Sophie

Sophie

distrib > Mandriva > 9.1 > i586 > by-pkgid > 452fb54f812d5eccac1ff636cca08676 > files > 242

freeradius-0.8.1-1mdk.i586.rpm

RADIUS rlm_passwd (passwd-like files authorization module)

0. Introduction

rlm_passwd allows you to retrieve any account information from any
files with passwd-like format (/etc/passwd, /etc/group, smbpasswd,
.htpasswd, etc)


1. What does it do

rlm_passwd reads configuration from raddb/radiusd.conf which contains
a description of the passwd file format.  Every field of the passwd
file may be mapped to some RADIUS attribute.  One of fields is a key
field.  If the attribute mapped to the key field is found in the
request, all other mapped attributes are added to configuration items
(if record corresponding to key field is found in passwd file and
fields mapped to attributes are not empty).

rlm_passwd can cache information from the passwd file and use a
hashtable for fast search, so it may be very effective for storing up
to a few thousands of users accounts if these accounts are rarely
changed.

It's also helpfull if you need to store only few accounts, in this case
you should probably disable caching.


2. How you should build and configure it

First, rlm_passwd is experimental and is not built by default. To compile
it you should add rlm_passwd to src/modules/stable before running
./configure script or add rlm_passwd to MODULES variable in Make.inc.

Second, you should configure this module (you can have multiple instances
for different and even for the same file).

Config section parameters:

   filename = "string" (required)

 The path to the passwd file


   delimiter = "x" (default ":")
 The symbol to use as a delimiter of passwd file fields


   format = "string" (required)

 Describes the format of the passwd file fields. Fields are separated
 by the ':' sign.  Each field may be empty, or may contain the name of
 a RADIUS attribute (in this case it's mapped to named attrbiute).
 Attribute name may be precided by '*' or '*,'.  The '*' signifies a
 key attribute (usually key attribute for passwd file is User-Name).
 The '*,' shows that field may contain a comma-separated list of
 values for key attribute (like /etc/group does).  For example, the
 description of /etc/group file format is: "Group-Name:::*,User-Name"
 in this example we ignore gid and group's password. If the request
 contains a User-Name attribute with value 'vlad', and the passwd file
 (/etc/group) contains following record: wheel:*:0:root,vlad,test
 Group-Name attribute will be added to configuration items list with value
 of "wheel".

   
  hashsize = n (default 0)

 The size of the hashtable.  If 0, then the passwords are not cached
 and the passwd file is parsed for every request.  A larger hashsize
 means less probability of collision and faster search in
 hashtable. Having hashsize in the range of 30-100% of the number of passwd
 file records is probably OK.


  authtype = "string"

 If key field is found in passwd file Auth-Type parameter will be replaced
 with one specified in in authtype.


  allowmultiplekeys = no (default)
  allowmultiplekeys = yes

 If allowmultiplekeys is set to yes, and few records in passwd file
 match the request, then the attributes from all records will be
 added. If allowmultiplekeys = no, then rlm_passwd will warn about
 duplicated records.


  ignorenislike = no (default)
  ignorenislike = yes

 If ignorenislike = yes all records from passwd file beginning with '+' sign
 will be ignored.

4. FAQ

Q: Can I use rlm_passwd to authenticate user against Linux shadow password
   file or BSD-style master.passwd?
A: Yes, but you need RADIUS running as root. Hint: use Crypt-Password
   attribute.  You probably don't want to use this module with
   FreeBSD to authenticate against system file, as it already takes care
   of caching passwd file entries, but it may be helpfull to authenticate
   against alternate file.

Q: Can I use rlm_passwd to authenticate user against SAMBA smbpasswd?
A: Yes, you can. Hint: use LM-Password/NT-Password attribute, set 
   authtype = MS-CHAP.

Q: Can I use rlm_password to authenticate user against BLA-BLA-BLApasswd?
A: Probably you can, if BLA-BLA-BLA stores password in some format supported
   by RADIUS, for example cleartext, NT/LM hashes, crypt, Netscape MD5 format.
   You have to set authtype to corresponding type, for example
    authtype = NS-MTA-MD5
   for Netscape MD5.

Q: Are where are differences between rlm_passwd and rlm_unix?
A: rlm_passwd supports passwd files in any format and may be used, for
   example, to parse FreeBSD's master.passwd or SAMBA smbpasswd files, but
   it can't perform system authentication (for example to authenticate
   NIS user, like rlm_unix does). If you need system authentication you
   need rlm_unix, if you have to authenticate against files only under
   BSD you need rlm_passwd, if you need to authenticate against files only
   under Linux, you can choose between rlm_unix and rlm_passwd, probably
   you will have nearly same results in performance (I hope :) ).

5. Acknowlegements:

   ZARAZA, <3APA3A@security.nnov.ru>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional