rlm_passwd(5)		       FreeRADIUS Module		 rlm_passwd(5)

NAME
       rlm_passwd - FreeRADIUS Module

DESCRIPTION
       The rlm_passwd module provides authorization via files similar in format
       to /etc/passwd.

       This module allows you to retrieve any account information from any
       files with passwd-like format (/etc/passwd, /etc/group, smbpasswd,
       .htpasswd, etc). Every field of the file may be mapped to a RADIUS
       attribute, with one of the fields used as a key.

       The module reads the file when it initializes, and caches the data in
       memory. This makes it very fast, even for files with thousands of
       lines. To re-read the file the module will need to be reloaded with
       radmin(8), or the server will need to be sent a SIGHUP, as dynamic
       updates are not supported.

CONFIGURATION
       The configuration item(s):

       allow_multiple_keys
              If set to 'yes', and more than one record in the file matches
              the request, then the attributes from all records will be used.
              If set to 'no' (the default) the module will warn about
              duplicated records.

       delimiter = ":"
              The character to use as a delimiter between fields. The default
              is ":".

       filename
	      The path to the file.

       format The format of the fields in the file, given as an example line
              from the file, with the content of the fields as the RADIUS
              attributes which the fields map to. The fields are separated by
              the ':' character in the configuration (no matter what is
              configured for the 'delimiter' option).

       hash_size
              The size of the hash table. A larger value means less
              probability of a collision so records will be found faster, at
              the expense of greater memory usage. Having a hash_size in the
              range of 30-100% of the number of passwd file records is
              reasonable.

       ignore_empty
              When set to "yes", the default, empty fields in the input will
              be skipped and the RADIUS attribute will not be added. By
              setting this value to "no", all attributes in the format list
              will always be added, even if they have no value.

       ignore_nislike
              If set to 'yes', then all records from the file beginning with
              the '+' sign will be ignored. The default is 'no'.

FORMAT
       The format option controls how lines are read from the file, and which
       fields are mapped to which RADIUS attributes.

       The key field is the field being searched for within the file. It is
       normally signified by being preceded with a '*' character, which
       indicates that the field has only one key, like the /etc/passwd file.
       The key field may instead be preceded with '*,', which indicates that
       the field has multiple possible comma-separated keys, such as when
       searching the /etc/group file.

       The other fields signify RADIUS attributes. By default they will be
       added as a control attribute list.

       To add an attribute to the RADIUS request (as though it had been sent
       by the NAS), prefix the attribute name in the "format" string with the
       '~' character.

       To add an attribute to the RADIUS reply (to be sent back to the NAS),
       prefix the attribute name in the "format" string with the '='
       character.

EXAMPLES
       format =	"*User-Name:Crypt-Password:"

              For a file that looks similar to /etc/passwd. The first field,
              User-Name, is the key to look up in the file. When the record is
              found, a control attribute, 'Crypt-Password', will be added with
              the contents of the second field. (Note this will not work with
              shadow passwords.)

       format =	"My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file. An entry matches a
              request when the name in a User-Name attribute exists in the
              comma-separated list of a line in the file. When an entry
              matches, a "My-Group" attribute will be created and added to the
              control items for the request. The value of that attribute will
              be taken from the first field of the matching line in the file.

              The ":::" in the format string means that there are two extra
              fields in the line, in between the group name and list of user
              names. Those fields do not map to any RADIUS attribute, and are
              therefore ignored.

              For this example to work in practice, you will have to add the
              My-Group attribute to the dictionary file. See dictionary(5)
              for details on how this may be done.

       format =	"~My-Group:::*,User-Name"

	      Similar  to the previous entry, except the My-Group attribute is
	      added to the request, as though it was sent by the NAS.
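
       The mapping rules above, modelled in Python as an added illustration
       (not FreeRADIUS code). Assumptions: exactly one key field per format,
       the key field itself is not emitted as an attribute, and with
       allow_multiple_keys off only the first matching record is used.

```python
from collections import defaultdict

# Constructed sample lines in /etc/group layout (not from the man page).
GROUP_LINES = ["wheel:*:0:root,alice", "staff:*:20:alice,bob", "+@netgroup:::"]

def parse_format(fmt):
    """Split a format string into (attribute, list, key_kind) per field."""
    specs = []
    for field in fmt.split(":"):  # format always uses ':', whatever 'delimiter' is
        key = None
        if field.startswith("*,"):
            key, field = "multi", field[2:]
        elif field.startswith("*"):
            key, field = "single", field[1:]
        dest = "control"  # default list
        if field.startswith("~"):
            dest, field = "request", field[1:]
        elif field.startswith("="):
            dest, field = "reply", field[1:]
        specs.append((field or None, dest, key))
    if sum(1 for s in specs if s[2]) != 1:
        raise ValueError("format must mark exactly one key field")
    return specs

def load(lines, fmt, delimiter=":", ignore_nislike=False, ignore_empty=True):
    """Build key -> list of records; each record is a list of (list, attr, value)."""
    specs, table = parse_format(fmt), defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        if not line or (ignore_nislike and line.startswith("+")):
            continue
        values = line.split(delimiter)
        values += [""] * (len(specs) - len(values))  # pad short lines
        attrs, keys = [], []
        for (name, dest, key), value in zip(specs, values):
            if key:  # assumption: the key field itself is not added as an attribute
                keys = value.split(",") if key == "multi" else [value]
            elif name and (value or not ignore_empty):
                attrs.append((dest, name, value))
        for k in keys:
            table[k].append(attrs)
    return table

def lookup(table, key, allow_multiple_keys=False):
    """Attributes for a key; assumption: with 'no', only the first record is used."""
    records = table.get(key, [])
    if not allow_multiple_keys:
        records = records[:1]
    return [attr for record in records for attr in record]
```

       Loading GROUP_LINES with format "~My-Group:::*,User-Name" and looking
       up "alice" yields one My-Group request attribute, or two when
       allow_multiple_keys is enabled.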

SECTIONS
       authorize

FILES
       /usr/local/share/examples/freeradius/raddb/mods-available/passwd

SEE ALSO
       radiusd(8), radiusd.conf(5), radmin(8), dictionary(5), rlm_unix(5)

AUTHOR
       Alan DeKok <aland@freeradius.org>, Matthew Newton
       <matthew@newtoncomputing.co.uk>.

				20 January 2015			 rlm_passwd(5)
