Access-Accept is
> 		#  being sent to the NAS.
> 		#
> 		#packet_type = Access-Accept
> 	}

	exec endofacct {
		wait = no
		program = "%{Exec-Program-End}"
		input_pairs = request
		output_pairs = none
	}

	# The _or_ above would replace that with:
	exec endofacct {
		wait = no
		program = "/home/blackbox/finish_script.sh %u %n"
		input_pairs = request
		output_pairs = none
	}

> #
> #  Accounting.  Log the accounting data.
> #
> accounting {
> 	#
> 	#  Ensure that we have a semi-unique identifier for every
> 	#  request, and many NAS boxes are broken.
> 	acct_unique
>
> 	#
> 	#  Create a 'detail'ed log of the packets.
> 	#  Note that accounting requests which are proxied
> 	#  are also logged in the detail file.
> 	detail
> #	daily
>
> 	unix		# wtmp file
> 	sql
> 	#
> 	#  For Simultaneous-Use tracking.
> 	#
> 	#  Due to packet losses in the network, the data here
> 	#  may be incorrect.  There's little we can do about it.
> 	radutmp
> #	sradutmp
>
> 	#  Return an address to the IP Pool when we see a stop record.
> #	main_pool

	# Run the endofacct instance of the exec module at the end of
	# accounting.
	endofacct
> }

Since the original thread has been lost from the email, I can only
surmise what you're trying to do. If you're trying to run a script at
Acct-Start and Acct-Stop, you probably actually want that to be a
single script, which checks the packet type and whatnot in its
variables and acts appropriately.

-- 
Paul "TBBle" Hampson, on an alternate email client.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
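
Added example, not part of the original message or of FreeRADIUS: the single script suggested above, written so that it reads the packet type from its environment, dispatches on it, and treats User-Name as untrusted input from the NAS. It assumes the exec module with input_pairs = request exports request attributes as the environment variables USER_NAME and ACCT_STATUS_TYPE (possibly wrapped in double quotes); on_start and on_stop are hypothetical handlers.

```shell
#!/bin/sh
# Assumption: request attributes arrive as environment variables
# (User-Name -> USER_NAME, Acct-Status-Type -> ACCT_STATUS_TYPE),
# and some server versions wrap string values in double quotes.

# Strip one pair of surrounding double quotes, if present.
unquote() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# User-Name is supplied over the network: accept only a conservative
# character set and length before it goes near a command line or path.
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print the decision: start:<user>, stop:<user>, ignore or reject.
acct_action() {
    status=$(unquote "${ACCT_STATUS_TYPE:-}")
    user=$(unquote "${USER_NAME:-}")
    valid_user "$user" || { printf 'reject'; return 0; }
    case $status in
        Start) printf 'start:%s' "$user" ;;
        Stop)  printf 'stop:%s' "$user" ;;
        *)     printf 'ignore' ;;
    esac
}

# Hypothetical handlers; replace the bodies with the real per-event work.
on_start() { logger -t acct-hook "session start for $1"; }
on_stop()  { logger -t acct-hook "session stop for $1"; }

main() {
    action=$(acct_action)
    case $action in
        start:*) on_start "${action#start:}" ;;
        stop:*)  on_stop "${action#stop:}" ;;
        reject)  logger -t acct-hook "rejected malformed User-Name"; return 1 ;;
    esac
}

# Run only when the server has supplied accounting attributes.
if [ -n "${ACCT_STATUS_TYPE:-}" ]; then main; fi
```

Because the script takes the user name from the environment rather than from arguments expanded into the program string, a hostile User-Name never becomes part of a command line.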