Hi all,<br><br>I'm trying to set up tac_plus in CentOS 5.3. tac_plus has been compiled with pam and tcp_wrapper. I configured my switch as below:<br><br>aaa new-model<br>aaa authentication login default group tacacs+ local-case<br>
aaa authentication enable default group tacacs+ enable<br>aaa authorization exec default tacacs+<br>aaa accounting exec default start-stop tacacs+<br>aaa accounting network start-stop tacacs+<br>tacacs+ host 10.0.0.11<br>
tacacs+ key mykey<br><br>I configured /etc/tac_plus.conf to use local setting firstly. It worked. Then I tried to use pam with ldap to authenticate against the microsoft active directory. I snifferred the traffic and saw there was an error when my tacacs server was doing query against Active Directory. The error is <span style="visibility: visible;" id="main"><span style="visibility: visible;" id="search"><em>problem 2001</em> (<em>NO_OBJECT</em>)</span></span>.<br>
<br>Do you guys have similar problem when you set up this kind of authentication? I listed the main configuration files below:<br>**************************************************************<br>/etc/pam.d/tac_plus<br><pre>
#%PAM-1.0<br>auth include system-auth<br>account required pam_nologin.so<br>account include system-auth<br>password include system-auth<br>session optional pam_keyinit.so force revoke<br>
session include system-auth<br>session required pam_loginuid.so<br><br>*********************************************<br>/etc/pam.d/system-auth<br><br>#%PAM-1.0<br># This file is auto-generated.<br># User changes will be destroyed the next time authconfig is run.<br>
auth required pam_env.so<br>auth sufficient pam_unix.so nullok try_first_pass<br>auth requisite pam_succeed_if.so uid >= 500 quiet<br>auth sufficient pam_ldap.so use_first_pass<br>
auth required pam_deny.so<br><br>account required pam_unix.so broken_shadow<br>account sufficient pam_localuser.so<br>account sufficient pam_succeed_if.so uid < 500 quiet<br>account [default=bad success=ok user_unknown=ignore] pam_ldap.so<br>
account required pam_permit.so<br><br>password requisite pam_cracklib.so try_first_pass retry=3<br>password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok<br>password sufficient pam_ldap.so use_authtok<br>
password required pam_deny.so<br><br>session optional pam_keyinit.so revoke<br>session required pam_limits.so<br>session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid<br>
session required pam_unix.so<br>session required pam_mkhomedir.so skel=/etc/skel/ umask=0077<br>session optional pam_ldap.so<br><br>*******************************************************8<br>/etc/ldap.conf<br>
</pre><br><pre>host 10.0.0.100<br>base ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com<br>binddn cn=network services,ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com<br>#bindpw ohsosecret # no secret set<br>scope sub<br>
ssl no<br><br><br>nss_schema rfc2307bis<br>nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub<br>nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub<br>
nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub<br><br>referrals no # otherwise it goes freakishly slow<br></pre>I linked /etc/openldap/ldap.conf to /etc/ldap.conf. I didn't enable ssl for ldap.<br>
<br>I think the problem could be in the configuration of ldap.conf or it doesn't match the configuration in Active Directory. In my AD, I have "security groups" OU and in this OU I have "network services" group.<br>
Maybe the issue also stays in nss mapping? I searched some articles. It seems like nss mapping must be correct to authenticate through Linux box against Active Directory.<br><br>Another question about active directory is: Do I need create a separate OU to hold the user accounts who will have rights to login Cisco devices? I saw someone said the user account in tacacs server must not be in other groups. If the separate OU is needed and the user must be only in this new OU, it will lose the flexibility to use the current Active Directory which is already configured.<br>
<br>Please give me some help on this. Very appreciated.<br><br>Thanks.<br><br>Lou <br>