Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
rlm_passwd(5)		       FreeRADIUS Module		 rlm_passwd(5)

       rlm_passwd - FreeRADIUS Module

       The  rlm_passwd module provides authorization via files similar in for-
       mat to /etc/passwd.

       This module allows you to retrieve any  account	information  from  any
       files with passwd-like format (/etc/passwd, /etc/group, smbpasswd, .ht-
       passwd, etc). Every field of the	file may be mapped to a	RADIUS	attri-
       bute, with one of the fields used as a key.

       The  module  reads the file when	it initializes,	and caches the data in
       memory.	This makes it very fast, even  for  files  with	 thousands  of
       lines.  To  re-read  the	 file the module will need to be reloaded with
       radmin(8), or the server	will need to be	sent a SIGHUP, as dynamic  up-
       dates are not supported.

       The configuration item(s):

	      If  set  to  'yes', and more than	one record in file matches the
	      request, then the	attributes from	all records will be  used.  If
	      set  to 'no' (the	default) the module will warn about duplicated

       delimiter = ":"
	      The character to use as a	delimiter between fields.  The default
	      is ":"

	      The path to the file.

       format The  format  of the fields in the	file, given as an example line
	      from the file, with the content of the fields as the RADIUS  at-
	      tributes	which  the  fields map to. The fields are separated by
	      the ':' character	in the configuration (no matter	what  is  con-
	      figured for the 'delimiter' option).

	      The  size	of the hash table. A larger value means	less probabil-
	      ity of a collision so records will be found faster, at  the  ex-
	      pense  of	 greater memory	usage. Having a	hash_size in the range
	      of 30-100% of the	number of passwd file records is reasonable.

	      When set to "yes", the default, empty fields in the  input  will
	      be  skipped and the RADIUS attribute will	not be added.  By set-
	      ting this	value to "no", all attributes in the format list  will
	      always be	added, even if they have no value.

	      If  set  to 'yes', then all records from the file	beginning with
	      the '+' sign will	be ignored.  The default is 'no'.

       The format option controls how lines are	read from the file, and	 which
       fields are mapped to which RADIUS attributes.

       The  key	 field	is the field being searched for	within the file. It is
       normally	signified by being preceded with a '*' character, which	 indi-
       cates  that the field has only one key, like the	/etc/passwd file.  The
       key field may instead be	preceded with '*,', which indicates  that  the
       field  has multiple possible comma-separated keys, such as when search-
       ing the /etc/group file.

       The other fields	signify	RADIUS attributes. By  default	they  will  be
       added as	a control attribute list.

       To  add	an attribute to	the RADIUS request (as though it had been sent
       by the NAS), prefix the attribute name in the "format" string with  the
       '~' character.

       To  add	an attribute to	the RADIUS reply (to be	sent back to the NAS),
       prefix the attribute name in the	"format" string	with the  '='  charac-

       format =	"*User-Name:Crypt-Password:"

	      For  a  file  the	looks similar to /etc/passwd. The first	field,
	      User-Name, is the	key to look up in the file. When the record is
	      found, a control attribute, 'Crypt-Password', will be added with
	      the contents of the second field.	(Note this will	not work  with
	      shadow passwords.)

       format =	"My-Group:::*,User-Name"

	      Parse a file similar to the /etc/group file.  An entry matches a
	      request when the name in a User-Name  attribute  exists  in  the
	      comma-separated  list  of	 a  line  in  the file.	 When an entry
	      matches, a "My-Group" attribute will be created and added	to the
	      control items for	the request.  The value	of that	attribute will
	      be taken from the	first field of the matching line in the	file.

	      The ":::"	in the format string means that	there  are  extra  two
	      fields  in  the line, in between the group name and list of user
	      names.  Those fields do not map to any RADIUS attribute, and are
	      therefore	ignored.

	      For  this	 example to work in practice, you will have to add the
	      My-Group attribute to the	dictionary  file.   See	 dictionary(5)
	      for details on how this may be done.

       format =	"~My-Group:::*,User-Name"

	      Similar  to the previous entry, except the My-Group attribute is
	      added to the request, as though it was sent by the NAS.



       radiusd(8), radiusd.conf(5), radmin(8), dictionary(5), rlm_unix(5)

       Alan DeKok <>, Matthew  Newton  <matthew@newtoncom->.

				20 January 2015			 rlm_passwd(5)


Want to link to this manual page? Use this URL:

home | help