rlm_passwd(5)		       FreeRADIUS Module		 rlm_passwd(5)



NAME
       rlm_passwd - FreeRADIUS Module

DESCRIPTION
       The  rlm_passwd module provides authorization via files similar in for-
       mat to /etc/passwd.

       This module allows you to retrieve any  account	information  from  any
       files with passwd-like format (/etc/passwd, /etc/group, smbpasswd, .ht-
       passwd, etc). Every field of the file may be mapped to a RADIUS	attri-
       bute, with one of the fields used as a key.

       The  module  reads the file when it initializes, and caches the data in
       memory.	This makes it very fast, even  for  files  with  thousands  of
       lines.  To  re-read  the  file the module will need to be reloaded with
       radmin(8), or the server will need to be sent a SIGHUP, as dynamic  up-
       dates are not supported.

CONFIGURATION
       The configuration item(s):

       allow_multiple_keys
	      If  set  to  'yes', and more than one record in file matches the
	      request, then the attributes from all records will be  used.  If
	      set  to 'no' (the default) the module will warn about duplicated
	      records.

       delimiter = ":"
	      The character to use as a delimiter between fields.  The default
	      is ":"

       filename
	      The path to the file.

       format The  format  of the fields in the file, given as an example line
	      from the file, with the content of the fields as the RADIUS  at-
	      tributes	which  the  fields map to. The fields are separated by
	      the ':' character in the configuration (no matter what  is  con-
	      figured for the 'delimiter' option).

       hash_size
	      The  size of the hash table. A larger value means less probabil-
	      ity of a collision so records will be found faster, at  the  ex-
	      pense  of  greater memory usage. Having a hash_size in the range
	      of 30-100% of the number of passwd file records is reasonable.

       ignore_empty
	      When set to "yes", the default, empty fields in the  input  will
	      be  skipped and the RADIUS attribute will not be added.  By set-
	      ting this value to "no", all attributes in the format list  will
	      always be added, even if they have no value.

       ignore_nislike
	      If  set  to 'yes', then all records from the file beginning with
	      the '+' sign will be ignored.  The default is 'no'.

FORMAT
       The format option controls how lines are read from the file, and  which
       fields are mapped to which RADIUS attributes.

       The  key  field	is the field being searched for within the file. It is
       normally signified by being preceded with a '*' character, which  indi-
       cates  that the field has only one key, like the /etc/passwd file.  The
       key field may instead be preceded with '*,', which indicates  that  the
       field  has multiple possible comma-separated keys, such as when search-
       ing the /etc/group file.

       The other fields signify RADIUS attributes. By  default	they  will  be
       added as a control attribute list.

       To  add	an attribute to the RADIUS request (as though it had been sent
       by the NAS), prefix the attribute name in the "format" string with  the
       '~' character.

       To  add	an attribute to the RADIUS reply (to be sent back to the NAS),
       prefix the attribute name in the "format" string with the  '='  charac-
       ter.

EXAMPLES
       format = "*User-Name:Crypt-Password:"

	      For  a  file  the looks similar to /etc/passwd. The first field,
	      User-Name, is the key to look up in the file. When the record is
	      found, a control attribute, 'Crypt-Password', will be added with
	      the contents of the second field. (Note this will not work  with
	      shadow passwords.)

       format = "My-Group:::*,User-Name"

	      Parse a file similar to the /etc/group file.  An entry matches a
	      request when the name in a User-Name  attribute  exists  in  the
	      comma-separated  list  of  a  line  in  the file.  When an entry
	      matches, a "My-Group" attribute will be created and added to the
	      control items for the request.  The value of that attribute will
	      be taken from the first field of the matching line in the file.

	      The ":::" in the format string means that there  are  extra  two
	      fields  in  the line, in between the group name and list of user
	      names.  Those fields do not map to any RADIUS attribute, and are
	      therefore ignored.

	      For  this  example to work in practice, you will have to add the
	      My-Group attribute to the dictionary  file.   See  dictionary(5)
	      for details on how this may be done.

       format = "~My-Group:::*,User-Name"

	      Similar  to the previous entry, except the My-Group attribute is
	      added to the request, as though it was sent by the NAS.

SECTIONS
       authorize

FILES
       /etc/raddb/mods-available/passwd

SEE ALSO
       radiusd(8), radiusd.conf(5), radmin(8), dictionary(5), rlm_unix(5)

AUTHOR
       Alan DeKok <aland@freeradius.org>, Matthew  Newton  <matthew@newtoncom-
       puting.co.uk>.




				20 January 2015 		 rlm_passwd(5)