[tac_plus] Re: TAC-PLUS/AD

[adam]

Joel Bicalho wrote:
> Hey guys,
> 
> I have a couple of cisco switchs, a linux server and a windows 2003 with
> active directory.
> I want to install the tac-plus in my linux server and then tie it into the
> windows 2003 (AD) using PAM/kerberos.
> I want to use the Active directory to authenticate the users.
> The problem is, I dont know how to do it....
> Would you have any step-by-step to do it? our could show me where to find
> it??
> I couldnt find it on google.......
> thank you in advance!!!
> 
> 

Here are instructions I posted for pam_ldap in January for RHEL5. You 
should be able to mostly replace pam_ldap with pam_krb5, and skip step 
10 below. I'm not really a kerberos expert, but I assume on top of these 
instructions, you should get your /etc/krb5.conf set up, as well as your 
service principals and such...


1. Install the pam-devel package and tcp_wrappers via yum:

      yum install pam-devel tcp_wrappers

2. Obtain the latest tac_plus from ftp://ftp.shrubbery.net/pub/tac_plus/
I used version F4.0.4.15

3. unpack tac_plus:

      tar xfz tacacs+-<your version here>

4. Run configure:

      ./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin
--localstatedir=/var/local/tacacs --sysconfdir=/etc
--with-logfile=/var/log/tacacs/tacacs --with-pidfile=/var/run/tacacs.pid
--with-acctfile=/var/log/tacacs/acctfile

Note that the above configure choices were my own, you can choose
whatever values you want.

5. Make sure the pam libraries were found. Look at the output of
configure for a line that looks like this:

      checking for pam_start in -lpam... yes

If that says yes, then the daemon will compile with pam support. If it
says no, then configure is unable to find your pam libraries. Make sure
you performed Step 1.

6. compile tac_plus:

      make

7. install tac_plus

      make install

8. Configure tac_plus. While there are many more configurations to be
done to make tac_plus work as a whole, the pam specific configuration is
as follows:

      Edit the tac_plus conf file, and define your users as such:

      user = <ldap user id> {
        login = PAM
        <other options>
      }

Currently, tac_plus only allows authentication using pam (since pam is
only used for authentication anyway). Authorizations are still
configured within the conf file, no ldap groups allowed :(

9. Define a pam stack for tac_plus.

      cd /etc/pam.d

      vi tac_plus

My pam stack config is as follows:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Note that this config also works well for system-auth. If you want all
authentication for your server to use ldap (graphical login, ssh, etc.),
you can place the above into system-auth, and the define tac_plus as
follows:

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

10. Configure your ldap.conf. This is where you define your ldap server,
binddn, attribute maps, etc. Note that on RHEL5, there are two ldap.conf
files. One is in /etc/openldap and the other is just in /etc. PAM will
stat both files upon invocation, and the second one it stats will
override the first. I usually modify /etc/openldap/ldap.conf, and then
symlink /etc/ldap.conf to it.

That's it. At this point, assuming you have everything setup right, you
should be able to use your LDAP server for authentication. To
troubleshoot, I normally run the tacacs daemon in the foreground with
debugging on:

tac_plus -C /path/to/tac_plus.conf -L -p 49 -d16 -g

and then try to authenticate.

So far, I have found a couple caveats that will make life very sad.
First, if you decide to run tac_plus from xinetd in linux (which I
suggest you do, to utilize tcp wrappers properly), then you should set
up your /etc/xinetd.d/tacacs conf file as follows:

service tacacs
{
          socket_type             = stream
          protocol                = tcp
          wait                    = no
          disable                 = no
          user                    = root
          server                  = /path/to/tac_plus
          server_args             = -C /path/to/tac_plus.conf -L -p 49 -i
-d 16
          cps                     = 50 10
          flags                   = IPv4
}

The server must be run as root. Because you are talking to PAM, then you
must have root privileges, or else it will not work.

Secondly, if you are using xinetd, in your ldap.conf file, turn off
debugging. When run from xinetd with ldap debugging on, the ldap libs
will output debug code to stderr. Since you are running the daemon from
within xinetd, there is no stderr to output to, and the tac_plus daemon
upon discovering this broken pipe will fail and exit. Whether this is a
tac_plus or xinetd problem I'm not sure, but it's there all the same.

You can use the -g option to run in the foreground to test your ldap
conf if you wish, but once you start to use xinetd, make sure that the
debug directive in your ldap.conf is off.