[tac_plus] Re: Multiple groups, multiple ACL-s

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Wed Mar 31 14:17:27 UTC 2010


> It seems ACL match, group match, racc1 working as expected but things are not 
> correct with edge1. For edge1 I am expecting to be able to run any command 
> with "show ..." as it is in group definition. Am I missing anything?

At first sight I cannot figure out what the problem is.
What can we see if you run tac_plus with the "-d 128" option?

BTW. Do you have config line
ip tacacs source-interface Loopback0
in edge1? :-)

[... after reading some docs ...]

The manual says:
       acl    If compiled with acl  support  (--enable-acls),  Access  Control
              Lists  can  be defined to limit user's (or group's) login and/or
              enable access by daemon client IP address or hostname.

Actually I don't remember if my patch extends this acl usability or not.
If not (i.e. ACLs are effective at exec only) the behavior described by
you is quite clear. The daemon does not care about the ACL when authorizing
commands, so when searching "cmd = show ..." in the config tree
it stops in group net-staff-r.

Could you swap your two memberships then run the tests again?
If the above theory is correct then both racc1 and edge1 will
allow any "show" commands.

Within two months I will port my patch to the current tac_plus
version. Then I could think over extending ACL effect.

Gabor
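The following is an added illustration, not code from the tac_plus project or from either poster. It is a small Python model of the lookup Gabor's theory describes: a user belongs to several groups (the multi-group patch), each group carries an ACL on the daemon-client address and its own "cmd = show { ... }" rules, login picks the group by ACL, but command authorization walks the membership chain in order and stops at the first group that defines the command, ignoring the ACL. The group names net-staff-r / net-staff-rw, the networks, the NAS addresses and the per-group show rules are assumed values chosen to reproduce the reported symptom and the predicted effect of swapping the memberships.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed model (assumption) of the config-tree search described in the
# reply.  Group/network names and the rules below are illustrative, not the
# original poster's real configuration.


@dataclass
class Group:
    name: str
    acl: ipaddress.IPv4Network                 # NAS addresses this group's login applies to
    cmds: dict = field(default_factory=dict)   # command word -> [(verdict, arg-regex), ...]

    def acl_permits(self, nas_ip: str) -> bool:
        return ipaddress.ip_address(nas_ip) in self.acl


@dataclass
class User:
    name: str
    members: list          # ordered group memberships, searched first to last


def login_group(user, nas_ip):
    """Login/enable path: the ACL selects which group applies for this NAS."""
    for grp in user.members:
        if grp.acl_permits(nas_ip):
            return grp.name
    return None


def authorize(user, nas_ip, cmd, args, acl_in_authorization=False):
    """Command authorization: stop at the first group that defines `cmd`.

    With acl_in_authorization=False (the theory in the reply: ACLs only take
    effect at exec/login) the group's ACL is not consulted here at all.
    """
    for grp in user.members:
        if acl_in_authorization and not grp.acl_permits(nas_ip):
            continue
        if cmd in grp.cmds:
            for verdict, pattern in grp.cmds[cmd]:
                if re.fullmatch(pattern, args):
                    return verdict == "permit"
            return False   # command defined but no argument pattern matched: deny
    return False           # no group defines the command: default deny


# Constructed scenario (assumed addresses and rules).
RACC_NET = ipaddress.ip_network("10.1.0.0/24")   # racc1's TACACS source address
EDGE_NET = ipaddress.ip_network("10.2.0.0/24")   # edge1's TACACS source address
RACC1, EDGE1 = "10.1.0.1", "10.2.0.1"

# Read-only group: only "show version" is permitted; everything else denied.
NET_STAFF_R = Group("net-staff-r", RACC_NET,
                    {"show": [("permit", r"version"), ("deny", r".*")]})
# Read-write group: any "show" permitted.
NET_STAFF_RW = Group("net-staff-rw", EDGE_NET,
                     {"show": [("permit", r".*")]})

ORIGINAL_ORDER = (NET_STAFF_R, NET_STAFF_RW)   # read-only group listed first
SWAPPED_ORDER = (NET_STAFF_RW, NET_STAFF_R)    # memberships swapped


def run_scenario(order):
    """Is 'show running-config' allowed from racc1 and from edge1 when the
    daemon ignores ACLs during command authorization?"""
    user = User("jdoe", list(order))
    return {nas: authorize(user, ip, "show", "running-config")
            for nas, ip in (("racc1", RACC1), ("edge1", EDGE1))}


if __name__ == "__main__":
    jdoe = User("jdoe", list(ORIGINAL_ORDER))
    print("login group chosen for edge1:", login_group(jdoe, EDGE1))
    print("original membership order:", run_scenario(ORIGINAL_ORDER))
    print("swapped membership order: ", run_scenario(SWAPPED_ORDER))
    print("edge1 if ACL were honoured in authorization:",
          authorize(jdoe, EDGE1, "show", "running-config", acl_in_authorization=True))
```

With the original order, login from edge1 correctly lands in net-staff-rw, yet "show running-config" is denied from both devices because the search stops in net-staff-r; after swapping the memberships both racc1 and edge1 get every "show", which is exactly the swap test proposed above. Passing acl_in_authorization=True shows what extending the ACL to command authorization would change.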

