GNU Mailutils
	General-Purpose Mail Package	Official GNU Software

• Main
• Downloads
• Documentation
• Wiki

3.2.17 The radius Statement

Syntax

radius {
  # Set radius configuration directory.
  directory dir;
  # Radius request for authorization.
  auth request;
  # Radius request for getpwnam.
  getpwnam request;
  # Radius request for getpwuid.
  getpwuid request;
}

Description

The radius block statement configures RADIUS authentication and authorization.

Mailutils uses GNU Radius library, which is configured via raddb/client.conf file (see Client Configuration in GNU Radius Reference Manual). Its exact location depends on configuration settings that were used while compiling GNU Radius. Usually it is /usr/local/etc, or /etc. This default can also be changed at run time using directory statement:

Configuration: directory dir

Set full path name to the GNU Radius configuration directory.

It authorization is used, the Radius dictionary file must declare the the following attributes:

A dictionary file with appropriate definitions is included in the Mailutils distribution: examples/config/mailutils.dict. This file is not installed by default, you will have to manually copy it to the GNU Radius raddb/dict directory and include it in the main dictionary file raddb/dictionary by adding the following statement:

$INCLUDE dict/mailutils.dict

Requests to use for authentication and authorization are configured using three statements: auth, getpwnam and getpwuid. Each statement takes a single argument: a string, containing a comma-separated list of assignments. An assignment specifies a particular attribute-value pair (see RADIUS Attributes in GNU Radius Reference Manual) to send to the server. The left-hand side of the assignment is a symbolic attribute name, as defined in one of Radius dictionaries (see Dictionary of Attributes in GNU Radius Reference Manual). The value is specified by the right-hand side of assignment. For example:

"Service-Type = Authenticate-Only, NAS-Identifier = \"mail\""

The assignment may contain references to the following variables (see Variables):

user

The actual user name (for auth and getpwnam), or user ID (for getpwuid). For example:

User-Name = ${user}

passwd

User password. For examples:

User-Password = ${passwd}

Configuration: auth pairlist

Specifies the request to be sent to authenticate the user. For example:

auth "User-Name = ${user}, User-Password = ${passwd}";

The user is authenticated only if this request returns Access-Accept (see Access-Accept in GNU Radius Reference Manual). Any returned attribute-value pairs are ignored.

Configuration: getpwnam pairlist

Specifies the request that returns user information for the given user name. For example:

getpwnam "User-Name = ${user}, State = getpwnam, "
         "Service-Type = Authenticate-Only";

If the requested user account exists, the Radius server must return Access-Accept packet with the following attributes: GNU-MU-User-Name, GNU-MU-UID, GNU-MU-GID, GNU-MU-GECOS, GNU-MU-Dir, GNU-MU-Shell.

The attributes GNU-MU-Mailbox and GNU-MU-Quota are optional.

If GNU-MU-Mailbox is present, it must contain a valid mailbox URL (see URL). If GNU-MU-Mailbox is not present, Mailutils constructs the mailbox name using the settings from the mailbox configuration statement (see Mailbox Statement), or built-in defaults, if it is not present.

If GNU-MU-Quota is present, it specifies the maximum mailbox size for this user, in bytes. In the absence of this attribute, mailbox size is unlimited.

Configuration: getpwuid pairlist

Specifies the request that returns user information for the given user ID. In pairlist, the ‘user’ macro-variable is expanded to the numeric value of ID. For example:

getpwuid "User-Name = ${user}, State = getpwuid, "
         "Service-Type = Authenticate-Only";

The reply to getpwuid request is the same as to getpwnam request (see above).