[tac_plus] Should optional A/V pair be sent?
heasley
heas at shrubbery.net
Mon Jan 23 19:57:42 UTC 2012
Mon, Jan 23, 2012 at 09:41:01AM -0800, Jathan McCollum:
> I am still having the exact same problem.
>
> The tac_plus daemon is NOT sending optional a/v pairs over the wire at all.
> I had been in communication with Dan back in September about modifying
> do_auth.py to be able to append or remove a/v pairs. Currently do_auth.py
> is only able to replace existing pairs. I was going to try to contribute
> code to make do_auth.py do this, but it got de-prioritized until last week
> and I had to move on to something else. I am just now revisiting this issue.
>
> Using this configuration:
>
> group = admin {
>     default service = permit
>     service = exec {
      ^^^^^^^^^^^^^^
>         optional brcd-role = admin
>         priv-lvl = 15
>     }
> }
> user = jathan {
>     login = cleartext jathan
>     pap = cleartext jathan
>     member = admin
> }
>
> And running tac_plus with maximum debug output, you see this when I log in
> to the device and it sends the authorization request:
>
> Mon Jan 23 09:26:11 2012 [11716]: Start authorization request
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL
> Mon Jan 23 09:26:11 2012 [11716]: do_author: user='jathan'
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=before rec=1
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL
> Mon Jan 23 09:26:11 2012 [11716]: user 'jathan' found
> Mon Jan 23 09:26:11 2012 [11716]: exec authorization request for jathan
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=
> Mon Jan 23 09:26:11 2012 [11716]: exec is explicitly permitted by line 6
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=
> Mon Jan 23 09:26:11 2012 [11716]: nas:service=shell (passed thru)
                                    ^^^^^^^^^^^^^^^^^