Provided by: freeradius_1.1.7-1build4_i386


       rlm_passwd - FreeRADIUS Module


       The  rlm_passwd  module  provides  authorization  via  files similar in
       format to /etc/passwd.

       The rlm_passwd module allows you to retrieve  any  account  information
       from  any  files  with  passwd-like  format  (/etc/passwd,  /etc/group,
       smbpasswd, .htpasswd, etc).  Every field of the file may be mapped to a
       RADIUS attribute, with one of the fields used as a key.

       The  module  reads the file when it initializes, and caches the data in
       memory.  As a result, it does not support dynamic updates of the  files
       (the  server has to be HUP’d), but it is very fast, even for files with
       thousands of lines.

       The configuration item(s):

              The path to the file.

       delimiter = ":"
              The character to use as a delimiter between fields.  The default
              is ":".

              The  size  of  the  hashtable.  If 0, then the passwords are not
              cached and the passwd file is parsed for every request.   We  do
              not  recommend  such  a  configuration.  A larger hashsize means
              less probability of collision and faster  search  in  hashtable.
              Having  a  hashsize  in  the  range  of 30-100% of the number of
              passwd file records is reasonable.

              If set to ’yes’, and more than one record in  file  matches  the
              request,  then  the attributes from all records will be used. If
              set to ’no’ (the default) the module will warn about  duplicated

              If  set  to ’yes’, then all records from the file beginning with
              the ’+’ sign will be ignored.  The default is ’no’.

              If an entry matches, the Auth-Type for the request will  be  set
              to the one specified here.

       format The  format  of the fields in the file, given as an example line
              from the file, with the content of  the  fields  as  the  RADIUS
              attributes which the fields map to.  The fields are separated by
              the ’:’ character.

       The key field is signified by being  preceded  with  a  ’*’  character,
       which  indicates  that the field has only one key, like the /etc/passwd
       file.  The key field may instead be preceded with ’*,’, which indicates
       that the field has multiple possible keys, like the /etc/group file.

       The other fields signify RADIUS attributes which, by default, are added
       to the configuration items for a request.

       To add an attribute to the request (as though it was sent by the  NAS),
       prefix  the  attribute  name  in  the  "format"  string  with  the  ’~’

       To add an attribute to the reply (to be sent back to  the  NAS)  prefix
       the attribute name in the "format" string with the ’=’ character.


       format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file.  An entry matches a
              request when the name in a User-Name  attribute  exists  in  the
              comma-separated  list  of  a  line  in  the file.  When an entry
              matches, a "My-Group" attribute will be created and added to the
              configuration   items  for  the  request.   The  value  of  that
              attribute will be taken from the first  field  of  the  matching
              line in the file.

              The  ":::"  in  the format string means that there are two extra
              fields in the line, in between the group name and list  of  user
              names.  Those fields do not map to any RADIUS attribute, and are
              therefore ignored.

              For this example to work in practice, you will have to  add  the
              My-Group  attribute  to the dictionary file.  See the dictionary
              manual page for details on how this may be done.

       format = "~My-Group:::*,User-Name"

              Similar to the previous entry, except the My-Group attribute  is
              added to the request, as though it was sent by the NAS.
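
The two format strings above, modelled in Python as an added example (it is not FreeRADIUS code and not part of the original manual page). The function names, the parameter names and the sample group data are assumptions made for illustration, and stopping at the first matching record is a simplification.

```python
# Added illustration of the "format" semantics on this page; not FreeRADIUS code.
# Function and parameter names are hypothetical; sample data is constructed.
PREFIX_LISTS = {"~": "request", "=": "reply"}   # no prefix -> configuration items

def parse_format(fmt, delimiter=":"):
    """Return (fields, key_index, multi_key) for a format string."""
    fields, key_index, multi_key = [], None, False
    for i, spec in enumerate(fmt.split(delimiter)):
        if spec.startswith("*"):                 # key field: '*' or '*,'
            if key_index is not None:
                raise ValueError("more than one key field in format")
            key_index, multi_key = i, spec.startswith("*,")
            fields.append(None)                  # the key is matched, not copied
        elif spec == "":
            fields.append(None)                  # unmapped field, ignored
        elif spec[0] in PREFIX_LISTS:
            fields.append((PREFIX_LISTS[spec[0]], spec[1:]))
        else:
            fields.append(("config", spec))
    if key_index is None:
        raise ValueError("format has no key field marked with '*'")
    return fields, key_index, multi_key

def lookup(lines, fmt, key_value, delimiter=":", all_records=False, skip_plus=False):
    """Return attributes per list for key_value, or None when nothing matches."""
    fields, key_index, multi_key = parse_format(fmt, delimiter)
    result, matched = {"config": [], "request": [], "reply": []}, False
    for line in lines:
        if skip_plus and line.startswith("+"):
            continue                             # record beginning with '+'
        cols = line.rstrip("\n").split(delimiter)
        if len(cols) <= key_index:
            continue                             # short or malformed line
        keys = cols[key_index].split(",") if multi_key else [cols[key_index]]
        if key_value not in keys:                # exact match, never substring
            continue
        matched = True
        for spec, value in zip(fields, cols):
            if spec:
                result[spec[0]].append((spec[1], value))
        if not all_records:
            break                                # assumption: first record wins
    return result if matched else None

SAMPLE_GROUP = [                                 # constructed /etc/group-style data
    "netadmins:x:1001:alice,bob",
    "helpdesk:x:1002:carol,bob",
]
```

Running a candidate format string through a model like this before deploying it shows which prefixes place file contents in the request or the reply rather than in the configuration items.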






       radiusd(8), radiusd.conf(5), dictionary(5)


       Alan DeKok

                                 14 April 2004                   rlm_passwd(5)