[tac_plus] Re: Different privs for different devices?
Alan McKinnon
alan.mckinnon at gmail.com
Wed Jun 30 22:16:48 UTC 2010
On Thursday 01 July 2010 00:04:37 john heasley wrote:
> > The reason for this is simple - conflict resolution. John mentioned as
> > much about 6 months ago and it's a horrible problem to solve (I'm
> > dealing with the same thing myself and reaching the same conclusion).
> > How do you resolve opposing conflicts in rights? John's approach is to
> > avoid the entire problem and guarantee it can't happen.
>
> I think that you make some more complex decisions by using external
> authorization scripts.
Of course! I forgot about that approach - I don't use it myself as my setup
has a very high number of requests per second and I'm not putting that at
risk. I considered an external daemon as well but rejected it as seeming just
too much work.
> > A sensible approach that causes you more work than you think proper but
> > leaves you sane is to maintain two separate group, acl and rights
> > definitions, even if they overlap to a greater or lesser degree.
> >
> > Or, Gabor might drop by with a suggestion, he has some very useful
> > patches in his collection but I haven't tried them enough to comment.
>
> indeed he does. I hope to import them (possibly w/ some adjustment -
> sorry) once i get a better config parser completed.
I feel your pain :-)
I have similar things to solve in my auth setup (of which tacacs is a part) -
it gives me sleepless nights sometimes.
--
alan dot mckinnon at gmail dot com
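The "two separate group, acl and rights definitions" layout from the quoted advice, as an added illustration that is not from the thread or the tac_plus project: a tac_plus.conf fragment in which each group is bound to one device class by a NAS-address acl and carries its own rights, so a login can only ever match one rights definition. The acl names, group names, address ranges and usernames are assumed.

```conf
# Added example: device classes are told apart by NAS address ACLs.
# Names and address ranges are constructed for illustration.
acl = core_routers {
    permit = ^10\.10\.0\.
    deny   = .*
}
acl = access_switches {
    permit = ^10\.20\.0\.
    deny   = .*
}

# One group per device class; each group carries its own rights,
# so there is no second definition to conflict with.
group = core_admins {
    acl = core_routers
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = access_ops {
    acl = access_switches
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}

# A user is a member of exactly one group, which is what rules
# out opposing rights for the same login.
user = alice {
    login = des <des-hash-placeholder>
    member = core_admins
}
user = bob {
    login = des <des-hash-placeholder>
    member = access_ops
}
```

A login from a core router by bob is refused by the access_switches acl rather than silently getting the wrong privilege level, which is the property the thread is after.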