[tac_plus] Redesign? (Was: Different privs for different devices?)

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Thu Jul 1 09:49:58 UTC 2010


> indeed he does.  I hope to import them (possibly w/ some adjustment - sorry)
> once i get a better config parser completed.

What about lex and yacc? How portable would it be?

By the way,
IMHO using a relational database would be the most elegant
solution for storing user attributes.
In that case arbitrarily complex conditionals could be composed.
E.g. "user 'bill' gets level 15 privileges during working hours
when logging in on the console port of three particular NASes, but
level 1 in all other cases".

The current syntax of the configuration file was established
by Lol Grant (Cisco Systems) in the mid 90s.
Its open source (and very simple) server-side implementation
of the TACACS+ protocol is the base of all current open source
tac_plus daemons.
This config file is not suitable for expressing such relations.
Maybe the whole concept could be redesigned.

An SQL database would separate the configuration process
from the protocol implementation.
The daemon could be smaller and simpler, and people
could develop simple or spectacular configuration
frontends, including brutal GUIs, CGIs and other (even platform
dependent!) utilities.

This is like how iptables rules can be composed by various firewall
management programs independently of the way the kernel actually
executes them.

What is your opinion, guys?

Gabor
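An added example, not part of the post above and not code from any tac_plus daemon: a small sqlite3 model of the "rules in a relational database" idea, with the "bill gets level 15 on the console port of three NASes during working hours, level 1 otherwise" rule expressed as table rows and resolved by one query. The schema, table names, sample rows and the resolve_priv_lvl() function are all my own assumptions for illustration; they are not an interface any tac_plus implementation provides.

```python
"""
Constructed example: an authorization rule base in SQLite, resolved at
request time by a single parameterized query.  Schema and data are
hypothetical and exist only to illustrate the relational approach.
"""
import sqlite3
from datetime import datetime

SCHEMA = """
CREATE TABLE users (
    name         TEXT PRIMARY KEY,
    default_priv INTEGER NOT NULL           -- used when no rule matches
);
CREATE TABLE nas (
    ip   TEXT PRIMARY KEY,
    site TEXT NOT NULL
);
CREATE TABLE rules (
    id            INTEGER PRIMARY KEY,
    user_name     TEXT NOT NULL REFERENCES users(name),
    nas_ip        TEXT REFERENCES nas(ip),  -- NULL = any NAS
    port_prefix   TEXT,                     -- NULL = any port, e.g. 'con' for console lines
    hour_from     INTEGER,                  -- NULL = any time of day
    hour_to       INTEGER,                  -- half-open interval [hour_from, hour_to)
    weekdays_only INTEGER NOT NULL DEFAULT 0,
    priv_lvl      INTEGER NOT NULL,
    priority      INTEGER NOT NULL          -- highest matching priority wins
);
"""

# Constructed sample data: three "core" NASes plus one branch box.
SAMPLE_DATA = """
INSERT INTO users VALUES ('bill', 1), ('alice', 15);
INSERT INTO nas VALUES ('10.0.0.1', 'core'), ('10.0.0.2', 'core'),
                       ('10.0.0.3', 'core'), ('10.0.0.9', 'branch');
-- One rule row per core NAS, generated from the nas table itself:
-- bill, console port, 08:00-17:00, weekdays only, priv 15.
INSERT INTO rules (user_name, nas_ip, port_prefix, hour_from, hour_to,
                   weekdays_only, priv_lvl, priority)
SELECT 'bill', ip, 'con', 8, 17, 1, 15, 10 FROM nas WHERE site = 'core';
"""

# Named parameters only: request attributes never get interpolated into SQL.
RESOLVE_SQL = """
SELECT priv_lvl
FROM rules
WHERE user_name = :user
  AND (nas_ip      IS NULL OR nas_ip = :nas)
  AND (port_prefix IS NULL OR :port LIKE port_prefix || '%')
  AND (hour_from   IS NULL OR (:hour >= hour_from AND :hour < hour_to))
  AND (weekdays_only = 0 OR :weekday < 5)
ORDER BY priority DESC, id ASC
LIMIT 1
"""


def open_db():
    """Create an in-memory rule base loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def resolve_priv_lvl(conn, user, nas_ip, port, when):
    """Return the privilege level for one authorization request, or None
    (deny) for an unknown user.  Most specific (highest priority) rule wins;
    with no matching rule the user's default applies."""
    params = {
        "user": user,
        "nas": nas_ip,
        "port": port,
        "hour": when.hour,
        "weekday": when.weekday(),   # Monday = 0 ... Sunday = 6
    }
    row = conn.execute(RESOLVE_SQL, params).fetchone()
    if row is not None:
        return row[0]
    row = conn.execute("SELECT default_priv FROM users WHERE name = ?",
                       (user,)).fetchone()
    return None if row is None else row[0]   # fail closed on unknown user


if __name__ == "__main__":
    db = open_db()
    workday = datetime(2010, 6, 30, 10, 0)   # Wednesday morning
    saturday = datetime(2010, 7, 3, 10, 0)
    print(resolve_priv_lvl(db, "bill", "10.0.0.1", "con0", workday))   # 15
    print(resolve_priv_lvl(db, "bill", "10.0.0.1", "tty1", workday))   # 1
    print(resolve_priv_lvl(db, "bill", "10.0.0.1", "con0", saturday))  # 1
    print(resolve_priv_lvl(db, "bill", "10.0.0.9", "con0", workday))   # 1
    print(resolve_priv_lvl(db, "mallory", "10.0.0.1", "con0", workday))  # None
```

Two points a practitioner would want from such a design: the daemon only ever runs a parameterized query (request attributes such as the port name or the NAS address must never be glued into the SQL text, since they are attacker-influenced), and the lookup fails closed, returning a deny for users with no row rather than falling through to some implicit level. The `ORDER BY priority DESC` tie-break is what lets a frontend add a narrower exception without touching the broader rule.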

