not logged in | [Login]

Table of Contents

FreeRADIUS DBM module (rlm_dbm)

rlm_dbm uses a Berkeley or GDBM database to store use information. It is a lot faster than the files and passwd modules, takes less memory than the fastusers module and does not require additional server software as the LDAP and SQL modules does. In addition it supports groups, and of course multiple entries per user or group.


Basically, it opens the file you specify in radiusd.conf and authenticates users out of it. The file has to be a Berkeley or GDBM <** file database, and may be created by rlm_dbm_parse or by a custom program of your choice.


Put the module declaration in your radiusd.conf. It should in general look like this:

dbm {
usersfile = ${confdir}/users.db
Note: some dbm libraries add .db suffix by itself. Then put "dbm" in the "authorize {}" section of your radiusd.conf:
authorize {


The only option is "usersfile", which is the path and filename of the database file you want rlm_dbm to look for users and groups in. This file needs to be generated, either by the rlm_dbm_parse program or by some custom program, for instance a Perl program using the DB_File or GDBM_File <** modules.



rlm_dbm_cat simply lists the definition(s) of the username(s) or group name(s), or the entire database.

rlm_dbm_cat: [-f] [-w] [-i] [-l] [-v] [username]
-f <filename> : The file name of the database to list.
-w : Long lines should be wrapped
-i <number> : Set the left margin then wrapped.
-l <number> : How long line should be to be wrapped (wrap threshold)
-v : Print the version number and exit.


rlm_dbm_parser reads a file of the syntax defined below, and writes a database file usable by rlm_dbm or edits current database.

rlm_dbm_parser [-c] [-d] [-i] [-o] [-x] [-v] [-q] [username]
-i <file> : Use <file> as the input file. If not defined then use standard input.
-o <file> : Use <file> as the output file.
-c : Create a new database (empty output file before writing)
-x : Enable debug mode. Multiple x flag increase debug level
-q : Do not print statistics (quiet).
-v : Print the version and exit.
-r : Remove a username or group name from the database.


rlm_dbm_parse reads a format similar to the one used by the files module. In incomplete RFC 2234 ABNF, it looks like this:

  entries     = *entry
  entry       = identifier TAB definition
  identifier  = username / group-name
  username    = +PCHAR
  groupname   = +PCHAR
  definition  = (check-item ",")* LF ( *( reply-item ",") / ";" ) LF
  check-item  = AS IN FILES
  reply-item  = AS IN FILES
  *need definition of username and groupname

As an example, these are the standard files definitions (files module):

 DEFAULT  Service-Type == Framed-User
    Framed-IP-Address =,
    Framed-MTU = 576,
    Fall-Through = Yes
  #except who call from number 555-666
  DEFAULT  Auth-Type := Reject, Service-Type == Framed-User, Calling-Station-ID ==
  #or call number 555-667
  DEFAULT  Auth-Type := Reject, Service-Type == Framed-User, Calling-Station-ID ==

To be a valid rlm_dbm input file, it should look like:

  DEFAULT   Service-Type == Framed-User                     # (1)
            Framed-IP-Address =,            # comma, list cont'd
            Framed-MTU = 576,
            Service-Type = Framed-User,
            Fall-Through =  Yes                             # \n, end of list
            Auth-Type := Reject,Service-Type ==Framed-User, # (2)
            Calling-Station-ID == "555-666"
            ;                                               # ;, no reply items
            Auth-Type := Reject,Service-Type ==Framed-User, # (3)
            Calling-Station-ID == "555-667"
            ;                                               # ditto

This user (the DEFAULT user) contains three entries, 1, 2 and 3. The first entry has a list of reply items, terminated by a reply item without a trailing comma. Entries 2 and 3 has empty reply lists, as indicated by the semicolon. This is necessary to separate an empty line (which is ignored) from the empty list. Definition Fall-Through = Yes used in order to say module to check next record. By default Fall-Through = Yes.


This is implemented with the special User-Category attribute. Simply set this as a reply item, and rlm_dbm will include the groups definition when evaluating the check and reply items of the user. The group defined the same way as users. Here is a short example:

 # group definitions
     Service-Type = Framed-User,
     Cisco-AVPair += "ip:addr-pool=SANDY",
     Framed-Protocol = PPP
 locked      Auth-Type := Reject
     Reply-Message = "Your account has been disabled."
 # user definitions
 ssalex  Cleartext-Password := "passs"
   User-Category = "GenDialup"
 ssmike  Cleartext-Password := "pass1"
    User-Category = "Locked"