man rlm_unix (Formats) - FreeRADIUS Module
NAME
rlm_unix - FreeRADIUS Module
DESCRIPTION
The rlm_unix module allows authentication against the system password, shadow, and group files. It also provides FreeRADIUS an interface into a radwtmp file (used by "radlast") when added to the accounting section.
The rlm_unix module provides the functionality for "Auth-Type = System", rather than "Auth-Type = Unix". The "System" name is used for historical reasons.
The main configuration items to be aware of are:
- cache
- This is a 'yes' or 'no' option. If set to yes, FreeRADIUS will read the system files into memory, rather than perform a system call to look up the information. On *BSD systems, you should set this value to no. On other systems, if you have very large passwd and shadow files, you can try setting this to yes, which may increase the server's performance. The default is no.
- cache_reload
- This is the number of seconds to wait between refreshing the cached files from the system. It has no effect unless you enable caching.
- passwd
- The path to the system passwd file. Usually /etc/passwd. If commented out, or not set, the server will retrieve the information via system calls.
- shadow
- The path to the system shadow file. Usually /etc/shadow. This is not set by default.
- group
- The path to the system group file. Usually /etc/group. This is not set by default.
- radwtmp
- The path to the system wtmp file to be used for keeping the database of online users as read by the 'radlast' program.
- usegroup
- This is a 'yes' or 'no' option. If set to 'yes' this allows the Group attribute to be used as a check item. Default is 'no'.
CONFIGURATION
modules {
    ...
    unix {
        cache = no
        cache_reload = 600
        #passwd = /etc/passwd
        #shadow = /etc/shadow
        #group = /etc/group
        usegroup = no
        radwtmp = ${logdir}/radwtmp
    }
    ...
}
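A small review script for the block above, added here as an example and not part of FreeRADIUS or the original man page. It parses a unix { } block, applies the defaults stated in DESCRIPTION, and notes settings that are inert or fall back to system calls; the function names and the embedded sample are assumptions made for illustration.

```python
import re

# Defaults stated on this page; None means "not set".
DEFAULTS = {"cache": "no", "cache_reload": None, "passwd": None,
            "shadow": None, "group": None, "radwtmp": None, "usegroup": "no"}

# Constructed sample: the unix block from the CONFIGURATION section.
SAMPLE = """
modules {
    unix {
        cache = no
        cache_reload = 600
        #passwd = /etc/passwd
        #shadow = /etc/shadow
        #group = /etc/group
        usegroup = no
        radwtmp = ${logdir}/radwtmp
    }
}
"""

def parse_unix_block(conf_text):
    """Return the items explicitly set inside the unix { ... } block."""
    m = re.search(r"^\s*unix\s*\{(.*?)^\s*\}", conf_text, re.S | re.M)
    if m is None:
        raise ValueError("no unix { } block found")
    items = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # commented-out items stay unset
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            items[key] = value
    return items

def review(conf_text):
    """Return (effective settings, notes) for the unix block."""
    eff = {**DEFAULTS, **parse_unix_block(conf_text)}
    notes = []
    for key in ("cache", "usegroup"):
        if eff[key] not in ("yes", "no"):
            notes.append(f"{key} must be 'yes' or 'no', got {eff[key]!r}")
    if eff["cache"] == "no" and eff["cache_reload"] is not None:
        notes.append("cache_reload is set but has no effect while cache = no")
    if eff["passwd"] is None:
        notes.append("passwd is not set; lookups go through system calls")
    return eff, notes

if __name__ == "__main__":
    settings, notes = review(SAMPLE)
    print(settings)
    print("\n".join(notes))
```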
SECTIONS
authentication, accounting
FILES
/etc/raddb/radiusd.conf
SEE ALSO
AUTHORS
Chris Parker, cparker@segv.org