bionic (5) rlm_passwd.5.gz

Provided by: freeradius-common_3.0.16+dfsg-1ubuntu3.2_all bug

NAME

       rlm_passwd - FreeRADIUS Module

DESCRIPTION

       The rlm_passwd module provides authorization via files similar in format to /etc/passwd.

       This  module  allows  you  to  retrieve  any  account  information from any files with passwd-like format
       (/etc/passwd, /etc/group, smbpasswd, .htpasswd, etc). Every field of the file may be mapped to  a  RADIUS
       attribute, with one of the fields used as a key.

       The  module  reads the file when it initializes, and caches the data in memory.  This makes it very fast,
       even for files with thousands of lines. To re-read the file the module will  need  to  be  reloaded  with
       radmin(8), or the server will need to be sent a SIGHUP, as dynamic updates are not supported.

CONFIGURATION

       The configuration item(s):

       allow_multiple_keys
              If  set  to  'yes', and more than one record in file matches the request, then the attributes from
              all records will be used. If set to 'no' (the default)  the  module  will  warn  about  duplicated
              records.

       delimiter = ":"
              The character to use as a delimiter between fields.  The default is ":"

       filename
              The path to the file.

       format The  format of the fields in the file, given as an example line from the file, with the content of
              the fields as the RADIUS attributes which the fields map to. The fields are separated by  the  ':'
              character in the configuration (no matter what is configured for the 'delimiter' option).

       hash_size
              The  size  of the hash table. A larger value means less probability of a collision so records will
              be found faster, at the expense of greater memory usage.  Having  a  hash_size  in  the  range  of
              30-100% of the number of passwd file records is reasonable.

       ignore_empty
              When set to "yes", the default, empty fields in the input will be skipped and the RADIUS attribute
              will not be added.  By setting this value to "no", all attributes in the format list  will  always
              be added, even if they have no value.

       ignore_nislike
              If  set to 'yes', then all records from the file beginning with the '+' sign will be ignored.  The
              default is 'no'.

FORMAT

       The format option controls how lines are read from the file, and which fields are mapped to which  RADIUS
       attributes.

       The key field is the field being searched for within the file. It is normally signified by being preceded
       with a '*' character, which indicates that the field has only one key, like the  /etc/passwd  file.   The
       key  field may instead be preceded with '*,', which indicates that the field has multiple possible comma-
       separated keys, such as when searching the /etc/group file.

       The other fields signify RADIUS attributes. By default they will be added as a control attribute list.

       To add an attribute to the RADIUS request (as though it had been sent by the NAS), prefix  the  attribute
       name in the "format" string with the '~' character.

       To  add  an  attribute to the RADIUS reply (to be sent back to the NAS), prefix the attribute name in the
       "format" string with the '=' character.

EXAMPLES

       format = "*User-Name:Crypt-Password:"

              For a file the looks similar to /etc/passwd. The first field, User-Name, is the key to look up  in
              the  file. When the record is found, a control attribute, 'Crypt-Password', will be added with the
              contents of the second field. (Note this will not work with shadow passwords.)

       format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file.  An entry matches a request when the name in a  User-
              Name attribute exists in the comma-separated list of a line in the file.  When an entry matches, a
              "My-Group" attribute will be created and added to the control items for the request.  The value of
              that attribute will be taken from the first field of the matching line in the file.

              The  ":::"  in the format string means that there are extra two fields in the line, in between the
              group name and list of user names.  Those fields do not map  to  any  RADIUS  attribute,  and  are
              therefore ignored.

              For  this  example  to  work  in  practice,  you  will  have  to add the My-Group attribute to the
              dictionary file.  See dictionary(5) for details on how this may be done.

       format = "~My-Group:::*,User-Name"

              Similar to the previous entry, except the My-Group attribute is added to the request, as though it
              was sent by the NAS.

SECTIONS

       authorize

FILES

       /etc/freeradius/3.0/mods-available/passwd

SEE ALSO

       radiusd(8), radiusd.conf(5), radmin(8), dictionary(5), rlm_unix(5)

AUTHOR

       Alan DeKok <aland@freeradius.org>, Matthew Newton <matthew@newtoncomputing.co.uk>.

                                                 20 January 2015                                   rlm_passwd(5)