<div dir="ltr">Not exactly the direction I was talking about. My idea: Standardize your tac_plus.conf with a DEFAULT user, member of do_auth_access, and login = PAM and you will never need to change it. Auth your users via PAM and authorize them in do_auth. Call config parser to add/remove them, perhaps based on an external database. <div>
<br>Admittedly, it might not get all the services you need, I'm just saying it's much easier to call a pre-made config parser than trying to write you own as you are doing now. </div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Thu, May 22, 2014 at 2:56 PM, Asif Iqbal <span dir="ltr"><<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="">On Thu, May 22, 2014 at 4:14 PM, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Put users in do_auth and manage them there instead. Import ConfigParser to add/remove users as needed. Can even cross reference a database if needed. </div>
</blockquote><div><br><br></div></div><div>That is the direction I am heading. But I need to normalize the existing users into rows for the database and then it will easier to convert that<br>into ini type file to work with do_auth.<br>
<br></div><div>I am pretty close to complete.<br><br></div><div>So far I got this far<br><br>import re<br><br>f = open('tac_plus.conf').read()<br><br>pattern = '\n?user\s*=\s*(\S+)\s*{(.+?)}'<br><br>users = re.findall(pattern,f,re.DOTALL|re.MULTILINE)<br>
<br></div><div>which outputs like this<br><br>('aa49451', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')<br>('aa15561', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')<br>('aa56743', '\n\tlogin = PAM\n\tmember = oobrs')<br>
('cariden', '\n\tlogin = des s5YXYZAm4f.\n\tmember = cariden')<br>('ssarepts', '\n #login = des qwASvuPKw\n login = file /etc/tacacs-passwd\n cmd = terminal {\n permit "length"\n deny .*\n }\n cmd = show {\n permit "interfaces|policy-map interface"\n deny .*\n }\n\tcmd = exit {\n\t\tpermit .*\n\t}')<br>
('vtt2440', '\n\tlogin = PAM\n\tmember = opsdb')<br>('aa60589', '\n login = PAM\n member = opsdb')<br>('aa92589', '\n login = PAM\n member = opsdb')<br>
<br></div><div>I am still working on to clean up more. <br><br></div><div>There are only 6 users with cmd = {..} inside. So I will just convert those into new groups and just use member = newgroup. <br><br></div><div>So not much work left to clean up.<br>
<br><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>
On Thu, May 22, 2014 at 12:41 PM, Asif Iqbal <span dir="ltr"><<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div>
<div><div>On Thu, May 22, 2014 at 12:48 PM, Asif Iqbal <<a href="mailto:vadud3@gmail.com" target="_blank">vadud3@gmail.com</a>> wrote:<br>
<br>
><br>
><br>
><br>
> On Thu, May 22, 2014 at 12:27 PM, heasley <<a href="mailto:heas@shrubbery.net" target="_blank">heas@shrubbery.net</a>> wrote:<br>
><br>
>> Thu, May 22, 2014 at 12:26:10PM -0400, Asif Iqbal:<br>
>> > Any one has tool to manage user accounts on tac_plus.conf?<br>
>> ><br>
>> > Looking for adding/deleting multiple users.<br>
>> ><br>
>> > Adding/Modifying/Deleting them manually with an editor is painful.<br>
>><br>
>> why not do it in a database/elsewhere and export it to the config file?<br>
>><br>
><br>
> I would go with mysql then.<br>
><br>
> Most of them are like below.<br>
> user = vtt2440 {<br>
> login = PAM<br>
> member = opsdb<br>
> }<br>
><br>
> So creating a schema and inserting these data would be pretty simple<br>
><br>
> CREATE TABLE Users (<br>
> user varchar(20) primary key,<br>
> login varchar(20),<br>
> member varchar(20)<br>
> );<br>
><br>
> INSERT INTO Users (`user`, `login`,`member`) VALUES ("vtt2440","PAM",<br>
> "opsdb");<br>
><br>
> But I will need some help with parsing this into a txt file and then just<br>
> LOAD DATA INFILE<br>
> would save lot of time with ~2000 users.<br>
><br>
><br>
> However, how would I manage stanza like this? Should I just move those<br>
> cmds inside group<br>
> definition?<br>
><br>
> user = ssarepts {<br>
> login = file /etc/tacacs-passwd<br>
> cmd = terminal {<br>
> permit "length"<br>
> deny .*<br>
> }<br>
> cmd = show {<br>
> permit "interfaces|policy-map interface"<br>
> deny .*<br>
> }<br>
> cmd = exit {<br>
> permit .*<br>
> }<br>
> }<br>
><br>
> So looks like really need help with parsing these and normalize to rows,<br>
> before I can insert them into database.<br>
><br>
> Thanks for any help with parsing.<br>
><br>
<br>
<br>
</div></div>So, so far I managed to parse most of the users<br>
<br>
import re<br>
f = open ('tac_plus.conf','rb').read()<br>
<br>
regex =<br>
re.compile('\s?\w*\s*=\s*(\w*)\s{\s+\w*\s*=\s*(\w*)\s+\w*\s*=\s*(\w*)\s+}',re.DOTALL|re.MULTILINE)<br>
<br>
users = regex.findall(f)<br>
<br>
for f in users:<br>
print f<br>
<br>
So this gets me 1532 users out of 1760 users. I still need to improve the<br>
regex and could use some help.<br>
<br>
Thanks<br>
</div></div><div><div><div><br>
<br>
<br>
><br>
> --<br>
> Asif Iqbal<br>
> PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>
> A: Because it messes up the order in which people normally read text.<br>
> Q: Why is top-posting such a bad thing?<br>
><br>
><br>
<br>
<br>
--<br>
Asif Iqbal<br>
PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>
A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br></div></div>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
</div>URL: <<a href="http://www.shrubbery.net/pipermail/tac_plus/attachments/20140522/decbfebc/attachment.html" target="_blank">http://www.shrubbery.net/pipermail/tac_plus/attachments/20140522/decbfebc/attachment.html</a>><br>
<div><div>_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
</div></div></blockquote></div><br></div>
</div></div><pre>E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
</pre></blockquote></div><div class=""><br><br clear="all"><br>-- <br>Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br><br>
</div></div></div>
</blockquote></div><br></div>
<pre>
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.