[tac_plus] Re: Query

john heasley heas at shrubbery.net
Thu Apr 2 18:14:04 UTC 2009


Thu, Apr 02, 2009 at 08:56:43AM -0600, Schmidt, Daniel:
> Thank you for your reply and for your time. 
> 
> I found something like this that Ben Kennedy had tried (and failed) in
> 2007.  Attempting to use/modify/change this simple bash script was of no
> use - I could not make it work, I could not so much as log in.  The exit
> values look correct and it echoes to stdout.  Can anybody see something
> wrong?

first, you MUST drain stdin, even if you do not want to use the data.
second, the output is AV pairs only.  this script is producing tacplus.conf
like output.

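# drain the AV pairs the daemon writes on stdin, even if they are unused
while read -r avp ; do
 :
done
# write AV pairs only, one per line
echo avp=bar
exit 2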

> <>
> 
> Here is an example of the config file:
> user = test {
>   after authorization "/etc/tac-plus/authen $user $address"
> }
> 
> Example of script:
> #!/bin/sh
> 
> if [ "$1" = 'test' ]
> then
>   if [ "$2" = 'X.X.X.X' ] #ip of switch
>   then
>      echo default service=permit
>      echo login=cleartext XXX
>      echo service=exec
>      echo {
>        echo priv-lvl=15
>      echo
>      echo cmd=arp
>      echo {
>      echo permit timeout
>      echo }
>      echo cmd=no
>      echo {
>      echo permit arp
>      echo }
>      echo cmd=show
>      echo {
>      echo permit run
>      echo permit start
>      echo }
>      echo cmd=configure
>      echo {
>      echo permit terminal
>      echo permit interface
>      echo deny .*
>      echo }
>    exit 2
>   fi
> fi
> exit 1
> 
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net] 
> Sent: Wednesday, April 01, 2009 4:23 PM
> To: Schmidt, Daniel
> Cc: john heasley; Lance Vermilion; tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Re: Query
> 
> Tue, Mar 31, 2009 at 03:44:01PM -0600, Schmidt, Daniel:
> > I've never been able to make it work... if anybody has a working example
> > they could provide, that would be greatly appreciated.
> 
> you read all the AVPs on stdin
> then write the appropriate AVPs on stdout
> and/or finally exit with the appropriate exit code
> 
> there shouldn't be any voodoo.  it's not something i do or test on a regular
> basis.  i suppose the daemon's handling could be broken, but doubt it.
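
Added example (not part of the original message or of the tac_plus distribution): an after-authorization script that follows the steps described in this thread, draining every AV pair from stdin, writing only AV pairs to stdout, and returning status 2 (permit, replace the AV pairs with stdout) or 1 (deny). The function name, the user and NAS values, and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example. Intended to be called from tac_plus as:
#   after authorization "/etc/tac-plus/authen $user $address"
# ALLOWED_USER and ALLOWED_NAS are constructed sample values.
ALLOWED_USER=test
ALLOWED_NAS=192.0.2.10

# Reads AV pairs (one per line) on stdin and writes the replacement AV pairs
# on stdout.  Return status: 2 = permit and use stdout as the new AV pairs,
# 1 = deny.  A real script would end with:  after_author "$@"; exit $?
after_author() {
    user=$1
    nas=$2
    out=""
    seen=0
    # Always drain stdin completely, even when the request will be denied.
    while IFS= read -r avp || [ -n "$avp" ]; do
        case $avp in
            priv-lvl=*) avp="priv-lvl=15"; seen=1 ;;  # rewrite the existing pair
            "")         continue ;;                   # skip blank lines
        esac
        out="${out}${avp}
"
    done
    if [ "$user" != "$ALLOWED_USER" ] || [ "$nas" != "$ALLOWED_NAS" ]; then
        return 1
    fi
    # Add priv-lvl if the daemon did not supply one.
    [ "$seen" -eq 1 ] || out="${out}priv-lvl=15
"
    # Output is bare attribute=value lines, never tac_plus.conf syntax.
    printf '%s' "$out"
    return 2
}

# Demo with constructed AV pairs standing in for what the daemon sends.
rc=0
result=$(printf 'service=shell\npriv-lvl=1\n' | after_author test 192.0.2.10) || rc=$?
printf 'status=%s\n%s\n' "$rc" "$result"
```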

