[tac_plus] Dynamic authentication plugins via shared libraries?
Steve Kemp
steve at steve.org.uk
Thu Aug 16 06:09:56 UTC 2012
Where we work we have an in-house authentication system which
is used for many things, and a few months ago we wished to
add TACACS+ to that list.
Looking over the code there are various authentication methods
supported, each of which ultimately ends up getting called with
a username/password:
static int des_verify(char *, char *);
static int pam_verify(char *, char *);
(The only exception here is the etc_passwd_verify method which
takes an extra argument.)
Rather than adding our custom verification method directly
into the core, along with those, I ended up writing our custom
code to test a username/password in a small shared library,
and then updating the tacacs+ code to load it dynamically at run-time
with this configuration file:
..
accounting file = /var/log/tac_plus.acct
sso_plugin = /usr/local/lib/sso_plugin.so
..
user = steve {
    member = our_company
    login = sso skemp
    name = "Steve Kemp"
}
When I then try to log in, the single method is called via the
plugin file loaded with dlopen/dlsym/etc. with username
"skemp":
int sso_authenticate( char * sso_username, char *password )
Assuming I cleaned up the code to rename the configuration
options, etc., would this be of interest in the main repository
and stand a chance of making it into the upstream releases of
the future?
I'd expect something like:
auth_plugin = /path/to/shared.so

user = blah {
    login = plugin username [data1] [data2] ... [dataN]
}
FWIW our code is currently based around F4.0.4.16, but will need
re-basing against something more recent in the near future anyway.
Steve
--
http://www.steve.org.uk/
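The post describes loading an authentication plugin with dlopen/dlsym from a path named in the configuration file. Because that path becomes code running inside the daemon, a loader should refuse anything that is not an absolute, regular, root- or owner-owned file that nobody else can write. The following C program is an added example written for this page; it is not Steve's plugin code or the tac_plus source. It assumes the plugin ABI quoted in the post, int sso_authenticate(char *, char *), and the helper names (plugin_path_is_safe, open_auth_plugin, plugin_loads, check_temp_plugin_file, verify_via_plugin) are this example's own. The success/failure convention for the plugin's return value is passed through unchanged, since the post does not state it.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Plugin entry point as quoted in the post. */
typedef int (*auth_fn)(char *sso_username, char *password);

struct auth_plugin {
    void   *handle;   /* dlopen() handle, closed with dlclose() */
    auth_fn verify;   /* resolved sso_authenticate symbol */
};

/* Pre-load checks on the configured plugin path (example policy, not tac_plus's):
   absolute path, regular file (symlink targets are followed), owned by root or
   by the daemon's own uid, and not writable by group or other.  Returns 1 if
   the file passes, 0 otherwise. */
int plugin_path_is_safe(const char *path) {
    struct stat st;
    if (path == NULL || path[0] != '/') return 0;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != getuid()) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Load the plugin and resolve the entry point.  RTLD_NOW makes unresolved
   symbols fail here rather than at first call; RTLD_LOCAL keeps the plugin's
   symbols out of the daemon's global namespace.  Returns 0 on success, -1 on
   failure (nothing is left open on failure). */
int open_auth_plugin(const char *path, const char *symbol, struct auth_plugin *out) {
    out->handle = NULL;
    out->verify = NULL;
    if (!plugin_path_is_safe(path)) {
        fprintf(stderr, "refusing to load plugin %s: failed path checks\n", path);
        return -1;
    }
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", path, dlerror());
        return -1;
    }
    dlerror();                                   /* clear any stale error */
    void *sym = dlsym(h, symbol);
    const char *err = dlerror();
    if (err != NULL || sym == NULL) {
        fprintf(stderr, "dlsym(%s): %s\n", symbol, err ? err : "symbol is NULL");
        dlclose(h);
        return -1;
    }
    out->handle = h;
    *(void **)(&out->verify) = sym;              /* object-to-function pointer idiom */
    return 0;
}

void close_auth_plugin(struct auth_plugin *p) {
    if (p->handle) dlclose(p->handle);
    p->handle = NULL;
    p->verify = NULL;
}

/* Call the plugin with bounded, mutable copies (the ABI takes char *, not
   const char *) and wipe the password copy afterwards.  Returns -1 if an
   argument is too long, otherwise whatever the plugin returned. */
int verify_via_plugin(const struct auth_plugin *p, const char *user, const char *pass) {
    char u[256], pw[256];
    if (strlen(user) >= sizeof u || strlen(pass) >= sizeof pw) return -1;
    strcpy(u, user);
    strcpy(pw, pass);
    int rc = p->verify(u, pw);
    memset(pw, 0, sizeof pw);
    return rc;
}

/* Convenience: does the plugin at `path` load and export sso_authenticate? 1/0. */
int plugin_loads(const char *path) {
    struct auth_plugin p;
    if (open_auth_plugin(path, "sso_authenticate", &p) != 0) return 0;
    close_auth_plugin(&p);
    return 1;
}

/* Creates a temporary file with the given mode, runs the path check on it,
   deletes it, and returns the check result (or -1 if the file can't be made). */
int check_temp_plugin_file(mode_t mode) {
    char tmpl[512];
    const char *dir = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    snprintf(tmpl, sizeof tmpl, "%s/sso_plugin_example_XXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    fchmod(fd, mode);
    close(fd);
    int ok = plugin_path_is_safe(tmpl);
    unlink(tmpl);
    return ok;
}

int main(int argc, char **argv) {
    /* Path from the post's config; override on the command line. */
    const char *path = argc > 1 ? argv[1] : "/usr/local/lib/sso_plugin.so";
    struct auth_plugin p;
    if (open_auth_plugin(path, "sso_authenticate", &p) != 0) return 1;
    /* "skemp" is the username from the post; the password is a constructed value. */
    printf("plugin returned %d\n", verify_via_plugin(&p, "skemp", "example-password"));
    close_auth_plugin(&p);
    return 0;
}
```

With a real plugin built as a shared object, running the program with its path prints the plugin's return value; with a world-writable or relative path it refuses before dlopen is ever called, which is the point of putting the checks in the loader rather than trusting the config line.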