[tac_plus] ldap auth
Asif Iqbal
vadud3 at gmail.com
Sun May 15 21:11:24 UTC 2011
Hi
I have the following scenario
user -- (ssh) ----> jumpstation --- (telnet) ----> router1 -----> T+ -------> ldap server
                                                 - - - - > router2 - - - >
                                                 .....
                                                           routerN
so user *must* ssh into the jumpstation, which is the only server that
allows telnet to routers with their tacacs+ account.
The tacacs+ server uses ldap auth in the backend.
so I have a few questions about this setup.
- Is there a way to enable SSO, so the users don't have to put in their
T+ / ldap password for every router they log in to?
- Must the routers enable ssh, so the ldap password from
jumpstation to router is not clear text?
- Is there a way to make sure T+ to ldap server communication is *not*
clear text? I am assuming it is clear text now. probably
a question for ldap mailing lists. (sorry)
- If SSO is possible, is there a way to keep the cookie (auth token)
valid for a longer time so user won't fail to login, should the ldap server
be unavailable temporarily? might be able to achieve it by stacking
the pams differently. hmm.. might be a question for pam mailing list.
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?