Fetching contributors…
Cannot retrieve contributors at this time
196 lines (137 sloc) 5.63 KB
Radius DBM module
rlm_dbm uses a Berkeley or GDBM <** database to store use information. It
is a lot faster than the files and passwd modules, takes less memory than
the fastusers module and does not require additional server software as
the LDAP and SQL modules does. In addition it supports groups, and of
course multiple entries per user or group.
Basically, it opens the file you specifies in radiusd.conf and authenticates
users out of it. The file has to be a Berkeley or GDBM <** file database,
and may be created by rlm_dbm_parse or by a custom program of your choice.
Put the module declaration in your radiusd.conf. It should in general look
like this:
dbm {
usersfile = ${confdir}/users.db
Note: some dbm libraries add .db suffix by itself.
Then put "dbm" in the "authorize {}" section of your radiusd.conf:
authorize {
The only option is "usersfile", which is the path and filename of the
database file you want rlm_dbm to look for users and groups in. This
file needs to be generated, either by the rlm_dbm_parse program or by
some custom program, for instance a Perl program using the DB_File or
GDBM_File <** modules.
rlm_dbm_cat: [-f file] [-w] [-i number] [-l number] [-v] [username ...]
rlm_dbm_cat simply lists the definition(s) of the username(s) or group
name(s), or the entire database. It takes the following options:
-f <filename>
The file name of the database to list.
Long lines should be wrapped
-i <number>
Set the left margin then wrapped.
-l <number>
How long line should be to be wrapped (wrap threshold)
Print the version number and exit.
rlm_dbm_parser [-c] [-d raddb] [-i inputfile] [-o outputfile] [-x]
[-v] [-q] [username ...]
rlm_dbm_parses reads a file of the syntax defined below, and writes
a database file usable by rlm_dbm or edits current database.
It takes the following options:
-i <file>
Use <file> as the input file. If not defined then use standard input.
Use <file> as the output file.
Create a new database (empty output file before writing)
Enable debug mode.
; Multiple x flag increase debug level
Do not print statistics (quiet).
Print the version and exit.
Remove a username or group name from the database.
rlm_dbm_parse reads a format similar to the one used by the files
module. In incomplete RFC2234 ABNF, it looks like this:
entries = *entry
entry = identifier TAB definition
identifier = username / group-name
username = +PCHAR
groupname = +PCHAR
definition = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF
check-item = AS IN FILES
reply-item = AS IN FILES
*** need definition of username and groupname ***
As an example, these are the standard files definitions (files module).
DEFAULT Service-Type == Framed-User
Framed-IP-Address =,
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes
#except who call from number 555-666
DEFAULT Auth-Type := Reject,Service-Type ==Framed-User,
Calling-Station-ID == "555-666"
#or call number 555-667
DEFAULT Auth-Type := Reject,Service-Type ==Framed-User,
Calling-Station-ID == "555-667"
To be a valid rlm_dbm input file, it should look like this:
DEFAULT Service-Type == Framed-User # (1)
Framed-IP-Address =, # comma, list cont'd
Framed-MTU = 576,
Service-Type = Framed-User,
Fall-Through = Yes # \n, end of list
Auth-Type := Reject,Service-Type ==Framed-User, # (2)
Calling-Station-ID == "555-666"
; # ;, no reply items
Auth-Type := Reject,Service-Type ==Framed-User, # (3)
Calling-Station-ID == "555-667"
; # ditto
This user (the DEFAULT user) contains three entries, 1, 2 and 3. The
first entry has a list of reply items, terminated by a reply item
without a trailing comma. Entries 2 and 3 has empty reply lists, as
indicated by the semicolon. This is necessary to separate an empty
line (which is ignored) from the empty list.
Definition Fall-Through = Yes used in order to say module to check next
record. By default Fall-Through = Yes.
This is implemented with the special User-Category attribute. Simply
set this as a reply item, and rlm_dbm will include the groups definition
when evaluating the check and reply items of the user. The group defined
the same way as users. Here is a short example:
# group definitions
Service-Type = Framed-User,
Cisco-AVPair += "ip:addr-pool=SANDY",
Framed-Protocol = PPP
locked Auth-Type := Reject
Reply-Message = "Your account has been disabled."
# user definitions
ssalex Auth-Type := Local, Password == "passs"
User-Category = "GenDialup"
ssmike Auth-Type := Local, Password == "pass1"
User-Category = "Locked"
Author - Andrei Koulik <>
Documentation - Bjørn Nordbø <>
8. Bug reports: