[tac_plus] Let's discuss some new features

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Wed Apr 30 08:54:14 UTC 2008


Dear folks,

I plan to do some enhancements of tac_plus daemon.
It would be lovely if a network manager could assign individual
attributes based not only on the username but also on
- host (NAS) address/name
- terminal line (console, async/modem, vty etc.)
- connection time (workdays, weekend, day and night etc.)

However, this requires a more sophisticated database backend, practically
speaking a relational database. SQLite seems to be a good choice.
The configure script would accept a --with-sqlite option on systems
where libsqlite is available. At startup, or when catching a HUP signal,
the daemon reads the usual configuration file and fills the database
with the appropriate records. The database could be entirely in memory (i.e. no
external file), so the daemon would act as a black box that
cannot be distinguished from the current one.
The look is the same, but there is a V8 engine under the hood. :-)

Moreover, I wish to keep backward compatibility of the config file.
So I'm thinking of some new syntax elements that could describe
the above functionality.

I mean something like this:

-----------------------------------
acl = local_net_acl {
	permit = ^172\.16\.192\.
}

user = melany_local {
	ifhost = local_net_acl {
		service = exec {
			priv-lvl = 15
		}
	}
	service = exec {
		priv-lvl = 2
	}
	member = working_girl
}

time = business_hours {
	permit = Mo-Fr,8-15:30
}

group = working_girl {
	iftime = business_hours {
		default service = permit
	}
	default service = deny
}
-----------------------------------

What is your opinion?

Gabor
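To make the semantics of the proposed ifhost/iftime syntax concrete, here is an added evaluator written for this archive page; it is not tac_plus code and nothing in the post specifies these rules. It assumes: an acl is a first-match list of regexes tested against the NAS address; a time block is "Days,HH[:MM]-HH[:MM]" with a Mo..Su day range and an end time that is exclusive; an ifhost/iftime block that matches overrides the sibling unconditional setting; and the user's group supplies the "default service" decision. The config values are copied from the sample config above; the data-structure names (ACLS, TIMES, USERS, GROUPS) and function names are mine.

```python
import re
from datetime import datetime

# Constructed from the sample config in the post; dict shapes are an assumption.
ACLS = {"local_net_acl": [("permit", r"^172\.16\.192\.")]}
TIMES = {"business_hours": [("permit", "Mo-Fr,8-15:30")]}
USERS = {
    "melany_local": {
        "ifhost": {"local_net_acl": {"exec": {"priv-lvl": 15}}},
        "service": {"exec": {"priv-lvl": 2}},
        "member": "working_girl",
    }
}
GROUPS = {
    "working_girl": {
        "iftime": {"business_hours": "permit"},
        "default service": "deny",
    }
}

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # datetime.weekday() order


def acl_matches(acl_name, nas_addr):
    """First-match evaluation: the first entry whose regex hits decides."""
    for action, pattern in ACLS[acl_name]:
        if re.search(pattern, nas_addr):
            return action == "permit"
    return False  # assumed: no match means the ACL does not apply


def _to_minutes(hhmm):
    """'8' -> 480, '15:30' -> 930."""
    hours, _, minutes = hhmm.partition(":")
    return int(hours) * 60 + int(minutes or 0)


def parse_time_spec(spec):
    """'Mo-Fr,8-15:30' -> (set of weekday indices, start minute, end minute)."""
    days_part, hours_part = spec.split(",")
    first_day, last_day = days_part.split("-")
    days = set(range(DAYS.index(first_day), DAYS.index(last_day) + 1))
    start, end = hours_part.split("-")
    return days, _to_minutes(start), _to_minutes(end)


def time_matches(time_name, when):
    """True when `when` falls inside a permit entry of the named time block."""
    minute_of_day = when.hour * 60 + when.minute
    for action, spec in TIMES[time_name]:
        days, start, end = parse_time_spec(spec)
        if when.weekday() in days and start <= minute_of_day < end:
            return action == "permit"
    return False


def exec_priv_lvl(user, nas_addr):
    """priv-lvl for service exec: a matching ifhost block wins over the plain one."""
    entry = USERS[user]
    for acl_name, services in entry.get("ifhost", {}).items():
        if acl_matches(acl_name, nas_addr):
            return services["exec"]["priv-lvl"]
    return entry["service"]["exec"]["priv-lvl"]


def default_service(user, when):
    """'permit' or 'deny' from the user's group, honouring iftime blocks."""
    group = GROUPS[USERS[user]["member"]]
    for time_name, action in group.get("iftime", {}).items():
        if time_matches(time_name, when):
            return action
    return group["default service"]


if __name__ == "__main__":
    print(exec_priv_lvl("melany_local", "172.16.192.10"))          # 15
    print(exec_priv_lvl("melany_local", "10.0.0.1"))               # 2
    print(default_service("melany_local", datetime(2008, 4, 30, 9, 0)))   # permit
    print(default_service("melany_local", datetime(2008, 4, 30, 16, 0)))  # deny
```

The two open questions a reviewer of the real implementation would want settled are visible in the code: whether an ACL with no matching entry is "not applicable" or an implicit deny, and whether the time range end is inclusive. Both are guesses here and would need to be pinned down in the config grammar so that an operator's `deny` cannot silently turn into a `permit`.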
