rlm_passwd(5)                  FreeRADIUS Module                 rlm_passwd(5)

NAME
       rlm_passwd - FreeRADIUS Module

DESCRIPTION
       The rlm_passwd module provides authorization via files similar in
       format to /etc/passwd.

       This module allows you to retrieve any account information from any
       files with passwd-like format (/etc/passwd, /etc/group, smbpasswd,
       .htpasswd, etc). Every field of the file may be mapped to a RADIUS
       attribute, with one of the fields used as a key.

       The module reads the file when it initializes, and caches the data in
       memory. This makes it very fast, even for files with thousands of
       lines. To re-read the file the module will need to be reloaded with
       radmin(8), or the server will need to be sent a SIGHUP, as dynamic
       updates are not supported.

CONFIGURATION
       The configuration items:

       allow_multiple_keys
              If set to 'yes', and more than one record in the file matches
              the request, then the attributes from all records will be used.
              If set to 'no' (the default) the module will warn about
              duplicated records.

       delimiter = ":"
              The character to use as a delimiter between fields. The default
              is ":".

       filename
              The path to the file.

       format The format of the fields in the file, given as an example line
              from the file, with the content of the fields as the RADIUS
              attributes which the fields map to. The fields are separated by
              the ':' character in the configuration (no matter what is
              configured for the 'delimiter' option).

       hash_size
              The size of the hash table. A larger value means less
              probability of a collision, so records will be found faster, at
              the expense of greater memory usage. Having a hash_size in the
              range of 30-100% of the number of passwd file records is
              reasonable.

       ignore_empty
              When set to "yes", the default, empty fields in the input will
              be skipped and the RADIUS attribute will not be added. By
              setting this value to "no", all attributes in the format list
              will always be added, even if they have no value.

       ignore_nislike
              If set to 'yes', then all records from the file beginning with
              the '+' sign will be ignored. The default is 'no'.

FORMAT
       The format option controls how lines are read from the file, and which
       fields are mapped to which RADIUS attributes.

       The key field is the field being searched for within the file. It is
       normally signified by being preceded with a '*' character, which
       indicates that the field has only one key, like the /etc/passwd file.
       The key field may instead be preceded with '*,', which indicates that
       the field has multiple possible comma-separated keys, such as when
       searching the /etc/group file.

       The other fields signify RADIUS attributes. By default they will be
       added to the control attribute list.

       To add an attribute to the RADIUS request (as though it had been sent
       by the NAS), prefix the attribute name in the "format" string with the
       '~' character.

       To add an attribute to the RADIUS reply (to be sent back to the NAS),
       prefix the attribute name in the "format" string with the '='
       character.

EXAMPLES
       format = "*User-Name:Crypt-Password:"

              For a file that looks similar to /etc/passwd. The first field,
              User-Name, is the key to look up in the file. When the record is
              found, a control attribute, 'Crypt-Password', will be added with
              the contents of the second field. (Note this will not work with
              shadow passwords.)

       format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file. An entry matches a
              request when the name in a User-Name attribute exists in the
              comma-separated list of a line in the file. When an entry
              matches, a "My-Group" attribute will be created and added to the
              control items for the request. The value of that attribute will
              be taken from the first field of the matching line in the file.

              The ":::" in the format string means that there are two extra
              fields in the line, in between the group name and the list of
              user names. Those fields do not map to any RADIUS attribute, and
              are therefore ignored.

              For this example to work in practice, you will have to add the
              My-Group attribute to the dictionary file. See dictionary(5)
              for details on how this may be done.

       format = "~My-Group:::*,User-Name"

              Similar to the previous entry, except the My-Group attribute is
              added to the request, as though it was sent by the NAS.

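       The lookup rules of the FORMAT and EXAMPLES sections, modelled in
       Python as an added illustration (this is not rlm_passwd's own C code).
       The hypothetical PasswdFile class builds the in-memory table once at
       load time, applies the '*', '*,', '~' and '=' prefixes and the ':::'
       skipped fields, and honours the ignore_empty, ignore_nislike,
       allow_multiple_keys and delimiter options. The passwd and group lines
       are constructed sample data; how the real module treats a line with
       fewer fields than the format, and which record it keeps when
       duplicates are not allowed, are assumptions made here.

```python
from dataclasses import dataclass


@dataclass
class FieldSpec:
    name: str    # RADIUS attribute the field maps to ("" = field is ignored)
    key: bool    # the field searched for ('*' prefix in the format string)
    multi: bool  # key field is a comma-separated list ('*,' prefix)
    where: str   # "control" (default), "request" ('~') or "reply" ('=')


def parse_format(fmt):
    """Split a format string on ':' (always ':', whatever 'delimiter' is)."""
    specs = []
    for raw in fmt.split(":"):
        key = multi = False
        where = "control"
        name = raw
        if name.startswith("*,"):
            key, multi, name = True, True, name[2:]
        elif name.startswith("*"):
            key, name = True, name[1:]
        if name.startswith("~"):
            where, name = "request", name[1:]
        elif name.startswith("="):
            where, name = "reply", name[1:]
        specs.append(FieldSpec(name, key, multi, where))
    if sum(s.key for s in specs) != 1:
        raise ValueError("format must mark exactly one key field")
    return specs


class PasswdFile:
    """In-memory table of one passwd-like file, built once when loaded."""

    def __init__(self, text, fmt, delimiter=":", ignore_empty=True,
                 ignore_nislike=False, allow_multiple_keys=False):
        self.specs = parse_format(fmt)
        self.key_index = next(i for i, s in enumerate(self.specs) if s.key)
        self.ignore_empty = ignore_empty
        self.allow_multiple_keys = allow_multiple_keys
        self.table = {}  # key -> list of field lists (the cached records)
        for line in text.splitlines():
            if not line or (ignore_nislike and line.startswith("+")):
                continue  # '+' lines are NIS-style includes
            fields = line.split(delimiter)
            # Assumption: lines shorter than the format are padded with "".
            fields += [""] * (len(self.specs) - len(fields))
            keys = fields[self.key_index]
            multi = self.specs[self.key_index].multi
            for key in (keys.split(",") if multi else [keys]):
                self.table.setdefault(key, []).append(fields)

    def lookup(self, key):
        """Attributes a matching request would receive, per attribute list."""
        result = {"control": [], "request": [], "reply": [], "warnings": []}
        records = self.table.get(key, [])
        if len(records) > 1 and not self.allow_multiple_keys:
            result["warnings"].append(f"duplicate records for key {key!r}")
            records = records[:1]  # assumption: first record wins
        for fields in records:
            for spec, value in zip(self.specs, fields):
                if spec.key or not spec.name:
                    continue  # key field and ':::' gaps map to nothing
                if value == "" and self.ignore_empty:
                    continue  # ignore_empty = yes: skip empty fields
                result[spec.where].append((spec.name, value))
        return result


# Constructed sample files (not real accounts); the crypt hash is a dummy.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:$1$saltsalt$hashhash:1000:1000::/home/alice:/bin/sh\n"
    "guest::1001:1001:Guest:/tmp:/bin/false\n"
    "+@netusers::::::\n"
)
SAMPLE_GROUP = (
    "wheel:x:10:root,alice\n"
    "users:x:100:alice,bob\n"
)

if __name__ == "__main__":
    pw = PasswdFile(SAMPLE_PASSWD, "*User-Name:Crypt-Password:")
    print("alice ->", pw.lookup("alice"))
    grp = PasswdFile(SAMPLE_GROUP, "My-Group:::*,User-Name")
    print("alice groups (duplicates warned) ->", grp.lookup("alice"))
    grp_all = PasswdFile(SAMPLE_GROUP, "My-Group:::*,User-Name",
                         allow_multiple_keys=True)
    print("alice groups (all) ->", grp_all.lookup("alice"))
```

       Note that the table is built in the constructor and never re-read,
       which mirrors the man page's point that a changed file only takes
       effect after the module is reloaded.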
SECTIONS
       authorize

FILES
       /etc/raddb/mods-available/passwd

SEE ALSO
       radiusd(8), radiusd.conf(5), radmin(8), dictionary(5), rlm_unix(5)

AUTHOR
       Alan DeKok <aland@freeradius.org>, Matthew Newton
       <matthew@newtoncomputing.co.uk>.

                                20 January 2015                  rlm_passwd(5)