Exec-Program-Wait not working

Gianni Costanzi gianni.costanzi at gmail.com
Wed Jun 19 22:00:23 CEST 2019

Il giorno mer 19 giu 2019 alle 21:34 Alan DeKok <aland at deployingradius.com>
ha scritto:

> On Jun 19, 2019, at 2:18 PM, Gianni Costanzi <gianni.costanzi at gmail.com>
> wrote:
> > Hi Alan, the user is accepted by realm Imp proxy, then I force an
> analysis
> > of users file even if the realm authentication succeeds, because there
> can
> > be a user that is authenticated by the realm but must not be accepted by
> > radius (you must be accepted by realm imp and be defined in the users
> file
> > in order to have an access accept).
>   Why not just check the "users" file *before* proxying?
> authorize {
>         ...
>         files
>         if (notfound) {
>                 reject
>         }
>         ...
> }
>   It's *always* better to reject as soon as possible, instead of accepting
> the user, and then going "whoops, they were supposed to be rejected!"
>   If the "users" file isn't well-suited for this, you can use any number
> of other modules to load users from databases or text files.
> > So if realm authentication returns access Accept and I don’t put a
> default
> > access reject for users with realm imp, every user authenticated by realm
> > imp would be accepted by radius even without being defined in users file.
>   See above.
>   Again, describing the problem *correctly* will let us help you.  Giving
> wrong or incomplete information is a waste of everyones time.
>   Right now, you're giving out information in bits and pieces.  Stop it.
> > When I put the exec-program-wait with := as you suggested the user entry
> is
> > matched but the program is not executed at all, otherwise I would get an
> > entry in /var/log/messages.
>   You'd also get a message in the debug output.  Which we recommend
> reading.
> > I gave a look at the echo example but I don’t understand how I should use
> > it in the way I was using exec-program-wait in release 2.0
>   You don't.  You can create a module.  You can control when modules are
> called through if / then / else conditions.
>   You're stuck on implementing a *particular* solution.  Which means
> you're ignoring alternative solutions.
> > (where it worked
> > even if not placed on the first line as a check condition and was invoked
> > correctly).
>   You've said that already.  We understand.
> > I need to invoke that program only for some specific users and
> > after having received an access accept by realm imp. Then I can return
> > access accept to the device that authenticated the user.
>   See above:
> a) reject users BEFORE proxying
> b) then run the program for ALL users on Access-Accept
> > Hope I have clarified a bit our configuration.
>   I sincerely hope that this is the last clarification.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

Let’s keep it simple: I can’t invoke the program for every user that is
found in users file, but only for some users, and the syntax I was using
with Exec-Program-Wait was perfectly well suited for our purpose. So it’s
perfectly fine to reject the user before proxying it as you suggested, but
then I still need to invoke the external program only for some selected

To avoid you being so acid (I don’t really understand why, I was quite
polite I think), you’ve told me how to call Exec-Program-Wait, with := and
on the first line as a check item. I’ve told you that it is not invoked
even when I do that. Can you explain me why? Where should I check if there
is an error? Is there some different requirement compared to previous
versions of freeradius server? I think you can answer me even without
further details on this point.

We’re in an open source community where everyone should help the others if
the others are polite and correct. I think I’ve been both, so I don’t
really understand why you answered in such a bad way.

Best regards
   Gianni Costanzi
--< Sent from GMail mobile >--
Find me on LinkedIn: http://it.linkedin.com/in/giannicostanzi My blog:
http://networkingpills.wordpress.com My best photos on 500px:
http://500px.com/GianniCostanzi PGP Key Fingerprint: 2404 1798 E01F F6BF
0FA3 AA07 B6D5 040F 2EDD 456A

More information about the Freeradius-Users mailing list