Provided by: freeradius-common_3.2.0+dfsg-1_all


       rlm_passwd - FreeRADIUS Module


       The rlm_passwd module provides authorization via files similar in format to /etc/passwd.

       This module allows you to retrieve any account information from any files with passwd-like
       format (/etc/passwd, /etc/group, smbpasswd, .htpasswd, etc). Every field of the  file  may
       be mapped to a RADIUS attribute, with one of the fields used as a key.

       The  module reads the file when it initializes, and caches the data in memory.  This makes
       it very fast, even for files with thousands of lines. To re-read the file the module  will
       need  to  be  reloaded  with  radmin(8),  or  the server will need to be sent a SIGHUP, as
       dynamic updates are not supported.


       The configuration item(s):

       allow_multiple_keys
              If set to 'yes', and more than one record in the file matches the request, then
              the attributes from all records will be used. If set to 'no' (the default) the
              module will warn about duplicated records.

       delimiter = ":"
              The character to use as a delimiter between fields.  The default is ":".

       filename
              The path to the file.

       format The format of the fields in the file, given as an example line from the file,  with
              the  content  of  the  fields as the RADIUS attributes which the fields map to. The
              fields are separated by the ':' character in the configuration (no matter  what  is
              configured for the 'delimiter' option).

       hash_size
              The size of the hash table. A larger value means less probability of a collision so
              records will be found faster, at the expense of  greater  memory  usage.  Having  a
              hash_size  in  the  range  of  30-100%  of  the  number  of  passwd file records is

       ignore_empty
              When set to "yes", the default, empty fields in the input will be skipped  and  the
              RADIUS  attribute will not be added.  By setting this value to "no", all attributes
              in the format list will always be added, even if they have no value.

       ignore_nislike
              If set to 'yes', then all records from the file beginning with the '+' sign will be
              ignored.  The default is 'no'.


       The  format  option controls how lines are read from the file, and which fields are mapped
       to which RADIUS attributes.

       The key field is the field being searched for within the file. It is normally signified by
       being preceded with a '*' character, which indicates that the field has only one key, like
       the /etc/passwd file.  The key field may instead be preceded with  '*,',  which  indicates
       that  the  field  has  multiple  possible comma-separated keys, such as when searching the
       /etc/group file.

       The other fields signify RADIUS attributes. By default they will be added to the control
       attribute list.

       To  add an attribute to the RADIUS request (as though it had been sent by the NAS), prefix
       the attribute name in the "format" string with the '~' character.

       To add an attribute to the RADIUS reply (to be sent back to the NAS), prefix the attribute
       name in the "format" string with the '=' character.


       format = "*User-Name:Crypt-Password:"

              For a file that looks similar to /etc/passwd. The first field, User-Name, is the
              key to look up in the file. When the record is found, a control attribute,
              'Crypt-Password', will be added with the contents of the second field. (Note this
              will not work with shadow passwords.)

       format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file.  An entry matches a request  when  the
              name  in  a User-Name attribute exists in the comma-separated list of a line in the
              file.  When an entry matches, a "My-Group" attribute will be created and  added  to
              the  control items for the request.  The value of that attribute will be taken from
              the first field of the matching line in the file.

              The ":::" in the format string means that there are two extra fields in the line,
              in between the group name and list of user names.  Those fields do not map to any
              RADIUS attribute, and are therefore ignored.

              For this example to work in practice, you will have to add the  My-Group  attribute
              to the dictionary file.  See dictionary(5) for details on how this may be done.

       format = "~My-Group:::*,User-Name"

              Similar  to  the  previous  entry,  except  the  My-Group attribute is added to the
              request, as though it was sent by the NAS.
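
       The following is an added example, not code from FreeRADIUS or from this manual page: a
       simplified Python model of how a "format" string selects the key field and routes the
       other fields to the control, request or reply list. The function names, the sample
       records, and the choice to use the key field for lookup only are assumptions.

```python
# Simplified model of the rlm_passwd "format" semantics; not FreeRADIUS code.
PREFIX_LIST = {"~": "request", "=": "reply"}  # no prefix -> control list

def parse_format(fmt):
    """Return (fields, key_index, multi_key); fields[i] is (list, attr) or None."""
    fields, key_index, multi_key = [], None, False
    for i, spec in enumerate(fmt.split(":")):  # format always uses ':'
        if spec.startswith("*"):               # '*' = single key, '*,' = key list
            key_index, multi_key = i, spec.startswith("*,")
            spec = spec[2:] if multi_key else spec[1:]
        if not spec:
            fields.append(None)                # unmapped field, ignored
        else:
            fields.append((PREFIX_LIST.get(spec[0], "control"), spec.lstrip("~=")))
    if key_index is None:
        raise ValueError("format has no key field")
    return fields, key_index, multi_key

def lookup(lines, fmt, key, delimiter=":", allow_multiple_keys=False,
           ignore_empty=True, ignore_nislike=False):
    """Return the attributes a matching record adds to each list."""
    fields, key_index, multi_key = parse_format(fmt)
    out = {"control": [], "request": [], "reply": []}
    for line in lines:
        if not line or (ignore_nislike and line.startswith("+")):
            continue
        values = line.split(delimiter)
        if key_index >= len(values):
            continue
        keys = values[key_index].split(",") if multi_key else [values[key_index]]
        if key not in keys:
            continue
        for i, (mapping, value) in enumerate(zip(fields, values)):
            # Assumption of this model: the key field is used for lookup only.
            if mapping is None or i == key_index or (ignore_empty and not value):
                continue
            out[mapping[0]].append((mapping[1], value))
        if not allow_multiple_keys:
            break  # model simplification: first record wins, no warning logged
    return out

# Constructed sample data, not taken from any real system.
PASSWD = ["alice:$6$SAMPLE$constructed:1000:1000::/home/alice:/bin/sh"]
GROUP = ["staff:x:50:alice,bob", "ops:x:51:bob"]

if __name__ == "__main__":
    print(lookup(PASSWD, "*User-Name:Crypt-Password:", "alice"))
    print(lookup(GROUP, "My-Group:::*,User-Name", "bob", allow_multiple_keys=True))
    print(lookup(GROUP, "~My-Group:::*,User-Name", "alice"))
```

       With the '~' prefix the group lands in the request list, so later policy cannot tell
       it apart from an attribute the NAS supplied.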






       radiusd(8), radiusd.conf(5), radmin(8), dictionary(5), rlm_unix(5)


       Alan DeKok, Matthew Newton.

                                         20 January 2015                            rlm_passwd(5)