[tac_plus] Re: Tac_plus authentication and Active Directory group
Bruce Carleton
bruce.carleton at jasperwireless.com
Tue Jun 8 00:47:20 UTC 2010
In regards to Active Directory groups being used to control access to
NASs, there isn't a "native" way to do that that I know of. You have to
define the groups in the tac_plus.conf and apply ACLs to them. I'm
using winbind for pam and nss. I'm using the Samba RID backend to do
UID/GID mapping, though tac_plus doesn't care. I believe you will need
to use the --enable-acls argument with configure when you compile
tac_plus. Here are some configuration scraps:
# User definition
user = some.user {
    login = PAM
    member = network_admin
}

# Group definition
group = network_admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    acl = network_admin
}

# Network Administration ACL
acl = network_admin {
    permit = ^10\.0\.0\.1$
    permit = ^10\.0\.1\.1$
    deny = .*
}
Admittedly, this leaves some work on the tac_plus server configuration,
but at least it gets you out of the business of password changes and
expiration.
Best,
--Bruce
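The approach described above keeps the user-to-group membership in tac_plus.conf by hand, while winbind already exposes the AD groups through NSS. The script below is an added example, not code from the original post or from the tac_plus project: it reads each AD group's members with Python's `grp` module (the same lookup `getent group` does through winbind), assigns every user to exactly one tac_plus group by a precedence order, and renders the `user`, `group` and `acl` stanzas with anchored, escaped NAS regexes. The AD group names, NAS addresses, user names and the `EXAMPLE` domain are constructed sample data; the `DOMAIN\user` / `DOMAIN+user` stripping assumes the NAS sends the bare account name, which depends on the `winbind separator` and `winbind use default domain` settings in smb.conf.

```python
"""Generate tac_plus.conf stanzas from AD group membership via winbind/NSS.

Added example; not from the original post or the tac_plus project.
Assumes winbind is configured for NSS so grp.getgrnam(<AD group>) returns
the group's members.  All names and addresses below are constructed.
"""
import grp
import re

# Precedence order: a tac_plus user can belong to only one group, so a user
# found in several AD groups gets the first (most privileged) match.
# (AD group, tac_plus group, priv-lvl, NAS addresses the group may reach)
POLICY = [
    ("NetworkAdmins", "network_admin", 15, ["10.0.0.1", "10.0.1.1"]),
    ("NetworkOperators", "network_oper", 1, ["10.0.0.1"]),
]

# Constructed sample of what winbind/NSS might return, for offline use.
SAMPLE_MEMBERSHIP = {
    "NetworkAdmins": ["EXAMPLE\\bruce"],
    "NetworkOperators": ["EXAMPLE+bruce", "EXAMPLE\\charly"],
}


def strip_domain(name, separators="\\+"):
    """Drop a winbind DOMAIN\\user or DOMAIN+user prefix.

    Assumption: the NAS sends the bare sAMAccountName, so tac_plus must
    see the same spelling in its 'user =' stanza.
    """
    for sep in separators:
        if sep in name:
            return name.split(sep, 1)[1]
    return name


def nss_members(ad_group):
    """Members of an AD group as seen through NSS; [] if the group is unknown."""
    try:
        return list(grp.getgrnam(ad_group).gr_mem)
    except KeyError:
        return []


def assign_groups(membership, policy=POLICY):
    """Map each user to exactly one tac_plus group, by policy precedence.

    membership: {ad_group: [user, ...]}  ->  {user: tac_plus_group}
    """
    assigned = {}
    for ad_group, tac_group, _priv, _nas in policy:
        for raw in membership.get(ad_group, []):
            assigned.setdefault(strip_domain(raw), tac_group)
    return assigned


def host_regex(addr):
    """Anchored, escaped regex for one NAS address.

    Without escaping and anchoring, '10.0.0.1' would also match 10.0.0.10
    or 100.0.0.1, silently widening the ACL.
    """
    return "^" + re.escape(addr) + "$"


def render(membership, policy=POLICY):
    """Return tac_plus.conf text for the acl, group and user stanzas."""
    out = []
    for ad_group, tac_group, priv, nas_list in policy:
        out.append(f"# ACL for AD group {ad_group}")
        out.append(f"acl = {tac_group} {{")
        for addr in nas_list:
            out.append(f"    permit = {host_regex(addr)}")
        out.append("    deny = .*")
        out.append("}")
        out.append(f"group = {tac_group} {{")
        out.append("    default service = permit")
        out.append("    service = exec {")
        out.append(f"        priv-lvl = {priv}")
        out.append("    }")
        out.append(f"    acl = {tac_group}")
        out.append("}")
    for user, tac_group in sorted(assign_groups(membership, policy).items()):
        out.append(f"user = {user} {{")
        out.append("    login = PAM")
        out.append(f"    member = {tac_group}")
        out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Live run: pull membership from winbind/NSS for every AD group in POLICY.
    live = {ad_group: nss_members(ad_group) for ad_group, *_ in POLICY}
    print(render(live if any(live.values()) else SAMPLE_MEMBERSHIP))
```

Run it from cron or a config-management hook and reload tac_plus after writing the output to the `include`d file; the regenerated stanzas carry no passwords, so the only secret material that stays in tac_plus.conf is the shared key and any local `enable` secrets.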
-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Charly COYETTE
Sent: Friday, May 28, 2010 8:07 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Tac_plus authentication and Active Directory group
Hello,
I'm currently installing a TACACS+ server with Tac_plus that
authenticates users against an Active Directory.
I need to give different rights to users depending on their groups
in the Active Directory.
I don't know how to indicate this in the configuration file.
Another question: Is there a way to do "default authentication = PAM"? I
always have an error: "Error: expecting 'file' but found 'pam' on line
16"
Here is the configuration file I currently use:
key = ...
accounting file = /var/log/tacacs/accounting

group = admin {
    default service = permit
    login = PAM
    enable = des "..."
}

group = user {
    default service = deny
    login = PAM
    enable = des "..."
    cmd = enable {
        permit ".*"
    }
    cmd = show {
        permit "ip .*"
        deny ".*"
    }
    cmd = disable {
        permit ".*"
    }
    cmd = exit {
        permit ".*"
    }
}

user administrator {
    member = admin
}

user toto {
    member = user
}
Regards,
Charly COYETTE | Network and System department
Mail : ccoyette at devanlay.fr
DEVANLAY SA : 19bis, rue des Gayettes - BP 503 - 10083 TROYES - FRANCE
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus