1
.TH rlm_passwd 5 "14 April 2004" "" "FreeRADIUS Module"
3
rlm_passwd \- FreeRADIUS Module
5
The \fIrlm_passwd\fP module provides authorization via files similar
6
in format to /etc/passwd.
8
The \frlm_passwd\fP module allows you to retrieve any account
9
information from any files with passwd-like format (/etc/passwd,
10
/etc/group, smbpasswd, .htpasswd, etc). Every field of the file may
11
be mapped to a RADIUS attribute, with one of the fields used as a
14
The module reads the file when it initializes, and caches the data
15
in memory. As a result, it does not support dynamic updates of the
16
files (the server has to be HUP'd), but it is very fast, even for
17
files with thousands of lines.
19
The configuration item(s):
23
The character to use as a delimiter between fields. The default is
26
The size of the hashtable. If 0, then the passwords are not cached
27
and the passwd file is parsed for every request. We do not recommend
28
such a configuration. A larger hashsize means less probability of
29
collision and faster search in hashtable. Having a hashsize in the range
30
of 30-100% of the number of passwd file records is reasonable.
32
If set to 'yes', and more than one record in file matches the request,
33
then the attributes from all records will be used. If set to 'no' (the
34
default) the module will warn about duplicated records.
36
If set to 'yes', then all records from the file beginning with the '+'
37
sign will be ignored. The default is 'no'.
39
If an entry matches, the Auth-Type for the request will be set to the
42
The format of the fields in the file, given as an example line from
43
the file, with the content of the fields as the RADIUS attributes
44
which the fields map to. The fields are seperated by the ':' character.
46
The key field is signified by being preceded with a '*' character,
47
which indicates that the field has only one key, like the /etc/passwd
48
file. The key field may instead be preceded with '*,', which
49
indicates that the field has multiple possible keys, like the
52
The other fields signify RADIUS attributes which, by default, are
53
added to the configuration items for a request.
55
To add an attribute to the request (as though it was sent by the NAS),
56
prefix the attribute name in the "format" string with the '~' character.
58
To add an attribute to the reply (to be sent back to the NAS) prefix
59
the attribute name in the "format" string with the '=' character.
63
format = "My-Group:::*,User-Name"
66
Parse a file similar to the /etc/group file. An entry matches a
67
request when the name in a User-Name attribute exists in the
68
comma-seperated list of a line in the file. When an entry matches,
69
a "My-Group" attribute will be created and added to the configuration
70
items for the request. The value of that attribute will be taken from
71
the first field of the matching line in the file.
73
The ":::" in the format string means that there are extra two fields
74
in the line, in between the group name and list of user names. Those
75
fields do not map to any RADIUS attribute, and are therefore ignored.
77
For this example to work in practice, you will have to add the
78
My-Group attribute to the dictionary file. See the dictionary manual
79
page for details on how this may be done.
82
format = "~My-Group:::*,User-Name"
85
Similar to the previous entry, except the My-Group attribute is added
86
to the request, as though it was sent by the NAS.
91
.I /etc/raddb/radiusd.conf
98
Alan DeKok <aland@freeradius.org>