From steve at steve.org.uk Sat Sep 1 06:24:24 2012
From: steve at steve.org.uk (Steve Kemp)
Date: Sat, 1 Sep 2012 07:24:24 +0100
Subject: [tac_plus] plugin-loading: 3/3: more docs + sample plugins
In-Reply-To: <20120822084644.GA27381@steve.org.uk>
References: <20120822084432.GA27313@steve.org.uk>
	<20120822084644.GA27381@steve.org.uk>
Message-ID: <20120901062424.GA31128@steve.org.uk>

After submitting the patches & additions I've not received any further feedback.

Is there anything I can do to increase the odds of this being accepted? More documentation, more examples? Different coding style, etc, etc?

I have a second patch which changes the single plugin to being a linked list of N potential plugins, each called in turn, but that obviously requires the first bunch of changes to be applied.

Steve
-- 

From wieland at purdue.edu Fri Sep 7 18:55:59 2012
From: wieland at purdue.edu (Jeff Wieland)
Date: Fri, 07 Sep 2012 14:55:59 -0400
Subject: [tac_plus] Mapping user name to another user name
Message-ID: <504A433F.5030501@purdue.edu>

We authenticate against the system shadow file. We have a user who has a certain login that cannot be changed, but for whom we need to use a different login for tacacs. Is there a way to do this? I'm not seeing an option in the man page for tacacs+ for it.

-- 
Jeff Wieland                    | Purdue University
Network Systems Administrator   | ITSO UNIX Platforms
Voice: (765)496-8234            | 401 S. Grant Street
FAX: (765)496-1380              | West Lafayette, IN 47907

From heas at shrubbery.net Sat Sep 8 00:13:14 2012
From: heas at shrubbery.net (heasley)
Date: Sat, 8 Sep 2012 00:13:14 +0000
Subject: [tac_plus] Mapping user name to another user name
In-Reply-To: <504A433F.5030501@purdue.edu>
References: <504A433F.5030501@purdue.edu>
Message-ID: <20120908001314.GL72966@shrubbery.net>

Fri, Sep 07, 2012 at 02:55:59PM -0400, Jeff Wieland:
> We authenticate against the system shadow file. We have a user
> who has a certain login that cannot be changed, but for whom we
> need to use a different login for tacacs. Is there a way to do
> this? I'm not seeing an option in the man page for tacacs+ for it.

No, there is no manner of doing this in tacacs. It might be possible through PAM, but not that I know of.

From javier.sanchezr at satec.es Fri Sep 14 15:23:02 2012
From: javier.sanchezr at satec.es (Javier Sánchez Romero)
Date: Fri, 14 Sep 2012 15:23:02 -0000
Subject: [tac_plus] Tac_plus integration with LDAP (Suse issues)
Message-ID: <185F382A23AC5D45BC93908434B15CF9577050566D@MBXVS01.ihost.local>

Hi there!

I'm a newbie with PAM and I'm trying to integrate TACACS+ with an LDAP server. I've followed the great shrubbery tutorials for a Red Hat installation, but I need this integration in a Suse environment.

When I check /var/log/messages I can see several issues with PAM, but these issues are related to libraries installed on the system. I don't know why the libraries are not found.

/var/log/messages
-----------------
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_ldap.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_unix2.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_unix2.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: Module is unknown

This is my scenario:

Suse 11, 64 bits
Modules installed: pam modules (devel, local, ldap, krb5 and 32 bits), nss_ldap, openldap, glibc and sasl.
And the rest of the system packages.

/etc/pam.d/tac_plus
-------------------
auth     required   pam_env.so debug
auth     sufficient pam_unix.so nullok try_first_pass debug
auth     requisite  pam_succeed_if.so uid >= 500 quiet debug
auth     sufficient pam_ldap.so use_first_pass debug
auth     required   pam_deny.so debug

account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  sufficient pam_succeed_if.so uid < 500 quiet
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required   pam_permit.so

password requisite  pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required   pam_deny.so

session  optional   pam_keyinit.so revoke
session  required   pam_limits.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session  required   pam_unix.so
session  optional   pam_ldap.so

/etc/nsswitch.conf
------------------
passwd:     files ldap
group:      files ldap
shadow:     files ldap
hosts:      files dns
networks:   files
services:   db files
protocols:  db files
rpc:        db files
ethers:     db files
netmasks:   files
netgroup:   nis
publickey:  files
bootparams: files
automount:  files nis
aliases:    files

/etc/ldap.conf
--------------
host x.x.x.x
base dc=x,dc=x,dc=x
ldap_version 3
binddn xxxx at x.x
bindpw xxx
port 389
nss_base_passwd OU=xx,?sub
nss_base_shadow OU=xx,?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad

/lib/security
-------------
pam_access.so        pam_exec.so       pam_krb5          pam_mail.so       pam_permit.so    pam_shells.so      pam_tty_audit.so    pam_userdb.so
pam_ck_connector.so  pam_faildelay.so  pam_krb5.so       pam_make.so       pam_pwcheck.so   pam_smbpass.so     pam_umask.so        pam_warn.so
pam_cracklib.so      pam_filter.so     pam_krb5afs.so    pam_mkhomedir.so  pam_pwhistory.so pam_stress.so      pam_unix.so         pam_wheel.so
pam_cryptpass.so     pam_ftp.so        pam_lastlog.so    pam_motd.so       pam_rhosts.so    pam_succeed_if.so  pam_unix2.so        pam_xauth.so
pam_debug.so         pam_group.so      pam_limits.so     pam_mount.so      pam_rootok.so    pam_tally.so       pam_unix_acct.so
pam_deny.so          pam_homecheck.so  pam_listfile.so   pam_namespace.so  pam_securetty.so pam_tally2.so      pam_unix_auth.so
pam_echo.so          pam_issue.so      pam_localuser.so  pam_nologin.so    pam_selinux.so   pam_time.so        pam_unix_passwd.so
pam_env.so           pam_keyinit.so    pam_loginuid.so   pam_opie.so       pam_sepermit.so  pam_timestamp.so   pam_unix_session.so

/lib64/security
---------------
pam_access.so        pam_exec.so       pam_keyinit.so    pam_localuser.so  pam_nologin.so   pam_securetty.so   pam_tally2.so       pam_unix_auth.so
pam_ck_connector.so  pam_faildelay.so  pam_krb5          pam_loginuid.so   pam_opie.so      pam_selinux.so     pam_time.so         pam_unix_passwd.so
pam_cracklib.so      pam_filter        pam_krb5.so       pam_mail.so       pam_permit.so    pam_sepermit.so    pam_timestamp.so    pam_unix_session.so
pam_cryptpass.so     pam_filter.so     pam_krb5afs.so    pam_make.so       pam_pwcheck.so   pam_shells.so      pam_tty_audit.so    pam_userdb.so
pam_debug.so         pam_ftp.so        pam_lastlog.so    pam_mkhomedir.so  pam_pwhistory.so pam_smbpass.so     pam_umask.so        pam_warn.so
pam_deny.so          pam_group.so      pam_ldap.so       pam_motd.so       pam_rhosts.so    pam_stress.so      pam_unix.so         pam_wheel.so
pam_echo.so          pam_homecheck.so  pam_limits.so     pam_mount.so      pam_rootok.so    pam_succeed_if.so  pam_unix2.so        pam_xauth.so
pam_env.so           pam_issue.so      pam_listfile.so   pam_namespace.so  pam_rpasswd.so   pam_tally.so       pam_unix_acct.so

Anybody have a solution for this?

Thanks a lot in advance

Kind regards

Javi
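An added example, not part of Javi's message or of the tac_plus project: a small Python parser over the /var/log/messages lines quoted above (re-typed here as constructed sample input so it runs offline). It pulls out each "PAM unable to dlopen" diagnostic, then groups the failing modules by the library and symbol version that were actually missing. The point is that pam_ldap.so and pam_unix2.so are not two separate breakages: both are pulled down by the same /lib64/libnsl.so.1 wanting a GLIBC_2.14 symbol version that the installed /lib64/libc.so.6 does not export, which is the signature of a library from a newer glibc release having been installed on top of the base system. It also notes which service reported the failure, since a faulty module in /lib64/security breaks every PAM stack that references it, not only /etc/pam.d/tac_plus.

```python
import re
from collections import defaultdict

# Constructed sample input: the syslog lines from the message above, re-typed
# here so the script runs without access to the original host.
SAMPLE_LOG = """\
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_ldap.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_ldap.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM unable to dlopen(/lib64/security/pam_unix2.so): /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /lib64/libnsl.so.1)
Sep 14 17:00:01 /usr/sbin/cron[30615]: PAM adding faulty module: /lib64/security/pam_unix2.so
Sep 14 17:00:01 /usr/sbin/cron[30615]: Module is unknown
"""

# "<prog>[<pid>]: PAM unable to dlopen(<module>): <provider>: version `<ver>' not found (required by <consumer>)"
# provider is the library that should export the versioned symbol (libc here),
# consumer is the library that asked for it (libnsl here).
DLOPEN_RE = re.compile(
    r"(?P<service>\S+)\[\d+\]: PAM unable to dlopen\((?P<module>[^)]+)\): "
    r"(?P<provider>\S+): version `(?P<version>[^']+)' not found "
    r"\(required by (?P<consumer>[^)]+)\)"
)
FAULTY_RE = re.compile(r"PAM adding faulty module: (?P<module>\S+)")


def parse_pam_failures(log_text):
    """Return (failures, faulty). failures maps each module that failed to
    dlopen to the reporting service and the unresolved symbol version;
    faulty lists the modules PAM then marked faulty, in log order."""
    failures = {}
    faulty = []
    for line in log_text.splitlines():
        m = DLOPEN_RE.search(line)
        if m:
            failures[m["module"]] = {
                "service": m["service"],
                "provider": m["provider"],
                "version": m["version"],
                "consumer": m["consumer"],
            }
            continue
        m = FAULTY_RE.search(line)
        if m:
            faulty.append(m["module"])
    return failures, faulty


def group_by_root_cause(failures):
    """Group failing modules by the shared (consumer, version, provider)
    triple, so one bad dependency shows up once rather than once per module."""
    groups = defaultdict(list)
    for module, info in failures.items():
        groups[(info["consumer"], info["version"], info["provider"])].append(module)
    return {key: sorted(mods) for key, mods in groups.items()}


def report(log_text):
    """Summary lines for a human; also flags modules PAM marked faulty without
    a matching dlopen diagnostic, which would need separate investigation."""
    failures, faulty = parse_pam_failures(log_text)
    lines = []
    for (consumer, version, provider), modules in sorted(group_by_root_cause(failures).items()):
        lines.append(
            f"{consumer} requires symbol version {version}, which {provider} does not export; "
            f"modules broken by this: {', '.join(modules)}"
        )
    unexplained = [m for m in faulty if m not in failures]
    if unexplained:
        lines.append("faulty without a dlopen diagnostic: " + ", ".join(unexplained))
    services = sorted({info["service"] for info in failures.values()})
    if services:
        lines.append(
            "reported by: " + ", ".join(services)
            + " (any PAM stack that loads these modules is affected, not only tac_plus)"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the affected host the same conclusion can be confirmed directly: `objdump -T /lib64/libnsl.so.1 | grep GLIBC_2.14` shows the symbol version libnsl demands, and running `/lib64/libc.so.6` prints the glibc version actually installed; if that is older than 2.14, libnsl (and whatever package delivered it) did not come from the same distribution release as the rest of the system.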