bob Framed-IP-Address == 192.0.2.32
	Reply-Message := "hello"
rlm_files
Synopsis
This module implements a traditional Livingston-style users file.
In version 2 of the server, this was called the users file. In version 3, the default location has been changed to mods-config/files/authorize.
File Format
The files module reads files which have a special format.
Entries
Every line starting with a hash sign (#) is treated as a comment and ignored.
Each entry of the file begins with a username, followed by a (possibly empty) list of check items, all on one line. The next line begins with a tab, and a (possibly empty) list of reply items. Each item in the check or reply item list is an attribute of the form name = value. Multiple items may be placed on one line, in which case they must be separated by commas. The reply items may be specified over multiple lines, in which case each line must end with a comma, and the last line of the reply items must not end with a comma.
The check items are a list of attributes used to match the incoming request. If the key matches, and all of the check items match the incoming request, then the reply items are added to the list of attributes which will be used in the reply to that request. This process is repeated for all of the entries in the file.
The example entry for bob at the top of this page assumes that the default key is configured to be User-Name. It matches a packet for user bob that contains a Framed-IP-Address attribute with a value of 192.0.2.32. When a match is found, it adds the Reply-Message attribute to the reply list, with a value of hello.
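The format rules above, written as a small parser (an added example, not FreeRADIUS code and not part of the original page). The names parse_items and parse_users and the second sample entry are constructed for illustration; accepting leading spaces as well as a tab on reply lines is an assumption.

```python
import re

# Operators listed on this page; two-character forms are tried first.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|\+=|!=|>=|<=|=\*|!\*|=|>|<)\s*(.*?)\s*$')

def parse_items(text):
    """Split a comma-separated item list into (name, operator, value) tuples."""
    items = []
    for part in re.findall(r'(?:[^,"]|"[^"]*")+', text):  # commas outside quotes
        if not part.strip():
            continue
        m = ITEM_RE.match(part)
        if m is None:
            raise ValueError(f"malformed item: {part!r}")
        items.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return items

def parse_users(text):
    """Parse users-file text into (key, check items, reply items) entries."""
    entries, more = [], False    # more: previous reply line ended with a comma
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue                                   # blank line or comment
        if line[0] in ' \t':       # reply line (tab per the page; spaces tolerated)
            if not entries or (entries[-1][2] and not more):
                raise ValueError(f"unexpected reply line: {line!r}")
            entries[-1][2].extend(parse_items(line))
            more = line.rstrip().endswith(',')
        else:                                          # key, then check items
            if more:
                raise ValueError("reply list ended with a comma")
            key, *rest = line.split(None, 1)
            entries.append((key, parse_items(''.join(rest)), []))
    if more:
        raise ValueError("reply list ended with a comma")
    return entries

# Constructed sample input (the first entry is the one from this page).
SAMPLE = '''# comment lines are ignored
bob Framed-IP-Address == 192.0.2.32
\tReply-Message := "hello"
DEFAULT Service-Type == Framed-User, NAS-Port > 10
\tFramed-Protocol = PPP,
\tReply-Message = "hi, guest"
'''

if __name__ == '__main__':
    print(*parse_users(SAMPLE), sep='\n')
```

A reply line that follows a reply line without a trailing comma, or a reply list whose last line ends with a comma, is rejected with ValueError.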
Processing
The special username DEFAULT matches any key.
The entries are processed in order, from the top of the file to the bottom. If a matching entry contains the attribute Fall-Through = No as a reply attribute, then the processing of the file stops, and no more entries are matched. Any reply item list without any Fall-Through attribute is treated as though it included a Fall-Through = No attribute.
If a matching entry contains the attribute Fall-Through = Yes as a reply attribute, then the processing proceeds to the next entry in order.
Care should be taken when using Fall-Through. The server should be tested in debugging mode with a number of test requests, in order to verify that the configured entries behave as expected.
The processing of this file is fairly limited. It is best suited for a simple database, where known users are matched to simple replies. Any complicated configuration should use the unlang language instead. The unlang configuration is much more flexible and more powerful than the limited capabilities of the files module.
Operators
Operators other than = may be used for the attributes in either the check item list or the reply item list. The operators and their meanings are listed below.
- Attribute = Value
  Not allowed as a check item for RADIUS protocol attributes. It is allowed for server configuration attributes (Auth-Type, etc.), and sets the value of an attribute, only if there is no other item of the same attribute.
  As a reply item, it means "add the item to the reply list, but only if there is no other item of the same attribute."
- Attribute := Value
  Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.
  As a reply item, it has an identical meaning, but for the reply items, instead of the request items.
- Attribute == Value
  As a check item, it matches if the named attribute is present in the request, AND has the given value.
  Not allowed as a reply item.
- Attribute += Value
  Always matches as a check item, and adds the current attribute with value to the list of configuration items.
  As a reply item, it has an identical meaning, but the attribute is added to the reply items.
- Attribute != Value
  As a check item, it matches if the given attribute is in the request, and does not have the given value.
  Not allowed as a reply item.
- Attribute > Value
  As a check item, it matches if the request contains an attribute with a value greater than the one given.
  Not allowed as a reply item.
- Attribute >= Value
  As a check item, it matches if the request contains an attribute with a value greater than, or equal to the one given.
  Not allowed as a reply item.
- Attribute < Value
  As a check item, it matches if the request contains an attribute with a value less than the one given.
  Not allowed as a reply item.
- Attribute <= Value
  As a check item, it matches if the request contains an attribute with a value less than, or equal to the one given.
  Not allowed as a reply item.
- Attribute =* Value
  As a check item, it matches if the request contains the named attribute, no matter what the value is.
  Not allowed as a reply item.
- Attribute !* Value
  As a check item, it matches if the request does not contain the named attribute, no matter what the value is.
  Not allowed as a reply item.
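The processing order and operator rules from the Processing and Operators sections, written as a small evaluator (an added example, not FreeRADIUS code and not part of the original page). The function names, the sample entries, integer semantics for ordered comparisons, and treating Fall-Through as a control item that is not copied into the reply are assumptions.

```python
def check_matches(request, name, op, value):
    """Evaluate one check item against the request attributes (a dict)."""
    if op in (':=', '+=', '='):
        return True      # setters, not filters ('=' is not type-checked here)
    if op in ('=*', '!*'):
        return (name in request) == (op == '=*')
    if name not in request:
        return False                      # every comparison needs the attribute
    if op in ('==', '!='):
        return (request[name] == value) == (op == '==')
    a, b = int(request[name]), int(value)   # assumption: integer comparison
    return {'>': a > b, '>=': a >= b, '<': a < b, '<=': a <= b}[op]

def apply_reply(reply, name, op, value):
    """Apply one reply item to the reply list of (name, value) pairs."""
    if op not in ('=', ':=', '+='):
        raise ValueError(f"{op} is not allowed as a reply item")
    if op == '=' and any(n == name for n, _ in reply):
        return                            # '=' adds only if none is present
    if op == ':=':                        # ':=' replaces existing instances
        reply[:] = [(n, v) for n, v in reply if n != name]
    reply.append((name, value))

def process(entries, request, key_attr='User-Name'):
    """Walk entries top to bottom; return (return code, reply list)."""
    code, reply = 'noop', []
    for key, check, reply_items in entries:
        hit = key in ('DEFAULT', request.get(key_attr))
        if not (hit and all(check_matches(request, *c) for c in check)):
            continue
        code, fall = 'ok', 'No'           # no Fall-Through item means "No"
        for name, op, value in reply_items:
            if name == 'Fall-Through':
                fall = value              # assumption: control item, not replied
            else:
                apply_reply(reply, name, op, value)
        if fall != 'Yes':
            break
    return code, reply

# Constructed entries as (key, check items, reply items), in file order.
ENTRIES = [
    ('DEFAULT', [], [('Session-Timeout', ':=', '3600'), ('Fall-Through', '=', 'Yes')]),
    ('bob', [('Framed-IP-Address', '==', '192.0.2.32')], [('Reply-Message', ':=', 'hello')]),
    ('DEFAULT', [], [('Session-Timeout', ':=', '600'), ('Reply-Message', '=', 'restricted')]),
]

if __name__ == '__main__':
    print(process(ENTRIES, {'User-Name': 'bob', 'Framed-IP-Address': '192.0.2.32'}))
```

The last DEFAULT entry is never applied to a request that matches the bob entry, because that entry's reply list has no Fall-Through item and processing stops there.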
Processing Sections
authorize
When listed in the authorize section, the files module processes packets through the file given by filename. The request attributes are used to match the first line of an entry. If an entry matches, the reply attributes from the entry are added to the reply list.
- Return codes
  noop: The packet did not match any entry.
  fail: The key could not be expanded.
  ok: The packet matched at least one entry.
preacct
When listed in the preacct section, the files module processes packets through the file given by acctusersfile. The request attributes are used to match the first line of an entry. If an entry matches, the reply attributes from the entry are added to the reply list.
- Return codes
  See authorize, above.
pre-proxy
When listed in the pre-proxy section, the files module processes packets through the file given by preproxy_usersfile. The request attributes are used to match the first line of an entry. If an entry matches, the reply attributes from the entry are added to the proxy list.
- Return codes
  See authorize, above.
post-auth
When listed in the post-auth section, the files module processes packets through the file given by postauth_usersfile. The request attributes are used to match the first line of an entry. If an entry matches, the reply attributes from the entry are added to the reply list.
- Return codes
  See authorize, above.
post-proxy
When listed in the post-proxy section, the files module processes packets through the file given by postproxy_usersfile. The proxy-reply attributes are used to match the first line of an entry. If an entry matches, the reply attributes from the entry are added to the reply list.
- Return codes
  See authorize, above.
Expansions
None.
Directives
- Syntax
  acctusersfile = filename
- Default
  ${confdir}/mods-config/files/accounting
- Description
  The file to process when receiving Access-Request packets.

- Syntax
  preproxy_usersfile = filename
- Default
  ${confdir}/preproxy_users
- Description
  The file to process before proxying packets.

- Syntax
  postproxy_usersfile = filename
- Default
  none
- Description
  The file to process after receiving a proxy reply.

- Syntax
  postauth_usersfile = filename
- Default
  none
- Description
  The file to process in the post-auth section.