-.TH USERS 5 "05 August 2000" "" "FreeRADIUS user authorization file"
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH USERS 5 "04 Jan 2004" "" "FreeRADIUS user authorization file"
.SH NAME
users \- user authorization file for the FreeRADIUS server
.SH DESCRIPTION
-The \fBusers\fP file resides in the RADIUS database directory, by
-default \fB/etc/raddb\fP. It contains a series of configuration
-directives which are used by the \fIfiles\fP module to decide how to
-authorize and authenticate each user request.
+The \fBusers\fP files reside in the files module configuration directory,
+by default \fB/etc/raddb/mods-config/files/\fP. It contains a series
+of configuration directives which are used by the \fIfiles\fP
+module to decide how to authorize and authenticate each user request.
Every line starting with a hash sign
.RB (' # ')
with a tab, and a (possibly empty) list of reply items. Each item in
the check or reply item list is an attribute of the form \fBname =
value\fP. Multiple items may be placed on one line, in which case
-they must be seperated by commas. The reply items may be specified
+they must be separated by commas. The reply items may be specified
over multiple lines, in which case each line must end with a comma,
and the last line of the reply items must not end with a comma.
rejected.
.SH CAVEATS
-The special username \fBDEFAULT\fP matches any usernames.
+The special keyword \fBDEFAULT\fP matches any usernames.
The entries are processed in order, from the top of the \fBusers\fP file,
on down. If an entry contains the special item \fBFall-Through =
.TP 0.5i
.B "Attribute = Value"
-Not allowed as a check item.
+Not allowed as a check item for RADIUS protocol attributes. It is
+allowed for server configuration attributes (Auth-Type, etc), and sets
+the value of on attribute, only if there is no other item of the
+same attribute.
.br
As a reply item, it means "add the item
to the reply list, but only if there is no other item of the same
.TP 0.5i
.B "Attribute := Value"
-Always matches as a check item, and replaces in the request any
-attribute of the same name. If no attribute of that name appears in
-the request, then this attribute is added.
+Always matches as a check item, and replaces in the configuration
+items any attribute of the same name. If no attribute of that name
+appears in the request, then this attribute is added.
.br
As a reply item, it has an identical meaning, but for the reply items,
instead of the request items.
.TP 0.5i
.B "Attribute += Value"
Always matches as a check item, and adds the current attribute with
-value to the incoming request.
+value to the list of configuration items.
.br
As a reply item, it has an identical meaning, but the attribute is
added to the reply items.
Not allowed as a reply item.
.TP 0.5i
-.B "Attribute =~ Expression"
-As a check item, it matches if the request contains an attribute which
-matches the given regular expression. This operator may only be
-applied to string attributes.
+.B "Attribute =* Value"
+As a check item, it matches if the request contains the named
+attribute, no matter what the value is.
.br
Not allowed as a reply item.
.TP 0.5i
-.B "Attribute !~ Expression"
-As a check item, it matches if the request contains an attribute which
-does not match the given regular expression. This operator may only be
-applied to string attributes.
+.B "Attribute !* Value"
+As a check item, it matches if the request does not contain the named
+attribute, no matter what the value is.
.br
Not allowed as a reply item.
.SH EXAMPLES
.DS
-bob Auth-Type := Local, Password == "bob"
+bob Cleartext-Password := "hello"
.DE
.RS
Requests containing the User-Name attribute, with value "bob", will be
-authenticated using the local password "bob". There are no reply
-items, so the reply will be empty.
-.RE
-
-.DS
-DEFAULT Auth-Type := System
-.br
- Fall-Through = Yes
-
-.DE
-.RS
-For all users reaching this entry, perform authentication against the
-system. Also, process any following entries which may match.
+authenticated using the "known good" password "hello". There are no
+reply items, so the reply will be empty.
.RE
.DS
-DEFAULT Service-Type==Framed-User, Framed-Protocol==PPP
+DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
.br
Service-Type = Framed-User,
.br
Entries rejecting certain requests should go at the top of the file,
and should not have a Fall-Through item in their reply items. Entries
for specific users, who do not have a Fall-Through item, should come
-next. Any DEFAULT entries should come last.
+next. Any DEFAULT entries should usually come last, except as fall-through
+entries that set reply attributes.
.SH FILES
-/etc/raddb/users
+/etc/raddb/mods-config/files/
.SH "SEE ALSO"
.BR radclient (1),
.BR radiusd (8),
.BR dictionary (5),
-.BR naslist (5)
.SH AUTHOR
The FreeRADIUS team.
projects / freeradius.git / blobdiff