rlm_passwd(5)                  FreeRADIUS Module                 rlm_passwd(5)

NAME

       rlm_passwd - FreeRADIUS Module

DESCRIPTION

       The rlm_passwd module provides authorization via files similar in
       format to /etc/passwd.

       The rlm_passwd module allows you to retrieve any account information
       from any file with a passwd-like format (/etc/passwd, /etc/group,
       smbpasswd, .htpasswd, etc).  Every field of the file may be mapped to a
       RADIUS attribute, with one of the fields used as a key.

       The module reads the file when it initializes, and caches the data in
       memory.  As a result, it does not support dynamic updates of the files
       (the server has to be HUP'd), but it is very fast, even for files with
       thousands of lines.

       The configuration item(s):

       filename
              The path to the file.

       delimiter = ":"
              The character to use as a delimiter between fields.  The default
              is ":"

       hashsize
              The size of the hashtable.  If 0, then the passwords are not
              cached and the passwd file is parsed for every request.  We do
              not recommend such a configuration.  A larger hashsize means
              less probability of collision and faster search in hashtable.
              Having a hashsize in the range of 30-100% of the number of
              passwd file records is reasonable.

       allowmultiplekeys
              If set to 'yes', and more than one record in file matches the
              request, then the attributes from all records will be used. If
              set to 'no' (the default) the module will warn about duplicated
              records.

       ignorenislike
              If set to 'yes', then all records from the file beginning with
              the '+' sign will be ignored.  The default is 'no'.

       format The format of the fields in the file, given as an example line
              from the file, with the content of the fields as the RADIUS
              attributes which the fields map to.  The fields are separated by
              the ':' character.

       The key field is signified by being preceded with a '*' character,
       which indicates that the field has only one key, like the /etc/passwd
       file.  The key field may instead be preceded with '*,', which indicates
       that the field has multiple possible keys, like the /etc/group file.

       The other fields signify RADIUS attributes which, by default, are added
       to the configuration items for a request.

       To add an attribute to the request (as though it was sent by the NAS),
       prefix the attribute name in the "format" string with the '~'
       character.

       To add an attribute to the reply (to be sent back to the NAS) prefix
       the attribute name in the "format" string with the '=' character.

       ignoreempty
              This configuration item defaults to "yes".  If there is no value
              for the attribute, then the attribute is not added.  By setting
              this value to "no", you can force the attribute to be added,
              even if there is no value.

EXAMPLES

       format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file.  An entry matches a
              request when the name in a User-Name attribute exists in the
              comma-separated list of a line in the file.  When an entry
              matches, a "My-Group" attribute will be created and added to the
              configuration items for the request.  The value of that
              attribute will be taken from the first field of the matching
              line in the file.

              The ":::" in the format string means that there are two extra
              fields in the line, in between the group name and list of user
              names.  Those fields do not map to any RADIUS attribute, and are
              therefore ignored.

              For this example to work in practice, you will have to add the
              My-Group attribute to the dictionary file.  See the dictionary
              manual page for details on how this may be done.

       format = "~My-Group:::*,User-Name"

              Similar to the previous entry, except the My-Group attribute is
              added to the request, as though it was sent by the NAS.
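
       The format rules above, modelled as an added Python example (not
       FreeRADIUS code and not part of the original manual page).  The
       function names and the sample group lines are constructed for
       illustration; with allowmultiplekeys off, this model assumes the
       first matching record is used.

```python
# Added illustration of the "format" rules on this page; not FreeRADIUS code.
# parse_format() and lookup() are hypothetical names used only here.

# Constructed sample in /etc/group layout (not taken from a real system).
SAMPLE_GROUP = ["staff:x:50:alice,bob", "+nisgroup:::alice", "ops:x:60:alice"]

def parse_format(fmt, delimiter=":"):
    """Return one (list_name, attribute, key_kind) tuple per field."""
    fields = []
    for spec in fmt.split(delimiter):
        key = None
        if spec.startswith("*,"):
            key, spec = "multi", spec[2:]    # field holds several keys
        elif spec.startswith("*"):
            key, spec = "single", spec[1:]   # field holds exactly one key
        target = "config"                    # default: configuration items
        if spec.startswith("~"):
            target, spec = "request", spec[1:]
        elif spec.startswith("="):
            target, spec = "reply", spec[1:]
        fields.append((target, spec, key))
    return fields

def lookup(lines, fmt, key_value, delimiter=":", ignorenislike=False,
           ignoreempty=True, allowmultiplekeys=False):
    """Return the attributes a request keyed by key_value would receive."""
    fields = parse_format(fmt, delimiter)
    out = {"config": [], "request": [], "reply": []}
    for line in lines:
        if ignorenislike and line.startswith("+"):
            continue                         # skip NIS-style '+' records
        values = line.rstrip("\n").split(delimiter)
        values += [""] * (len(fields) - len(values))
        pairs = list(zip(fields, values))
        if not any(key and key_value in
                   (value.split(",") if key == "multi" else [value])
                   for (_, _, key), value in pairs):
            continue
        for (target, attr, key), value in pairs:
            if not attr or key:
                continue                     # unmapped field, or the key field
            if value or not ignoreempty:
                out[target].append((attr, value))
        if not allowmultiplekeys:
            break                            # assumption: first match is used
    return out
```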

SECTIONS

       authorize

FILES

       /etc/raddb/radiusd.conf

SEE ALSO

       radiusd(8), radiusd.conf(5), dictionary(5)

AUTHOR

       Alan DeKok <aland@freeradius.org>

                                 14 April 2004                   rlm_passwd(5)