auth — format of auth component configuration


General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the auth component configuration.

Repeatable sections/items are marked by the '*' before section/item name.


Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.

The following enumerations are used in auth configuration directives:

obligation (see common(5))

lock-type (see ipc(5))

auth-method (name-usage obligatory)

Authentication Method.

This type is used to specify authentication method used by proxy.


Free access, no authentication needed.


Access controlled by password file.


Access controlled by radius client/server.


Access controlled by ldap client/server.


Access controlled by external utility.


Access controlled by out-of band authentication.

oob-authentication-method (name-usage obligatory)

Out-of-band authentication method.


A user fills in an authentication form in a web browser.


A list of authenticated users is provided by an external source, e.g., a Samba server.


Modifications of the list of authenticated users is controlled by an external source.

user-match-mode (name-usage obligatory)

ACL matching modes of authenticated usernames.


Only username w/o domainname/realm is being matched in ACLs.


Full username with domainname/realm is being matched in ACLs.


Configuration of auth library component consists of following prototypes:

* oob-auth name { ... }
  auth ... ;
  user-match ... ;


oob-auth name {

  method ... ;
  max-sessions ... ;
  max-user ... ;
  max-groups ... ;
  truncate-groups ... ;
  file ... ;
  lock ... ;


Parameters of OOB authentication.

Items & subsections:

method [html-form];

method external [ldap [even-no-group]];

method ext-mod [ldap [even-no-group]];

OOB authentication method

<branching element> (type: oob-authentication-method, optional, default: html-form)

ldap (type: name of ldap-client-auth, see ldap(5), optional, default: NULL)

Ask an LDAP server for a list of groups each user belongs to.

even-no-group (type: key, optional)

Add the users even if the ldap search fails for the user.

max-sessions [val];

Maximum number of simultaneously active OOB authentication sessions.

val (type: uint16, optional, default: 1500)


MAX-SESSIONS must be nonzero.

max-user [val];

Maximum length of a user name

val (type: uint16, optional, default: 48)


MAX-USER must be nonzero.

max-groups [val];

Maximum space used by a list of groups for a single user. Each group name of length L takes L+1 characters from this space.

val (type: uint16, optional, default: 2048)


MAX-GROUPS must be nonzero.


If used, a too long list of groups is truncated. If unused, the user cannot authenticate if its list of groups does not fit to space allocated according to MAX-GROUPS.

file [path];

OOB session table file.

path (type: str, optional, default: "/tmp/oob-auth")

lock none;

lock semaphore;

lock lock2 [path];

lock [multilock2] [path];

An alternative implemetation of locks.

<branching element> (type: lock-type, optional, default: multilock2)

path (type: str, optional, default: <NULL>)

If set to directory, file in that directory is created with name PREFIX.PID.XXXXXX, where PREFIX is a string defined by the proxy, PID is the proxy parent process ID and X is a random suffix. If not set, directory /tmp is assumed. Automatic generation of lock file name is strongly recommended, because each lock must have a unique name.

[End of section oob-auth description.]

auth none;

auth passwd file;

auth radius client;

auth ldap ldap;

auth ext file;

auth oob oob [mode [loose]];

Authentication method and attributes specification.

For more details, see auth(7).

<branching element> (type: auth-method)

file (type: str)

Password/utility file name.

client (type: name of radius-client, see radius(5))

RADIUS client configuration name.

ldap (type: name of ldap-client-auth, see ldap(5))

LDAP client configuration parameters.

oob (type: name of oob-auth, see above)

OOB authentication parameters.

mode (type: obligation, optional, default: required)

loose (type: key, optional)

user-match [mode];

ACL matching mode of authenticated usernames.

mode (type: user-match-mode, optional, default: short)


configuration(7), common(5), ipc(5), ldap(5), radius(5), auth(7)