3.40.2. Interpreting command stdin, stdout, and exit status

When the external command is run, all the attributes in the request will be formatted and passed to its standard input (stdin), one per line, in the format:
<tab> Attribute-Name = attribute_value
Each line output by the command on stdout is interpreted as a list of comma-separated attribute-value pairs in the format:
Attribute-Name = attribute_value
These attribute-value pairs are returned in the reply message (if any). Any output lines that cannot be interpreted in that form are put in a Reply-Message attribute and returned in the reply message (if any). (This last behaviour is for backwards compatibility only and will not be supported indefinitely.)
The exit status of the external command determines what type of reply is to be sent in response to the request:
  • 0 means reply with an acceptance. For Access-Requests, an Access-Accept will be sent. For Accounting-Requests, an Accounting-Response will be sent.
  • 1 means reply with a rejection. For Access-Requests, an Access-Reject is sent. For Accounting-Requests, no response is sent.
  • 2 means do not send any reply. This will also make the Realm fall through to the next AuthBy module if you specified more than one for this Realm. For more information, see Section 3.38.1. AuthByPolicy.
  • 3 means reply with an Access-Challenge for Access-Request. For Accounting-Requests, no response is sent.
  • Any other value means that no reply is sent and no further action is taken.
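The following Python script is an added example, not part of the original documentation: an external command that parses the stdin format described above, writes reply attributes to stdout, and selects the reply type through its exit status. The user allow-list, the Session-Timeout value, and the removal of surrounding double quotes from values are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical external command for <AuthBy EXTERNAL> (added example)."""
import sys

ACCEPT, REJECT, IGNORE, CHALLENGE = 0, 1, 2, 3  # exit statuses listed above
ALLOWED_USERS = {"alice", "bob"}                # constructed sample policy


def parse_request(lines):
    """Parse '<tab>Attribute-Name = value' lines into a dict; skip malformed lines."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")  # split on the first '=' only
        if sep and name.strip():
            # Assumption: strip surrounding double quotes if the server adds them.
            attrs[name.strip()] = value.strip().strip('"')
    return attrs


def safe_value(value, limit=64):
    """Drop commas and control characters so a request value echoed in a reply
    cannot be read back as extra attribute-value pairs or extra output lines."""
    return "".join(c for c in value if c.isprintable() and c != ",")[:limit]


def decide(attrs):
    """Return (exit_status, reply_lines) for one request."""
    user = attrs.get("User-Name")
    if user is None:
        return IGNORE, []                       # no reply; next AuthBy may handle it
    if user in ALLOWED_USERS:
        return ACCEPT, ["Session-Timeout = 3600",
                        "Reply-Message = Welcome " + safe_value(user)]
    return REJECT, ["Reply-Message = Access denied"]


def main():
    try:
        status, reply = decide(parse_request(sys.stdin))
    except Exception:
        status, reply = REJECT, []              # fail closed on any unexpected error
    for line in reply:
        print(line)                             # one attribute-value pair per line
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Request attributes are only ever read from stdin and compared as data; nothing from the request is passed to a shell or used to build a command line.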
<AuthBy EXTERNAL> will wait for the external process to complete before handling more requests, so you should use this carefully, and avoid using long-running commands. If you cannot avoid long-running EXTERNAL commands, you can use the Fork parameter to force <AuthBy EXTERNAL> to fork before calling the external command. This may improve performance.
<AuthBy EXTERNAL> also understands the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.