raddbm Command
Purpose
Modifies entries in the local database of RADIUS user-authentication information.
Syntax
raddbm [ -a Command ] [ -d Database_filename ] [ -e EAP_type ] [ -i Config_filename ] [ -l Load_filename] [ -n ] [ -p ] [ -t pwd_expire_wks ] [ -u User_ID ] [ -w ]
Description
The raddbm command is used to create and modify a local database of user-authentication information. The RADIUS server can be configured to use this database as the source of information it uses to authenticate users.
The local database is stored in a file. Data in the file is in a binary tree format to make searches faster. The database file name is specified in the RADIUS /etc/radius/radiusd.conf configuration file and has the default value of dbdata.bin. You can modify the file name by editing radiusd.conf through SMIT.
Each entry in the database has the following fields:

Item | Description |
---|---|
USERID | Specifies the user's ID. |
PASSWORD | Specifies the user's password. |
PASSWORD_EXPIRATION | Specifies the password expiration time in number of weeks. |
EAP_TYPE | Specifies the EAP type allowed for authentication. |
Passwords in the database file are not stored in clear text in order to prevent simple password compromise, but the algorithm used to hide the passwords is not considered to be cryptographically secure. The file, dbdata.bin, is protected by root: security as the owner and group.
- Add a user to the database. To add a user, the command form is:
raddbm -a ADD -u User_ID -e EAP_type -t pwd_expire_wks
The user's password is prompted from standard input. The -e and -t flags are optional. If no value for the -e flag is entered, the default value of none is used for EAP_TYPE, meaning EAP packets are ignored for this user. If no value for the -t flag is entered, the default value of 0 is used for PASSWORD_EXPIRATION, meaning that password expiration is never checked. The -p flag is optional, because the raddbm command always prompts for a new password when adding a new user.
- Change a user in the database. To change the user's information in the local database, type the following:
raddbm -a CHANGE -u User_ID -p -e EAP_type -t pwd_expire_wks
The -e, -p, and -t flags are optional, but at least one must be specified. If the -p flag is used, the raddbm command prompts for the new password.
- Delete a user from the database. To delete a user's entry from the database, type the following:
raddbm -a DELETE -u User_ID
- List users in the database. To list one or all of the entries in the database, type one of the following:
raddbm -a LIST
raddbm -a LIST -u User_ID
raddbm -a LIST -u User_ID -w
The -w and -u flags are optional. If the -w flag is specified, all fields in the user's entry are displayed (except the password, which for security reasons is never displayed).
If the -u flag is specified, the user's information is displayed in colon-separated format. If the -u flag is not specified, all entries in the database are displayed in column format.
- Create a new database. The RADIUS server ships an empty database in /etc/radius/dbdata.bin. If a user wants to create a new database, at least one user must be added at the time of creation. The form of the command is the following:
raddbm -a ADD -u User_ID -e EAP_type -t pwd_expire_wks -n
The user's password is prompted from standard input. The -e and -t flags are optional. They default to EAP_TYPE=none and no password expiration checking.
- Load a list of users into the database. A list of users can be loaded directly into the database using the -l flag. Create a file containing one record per user, of the form:
"userid" "password"
The double quotes must be present. The file can then be used with the -l flag in the following way:
raddbm -l filename
Placing user passwords in plain text in a file is strongly discouraged. This option is provided mainly for testing purposes; if it is used, restrict the file to root and remove it as soon as the load completes.
Flags
Item | Description |
---|---|
? | Displays the help screen. |
-a Command | Specifies the action to perform. Values are ADD, LIST, DELETE, or CHANGE. |
-d Database_filename | Specifies the database file name. Used to override the default database file specified in the radiusd.conf RADIUS configuration file. |
-e EAP_type | Specifies the EAP type the user is allowed to use for authentication. Currently, only EAP-TLS, MD5-challenge, or none is supported. The default is none. |
-i Config_filename | Specifies the RADIUS configuration file name. Used to override the default /etc/radius/radiusd.conf configuration file. |
-l Load_filename | Specifies the file name of the user name and password file to load. |
-n | Creates a new database file. Valid only with the ADD command option. If this option is used, all previous information in the database is lost. |
-p | Indicates that the user's password is to be changed. For security reasons, the password is prompted from standard input instead of read from the command line. |
-t pwd_expire_wks | Specifies the number of weeks the user's password is valid. This flag is valid with the ADD and CHANGE commands. The default is 0, indicating no password expiration. Valid values are from 0 to 52. |
-u User_ID | Specifies the user's ID. A valid user ID must be less than 253 characters in length, and can contain letters, numbers, and some special characters. It cannot contain blanks. Duplicate user IDs are not allowed. |
-w | Generates a long listing of user information. |
Exit Status
This command has the following exit values:
Item | Description |
---|---|
0 | The command completed successfully. |
>0 | An error occurred. |
Security
Only the root user or a member of the security group can execute this command.
Examples
- To create a new local RADIUS database, you must add at least one user. To create the database, type the following:
raddbm -a ADD -u user01 -n
Note: The -n option overwrites the existing database, destroying the previous contents. The database file created is given the default name specified in the /etc/radius/radiusd.conf RADIUS configuration file.
- To add a user to the database, type the following:
raddbm -a ADD -u user01
The default values of EAP_TYPE = "none" and PASSWORD_EXPIRATION = "0" are used.
- To delete a user from the database, type the following:
raddbm -a DELETE -u user01
- To change a user's password, type the following:
raddbm -a CHANGE -u user01 -p
The command prompts for the new password.
- To display a long listing of all entries in the default database, type the following:
raddbm -a LIST -w
Passwords are not displayed.
- To display a particular user's database entry, type the following:
raddbm -a LIST -u user01 -w
- To add a list of users from a file, first create the file of users and passwords that has one entry per line and has the form:
"userid" "password"
Then type the following:
raddbm -l Load_filename
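Because raddbm -l reads plaintext passwords from the load file described in the Description section and in the example above, it is worth checking the file before handing it to the command. The following validator is an added example, not part of the raddbm documentation or the radius.base fileset. It enforces only the rules this page states (quoted "userid" "password" records, user IDs shorter than 253 characters with no blanks, no duplicate user IDs); the assumptions that neither field contains an embedded double quote, that blank lines are not tolerated, and that the file should be mode 0600 are ours, and the sample records are constructed.

```python
"""Pre-flight check for a raddbm -l load file (added example, not part of raddbm)."""
import os
import re
import sys

# Rules taken from the raddbm reference: every record is `"userid" "password"`
# with the double quotes present, a user ID is shorter than 253 characters,
# contains no blanks, and appears only once. Our own assumption (not stated by
# the page): neither field contains an embedded double quote, so any such line
# is rejected as ambiguous rather than guessed at.
MAX_USERID_LEN = 252
RECORD_RE = re.compile(r'^"([^"]*)" "([^"]*)"$')


def parse_load_line(line):
    """Return (userid, password) for a well-formed record; raise ValueError otherwise."""
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError('expected "userid" "password" with both fields double-quoted')
    userid, password = m.groups()
    if not userid:
        raise ValueError("empty user ID")
    if len(userid) > MAX_USERID_LEN:
        raise ValueError("user ID must be less than 253 characters")
    if any(ch.isspace() for ch in userid):
        raise ValueError("user ID cannot contain blanks")
    if not password:
        raise ValueError("empty password")
    return userid, password


def validate_load_file(text):
    """Check every line of a load file's contents.

    Returns (entries, errors): entries is the list of (userid, password) tuples
    that passed, in file order; errors is a list of "line N: reason" strings.
    Blank lines are reported as errors because the page does not say raddbm
    tolerates them (assumption: keep the file to records only).
    """
    entries, errors, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            userid, password = parse_load_line(raw)
        except ValueError as exc:
            errors.append("line %d: %s" % (n, exc))
            continue
        if userid in seen:
            errors.append("line %d: duplicate user ID %r" % (n, userid))
            continue
        seen.add(userid)
        entries.append((userid, password))
    return entries, errors


# Constructed sample input exercising each rule (not real account data).
SAMPLE_LOAD_FILE = (
    '"user01" "s3cret-Pa55"\n'
    '"user02" "another pass with spaces"\n'
    'user03 "noquotes"\n'
    '"user 04" "blank in id"\n'
    '"user01" "duplicate"\n'
    '"" "emptyid"\n'
)


def check_file_mode(path):
    """Return True if the load file is readable only by its owner.

    The page only says plaintext passwords in a file are strongly discouraged;
    requiring mode 0600 before loading is our own precaution.
    """
    return (os.stat(path).st_mode & 0o077) == 0


if __name__ == "__main__":
    if len(sys.argv) == 2:
        path = sys.argv[1]
        with open(path) as fh:
            text = fh.read()
        if not check_file_mode(path):
            print("warning: %s is readable by group or others" % path)
    else:
        text = SAMPLE_LOAD_FILE
    ok, problems = validate_load_file(text)
    for p in problems:
        print(p)
    print("%d valid record(s), %d problem(s)" % (len(ok), len(problems)))
    sys.exit(1 if problems else 0)
```

Run it with the load file as its only argument before calling raddbm -l; a non-zero exit means at least one record would be rejected or is ambiguous, and the per-line messages say why. With no argument it checks the embedded constructed sample, in which only the first two records are valid.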
Restrictions
The RADIUS daemon must be stopped before the raddbm command is run. Use the radiusctl stop command to stop the daemon. After you have modified the database, restart the daemon with the radiusctl start command.
Implementation Specifics
This command is part of the radius.base fileset.
Location
/usr/radius/bin/raddbm
Standard Input
For security reasons, when a user is added to the database, the user's password is read from standard input instead of from the command line.
Standard Error
If the call to the raddbm command fails, an informational message is written to standard error.
Files
Item | Description |
---|---|
/usr/radius/bin/raddbm | Location of the raddbm command. |
/etc/radius/dbdata.bin | The default database file as specified in the radiusd.conf file. |
/etc/radius/radiusd.conf | Specifies the RADIUS configuration values, including the default database file name. |