RADIUS rlm_passwd (passwd-like files authorization module)
-0. Introduction
-
-rlm_passwd allows you to retrieve any account information from any
-files with passwd-like format (/etc/passwd, /etc/group, smbpasswd,
-.htpasswd, etc)
-
-
-1. What does it do
-
-rlm_passwd reads configuration from raddb/radiusd.conf which contains
-a description of the passwd file format. Every field of the passwd
-file may be mapped to some RADIUS attribute. One of fields is a key
-field. If the attribute mapped to the key field is found in the
-request, all other mapped attributes are added to configuration items
-(if record corresponding to key field is found in passwd file and
-fields mapped to attributes are not empty).
-
-rlm_passwd can cache information from the passwd file and use a
-hashtable for fast search, so it may be very effective for storing up
-to a few thousands of users accounts if these accounts are rarely
-changed.
-
-It's also helpfull if you need to store only few accounts, in this case
-you should probably disable caching.
-
-
-2. How you should build and configure it
-
-First, rlm_passwd is experimental and is not built by default. To compile
-it you should add rlm_passwd to src/modules/stable before running
-./configure script or add rlm_passwd to MODULES variable in Make.inc.
-
-Second, you should configure this module (you can have multiple instances
-for different and even for the same file).
-
-Config section parameters:
-
- filename = "string" (required)
-
- The path to the passwd file
-
-
- delimiter = "x" (default ":")
- The symbol to use as a delimiter of passwd file fields
-
-
- format = "string" (required)
-
- Describes the format of the passwd file fields. Fields are separated
- by the ':' sign. Each field may be empty, or may contain the name of
- a RADIUS attribute (in this case it's mapped to named attrbiute).
- Attribute name may be precided by '*' or '*,'. The '*' signifies a
- key attribute (usually key attribute for passwd file is User-Name).
- The '*,' shows that field may contain a comma-separated list of
- values for key attribute (like /etc/group does). For example, the
- description of /etc/group file format is: "Group-Name:::*,User-Name"
- in this example we ignore gid and group's password. If the request
- contains a User-Name attribute with value 'vlad', and the passwd file
- (/etc/group) contains following record: wheel:*:0:root,vlad,test
- Group-Name attribute will be added to configuration items list with value
- of "wheel".
- '=' mark can be used to add items for this field into reply-items instead
- of default configure-items. For example
- "*User-Name,Password,=Callback-Number"
- will add third field as a Callback-Number attribute to reply.
- You can also add attribute to request-items by adding '~' modificator.
-
-
- hashsize = n (default 0)
-
- The size of the hashtable. If 0, then the passwords are not cached
- and the passwd file is parsed for every request. A larger hashsize
- means less probability of collision and faster search in
- hashtable. Having hashsize in the range of 30-100% of the number of passwd
- file records is probably OK.
-
-
- authtype = "string"
-
- If key field is found in passwd file Auth-Type parameter will be replaced
- with one specified in in authtype.
-
-
- allowmultiplekeys = no (default)
- allowmultiplekeys = yes
-
- If allowmultiplekeys is set to yes, and few records in passwd file
- match the request, then the attributes from all records will be
- added. If allowmultiplekeys = no, then rlm_passwd will warn about
- duplicated records.
-
-
- ignorenislike = no (default)
- ignorenislike = yes
-
- If ignorenislike = yes all records from passwd file beginning with '+' sign
- will be ignored.
-
-4. FAQ
+FAQ
Q: Can I use rlm_passwd to authenticate user against Linux shadow password
file or BSD-style master.passwd?
5. Acknowlegements:
ZARAZA, <3APA3A@security.nnov.ru>
- Michael Chernyakhovsky <mike@mgn.ru> - reply-itmes support
+ Michael Chernyakhovsky <mike@mgn.ru> - reply-items support
--- /dev/null
+.TH rlm_passwd 5 "14 April 2004" "" "FreeRADIUS Module"
+.SH NAME
+rlm_passwd \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_passwd\fP module provides authorization via files similar
+in format to /etc/passwd.
+.PP
+The \frlm_passwd\fP module allows you to retrieve any account
+information from any files with passwd-like format (/etc/passwd,
+/etc/group, smbpasswd, .htpasswd, etc). Every field of the file may
+be mapped to a RADIUS attribute, with one of the fields used as a
+key.
+.PP
+The module reads the file when it initializes, and caches the data
+in memory. As a result, it does not support dynamic updates of the
+files (the server has to be HUP'd), but it is very fast, even for
+files with thousands of lines.
+.PP
+The configuration item(s):
+.IP filename
+The path to the file.
+.IP delimiter = ":"
+The character to use as a delimiter between fields. The default is
+":"
+.IP hashsize
+The size of the hashtable. If 0, then the passwords are not cached
+and the passwd file is parsed for every request. We do not recommend
+such a configuration. A larger hashsize means less probability of
+collision and faster search in hashtable. Having a hashsize in the range
+of 30-100% of the number of passwd file records is reasonable.
+.IP allowmultiplekeys
+If set to 'yes', and more than one record in file matches the request,
+then the attributes from all records will be used. If set to 'no' (the
+default) the module will warn about duplicated records.
+.IP ignorenislike
+If set to 'yes', then all records from the file beginning with the '+'
+sign will be ignored. The default is 'no'.
+.IP authtype
+If an entry matches, the Auth-Type for the request will be set to the
+one specified here.
+.IP format
+The format of the fields in the file, given as an example line from
+the file, with the content of the fields as the RADIUS attributes
+which the fields map to. The fields are seperated by the ':' character.
+.PP
+The key field is signified by being preceded with a '*' character,
+which indicates that the field has only one key, like the /etc/passwd
+file. The key field may instead be preceded with '*,', which
+indicates that the field has multiple possible keys, like the
+/etc/group file.
+.PP
+The other fields signify RADIUS attributes which, by default, are
+added to the configuration items for a request.
+.PP
+To add an attribute to the request (as though it was sent by the NAS),
+prefix the attribute name in the "format" string with the '~' character.
+.PP
+To add an attribute to the reply (to be sent back to the NAS) prefix
+the attribute name in the "format" string with the '=' character.
+
+.SH EXAMPLES
+.DS
+format = "My-Group:::*,User-Name"
+.DE
+.IP
+Parse a file similar to the /etc/group file. An entry matches a
+request when the name in a User-Name attribute exists in the
+comma-seperated list of a line in the file. When an entry matches,
+a "My-Group" attribute will be created and added to the configuration
+items for the request. The value of that attribute will be taken from
+the first field of the matching line in the file.
+.IP
+The ":::" in the format string means that there are extra two fields
+in the line, in betweem the group name and list of user names. Those
+fields do not map to any RADIUS attribute, and are therefore ignored.
+.IP
+For this example to work in practice, you will have to add the
+My-Group attribute to the dictionary file. See the dictionary manual
+page for details on how this may be done.
+.PP
+.DS
+format = "~My-Group:::*,User-Name"
+.DE
+.IP
+Similar to the previous entry, except the My-Group attribute is added
+to the request, as though it was sent by the NAS.
+.SH SECTIONS
+.BR authorize
+.PP
+.SH FILES
+.I /etc/raddb/radiusd.conf
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.BR dictionary (5),
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>
+
projects / freeradius.git / commitdiff