On Thu, Dec 16, 2004 at 09:12:59AM +0000, Santiago Balaguer García wrote:
> The action you proposed is to create a new attribute, for instance,
> Exec-Program-End, and insert it in the radreply table. For example, if I have
> these entries in this table:
> +-----+----------+-------------------+----+---------------------------------------+
> | id  | UserName | Attribute         | op | Value                                 |
> +-----+----------+-------------------+----+---------------------------------------+
> | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
> | 169 | 11101    | Session-Timeout   | := |                                       |
> | 170 | 11101    | Idle-Timeout      | := | 300                                   |
> +-----+----------+-------------------+----+---------------------------------------+
> 
> 
> The information for this user would be:
> +-----+----------+-------------------+----+---------------------------------------+
> | id  | UserName | Attribute         | op | Value                                 |
> +-----+----------+-------------------+----+---------------------------------------+
> | 168 | 11101    | Exec-Program-Wait | =  | /home/blackbox/start_script.sh %u %n  |
> | 169 | 11101    | Session-Timeout   | := |                                       |
> | 170 | 11101    | Idle-Timeout      | := | 300                                   |
> | 171 | 11101    | Exec-Program-End  | =  | /home/blackbox/finish_script.sh %u %n |
> +-----+----------+-------------------+----+---------------------------------------+

I should point out that Exec-Program-Wait is executed at the end of
authentication, not the start of accounting. It's probably fairly close
though.

> I located the accounting section, but I don't know what I must modify. So I
> attach my radius.conf.

Here's what I meant:

This won't quite work, since the contents of radreply don't go into
accounting packet responses. But this should give you the idea... You
might be better off using the acct_users file to set the
Exec-Program-End attribute, if it's as generic as the above.

_Or_ unify your scripts into one script for every user, and use the
parameters to determine what to do.

>       #
>       #  This is a more general example of the execute module.
>       #
>       #  If you wish to execute an external program in more than
>       #  one section (e.g. 'authorize', 'pre_proxy', etc), then it
>       #  is probably best to define a different instance of the
>       #  'exec' module for every section.
>       #
>       exec echo {
>               #
>               #  Wait for the program to finish.
>               #
>               #  If we do NOT wait, then the program is "fire and
>               #  forget", and any output attributes from it are ignored.
>               #
>               #  If we are looking for the program to output
>               #  attributes, and want to add those attributes to the
>               #  request, then we MUST wait for the program to
>               #  finish, and therefore set 'wait=yes'
>               #
>               # allowed values: {no, yes}
>               wait = yes
> 
>               #
>               #  The name of the program to execute, and its
>               #  arguments.  Dynamic translation is done on this
>               #  field, so things like the following example will
>               #  work.
>               #
>               program = "/bin/echo %{User-Name}"
> 
>               #
>               #  The attributes which are placed into the
>               #  environment variables for the program.
>               #
>               #  Allowed values are:
>               #
>               #       request         attributes from the request
>               #       reply           attributes from the reply
>               #       proxy-request   attributes from the proxy request
>               #       proxy-reply     attributes from the proxy reply
>               #
>               #  Note that some attributes may not exist at some
>               #  stages.  e.g. There may be no proxy-reply
>               #  attributes if this module is used in the
>               #  'authorize' section.
>               #
>               input_pairs = request
> 
>               #
>               #  Where to place the output attributes (if any) from
>               #  the executed program.  The values allowed, and the
>               #  restrictions as to availability, are the same as
>               #  for the input_pairs.
>               #
>               output_pairs = reply
> 
>               #
>               #  When to execute the program.  If the packet
>               #  type does NOT match what's listed here, then
>               #  the module does NOT execute the program.
>               #
>               #  For a list of allowed packet types, see
>               #  the 'dictionary' file, and look for VALUEs
>               #  of the Packet-Type attribute.
>               #
>               #  By default, the module executes on ANY packet.
>               #  Un-comment out the following line to tell the
>               #  module to execute only if an Access-Accept is
>               #  being sent to the NAS.
>               #
>               #packet_type = Access-Accept
>       }

exec endofacct {
        wait = no
        program = "%{Exec-Program-End}"
        input_pairs = request
        output_pairs = none
}

# The _or_ above would replace that with:

exec endofacct {
        wait = no
        program = "/home/blackbox/finish_script.sh %u %n"
        input_pairs = request
        output_pairs = none
}

> #
> #  Accounting.  Log the accounting data.
> #
> accounting {
>       #
>       #  Ensure that we have a semi-unique identifier for every
>       #  request, and many NAS boxes are broken.
>       acct_unique
> 
>       #
>       #  Create a 'detail'ed log of the packets.
>       #  Note that accounting requests which are proxied
>       #  are also logged in the detail file.
>       detail
> #     daily
> 
>       unix            # wtmp file
>       sql
>       #
>       #  For Simultaneous-Use tracking.
>       #
>       #  Due to packet losses in the network, the data here
>       #  may be incorrect.  There's little we can do about it.
>       radutmp
> #     sradutmp
> 
>       #  Return an address to the IP Pool when we see a stop record.
> #     main_pool
        #  Run the endofacct instance of the exec module at the end of
        #  accounting.
        endofacct
> }

Since the original thread has been lost from the email, I can only
surmise what you're trying to do. If you're trying to run a script
at Acct-Start and Acct-Stop, you probably actually want that to be
a single script, which checks the packet type and whatnot in its
variables and acts appropriately.

-- 
Paul "TBBle" Hampson, on an alternate email client.
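
An added example, not part of the original message: a sketch of the single script suggested above, which reads the packet type from its environment and validates the user name before handing it to the poster's start and finish scripts. It assumes the exec instance uses `input_pairs = request` and that request attributes arrive as environment variables named `USER_NAME` and `ACCT_STATUS_TYPE`, with string values possibly wrapped in double quotes; the function names `unquote`, `valid_user` and `acct_action` are hypothetical.

```shell
#!/bin/sh
# Added example: one accounting hook for both Start and Stop packets.
# Assumption: the exec instance uses input_pairs = request, so request
# attributes arrive as environment variables (USER_NAME, ACCT_STATUS_TYPE),
# and string values may be wrapped in double quotes.

# Strip one pair of surrounding double quotes, if present.
unquote() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Allow only a conservative username alphabet, so a crafted User-Name
# never reaches another script's command line.
valid_user() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    return 0
}

# Print start, stop or ignore for the current packet; print reject and
# return 1 when the user name fails validation.
acct_action() {
    user=$(unquote "${USER_NAME:-}")
    if ! valid_user "$user"; then
        echo reject
        return 1
    fi
    case $(unquote "${ACCT_STATUS_TYPE:-}") in
        Start) echo start ;;
        Stop)  echo stop ;;
        *)     echo ignore ;;    # Interim-Update and other types
    esac
}

# Run the poster's scripts only when the server supplied a packet type.
if [ -n "${ACCT_STATUS_TYPE:-}" ]; then
    user=$(unquote "${USER_NAME:-}")
    case $(acct_action) in
        start) exec /home/blackbox/start_script.sh "$user" ;;
        stop)  exec /home/blackbox/finish_script.sh "$user" ;;
    esac
fi
```
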
