SOLVED Re: pseudo-newbie exec scripts and session-time

Charles Gregory cgregory at
Fri Jun 12 21:32:36 CEST 2009

On Fri, 12 Jun 2009, Ivan Kalik wrote:
> Work what out?

Finally got my 1.x Session-Time script working (as an exec module). The 
really strange thing is that it is working *exactly* as I first thought
I should be doing it!!! (see below) I can only guess that somewhere along 
the way I had a linux permissions issue with scripts or files, and 
thosee got fixed while I was changing things and testing....

Here's how it works for me:

I define the exec instance named 'timecalc'....
(I've line-wrapped the program line that belongs all on one line)

   exec timecalc {
      wait = yes
      program = "/usr/local/etc/radius_timecalc
      input_pairs = request
      output_pairs = reply

Note that the 'packet_type:' has NOT been specified. That
may have been one of the things blocking execution....

I then coded the command to execute it in post-auth....

   post-auth {

The 'timecalc' perl script prints "Session-Time := 200\n" to standard output. 
And I made sure the script was group-executable by the radius user.

Yes, that simple. Could have sworn I tried that combo already.


I did try to follow the oft-quoted (almost shoved down my throat) example, 
right from the comments within the config file....

postauth {
    Session-Timeout := `%{exec:/usr/local/etc/timecalc %{User-Name}}`

.... but I kept getting this:
ERROR: Cannot find a configuration entry for module "Session-Timeout".

So I'm not sure why this syntax is offered up as "what to use". At the 
very least, perhaps the instruction is missing on WHERE to put that code.
I would think a module should somehow be called in the appropriate section
of the config file, as I've finally done it, but maybe the above syntax 
belongs somewhere else, like in the users file?

And sorry, but that thread about 'refresh variable after exec module'
did not actually contain any clear syntax examples. It appears *his* 
solution was to use 'wait-program-exec', which, according to what I
read, is a really old/deprecated way of doing things. And I *knew* that
I could do what I wanted to do. It was just figuring the syntax and
getting it right.... :)

So there you have it. And I thank the people who were doing there best to 
help me out, but really, if someone had just posted "try this" and the two 
sections of code at the top of this post, I would have *known* that was 
what was *supposed* to work, and would have looked for whatever permission 
bug was obviously the true culprit. As John rightly points out, the exec 
engine hasn't changed in a long time, so version level made no difference. 
It was just a matter of getting things right.

I hope this summary benefits others with CentOS or FreeRADIUS 1.0.x...

- Charles

More information about the Freeradius-Users mailing list