Provided by: freeradius-common_2.1.10+dfsg-3build2_all


       rlm_passwd - FreeRADIUS Module


       The rlm_passwd module provides authorization via files similar in format to /etc/passwd.

       The rlm_passwd module allows you to retrieve any account information from any files with
       passwd-like format (/etc/passwd, /etc/group, smbpasswd, .htpasswd, etc).  Every  field  of
       the file may be mapped to a RADIUS attribute, with one of the fields used as a key.

       The  module  reads  the  file  when  it  initializes, and caches the data in memory.  As a
       result, it does not support dynamic updates of the files (the server has to be HUP'd), but
       it is very fast, even for files with thousands of lines.

       The configuration item(s):

              The path to the file.

       delimiter = ":"
              The character to use as a delimiter between fields.  The default is ":".

              The  size of the hashtable.  If 0, then the passwords are not cached and the passwd
              file is parsed for every request.  We do not recommend  such  a  configuration.   A
              larger hashsize means less probability of collision and faster search in hashtable.
              Having a hashsize in the range of 30-100% of the number of passwd file  records  is

              If  set  to  'yes',  and more than one record in file matches the request, then the
              attributes from all records will be used. If set to 'no' (the default)  the  module
              will warn about duplicated records.

              If set to 'yes', then all records from the file beginning with the '+' sign will be
              ignored.  The default is 'no'.

       format The format of the fields in the file, given as an example line from the file,  with
              the  content  of  the fields as the RADIUS attributes which the fields map to.  The
              fields are separated by the ':' character.

       The key field is signified by being preceded with a '*' character,  which  indicates  that
       the  field  has  only  one  key,  like the /etc/passwd file.  The key field may instead be
       preceded with '*,', which indicates that the field has multiple possible  keys,  like  the
       /etc/group file.

       The  other  fields  signify  RADIUS  attributes  which,  by  default,  are  added  to  the
       configuration items for a request.

       To add an attribute to the request (as  though  it  was  sent  by  the  NAS),  prefix  the
       attribute name in the "format" string with the '~' character.

       To add an attribute to the reply (to be sent back to the NAS) prefix the attribute name in
       the "format" string with the '=' character.

              This configuration item defaults to "yes".  If there is no value for the attribute,
              then  the attribute is not added.  By setting this value to "no", you can force the
              attribute to be added, even if there is no value.


       format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file.  An entry matches a request  when  the
              name in a User-Name attribute exists in the comma-separated list of a line in the
              file.  When an entry matches, a "My-Group" attribute will be created and  added  to
              the configuration items for the request.  The value of that attribute will be taken
              from the first field of the matching line in the file.

              The ":::" in the format string means that there are two extra fields in the line,
              in  between  the group name and list of user names.  Those fields do not map to any
              RADIUS attribute, and are therefore ignored.

              For this example to work in practice, you will have to add the  My-Group  attribute
              to the dictionary file.  See the dictionary manual page for details on how this may
              be done.

       format = "~My-Group:::*,User-Name"

              Similar to the previous entry, except  the  My-Group  attribute  is  added  to  the
              request, as though it was sent by the NAS.
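
       The following is an added illustration, not FreeRADIUS code: a small Python model of
       the "format" semantics described above (key markers '*' and '*,', the '~' and '='
       prefixes, unmapped fields, empty values not added).  The file contents and the
       parameter names ignore_plus and allow_multiple are constructed for this example, and
       using only the first match when allow_multiple is off is an assumption of the model.

```python
# Illustrative model of the rlm_passwd "format" string; not the module's own code.
# The sample file below is constructed, in /etc/group layout.
SAMPLE_GROUP_FILE = """\
netops:x:100:alice,bob
helpdesk:x:101:bob,carol
+nisgroup:x:102:dave
"""
PREFIX = {"~": "request", "=": "reply"}

def parse_format(fmt, delimiter=":"):
    """Return (fields, key_index, multi_key); a field is (list, attr) or None."""
    fields, key_index, multi_key = [], None, False
    for i, spec in enumerate(fmt.split(delimiter)):
        if spec.startswith("*"):                  # '*' = one key, '*,' = many
            key_index, multi_key = i, spec.startswith("*,")
            spec = spec[2:] if multi_key else spec[1:]
        if not spec:
            fields.append(None)                   # unmapped field, ignored
        elif spec[0] in PREFIX:
            fields.append((PREFIX[spec[0]], spec[1:]))
        else:
            fields.append(("config", spec))       # default: configuration items
    if key_index is None:
        raise ValueError("format string has no key field")
    return fields, key_index, multi_key

def load(text, fmt, delimiter=":", ignore_plus=False):
    """Read the file once and index it by key, as the module does at start-up."""
    fields, key_index, multi_key = parse_format(fmt, delimiter)
    table = {}
    for line in text.splitlines():
        values = line.split(delimiter)
        if len(values) < len(fields) or (ignore_plus and line.startswith("+")):
            continue                              # short line or ignored '+' record
        keys = values[key_index].split(",") if multi_key else [values[key_index]]
        for key in keys:
            table.setdefault(key, []).append(values)
    return fields, key_index, table

def lookup(loaded, key, allow_multiple=False):
    """Return the attributes a request with this key would receive, per list."""
    fields, key_index, table = loaded
    out = {"config": [], "request": [], "reply": []}
    records = table.get(key, [])
    for values in (records if allow_multiple else records[:1]):  # assumption: first match
        for i, (field, value) in enumerate(zip(fields, values)):
            if field and i != key_index and value:  # empty values are not added
                out[field[0]].append((field[1], value))
    return out
```
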






       radiusd(8), radiusd.conf(5), dictionary(5)


       Alan DeKok <>

                                          14 April 2004                             rlm_passwd(5)