rlm_passwd(5) FreeRADIUS Module rlm_passwd(5)
NAME
rlm_passwd - FreeRADIUS Module
DESCRIPTION
The rlm_passwd module provides authorization via files similar in format to /etc/passwd.
The rlm_passwd module allows you to retrieve any account information from any files with passwd-like
format (/etc/passwd, /etc/group, smbpasswd, .htpasswd, etc). Every field of the file may be mapped
to a RADIUS attribute, with one of the fields used as a key.
The module reads the file when it initializes, and caches the data in memory. As a result, it does
not support dynamic updates of the files (the server has to be HUP'd), but it is very fast, even for
files with thousands of lines.
The configuration item(s):
filename
The path to the file.
delimiter = ":"
The character to use as a delimiter between fields. The default is ":"
hashsize
The size of the hashtable. If 0, then the passwords are not cached and the passwd file is
parsed for every request. We do not recommend such a configuration. A larger hashsize means
less probability of collision and faster search in hashtable. Having a hashsize in the range
of 30-100% of the number of passwd file records is reasonable.
allowmultiplekeys
If set to 'yes', and more than one record in file matches the request, then the attributes
from all records will be used. If set to 'no' (the default) the module will warn about duplicated
records.
ignorenislike
If set to 'yes', then all records from the file beginning with the '+' sign will be ignored.
The default is 'no'.
authtype
If an entry matches, the Auth-Type for the request will be set to the one specified here.
format The format of the fields in the file, given as an example line from the file, with the content
of the fields as the RADIUS attributes which the fields map to. The fields are separated by
the ':' character.
The key field is signified by being preceded with a '*' character, which indicates that the field has
only one key, like the /etc/passwd file. The key field may instead be preceded with '*,', which
indicates that the field has multiple possible keys, like the /etc/group file.
The other fields signify RADIUS attributes which, by default, are added to the configuration items
for a request.
To add an attribute to the request (as though it was sent by the NAS), prefix the attribute name in
the "format" string with the '~' character.
To add an attribute to the reply (to be sent back to the NAS) prefix the attribute name in the "format"
string with the '=' character.
EXAMPLES
format = "My-Group:::*,User-Name"
Parse a file similar to the /etc/group file. An entry matches a request when the name in a
User-Name attribute exists in the comma-separated list of a line in the file. When an entry
matches, a "My-Group" attribute will be created and added to the configuration items for the
request. The value of that attribute will be taken from the first field of the matching line
in the file.
The ":::" in the format string means that there are two extra fields in the line, in between
the group name and list of user names. Those fields do not map to any RADIUS attribute, and
are therefore ignored.
For this example to work in practice, you will have to add the My-Group attribute to the dictionary
file. See the dictionary manual page for details on how this may be done.
format = "~My-Group:::*,User-Name"
Similar to the previous entry, except the My-Group attribute is added to the request, as
though it was sent by the NAS.
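The following is an added, constructed simulator of the "format" string semantics described above (example code, not rlm_passwd's own implementation); the attribute names, group records and request values it uses are made up for illustration.

```python
"""Constructed simulator of rlm_passwd's "format" string: '*' marks the single-key
field, '*,' a comma-separated multi-key field, '~' -> request, '=' -> reply, none -> config."""
from collections import defaultdict

# Prefix -> (destination, multikey). '*,' must be tested before '*'.
PREFIXES = {"*,": ("key", True), "*": ("key", False),
            "~": ("request", False), "=": ("reply", False)}


def parse_format(fmt, delimiter=":"):
    """Return [(attribute, destination, multikey)] per field; '' attribute = ignored field."""
    fields = []
    for raw in fmt.split(delimiter):
        for prefix, (dest, multi) in PREFIXES.items():
            if raw.startswith(prefix):
                fields.append((raw[len(prefix):], dest, multi))
                break
        else:
            fields.append((raw, "config", False))
    if sum(dest == "key" for _, dest, _ in fields) != 1:
        raise ValueError("format needs exactly one key field ('*' or '*,')")
    return fields


def lookup(lines, fmt, key_value, delimiter=":",
           ignorenislike=False, allowmultiplekeys=False):
    """Return {"config"|"request"|"reply": {attr: [values...]}} from matching records."""
    fields = parse_format(fmt, delimiter)
    key_idx = next(i for i, (_, dest, _) in enumerate(fields) if dest == "key")
    out = {"config": defaultdict(list), "request": defaultdict(list),
           "reply": defaultdict(list)}
    for line in lines:
        if ignorenislike and line.startswith("+"):
            continue                       # skip NIS-style '+' records
        values = line.rstrip("\n").split(delimiter)
        if len(values) != len(fields):
            continue                       # wrong field count: ignore record
        key = values[key_idx]
        if key_value not in (key.split(",") if fields[key_idx][2] else [key]):
            continue
        for (attr, dest, _), value in zip(fields, values):
            if dest != "key" and attr:
                out[dest][attr].append(value)
        if not allowmultiplekeys:
            break                          # first match only (module warns on duplicates)
    return {dest: dict(attrs) for dest, attrs in out.items()}


# Constructed /etc/group-style records for the man page's example format.
GROUP_LINES = ["wheel:x:10:root,alice", "staff:x:50:alice,bob", "+:::"]
```

Note that with hashsize = 0 the real module re-parses the file per request instead of using a cached table; this simulator always scans the lines, so it models the lookup semantics, not the caching.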
SECTIONS
authorize
FILES
/etc/raddb/radiusd.conf
SEE ALSO
radiusd(8), radiusd.conf(5), dictionary(5)
AUTHOR
Alan DeKok <aland@freeradius.org>
14 April 2004 rlm_passwd(5)