RADIUS rlm_passwd (passwd-like files authorization module)

rlm_passwd allows you to retrieve any account information from any
files with a passwd-like format (/etc/passwd, /etc/group, smbpasswd,

rlm_passwd reads its configuration from raddb/radiusd.conf, which contains
a description of the passwd file format. Every field of the passwd
file may be mapped to some RADIUS attribute. One of the fields is a key
field. If the attribute mapped to the key field is found in the
request, all other mapped attributes are added to the configuration items
(if a record corresponding to the key field is found in the passwd file and
the fields mapped to attributes are not empty).

rlm_passwd can cache information from the passwd file and use a
hashtable for fast search, so it may be very effective for storing up
to a few thousand user accounts if these accounts are rarely

It's also helpful if you need to store only a few accounts; in this case
you should probably disable caching.

2. How you should build and configure it

First, rlm_passwd is experimental and is not built by default. To compile
it you should add rlm_passwd to src/modules/stable before running the
./configure script, or add rlm_passwd to the MODULES variable in Make.inc.

Second, you should configure this module (you can have multiple instances,
for different files or even for the same file).

Config section parameters:

filename = "string" (required)

The path to the passwd file.

delimiter = "x" (default ":")

The symbol to use as the delimiter of passwd file fields.

format = "string" (required)

Describes the format of the passwd file fields. Fields are separated
by the ':' sign. Each field may be empty, or may contain the name of
a RADIUS attribute (in this case it's mapped to the named attribute).
An attribute name may be preceded by '*' or '*,'. The '*' signifies a
key attribute (usually the key attribute for a passwd file is User-Name).
The '*,' shows that the field may contain a comma-separated list of
values for the key attribute (like /etc/group does). For example, the
description of the /etc/group file format is: "Group-Name:::*,User-Name";
in this example we ignore the gid and the group's password. If the request
contains a User-Name attribute with value 'vlad', and the passwd file
(/etc/group) contains the following record: wheel:*:0:root,vlad,test
the Group-Name attribute will be added to the configuration items list with value

hashsize = n (default 0)

The size of the hashtable. If 0, then the passwords are not cached
and the passwd file is parsed for every request. A larger hashsize
means a lower probability of collision and faster search in the
hashtable. A hashsize in the range of 30-100% of the number of passwd
file records is probably OK.

If the key field is found in the passwd file, the Auth-Type parameter will be
replaced with the one specified in authtype.

allowmultiplekeys = no (default)
allowmultiplekeys = yes

If allowmultiplekeys is set to yes and several records in the passwd file
match the request, then the attributes from all records will be
added. If allowmultiplekeys = no, then rlm_passwd will warn about

ignorenislike = no (default)

If ignorenislike = yes, all records from the passwd file beginning with a '+' sign
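The format mapping described above (the '*' and '*,' key markers, the /etc/group example, and the allowmultiplekeys and ignorenislike options), modelled as an added Python example; this is not rlm_passwd's own code. The file contents are constructed, and two behaviours are assumptions rather than statements from this text: with allowmultiplekeys = no only the first matching record is used, and ignorenislike skips records beginning with '+'.

```python
# Added example, not rlm_passwd's own code: a Python model of how a format
# string maps passwd-like records to RADIUS attributes. Sample data is constructed.

CONSTRUCTED_GROUP_FILE = """\
wheel:*:0:root,vlad,test
staff:*:20:alice
+netgroup:*:0:vlad
"""
CONSTRUCTED_PASSWD_FILE = "vlad:$1$constructed$notarealhash:1001:1001::/home/vlad:/bin/sh\n"

def parse_format(fmt):
    """Split a format string into attribute names and find the key field.
    '*' marks the key field, '*,' a key field holding a comma-separated
    list of key values (as the member list in /etc/group does)."""
    fields, key_index, key_is_list = [], None, False
    for i, name in enumerate(fmt.split(":")):
        if name.startswith("*,"):
            key_index, key_is_list, name = i, True, name[2:]
        elif name.startswith("*"):
            key_index, key_is_list, name = i, False, name[1:]
        fields.append(name)
    if key_index is None:
        raise ValueError("format has no key field marked with '*'")
    return fields, key_index, key_is_list

def lookup(passwd_text, fmt, key_value, delimiter=":",
           ignorenislike=False, allowmultiplekeys=False):
    """Return (attribute, value) pairs for records whose key field matches
    key_value. Fields with no attribute name or an empty value are skipped,
    as is the key field itself. Assumptions: ignorenislike drops '+'-prefixed
    (NIS-like) records, and with allowmultiplekeys off only the first
    matching record is used."""
    fields, key_index, key_is_list = parse_format(fmt)
    result = []
    for line in passwd_text.splitlines():
        if not line or (ignorenislike and line.startswith("+")):
            continue
        record = line.split(delimiter)
        if len(record) <= key_index:
            continue  # too few fields: record has no key field
        keys = record[key_index].split(",") if key_is_list else [record[key_index]]
        if key_value not in keys:
            continue
        for i, (attr, value) in enumerate(zip(fields, record)):
            if i != key_index and attr and value:
                result.append((attr, value))
        if not allowmultiplekeys:
            break
    return result
```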
Q: Can I use rlm_passwd to authenticate users against the Linux shadow password
file or BSD-style master.passwd?
A: Yes, but you need RADIUS running as root. Hint: use the Crypt-Password
attribute. You probably don't want to use this module with
FreeBSD, as it already takes care of caching passwd file entries.

Q: Can I use rlm_passwd to authenticate users against SAMBA smbpasswd?
A: Yes, you can. Hint: use the LM-Password/NT-Password attribute, set

Q: Can I use rlm_passwd to authenticate users against BLA-BLA-BLApasswd?
A: Probably you can, if BLA-BLA-BLA stores passwords in some format supported
by RADIUS, for example cleartext, NT/LM hashes, crypt, or the Netscape MD5 format.
You have to set authtype to the corresponding type, for example
authtype = NS-MTA-MD5

Q: What are the differences between rlm_passwd and rlm_unix?
A: rlm_passwd supports passwd files in any format and may be used, for
example, to parse FreeBSD's master.passwd or SAMBA smbpasswd files, but
it can't perform system authentication (for example, to authenticate a
NIS user, as rlm_unix does). If you need system authentication you
need rlm_unix; if you have to authenticate against files only under
BSD you need rlm_passwd; if you need to authenticate against files only
under Linux, you can choose between rlm_unix and rlm_passwd, and probably
you will have nearly the same results in performance (I hope :) ).

ZARAZA, <3APA3A@security.nnov.ru>