Hi Jeroen,<br><br>I did ldapsearch before and it seemed to bind successfully as my test user, and I can see all of the users' information returned. It should work anyway.<br><br>All,<br><br>Believe it or not, it works now. I just modified my /etc/pam.d/tac_plus file to the simplest one after reading the pam manual. I think I only need pam_ldap for my tac_plus:<br>
<br>auth required pam_ldap.so<br>account required pam_ldap.so<br>password required pam_ldap.so<br>session required pam_ldap.so<br><br><div class="gmail_quote">On Tue, Nov 24, 2009 at 2:05 PM, Jeroen Nijhof <span dir="ltr"><<a href="mailto:jeroen@nijhofnet.nl">jeroen@nijhofnet.nl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Lou,<br>
<br>
That's not right indeed. You should get something like:<br>
jeroen@tux:~$ getent passwd jeroen<br>
jeroen:x:1000:1000:Jeroen Nijhof,,,:/home/jeroen:/bin/bash<br>
<br>
You should first try with ldapsearch and the binddn you use if you can<br>
find any users...<br>
If the users exist directly below the ou=User<br>
Accounts,dc=hq,dc=corp,dc=mycompany,dc=org tree use ?one and not ?sub.<br>
Are you sure that the group objects exist in the same tree as the<br>
users? Normally you have something like ou=Group,dc=hq,...etc.<br>
<br>
Hmm and it seems like you are missing the uid and gid mappings:<br>
<br>
nss_map_attribute uidNumber .....<br>
nss_map_attribute gidNumber .....<br>
<br>
Regards,<br>
<font color="#888888">Jeroen Nijhof<br>
</font><div><div></div><div class="h5"><br>
On Tue, 2009-11-24 at 11:38 -0600, Hailu Meng wrote:<br>
> Hi Jeroen,<br>
><br>
> I issued the command "getent passwd myusername". It just came back<br>
> with<br>
> request done: ld 0x8e124f8 msgid 1<br>
> request done: ld 0x8e124f8 msgid 2<br>
><br>
> I think this is not right. I did see this kind of message in tacacs<br>
> log when I tried to log in my router. So I guess something is still<br>
> wrong with my /etc/ldap.conf<br>
> here is my current configuration for ldap.conf, the other<br>
> file /etc/openldap/ldap.conf will point to this file too. I think I<br>
> have all the needed configuration here. Even though I put the debug and log<br>
> configuration here, I still can't get my log show up in the specified<br>
> directory. Weird. Please help me check this setting. Is there anything<br>
> wrong with nss mapping? I think that part could be something wrong.<br>
> Thanks a lot.<br>
><br>
> ***********************************************************<br>
> host myadserverIP<br>
> base ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org<br>
> ldap_version 3<br>
> scope sub<br>
> binddn CN=testuser,OU=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org<br>
> bindpw passwdfortest<br>
> rootbinddn dc=hq,dc=corp,dc=mycompany,dc=org<br>
> # The port.<br>
> # Optional: default is 389. SSL LDAP Port 636<br>
> port 389<br>
> # RFC2307bis naming contexts<br>
> nss_base_passwd ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub<br>
> nss_base_shadow ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub<br>
> nss_base_group ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub<br>
> # RFC 2307 (AD) mappings<br>
> nss_map_objectclass posixAccount User<br>
> nss_map_objectclass shadowAccount User<br>
> nss_map_attribute uid sAMAccountName<br>
> nss_map_attribute homeDirectory unixHomeDirectory<br>
> nss_map_attribute gecos cn<br>
> nss_map_attribute shadowLastChange pwdLastSet<br>
> nss_map_objectclass posixGroup group<br>
> nss_map_attribute uniqueMember member<br>
><br>
><br>
> # Disable SASL security layers. This is needed for AD.<br>
> sasl_secprops maxssf=0<br>
><br>
> # PAM_LDAP options<br>
> pam_login_attribute sAMAccountName<br>
> pam_filter objectclass=User<br>
> pam_password ad<br>
> logdir /var/log/ldap<br>
> debug 1024<br>
> ssl no<br>
> timelimit 30<br>
> bind_timelimit 30<br>
><br>
><br>
> On Tue, Nov 24, 2009 at 9:19 AM, Jeroen Nijhof <<a href="mailto:jeroen@nijhofnet.nl">jeroen@nijhofnet.nl</a>><br>
> wrote:<br>
><br>
> Hi Lou,<br>
><br>
> Check with 'getent passwd <username>' if you get the right<br>
> user with<br>
> the right information from your AD via ldap.<br>
> If not then you should probably check your /etc/ldap.conf for<br>
> the right<br>
> search scope and attribute mappings.<br>
> Nss_ldap and pam_ldap use the /etc/ldap.conf file so if it<br>
> works with a<br>
> nss lookup via getent it should work for pam_ldap as well.<br>
> You can define a debug level as well in the /etc/ldap.conf<br>
> file for<br>
> logging.<br>
> It's logging to /var/log/auth.log for me.<br>
><br>
><br>
> Regards,<br>
> Jeroen<br>
><br>
> On 24/11/2009 "Hailu Meng" <<a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>> wrote:<br>
><br>
><br>
> >Hi Jeroen,<br>
> ><br>
> >I see the packets sent back from AD for the search request<br>
> have 4 attributes<br>
> >included:<br>
> >objectclass<br>
> >cn<br>
> >description<br>
> >sAMAccountName<br>
> ><br>
> >And these attributes values are correct. sAMAccountName is my<br>
> login user id.<br>
> >cn is my Full Name, objectclass is 4 items (top, person,<br>
> >organizationalperson , user)<br>
> ><br>
> >I'm not sure whether it is enough for PAM to go to the next step. But<br>
> it did give us<br>
> >the error message "Unknown User". I observed that when I input<br>
> the password in<br>
> >my router and hit ENTER, my wireshark captured two search<br>
> requests from<br>
> >TACACS and two responses from AD. Same contents as the<br>
> previous one when I<br>
> >input my user name in the router. I'm not sure whether it is<br>
> possible that TACACS<br>
> >didn't find the information it wants from AD although AD<br>
> respond something<br>
> >(4 attributes values)<br>
> ><br>
> >By the way, I can't find any log information about PAM. I<br>
> think it should be<br>
> >in /var/log/secure. But nothing in this file. Do you know how<br>
> to find these<br>
> >log or turn it on?<br>
> ><br>
> >Thanks for the help.<br>
> ><br>
> >Lou<br>
> ><br>
> >On Tue, Nov 24, 2009 at 4:11 AM, Jeroen Nijhof<br>
> <<a href="mailto:jeroen@nijhofnet.nl">jeroen@nijhofnet.nl</a>> wrote:<br>
> ><br>
> >><br>
> >> Hi Lou,<br>
> >><br>
> >> Yes, most server applications check if a user exists by<br>
> looking up the<br>
> >> uid via nss before doing any authentication (e.g. sshd).<br>
> >><br>
> >> Regards,<br>
> >> Jeroen<br>
> >><br>
> >> On 23/11/2009 "Hailu Meng" <<a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>> wrote:<br>
> >><br>
> >> >Hi Jeroen,<br>
> >> ><br>
> >> >Thanks for helping. I modified the nsswitch.conf as<br>
> below:<br>
> >> >passwd: files ldap<br>
> >> >shadow: files ldap<br>
> >> >group: files ldap<br>
> >> ><br>
> >> >And leave the other settings as default.<br>
> >> ><br>
> >> >the user attributes you are talking about are the<br>
> attributes retrieved<br>
> >> from<br>
> >> >AD? I do see the packets from the AD server telling my tacacs+<br>
> server the user<br>
> >> >attributes including homedir.<br>
> >> ><br>
> >> >Thanks.<br>
> >> ><br>
> >> >Lou<br>
> >> ><br>
> >> ><br>
> >> >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof<br>
> <<a href="mailto:jeroen@nijhofnet.nl">jeroen@nijhofnet.nl</a>><br>
> >> wrote:<br>
> >> ><br>
> >> >> Hi,<br>
> >> >><br>
> >> >> Did you setup the nsswitch.conf as well on your tac_plus<br>
> server?<br>
> >> >> Your tac_plus server needs to lookup the user attributes<br>
> like homedir<br>
> >> >> etc, otherwise pam will fail.<br>
> >> >><br>
> >> >> Regards,<br>
> >> >> Jeroen Nijhof<br>
> >> >><br>
> >> >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:<br>
> >> >> > Ok. With -d 32, I got some more info about pam as the red<br>
> colored log.<br>
> >> >> ><br>
> >> >> > There is "Unknown user" log info following the input<br>
> of my user<br>
> >> password.<br>
> >> >> > I feel confused: since ldap is able to get user info from<br>
> Active<br>
> >> Directory,<br>
> >> >> why<br>
> >> >> > does it turn out "Unknown user" here?<br>
> >> >> ><br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT<br>
> size=23<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0),<br>
> type 1, seq no 3,<br>
> >> >> flags<br>
> >> >> > 0x1<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252<br>
> (0xbe977644),<br>
> >> Data<br>
> >> >> > length 11 (0xb)<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: End header<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6),<br>
> user_data_len 0<br>
> >> >> (0x0)<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: myusername<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: User data:<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose<br>
> default_fn<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: Calling<br>
> authentication function<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1<br>
> pam_messages<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89<br>
> tty0:<br>
> >> >> PAM_PROMPT_ECHO_OFF<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: Writing<br>
> AUTHEN/GETPASS size=28<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0),<br>
> type 1, seq no 4,<br>
> >> >> flags<br>
> >> >> > 0x1<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252<br>
> (0xbe977644),<br>
> >> Data<br>
> >> >> > length 16 (0x10)<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: End header<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5<br>
> (AUTHEN/GETPASS)<br>
> >> >> > flags=0x1<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10,<br>
> data_len=0<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: msg:<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: Password:<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: data:<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet<br>
> >> >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT<br>
> size=30<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0),<br>
> type 1, seq no 5,<br>
> >> >> flags<br>
> >> >> > 0x1<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252<br>
> (0xbe977644),<br>
> >> Data<br>
> >> >> > length 18 (0x12)<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: End header<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13<br>
> (0xd), user_data_len<br>
> >> 0<br>
> >> >> > (0x0)<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: User data:<br>
> >> >> > Mon Nov 23 15:21:21 2009 [3806]: End packet<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: login query for<br>
> 'myusername' tty0<br>
> >> from<br>
> >> >> > 10.1.69.89 rejected<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: login failure:<br>
> myusername 10.1.69.89<br>
> >> >> > (10.1.69.89) tty0<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL<br>
> size=18<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0),<br>
> type 1, seq no 6,<br>
> >> >> flags<br>
> >> >> > 0x1<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252<br>
> (0xbe977644),<br>
> >> Data<br>
> >> >> > length 6 (0x6)<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: End header<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2<br>
> (AUTHEN/FAIL)<br>
> >> >> > flags=0x0<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: msg:<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: data:<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: End packet<br>
> >> >> > Mon Nov 23 15:21:22 2009 [3806]: <a href="http://10.1.69.89" target="_blank">10.1.69.89</a>:<br>
> disconnect<br>
> >> >> ><br>
> >> >> ><br>
> >> >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley<br>
> <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>><br>
> >> >> wrote:<br>
> >> >> ><br>
> >> >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:<br>
> >> >> > > > I just saw some posts saying pam_krb winbind could<br>
> be needed to<br>
> >> get<br>
> >> >> pam<br>
> >> >> > > work<br>
> >> >> > > > against active directory. Is this true? The post I<br>
> was following<br>
> >> >> actually<br>
> >> >> > > is<br>
> >> >> > > > for a LDAP server not Active Directory.<br>
> >> >> > ><br>
> >> >> > > i don't know; each pam implementation seems to be [at<br>
> least] slightly<br>
> >> >> > > different. seems silly to need kerberos for ldap.<br>
> >> >> > ><br>
> >> >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng<br>
> <<a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>><br>
> >> >> wrote:<br>
> >> >> > > ><br>
> >> >> > > > > I think I need put my pam configuration here:<br>
> >> >> > > > ><br>
> >> >> > > > > I followed this post<br>
> >> >> > > > ><br>
> >> >><br>
> <a href="http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html</a> to<br>
> >> >> > > > > configure my pam module:<br>
> >> >> > > > ><br>
> >> >> > > > > /etc/pam.d/tacacs<br>
> >> >> > > > ><br>
> >> >> > > > > auth include system-auth<br>
> >> >> > > > > account required pam_nologin.so<br>
> >> >> > > > > account include system-auth<br>
> >> >> > > > > password include system-auth<br>
> >> >> > > > > session optional pam_keyinit.so force<br>
> revoke<br>
> >> >> > > > > session include system-auth<br>
> >> >> > > > > session required pam_loginuid.so<br>
> >> >> > > > ><br>
> >> >> > > > > /etc/pam.d/system-auth<br>
> >> >> > > > > #%PAM-1.0<br>
> >> >> > > > > # This file is auto-generated.<br>
> >> >> > > > > # User changes will be destroyed the next time<br>
> authconfig is<br>
> >> run.<br>
> >> >> > > > > auth required pam_env.so<br>
> >> >> > > > > auth sufficient pam_unix.so nullok<br>
> try_first_pass<br>
> >> >> > > > > auth requisite pam_succeed_if.so uid<br>
> >= 500 quiet<br>
> >> >> > > > > auth sufficient pam_ldap.so<br>
> use_first_pass<br>
> >> >> > > > > auth required pam_deny.so<br>
> >> >> > > > ><br>
> >> >> > > > > account required pam_unix.so<br>
> broken_shadow<br>
> >> >> > > > > account sufficient pam_succeed_if.so uid<br>
> < 500 quiet<br>
> >> >> > > > ><br>
> >> >> > > > > account [default=bad success=ok<br>
> user_unknown=ignore]<br>
> >> >> pam_ldap.so<br>
> >> >> > > > > account required pam_permit.so<br>
> >> >> > > > ><br>
> >> >> > > > > password requisite pam_cracklib.so<br>
> try_first_pass retry=3<br>
> >> >> > > > > password sufficient pam_unix.so md5 shadow<br>
> nullok<br>
> >> >> try_first_pass<br>
> >> >> > > > > use_authtok<br>
> >> >> > > > > password sufficient pam_ldap.so<br>
> use_authtok<br>
> >> >> > > > > password required pam_deny.so<br>
> >> >> > > > ><br>
> >> >> > > > > session optional pam_keyinit.so revoke<br>
> >> >> > > > > session required pam_limits.so<br>
> >> >> > > > > session [success=1 default=ignore]<br>
> pam_succeed_if.so service<br>
> >> in<br>
> >> >> > > crond<br>
> >> >> > > > > quiet use_uid<br>
> >> >> > > > > session required pam_unix.so<br>
> >> >> > > > > session optional pam_ldap.so<br>
> >> >> > > > ><br>
> >> >> > > > ><br>
> >> >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <<br>
> >> <a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>><br>
> >> >> > > wrote:<br>
> >> >> > > > ><br>
> >> >> > > > >> Hi John,<br>
> >> >> > > > >><br>
> >> >> > > > >> You mean issue commands like tac_plus<br>
> -C /etc/tac_plus.conf -L<br>
> >> -p<br>
> >> >> 49<br>
> >> >> > > -d<br>
> >> >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It<br>
> didn't make any<br>
> >> >> change. I<br>
> >> >> > > got<br>
> >> >> > > > >> the same log info. By the way, I also saw the log<br>
> info in<br>
> >> >> > > /var/log/message:<br>
> >> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading<br>
> config<br>
> >> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version<br>
> F4.0.4.19<br>
> >> Initialized<br>
> >> >> 1<br>
> >> >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect<br>
> from 10.1.69.89<br>
> >> >> > > [10.1.69.89]<br>
> >> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query<br>
> for 'myuser'<br>
> >> tty0<br>
> >> >> from<br>
> >> >> > > > >> 10.1.69.89 rejected<br>
> >> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login<br>
> failure: myuser<br>
> >> >> 10.1.69.89<br>
> >> >> > > > >> (10.1.69.89) tty0<br>
> >> >> > > > >><br>
> >> >> > > > >> Do we have an option to see the log about PAM? I<br>
> haven't found<br>
> >> where<br>
> >> >> it<br>
> >> >> > > is.<br>
> >> >> > > > >> if we can check the log of PAM, then we could<br>
> find something<br>
> >> >> useful.<br>
> >> >> > > Right<br>
> >> >> > > > >> now the log of tac_plus didn't tell too much<br>
> about why login<br>
> >> got<br>
> >> >> > > failure.<br>
> >> >> > ><br>
> >> >> > > add -d 32. -d x -d y ... will be logically OR'd<br>
> together.<br>
> >> >> > ><br>
> >> >> > > > >> Lou<br>
> >> >> > > > >><br>
> >> >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <<br>
> >> <a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a><br>
> >> >> ><br>
> >> >> > > wrote:<br>
> >> >> > > > >><br>
> >> >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu<br>
> Meng:<br>
> >> >> > > > >>> > Thanks John for helping me check this issue.<br>
> >> >> > > > >>> ><br>
> >> >> > > > >>> > I just run tac_plus<br>
> -C /path/to/tac_plus.conf -L -p 49 -d256<br>
> >> -g<br>
> >> >> to<br>
> >> >> > > see<br>
> >> >> > > > >>> the<br>
> >> >> > > > >>><br>
> >> >> > > > >>> try -d 16 -d 256. which i think will log the<br>
> pwd that pam<br>
> >> >> received<br>
> >> >> > > from<br>
> >> >> > > > >>> the device. make sure it's correct. the logs below<br>
> do appear to be<br>
> >> a<br>
> >> >> > > > >>> reject/fail<br>
> >> >> > > > >>> returned from pam.<br>
> >> >> > > > >>><br>
> >> >> > > > >>> > log in stdout and in log file. I can't see<br>
> any suspicious<br>
> >> log<br>
> >> >> > > > >>> information<br>
> >> >> > > > >>> > here. I paste the log below:<br>
> >> >> > > > >>> ><br>
> >> >> > > > >>> ><br>
> >> >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for<br>
> packet<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read<br>
> AUTHEN/CONT size=23<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET:<br>
> key=mykey<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192<br>
> (0xc0), type 1,<br>
> >> >> seq no<br>
> >> >> > > 5,<br>
> >> >> > > > >>> flags<br>
> >> >> > > > >>> > 0x1<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id<br>
> 3295176910<br>
> >> >> > > (0xc46868ce),<br>
> >> >> > > > >>> Data<br>
> >> >> > > > >>> > length<br>
> >> >> > > > >>> > 11 (0xb)<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]:<br>
> type=AUTHEN/CONT<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]:<br>
> user_msg_len 6 (0x6),<br>
> >> >> > > user_data_len 0<br>
> >> >> > > > >>> (0x0)<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]:<br>
> choose_authen chose<br>
> >> default_fn<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling<br>
> authentication<br>
> >> >> function<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing<br>
> AUTHEN/GETPASS<br>
> >> size=28<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET:<br>
> key=mykey<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192<br>
> (0xc0), type 1,<br>
> >> >> seq no<br>
> >> >> > > 6,<br>
> >> >> > > > >>> flags<br>
> >> >> > > > >>> > 0x1<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id<br>
> 3295176910<br>
> >> >> > > (0xc46868ce),<br>
> >> >> > > > >>> Data<br>
> >> >> > > > >>> > length<br>
> >> >> > > > >>> > 16 (0x10)<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN<br>
> status=5<br>
> >> >> > > (AUTHEN/GETPASS)<br>
> >> >> > > > >>> > flags=0x1<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10,<br>
> data_len=0<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet<br>
> >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for<br>
> packet<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read<br>
> AUTHEN/CONT size=30<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET:<br>
> key=mykey<br>
> >> >> > > > >>><br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192<br>
> (0xc0), type 1,<br>
> >> >> seq no<br>
> >> >> > > 7,<br>
> >> >> > > > >>> flags<br>
> >> >> > > > >>> > 0x1<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id<br>
> 3295176910<br>
> >> >> > > (0xc46868ce),<br>
> >> >> > > > >>> Data<br>
> >> >> > > > >>> > length<br>
> >> >> > > > >>> > 18 (0x12)<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]:<br>
> type=AUTHEN/CONT<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]:<br>
> user_msg_len 13 (0xd),<br>
> >> >> > > user_data_len 0<br>
> >> >> > > > >>> > (0x0)<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query<br>
> for<br>
> >> 'myusername'<br>
> >> >> tty0<br>
> >> >> > > from<br>
> >> >> > > > >>> > 10.1.69.89 rejected<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login<br>
> failure: myusername<br>
> >> >> > > 10.1.69.89<br>
> >> >> > > > >>> > (10.1.69.89) tty0<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing<br>
> AUTHEN/FAIL size=18<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET:<br>
> key=mykey<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192<br>
> (0xc0), type 1,<br>
> >> >> seq no<br>
> >> >> > > 8,<br>
> >> >> > > > >>> flags<br>
> >> >> > > > >>> > 0x1<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id<br>
> 3295176910<br>
> >> >> > > (0xc46868ce),<br>
> >> >> > > > >>> Data<br>
> >> >> > > > >>> > length<br>
> >> >> > > > >>> > 6 (0x6)<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN<br>
> status=2<br>
> >> >> (AUTHEN/FAIL)<br>
> >> >> > > > >>> > flags=0x0<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0,<br>
> data_len=0<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet<br>
> >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: <a href="http://10.1.69.89" target="_blank">10.1.69.89</a>:<br>
> disconnect<br>
> >> >> > > > >>> ><br>
> >> >> > > > >>> ><br>
> >> >> > > > >>> ><br>
> >> >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john<br>
> heasley <<br>
> >> >> <a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a><br>
> >> >> > > ><br>
> >> >> > > > >>> wrote:<br>
> >> >> > > > >>> ><br>
> >> >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600,<br>
> Hailu Meng:<br>
> >> >> > > > >>> > > > Hi Adam,<br>
> >> >> > > > >>> > > ><br>
> >> >> > > > >>> > > > If the ldapsearch -D "" -w "" runs<br>
> successfully, what are<br>
> we<br>
> >> >> > > supposed<br>
> >> >> > > > >>> to<br>
> >> >> > > > >>> > > get<br>
> >> >> > > > >>> > > > from the output? I just got all of the<br>
> user information<br>
> >> in<br>
> >> >> that<br>
> >> >> > > > >>> group.<br>
> >> >> > > > >>> > > Does<br>
> >> >> > > > >>> > > > that mean my password and username got<br>
> authenticated<br>
> >> >> > > successfully<br>
> >> >> > > > >>> > > against<br>
> >> >> > > > >>> > > > AD?<br>
> >> >> > > > >>> > > ><br>
> >> >> > > > >>> > > > This thing drives me crazy. I need to solve<br>
> it through this<br>
> >> >> week<br>
> >> >> > > > >>> before the<br>
> >> >> > > > >>> > > > holiday...<br>
> >> >> > > > >>> > ><br>
> >> >> > > > >>> > > i haven't followed this thread, as i know<br>
> nearly zero about<br>
> >> >> ldap.<br>
> >> >> > > > >>> but,<br>
> >> >> > > > >>> > > have you enabled authentication debugging<br>
> in the tacacs<br>
> >> >> daemon<br>
> >> >> > > and<br>
> >> >> > > > >>> > > checked the logs to determine what is<br>
> coming back from<br>
> >> pam?<br>
> >> >> it<br>
> >> >> > > very<br>
> >> >> > > > >>> > > well may be that the ldap client is<br>
> working just fine, but<br>
> >> >> there<br>
> >> >> > > is a<br>
> >> >> > > > >>> > > pam module bug or a bug in the tacplus<br>
> daemon or that your<br>
> >> >> device<br>
> >> >> > > > >>> > > simply doesn't like something about the<br>
> replies.<br>
> >> >> > > > >>> > ><br>
> >> >> > > > >>> > > > Thanks a lot for the help.<br>
> >> >> > > > >>> > > ><br>
> >> >> > > > >>> > > > Lou<br>
> >> >> > > > >>> > > ><br>
> >> >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu<br>
> Meng <<br>
> >> >> > > <a href="mailto:hailumeng@gmail.com">hailumeng@gmail.com</a>><br>
> >> >> > > > >>> wrote:<br>
> >> >> > > > >>> > > ><br>
> >> >> > > > >>> > > > > Still no clue how to turn on the log.<br>
> Binding seems<br>
> >> good.<br>
> >> >> See<br>
> >> >> > > my<br>
> >> >> > > > >>> > > findings<br>
> >> >> > > > >>> > > > > below. Thanks a lot.<br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam<br>
> <<br>
> >> >> > > <a href="mailto:prozaconstilts@gmail.com">prozaconstilts@gmail.com</a>><br>
> >> >> > > > >>> > > wrote:<br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > >> Hailu Meng wrote:<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >>> Adam,<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >>> I tried the su - "userid" in my<br>
> tacacs+ server but I<br>
> >> >> don't<br>
> >> >> > > have<br>
> >> >> > > > >>> that<br>
> >> >> > > > >>> > > > >>> userid in CentOS. So CentOS just<br>
> doesn't let me<br>
> log<br>
> >> in.<br>
> I<br>
> >> >> > > > >>> think<br>
> >> >> > > > >>> > > this will<br>
> >> >> > > > >>> > > > >>> not ask the tacacs server to<br>
> authenticate against AD.<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> You shouldn't need to define<br>
> the user in<br>
> >> CentOS,<br>
> >> >> > > that's<br>
> >> >> > > > >>> the<br>
> >> >> > > > >>> > > point<br>
> >> >> > > > >>> > > > >> of using ldap for authentication. The<br>
> user is defined<br>
> >> in<br>
> >> >> > > ldap,<br>
> >> >> > > > >>> not in<br>
> >> >> > > > >>> > > > >> CentOS. Now that I think about it, su<br>
> - <user><br>
> >> probably<br>
> >> >> > > wouldn't<br>
> >> >> > > > >>> work<br>
> >> >> > > > >>> > > > >> anyway, as AD doesn't by default have<br>
> the data needed<br>
> >> by<br>
> >> >> a<br>
> >> >> > > linux<br>
> >> >> > > > >>> box<br>
> >> >> > > > >>> > > to<br>
> >> >> > > > >>> > > > >> allow login...but see below for more<br>
> options.<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >>> Is there any other way to test ldap<br>
> authentication<br>
> >> >> against<br>
> >> >> > > AD<br>
> >> >> > > > >>> with<br>
> >> >> > > > >>> > > the<br>
> >> >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It<br>
> did find my<br>
> >> user<br>
> >> >> id<br>
> >> >> > > > >>> without a<br>
> >> >> > > > >>> > > problem.<br>
> >> >> > > > >>> > > > >>> But I haven't found any option to<br>
> try with a password<br>
> >> and<br>
> >> >> > > > >>> authenticate<br>
> >> >> > > > >>> > > against<br>
> >> >> > > > >>> > > > >>> AD.<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> Try using -D:<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> from `man ldapsearch`:<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> -D binddn<br>
> >> >> > > > >>> > > > >> Use the Distinguished Name binddn to<br>
> bind to the<br>
> >> LDAP<br>
> >> >> > > > >>> directory.<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc<br>
> should let you<br>
> >> try<br>
> >> >> to<br>
> >> >> > > > >>> authenticate<br>
> >> >> > > > >>> > > > >> using whatever user you want to<br>
> define. Just check<br>
> >> and<br>
> >> >> > > double<br>
> >> >> > > > >>> check<br>
> >> >> > > > >>> > > you get<br>
> >> >> > > > >>> > > > >> the right path in that dn.<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> I tried -D "<br>
> cn=username,ou=my_ou,dc=my_dc " but it<br>
> >> just<br>
> >> >> > > > >>> returned lots<br>
> >> >> > > > >>> > > of<br>
> >> >> > > > >>> > > > > users' information. Does that mean<br>
> it was successful?<br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > >> Do you have an ldap server set up or<br>
> only the openldap<br>
> >> >> library<br>
> >> >> > > and<br>
> >> >> > > > >>> > > openldap<br>
> >> >> > > > >>> > > > >>> client? I don't understand why the<br>
> log is not turned<br>
> >> >> on.<br>
> >> >> > > There<br>
> >> >> > > > >>> must<br>
> >> >> > > > >>> > > be some<br>
> >> >> > > > >>> > > > >>> debugging info in the log which can<br>
> help solve this<br>
> >> >> issue.<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> only the libs and client. You should<br>
> not need the<br>
> >> >> server. In<br>
> >> >> > > the<br>
> >> >> > > > >>> > > > >> ldapsearch, you can use -d <integer><br>
> to get debugging<br>
> >> >> info<br>
> >> >> > > for<br>
> >> >> > > > >>> that<br>
> >> >> > > > >>> > > search.<br>
> >> >> > > > >>> > > > >> As before, higher number = more debug<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> If the user can authenticate, does<br>
> ethereal capture<br>
> >> >> some<br>
> >> >> > > > >>> packets<br>
> >> >> > > > >>> > > about<br>
> >> >> > > > >>> > > > >>> password verification? Right now I<br>
> only see the<br>
> >> packets<br>
> >> >> > > when<br>
> >> >> > > > >>> ldap<br>
> >> >> > > > >>> > > searches for<br>
> >> >> > > > >>> > > > >>> my user id and gets results back<br>
> from AD.<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> Ethereal should catch all data<br>
> flowing between the<br>
> >> >> client<br>
> >> >> > > and<br>
> >> >> > > > >>> server.<br>
> >> >> > > > >>> > > If<br>
> >> >> > > > >>> > > > >> you can search out the user in your<br>
> AD right now,<br>
> >> then<br>
> >> >> one<br>
> >> >> > > of<br>
> >> >> > > > >>> two<br>
> >> >> > > > >>> > > things is<br>
> >> >> > > > >>> > > > >> happening:<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> 1. You are performing anonymous<br>
> searches. In this<br>
> >> case,<br>
> >> >> no<br>
> >> >> > > > >>> username<br>
> >> >> > > > >>> > > and pw<br>
> >> >> > > > >>> > > > >> is provided, and your AD is happy to<br>
> hand over info<br>
> >> to<br>
> >> >> > > anyone<br>
> >> >> > > > >>> who asks<br>
> >> >> > > > >>> > > for<br>
> >> >> > > > >>> > > > >> it. If this is the case, you will<br>
> _not_ see<br>
> >> >> authentication<br>
> >> >> > > > >>> > > information. The<br>
> >> >> > > > >>> > > > >> following MS KB article should<br>
> probably help you<br>
> >> >> determine<br>
> >> >> > > on<br>
> >> >> > > > >>> your AD<br>
> >> >> > > > >>> > > if<br>
> >> >> > > > >>> > > > >> anonymous queries are allowed:<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> <a href="http://support.microsoft.com/kb/320528" target="_blank">http://support.microsoft.com/kb/320528</a><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> It has exact instructions for how to<br>
> get it going,<br>
> >> but<br>
> >> >> you<br>
> >> >> > > can<br>
> >> >> > > > >>> follow<br>
> >> >> > > > >>> > > > >> along with it to check your current<br>
> settings without<br>
> >> >> making<br>
> >> >> > > any<br>
> >> >> > > > >>> > > changes.<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > > I checked our setting. Permission type<br>
> for normal user<br>
> >> is<br>
> >> >> > > "Read &<br>
> >> >> > > > >>> > > Execute".<br>
> >> >> > > > >>> > > > > I click edit to check the detail about<br>
> permission. I<br>
> >> >> think it<br>
> >> >> > > > >>> only<br>
> >> >> > > > >>> > > allow the<br>
> >> >> > > > >>> > > > > user to read the attributes,<br>
> permission something and<br>
> >> >> can't<br>
> >> >> > > > >>> modify the<br>
> >> >> > > > >>> > > > > AD.There is "Everyone" setting is also<br>
> set as "Read &<br>
> >> >> > > Execute".<br>
> >> >> > > > >>> By the<br>
> >> >> > > > >>> > > way,<br>
> >> >> > > > >>> > > > > the AD is Win2003 R2.<br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> 2. Authentication is happening. It<br>
> will be the _very_<br>
> >> >> first<br>
> >> >> > > > >>> thing the<br>
> >> >> > > > >>> > > > >> client and server perform, after<br>
> basic connection<br>
> >> >> > > establishment.<br>
> >> >> > > > >>> Look<br>
> >> >> > > > >>> > > for it<br>
> >> >> > > > >>> > > > >> at the very beginning of a dump.<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >> Also, it's a bit overkill, but the<br>
> following article<br>
> >> is<br>
> >> >> > > > >>> extremely<br>
> >> >> > > > >>> > > > >> informative about all the different<br>
> ways you can plug<br>
> >> >> linux<br>
> >> >> > > into<br>
> >> >> > > > >>> AD<br>
> >> >> > > > >>> > > for<br>
> >> >> > > > >>> > > > >> authentication. It might offer some<br>
> hints...<br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >>> Maybe I need dig into ldap.conf<br>
> more. If you have<br>
> >> any<br>
> >> >> idea,<br>
> >> >> > > let<br>
> >> >> > > > >>> me<br>
> >> >> > > > >>> > > know.<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >>> Thank you very much.<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >>> Lou<br>
> >> >> > > > >>> > > > >>><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > >><br>
> >> >> > > > >>> > > > ><br>
> >> >> > > > >>> > > > -------------- next part --------------<br>
> >> >> > > > >>> > > > An HTML attachment was scrubbed...<br>
> >> >> > > > >>> > > > URL:<br>
> >> >> > > > >>> > ><br>
> >> >> > > > >>><br>
> >> >> > ><br>
> >> >><br>
> >><br>
> <a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html</a><br>
> >> >> > > > >>> > > ><br>
> _______________________________________________<br>
> >> >> > > > >>> > > > tac_plus mailing list<br>
> >> >> > > > >>> > > > <a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
> >> >> > > > >>> > > ><br>
> <a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
> >> >> > > > >>> > ><br>
> >> >> > > > >>><br>
> >> >> > > > >><br>
> >> >> > > > >><br>
> >> >> > > > ><br>
> >> >> > ><br>
> >> >> > -------------- next part --------------<br>
> >> >> > An HTML attachment was scrubbed...<br>
> >> >> > URL:<br>
> >> >><br>
> >><br>
> <a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html</a><br>
</div></div></blockquote></div><br>
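The two cases the quoted reply distinguishes (an anonymous search that never binds, versus a bind that is the very first operation on the connection and, for a simple bind, carries the DN and the cleartext password) can be told apart by decoding the BindRequest at the head of the client's LDAP stream. The Python below is an added example, not code from the tac_plus project or from anyone in this thread. It builds a handful of sample LDAP messages with a minimal BER encoder (the DN cn=svc,dc=example,dc=com, the password and the SASL mechanism are invented), then classifies them the way you would when reading the start of a capture. It also names a third case the thread does not mention: an "unauthenticated" simple bind (DN present, empty password), which some servers accept as if it were anonymous, so a client that sends an empty password can appear to "log in".<br>

```python
"""Decode LDAP BindRequests (RFC 4511) from the head of a client->server stream.

Added example, not code from the tac_plus project or this thread. Sample
messages are CONSTRUCTED below with a minimal BER encoder; the DN, password
and SASL mechanism are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60     # [APPLICATION 0], constructed
TAG_SEARCH_REQUEST = 0x63   # [APPLICATION 3], constructed
TAG_AUTH_SIMPLE = 0x80      # AuthenticationChoice.simple, [0] OCTET STRING
TAG_AUTH_SASL = 0xA3        # AuthenticationChoice.sasl, [3] SaslCredentials


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    assert 0 <= n < 128, "sample encoder only handles single-byte INTEGERs"
    return tlv(TAG_INTEGER, bytes([n]))


def bind_request(msg_id: int, name: str, password: str = "",
                 sasl_mechanism: Optional[str] = None) -> bytes:
    """Encode LDAPMessage { messageID, BindRequest { version 3, name, auth } }."""
    if sasl_mechanism is not None:
        auth = tlv(TAG_AUTH_SASL, tlv(TAG_OCTET_STRING, sasl_mechanism.encode()))
    else:
        auth = tlv(TAG_AUTH_SIMPLE, password.encode())
    op = tlv(TAG_BIND_REQUEST, ber_int(3) + tlv(TAG_OCTET_STRING, name.encode()) + auth)
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + op)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


@dataclass
class BindInfo:
    message_id: int
    version: int
    name: str
    kind: str        # "anonymous", "unauthenticated", "simple" or "sasl"
    credential: str  # cleartext password for simple binds, mechanism name for SASL


def parse_bind_request(msg: bytes) -> BindInfo:
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    if tag != TAG_INTEGER or op_tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest (tag 0x%02x)" % op_tag)
    _, ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)
    dn = name.decode()
    if auth_tag == TAG_AUTH_SIMPLE:
        # RFC 4513 s5.1: empty DN + empty password is the anonymous bind; a DN with
        # an empty password is an "unauthenticated" bind, which some servers treat
        # as anonymous instead of rejecting. Either way the password is cleartext.
        if not auth:
            kind = "anonymous" if not dn else "unauthenticated"
        else:
            kind = "simple"
        cred = auth.decode(errors="replace")
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = read_tlv(auth, 0)
        kind, cred = "sasl", mech.decode()
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % auth_tag)
    return BindInfo(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), dn, kind, cred)


def find_first_bind(stream: bytes) -> Optional[BindInfo]:
    """Walk a client->server LDAP stream and return the first BindRequest, or
    None if the client only ever searched (the anonymous-search case)."""
    pos = 0
    while pos < len(stream):
        tag, body, nxt = read_tlv(stream, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("stream is not a sequence of LDAPMessages")
        _, _, p = read_tlv(body, 0)          # skip messageID
        op_tag, _, _ = read_tlv(body, p)
        if op_tag == TAG_BIND_REQUEST:
            return parse_bind_request(stream[pos:nxt])
        pos = nxt
    return None


# Constructed sample traffic (not captured from any real server).
SVC_DN = "cn=svc,dc=example,dc=com"
SAMPLES = {
    "anonymous": bind_request(1, ""),
    "unauthenticated": bind_request(2, SVC_DN),
    "simple": bind_request(3, SVC_DN, "s3cret"),
    "sasl": bind_request(4, "", sasl_mechanism="GSSAPI"),
}
# SearchRequest stand-in: only the outer framing matters to find_first_bind().
SEARCH_STUB = tlv(TAG_SEQUENCE, ber_int(5) + tlv(TAG_SEARCH_REQUEST, b""))
SEARCH_ONLY_STREAM = SEARCH_STUB                   # an anonymous client's dump
BIND_THEN_SEARCH_STREAM = SAMPLES["simple"] + SEARCH_STUB

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, parse_bind_request(raw))
    print("search-only stream:", find_first_bind(SEARCH_ONLY_STREAM))
    print("bind-then-search stream:", find_first_bind(BIND_THEN_SEARCH_STREAM))
```

Feed find_first_bind() the reassembled client-to-server bytes of the TCP stream from a capture (e.g. the "Follow TCP Stream" raw payload): a None result means the client is searching anonymously and no credential ever crossed the wire, which is the first of the two cases above; a "simple" result shows the DN and password the client actually sent, which is what the pam_ldap bind should look like when authentication is happening.<br>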