NAME

SYNOPSIS

DESCRIPTION

On startup, radmind changes directory to /var/radmind, creates command, file, special, tmp, tmp/file, tmp/transcript and transcript ( with permissions 0750 ) if they do not exist, and begins listening on the radmind port ( by default 6222 ) for incoming connections. With the -D option, radmind will use path as its working directory. Radmind forks a child for each connection. On receiving a SIGUSR1 signal, radmind will reread its TLS configuration.

The file config contains a list of known clients that can connect to radmind, one per line. Each line contains the CN, domain name or IP address of the client and the client's command file. The server checks each line of the config file, first checking to see if the connecting client's CN, domain name, and finally IP address match in that order. CNs and domain names are case insensitive. If the optional third field begins with a '#', it is ignored and treated as an in-line comment.

Lines that are blank or begin with '#' are ignored. There are several supported wildcard patterns similar to shell globbing. '*' will match any string. A number range can be given by "<min-max>" where min is the lower bound and max is the upper bound. '?' matches any single character. The square bracket character list, "[abcd]", will match any single character within the brackets. Comma-separated values contained in curly braces, "{riverrun,past,Eve}" will match the first whole string found. '\' can be used to escape any character.

A client is only given access to command files and transcripts listed in their base command file as determined by the config file.

/var/radmind/config can include other config files using the keyword "@include", which can be used in two ways. The first is a simple include of another file. If the path does not begin with a slash (/), the path is interpreted as being relative to /var/radmind. For example:

@include configs/ldap-servers.config

which would cause every connecting client to be checked against the contents of /var/radmind/configs/ldap-servers.config. The @include keyword can also take an optional third argument, a wildcard pattern limiting which clients will read the included config file. For example:

@include configs/kerberos-kdcs.config *.kerberos.example.edu

would cause only clients with FQDNs matching '*.kerberos.example.edu' to read the included file. The wildcard is checked, in order, against the client's certificate CN (if the client presents one), the client's fully-qualified domain name, and the client's IP address.

DIRECTORY STRUCTURE

command

Stores command files.

transcripts

Stores transcripts.

file

All files served from the radmind server are stored in the file directory. All files for a given transcript are stored in file/<transcript> where <transcript> is the name of the transcript. A file is stored in file/<transcript>/<path> where <path> is the file's path as listed in the transcript.

special

All special files are stored in special. The special files for a given host are stored in special/<key> where <key> is the client's CN, fully qualified domain name or IP address as matched in the config file. Individual special files are stored in special/<host>/<path> where <path> is the path of the special file as listed in the client's command file.

tmp/file

All files stored on the server using the STOR command are saved in tmp/file. Files for a given transcript are stored in tmp/transcript/<transcript> /<path> where <transcript> is the name of the transcript and <path> is the file's path as given in the STOR command.

tmp/transcript

All transcripts stored on the server using the STOR command are saved in tmp/transcript.

RADMIND ACCESS PROTOCOL

QUIT

terminate session

NOOP

do nothing

HELP

display helpful message

STAT

stat a transcript, command or special file. When statting a command file or transcript, the mode, UID and GID default to 0444, 0, and 0 respectively. If no command file is specified, the server returns information on the base command file as indicated in the config file.

Status of a special file is determined by a single transcript line listed in a file named special/<special-file-path>.T , where <special-file-path> is the full path to the special file. If that does not exist, a listing for the file in the transcript/special.T transcript in the transcript directory will be used. If neither of those exist, the defaults are returned.

RETR

retrieve a file, transcript command or special file. If no command file is specified, the server returns the base command file as indicated in the config file.

STOR

store a file or transcript. If user authentication is enabled, this command is only valid after the client sends a successful LOGI.

STAR

Start TLS. If the server is run with an authorization level of 2, this command must be given before a client can send a STAT, RETR, or STOR.

LOGI

Login user. This command is only valid after TLS has been started.

COMP

start compression

REPO

report a client status message. The daemon logs the message in the following format:

OPTIONS

-a bind-address

specifies the address on which the server should listen, e.g. 127.0.0.1. By default the server listens on all available interfaces (wildcard address).

-B

register daemon as a Bonjour service. Replaces deprecated -R option.

-b backlog

Defines the maximum queue of pending connections to listen(2), by default five.

-C crl-pem-file-or-dir

specifies either a single PEM-formatted file containing the CRL(s) or a directory that contains the CRL(s). Any CRLs in a directory must be in PEM format and the directory must have been processed with the openssl c_rehash utility.

-D path

specifies the radmind working directory, by default /var/radmind

-d

debug mode. Does not disassociate from controlling tty.

-F syslog-facility

specifies to which syslog facility to log messages.

-f

run in foreground

-L syslog-level

specifies at which syslog level to log messages.

-m max-connections

specifies the maximum number of simultaneous connections, by default 0. Value must be greater than or equal to 0 with 0 indicating no limit.

-p port

specifies the port of the radmind server, by default 6222.

-P ca-directory

specifies a directory that contains certificates to be used when verifying a client. Certificates must be in PEM format and the directory must have been processed with the openssl c_rehash utility.

-r

use random seed file $RANDFILE if that environment variable is set, $HOME/.rnd otherwise. See RAND_load_file(3o).

-u umask

specifies the umask the server uses to write files to the disk, defaulting to the user's umask.

-U

Turn on PAM user authentication. Requires auth-level > 0. radmind uses the PAM service name radmind.

-V

displays the version of radmind and exits.

-w auth-level

TLS authorization level, by default 0. 0 = no TLS, 1 = server verification, 2 = server and client verification, 3 = server and client verification with crl checking, 4 = server and client verification with full-chain crl checking.

-x ca-pem-file

Certificate authority's public certificate, by default /var/radmind/cert/ca.pem. The default is not used when -P is specified.

-y cert-pem-file

Server's public certificate, by default /var/radmind/cert/cert.pem.

-z private-key-file

Server's private key, by default /var/radmind/cert/cert.pem.

-Z max-compression-level

Offer compression to clients. If client requests compression, the server will compress all outbound data using using the lower value of max_compression_level or compression level set by client. max-compression-level can be between 0 and 9: 1 gives best speed, 9 gives best compression, 0 gives no compression at all (the input data is simply copied a block at a time).

EXAMPLES

#
# Client               command file	optional-comment
#
amber.umich.edu        apple.K		# mail server
josh.umich.edu         apple.K
ben.umich.edu          apple-test.K
oreo.umich.edu         solaris8.K
*.lab.umich.edu        lab.K
212.12.243.<1-50>      solaris8.K
mac<1-15>.umich.edu    apple.K

FILES

SEE ALSO

Also see the three Linux-PAM Guides, for System administrators, module developers, and application developers.