NAME
rlm_passwd - FreeRADIUS Module

DESCRIPTION
The rlm_passwd module provides authorization via files similar in format
to /etc/passwd.

The rlm_passwd module allows you to retrieve any account information from any
file with a passwd-like format (/etc/passwd, /etc/group, smbpasswd, .htpasswd,
etc.). Every field of the file may be mapped to a RADIUS attribute, with one of
the fields used as a key.

The module reads the file when it initializes, and caches the data in memory. As
a result, it does not support dynamic updates of the file (the server has to
be HUP'd), but it is very fast, even for files with thousands of lines.
The configuration items:

filename
    The path to the file.

delimiter = ":"
    The character to use as a delimiter between fields. The default is ":".

hashsize
    The size of the hash table. If 0, then the passwords are not cached and
    the passwd file is parsed for every request. We do not recommend such a
    configuration. A larger hashsize means a lower probability of collisions
    and a faster search in the hash table. A hashsize in the range of 30-100%
    of the number of records in the passwd file is reasonable.

allowmultiplekeys
    If set to 'yes', and more than one record in the file matches the request,
    then the attributes from all records will be used. If set to 'no' (the
    default), the module will warn about duplicated records.

ignorenislike
    If set to 'yes', then all records from the file beginning with the '+'
    sign will be ignored. The default is 'no'.

format
    The format of the fields in the file, given as an example line from the
    file, with the content of the fields being the RADIUS attributes which the
    fields map to. The fields are separated by the ':' character.

    The key field is signified by being preceded with a '*' character, which
    indicates that the field holds only one key, like the /etc/passwd file.
    The key field may instead be preceded with '*,', which indicates that the
    field holds multiple possible keys, like the /etc/group file.

    The other fields signify RADIUS attributes which, by default, are added to
    the configuration items for a request.

    To add an attribute to the request (as though it was sent by the NAS),
    prefix the attribute name in the "format" string with the '~' character.

    To add an attribute to the reply (to be sent back to the NAS), prefix the
    attribute name in the "format" string with the '=' character.

ignoreempty
    This configuration item defaults to "yes". If there is no value for the
    attribute, then the attribute is not added. By setting this value to "no",
    you can force the attribute to be added, even if there is no value.
EXAMPLES
format = "My-Group:::*,User-Name"
    Parse a file similar to the /etc/group file. An entry matches a request
    when the name in a User-Name attribute exists in the comma-separated list
    of a line in the file. When an entry matches, a "My-Group" attribute will
    be created and added to the configuration items for the request. The value
    of that attribute will be taken from the first field of the matching line
    in the file.

    The ":::" in the format string means that there are two extra fields in
    the line, between the group name and the list of user names. Those fields
    do not map to any RADIUS attribute, and are therefore ignored.

    For this example to work in practice, you will have to add the My-Group
    attribute to the dictionary file. See the dictionary manual page for
    details on how this may be done.

format = "~My-Group:::*,User-Name"
    Similar to the previous entry, except that the My-Group attribute is added
    to the request, as though it was sent by the NAS.
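The lookup rules described under the configuration items and in the two format examples above (the key field marked with '*' or '*,', the '~' and '=' prefixes, and the ignorenislike, allowmultiplekeys and ignoreempty options), worked through in a small Python model. This is an added example, not the module's own code: the two sample files, the My-Group and My-Vlan attribute names and all function names are constructed; Framed-IP-Address is a standard RADIUS attribute used only as an illustration.

```python
"""Model of the rlm_passwd lookup semantics (added example, not FreeRADIUS
code). Sample files, My-Group / My-Vlan and the function names are constructed."""
import sys
from collections import defaultdict

# Constructed /etc/group-style sample: name:password:gid:member,member
GROUP_FILE = """\
+nisgroup:x:1000:carol
dialup:x:2000:alice,bob
admins:x:2001:bob
dialup:x:2002:alice
"""
# Constructed passwd-style sample: user:vlan:address (bob has no address)
ACCOUNT_FILE = """\
alice:10:192.0.2.5
bob:20:
"""

def parse_format(fmt, delimiter=":"):
    """Split a format string into (attribute, destination, is_key, multi) per
    field. destination is 'config' (default), 'request' ('~') or 'reply' ('=')."""
    fields, key_index = [], None
    for i, spec in enumerate(fmt.split(delimiter)):
        is_key = multi = False
        if spec.startswith("*,"):        # multi-key field, as in /etc/group
            is_key, multi, spec = True, True, spec[2:]
        elif spec.startswith("*"):       # single-key field, as in /etc/passwd
            is_key, spec = True, spec[1:]
        dest = "config"
        if spec.startswith("~"):
            dest, spec = "request", spec[1:]
        elif spec.startswith("="):
            dest, spec = "reply", spec[1:]
        if is_key:
            if key_index is not None:
                raise ValueError("format string has more than one key field")
            key_index = i
        fields.append((spec, dest, is_key, multi))
    if key_index is None:
        raise ValueError("format string has no key field ('*' or '*,' prefix)")
    return fields, key_index

def load_passwd(text, fmt, delimiter=":", ignorenislike=False):
    """Read the file once and index every record by its key value(s), like the
    in-memory cache the module builds at initialization."""
    fields, key_index = parse_format(fmt, delimiter)
    table = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        if ignorenislike and line.startswith("+"):   # skip NIS-style records
            continue
        # Extra delimiters stay in the last field; short lines are padded with
        # empty fields (this example's choice, not documented behaviour).
        values = line.split(delimiter, len(fields) - 1)
        values += [""] * (len(fields) - len(values))
        key_value = values[key_index]
        keys = key_value.split(",") if fields[key_index][3] else [key_value]
        for key in keys:
            table[key].append(values)
    return fields, key_index, dict(table)

def authorize(state, key_value, allowmultiplekeys=False, ignoreempty=True):
    """Return the attributes the matching record(s) add, grouped by list
    (config / request / reply); None when no record matches."""
    fields, _key_index, table = state
    records = table.get(key_value, [])
    if not records:
        return None
    if len(records) > 1 and not allowmultiplekeys:
        # The man page only says the module warns here; this model keeps
        # the first matching record.
        print(f"warning: {len(records)} records match {key_value!r}", file=sys.stderr)
        records = records[:1]
    out = {"config": [], "request": [], "reply": []}
    for values in records:
        for (attr, dest, is_key, _multi), value in zip(fields, values):
            if is_key or not attr:       # key and unnamed fields add nothing
                continue
            if value == "" and ignoreempty:
                continue
            out[dest].append((attr, value))
    return out

def demo():
    """Run the man page's group format plus a reply-list / ignoreempty case."""
    groups = load_passwd(GROUP_FILE, "~My-Group:::*,User-Name", ignorenislike=True)
    accounts = load_passwd(ACCOUNT_FILE, "*User-Name:=My-Vlan:=Framed-IP-Address")
    return {
        "alice": authorize(groups, "alice", allowmultiplekeys=True),
        "bob": authorize(groups, "bob"),
        "carol": authorize(groups, "carol"),
        "bob-reply": authorize(accounts, "bob"),
        "bob-reply-keep-empty": authorize(accounts, "bob", ignoreempty=False),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the group file, "alice" matches two "dialup" lines, so with allowmultiplekeys the My-Group attribute is added twice to the request list; "bob" also matches two lines but, without allowmultiplekeys, only the first is used; "carol" appears only on the '+' line, so she matches nothing once ignorenislike is set. The account file shows that an empty field is dropped from the reply unless ignoreempty is turned off.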
SECTIONS
authorize

FILES
/etc/raddb/radiusd.conf

SEE ALSO
radiusd(8), radiusd.conf(5), dictionary(5)

AUTHOR
Alan DeKok <aland@freeradius.org>