Man Linux: Main Page and Category List


       rlm_passwd - FreeRADIUS Module


       The  rlm_passwd  module  provides  authorization  via  files similar in
       format to /etc/passwd.

       The lm_passwd module allows you to  retrieve  any  account  information
       from  any  files  with  passwd-like  format  (/etc/passwd,  /etc/group,
       smbpasswd, .htpasswd, etc).  Every field of the file may be mapped to a
       RADIUS attribute, with one of the fields used as a key.

       The  module  reads the file when it initializes, and caches the data in
       memory.  As a result, it does not support dynamic updates of the  files
       (the  server has to be HUP’d), but it is very fast, even for files with
       thousands of lines.

       The configuration item(s):

              The path to the file.

       delimiter = ":"
              The character to use as a delimiter between fields.  The default
              is ":"

              The  size  of  the  hashtable.  If 0, then the passwords are not
              cached and the passwd file is parsed for every request.   We  do
              not  recommend  such  a  configuration.  A larger hashsize means
              less probability of collision and faster  search  in  hashtable.
              Having  a  hashsize  in  the  range  of 30-100% of the number of
              passwd file records is reasonable.

              If set to ’yes’, and more than one record in  file  matches  the
              request,  then  the attributes from all records will be used. If
              set to ’no’ (the default) the module will warn about  duplicated

              If  set  to ’yes’, then all records from the file beginning with
              the ’+’ sign will be ignored.  The default is ’no’.

       format The format of the fields in the file, given as an  example  line
              from  the  file,  with  the  content of the fields as the RADIUS
              attributes which the fields map to.  The fields are seperated by
              the ’:’ character.

       The  key  field  is  signified  by being preceded with a ’*’ character,
       which indicates that the field has only one key, like  the  /etc/passwd
       file.  The key field may instead be preceded with ’*,’, which indicates
       that the field has multiple possible keys, like the /etc/group file.

       The other fields signify RADIUS attributes which, by default, are added
       to the configuration items for a request.

       To  add an attribute to the request (as though it was sent by the NAS),
       prefix  the  attribute  name  in  the  "format"  string  with  the  ’~’

       To  add  an  attribute to the reply (to be sent back to the NAS) prefix
       the attribute name in the "format" string with the ’=’ character.

              This configuration item defaults to "yes".  If there is no value
              for  the attribute, then the attribute is not added.  By setting
              this value to "no", you can force the  attribute  to  be  added,
              even if there is no value.


              format = "My-Group:::*,User-Name"

              Parse a file similar to the /etc/group file.  An entry matches a
              request when the name in a User-Name  attribute  exists  in  the
              comma-seperated  list  of  a  line  in  the file.  When an entry
              matches, a "My-Group" attribute will be created and added to the
              configuration   items  for  the  request.   The  value  of  that
              attribute will be taken from the first  field  of  the  matching
              line in the file.

              The  ":::"  in  the format string means that there are extra two
              fields in the line, in between the group name and list  of  user
              names.  Those fields do not map to any RADIUS attribute, and are
              therefore ignored.

              For this example to work in practice, you will have to  add  the
              My-Group  attribute  to the dictionary file.  See the dictionary
              manual page for details on how this may be done.

              format = "~My-Group:::*,User-Name"

              Similar to the previous entry, except the My-Group attribute  is
              added to the request, as though it was sent by the NAS.






       radiusd(8), radiusd.conf(5) dictionary(5),


       Alan DeKok <>

                                 14 April 2004                   rlm_passwd(5)