This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

This manual page is associated with Mac OS X Server. It is not available on standard Mac OS X (client) installations.

For more information about the manual page format, see the manual page for manpages(5).



rlm_passwd(5)                                 FreeRADIUS Module                                rlm_passwd(5)



NAME
       rlm_passwd - FreeRADIUS Module

DESCRIPTION
       The rlm_passwd module provides authorization via files similar in format to /etc/passwd.

       The rlm_passwd module allows you to retrieve any account information from any files with passwd-like
       format (/etc/passwd, /etc/group, smbpasswd, .htpasswd, etc).  Every field of the file may  be  mapped
       to a RADIUS attribute, with one of the fields used as a key.

       The  module  reads the file when it initializes, and caches the data in memory.  As a result, it does
       not support dynamic updates of the files (the server has to be HUP'd), but it is very fast, even  for
       files with thousands of lines.

       The configuration item(s):

       filename
              The path to the file.

       delimiter = ":"
              The character to use as a delimiter between fields.  The default is ":".

       hashsize
              The  size  of  the  hashtable.  If 0, then the passwords are not cached and the passwd file is
              parsed for every request.  We do not recommend such a configuration.  A larger hashsize  means
              less  probability  of collision and faster search in hashtable. Having a hashsize in the range
              of 30-100% of the number of passwd file records is reasonable.

       allowmultiplekeys
              If set to 'yes', and more than one record in file matches the  request,  then  the  attributes
              from  all records will be used. If set to 'no' (the default) the module will warn about
              duplicated records.

       ignorenislike
              If set to 'yes', then all records from the file beginning with the '+' sign will  be  ignored.
              The default is 'no'.

       authtype
              If an entry matches, the Auth-Type for the request will be set to the one specified here.

       format The format of the fields in the file, given as an example line from the file, with the content
              of the fields as the RADIUS attributes which the fields map to.  The fields are  separated  by
              the ':' character.

       The key field is signified by being preceded with a '*' character, which indicates that the field has
       only one key, like the /etc/passwd file.  The key field may instead  be  preceded  with  '*,',  which
       indicates that the field has multiple possible keys, like the /etc/group file.

       The  other  fields  signify RADIUS attributes which, by default, are added to the configuration items
       for a request.

       To add an attribute to the request (as though it was sent by the NAS), prefix the attribute  name  in
       the "format" string with the '~' character.

       To  add an attribute to the reply (to be sent back to the NAS) prefix the attribute name in the
       "format" string with the '=' character.


EXAMPLES
       format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file.  An entry matches a request when the  name  in  a
              User-Name  attribute  exists in the comma-separated list of a line in the file.  When an entry
              matches, a "My-Group" attribute will be created and added to the configuration items  for  the
              request.   The value of that attribute will be taken from the first field of the matching line
              in the file.

              The ":::" in the format string means that there are two extra fields in the line,  in  between
              the  group  name and list of user names.  Those fields do not map to any RADIUS attribute, and
              are therefore ignored.

              For this example to work in practice, you will have to add the My-Group attribute to the
              dictionary file.  See the dictionary manual page for details on how this may be done.

       format = "~My-Group:::*,User-Name"

              Similar  to  the  previous  entry,  except  the My-Group attribute is added to the request, as
              though it was sent by the NAS.
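
       The following Python model is an added example, not part of the original manual page and not
       FreeRADIUS code.  It applies the format-string rules above to a constructed group file to show
       which list each field lands in and how ignorenislike and allowmultiplekeys change the result.
       The function names, the sample data, and the choice to use the first record when
       allowmultiplekeys is 'no' are assumptions of the example.

```python
# Added model of the format-string rules on this page; not FreeRADIUS source.
from collections import defaultdict

LISTS = {"~": "request", "=": "reply"}   # no prefix: configuration items
# Constructed sample in /etc/group layout (not from any real system).
GROUP_FILE = "staff:*:20:alice,bob\nadmins:*:80:alice\n+nisgroup:*:0:mallory\n"

def parse_format(fmt):
    """Return (key_index, multi_key, fields) for a format string."""
    key_index, multi_key, fields = None, False, []
    for i, spec in enumerate(fmt.split(":")):    # format always uses ':'
        field = None                             # key or unmapped field
        if spec.startswith("*"):
            key_index, multi_key = i, spec.startswith("*,")
        elif spec:
            name = spec[1:] if spec[0] in LISTS else spec
            field = (LISTS.get(spec[0], "config"), name)
        fields.append(field)
    if key_index is None:
        raise ValueError("format string has no '*' key field")
    return key_index, multi_key, fields

def load_table(text, fmt, delimiter=":", ignorenislike=False):
    """Index every record under each of its keys (the in-memory cache)."""
    key_index, multi_key, fields = parse_format(fmt)
    table = defaultdict(list)
    for line in text.splitlines():
        values = line.split(delimiter)
        skip = ignorenislike and line.startswith("+")   # NIS-style record
        if skip or len(values) <= key_index:
            continue
        attrs = [(*fields[i], v) for i, v in enumerate(values[:len(fields)])
                 if fields[i]]
        keys = values[key_index].split(",") if multi_key else [values[key_index]]
        for key in filter(None, keys):
            table[key].append(attrs)
    return table

def lookup(table, key, allowmultiplekeys=False):
    """Return (attribute lists, duplicate flag) for one key value."""
    records = table.get(key, [])
    used = records if allowmultiplekeys else records[:1]  # first wins: assumption
    out = {"config": [], "request": [], "reply": []}
    for target, name, value in (a for rec in used for a in rec):
        out[target].append((name, value))
    return out, len(records) > 1
```

       The duplicate flag returned by lookup() corresponds to the case in which the module warns
       about duplicated records.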

SECTIONS
       authorize


FILES
       /etc/raddb/radiusd.conf


SEE ALSO
       radiusd(8), radiusd.conf(5), dictionary(5)

AUTHOR
       Alan DeKok <aland@freeradius.org>




                                                14 April 2004                                  rlm_passwd(5)
