From vadud3 at gmail.com Thu Aug 1 15:36:33 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 1 Aug 2013 11:36:33 -0400
Subject: [tac_plus] rename the binary tac_plus
Message-ID:

I need to point tac_plus to two different pam library pam_ldap and pam_radius.
The only way I can think of doing it is by renaming the binary to ``foo''
and create a new file /etc/pam.d/foo. But it does not work, like ssh does.

So, I need to rename it during compile. Any suggestion on how to do that?

I tried to modify the bin_PROGRAMS, but then make fails with No rule for
the target.

Thanks for your help.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From heas at shrubbery.net Sun Aug 4 16:05:37 2013
From: heas at shrubbery.net (heasley)
Date: Sun, 4 Aug 2013 16:05:37 +0000
Subject: [tac_plus] tac plus and ipv6 server support
In-Reply-To: <5081C118.8050906@telekenex.com>
References: <5081C118.8050906@telekenex.com>
Message-ID: <20130804160537.GA33998@shrubbery.net>

Fri, Oct 19, 2012 at 02:07:36PM -0700, Andrew Cassidy:
> Hello,
>
> I have been happily using tac_plus for some time but recently we have
> been running down our list of management access softwares which are
> ipv6 capable and tac_plus does not seem to be one of them. Please let
> me know if I am incorrect but googling around and poking through the
> source does not show v6 server support.

long time since...but, I've had a go at adding v6 support. I haven't the
ability to test this extensively ATM, so i'm calling it "alpha". But, please
try it and lmk if there are problems.

it will accept a v6 address as the -B argument and will by default listen
on both v4 and v6 if the system returns both via getnameinfo(3).
ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.27a.tar.gz

From heas at shrubbery.net Sun Aug 4 16:28:29 2013
From: heas at shrubbery.net (heasley)
Date: Sun, 4 Aug 2013 16:28:29 +0000
Subject: [tac_plus] linux pam and ldap - or just linux pam
Message-ID: <20130804162829.GF33998@shrubbery.net>

If you're a user of tac_plus on linux with pam, I'd like to see your pam
configuration to add to documentation to help others. I do not use linux
or ldap, but others request configuration help often. TIA.

From vadud3 at gmail.com Mon Aug 5 19:54:05 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 5 Aug 2013 15:54:05 -0400
Subject: [tac_plus] linux pam and ldap - or just linux pam
In-Reply-To: <20130804162829.GF33998@shrubbery.net>
References: <20130804162829.GF33998@shrubbery.net>
Message-ID:

This is how we setup our tac_plus with libpam_ldap on ubuntu

# sudo apt-get install build-essential libpam0g-dev gcc flex bison libwrap0-dev libpam-ldap
# (compile tac_plus and it should find pam libraries)

# cat /etc/pam.d/tac_plus
auth sufficient pam_ldap.so

# cat /etc/tacacs.conf
....
user = foo {
    login = PAM
    member = bar
}
...

# cat /etc/ldap.conf
base ou=People,dc=example,dc=com
uri ldaps://192.168.1.10:1636 ldaps://192.168.1.11:1636
ldap_version 3
binddn uid=mybinduid,ou=people,dc=example,dc=com
bindpw secret
pam_password crypt
nss_initgroups_ignoreusers Gaxfrdns,Gdnscache,Gdnslog,Gtinydns,avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hobbit,hplip,irc,kernoops,landscape,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data

# cat /etc/ldap/ldap.conf
TLS_CACERT /etc/ssl/certs/company.cer
TLS_REQCERT never

Hopefully I did not miss anything.

On Sun, Aug 4, 2013 at 12:28 PM, heasley wrote:

> If you're a user of tac_plus on linux with pam, I'd like to see your pam
> configuration to add to documentation to help others.
> I do not use linux or ldap, but others request configuration help often. TIA.
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From daniel.schmidt at wyo.gov Thu Aug 8 17:35:52 2013
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 8 Aug 2013 11:35:52 -0600
Subject: [tac_plus] TACACS+ Accounting Report Generation
In-Reply-To:
References: <251C71CF3919A942A3A12FDD3CC76101DC0A305619@SINNODMBX001.TechMahindra.com>
Message-ID:

Here was that little cgi I promised. Nothing special - it parses the log
into something readable so you can tell who did what when. Works for Cisco,
Nexus, ASA, Brocade - might need tweaking to support others due to the fact
that people can't standardize. Drop me a line if you find it helpful or if
you correct mistakes.

http://pastie.org/8219174

and a simple popup help page to go with it:

http://pastie.org/8219229

On Fri, Jul 26, 2013 at 7:10 PM, Daniel Schmidt wrote:

> Splunk can do a better job than a simple Network Engineer with just a few
> minutes of free time. Nevertheless, when I get back to the office, I'll
> try to remember to post it.
>
> On Fri, Jul 19, 2013 at 11:05 AM, Asif Iqbal wrote:
>
>> On Thu, Jul 18, 2013 at 3:13 PM, Daniel Schmidt wrote:
>>
>>> I wrote a simple cgi in python so I could parse my logs to see who did
>>> what on what at what time. I'm not sure it's written well enough for
>>> me to admit to writing it. Job != programmer.
>>
>> we are using splunk for that which indexes the accounting logs. although
>> I would be interested to see your code.
>>
>>> On Thu, Jul 18, 2013 at 6:57 AM, Sachin.6.Gupta <SG00123446 at techmahindra.com> wrote:
>>>
>>> > Hi All,
>>> >
>>> > Is there a suitable framework for generating reports from accounting
>>> > records?
>>> >
>>> > I think this might be needed for PCI compliance and user views.
>>> >
>>> > Please suggest.
>>> >
>>> > Regards
>>> > Sachin
>>> >
>>> > -------------- next part --------------
>>> > An HTML attachment was scrubbed...
>>> > URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20130718/e0a48182/attachment.html>
>>> > _______________________________________________
>>> > tac_plus mailing list
>>> > tac_plus at shrubbery.net
>>> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>
>>> E-Mail to and from me, in connection with the transaction
>>> of public business, is subject to the Wyoming Public Records
>>> Act and may be disclosed to third parties.
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20130718/57277bab/attachment.html>
>>>
>>> _______________________________________________
>>> tac_plus mailing list
>>> tac_plus at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?

E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.

From heas at shrubbery.net Thu Aug 8 19:30:32 2013
From: heas at shrubbery.net (heasley)
Date: Thu, 8 Aug 2013 19:30:32 +0000
Subject: [tac_plus] linux pam and ldap - or just linux pam
In-Reply-To:
References: <20130804162829.GF33998@shrubbery.net>
Message-ID: <20130808193032.GU93877@shrubbery.net>

Mon, Aug 05, 2013 at 03:54:05PM -0400, Asif Iqbal:
> This is how we setup our tac_plus with libpam_ldap on ubuntu
>
> # sudo apt-get install build-essential libpam0g-dev gcc flex bison
> libwrap0-dev libpam-ldap
> # (compile tac_plus and it should find pam libraries)
>
> # cat /etc/pam.d/tac_plus
> auth sufficient pam_ldap.so
>
> # cat /etc/tacacs.conf
> ....
> user = foo {
> login = PAM
> member = bar
> }
> ...
>
> # cat /etc/ldap.conf
> base ou=People,dc=example,dc=com
> uri ldaps://192.168.1.10:1636 ldaps://192.168.1.11:1636
> ldap_version 3
> binddn uid=mybinduid,ou=people,dc=example,dc=com
> bindpw secret
> pam_password crypt
> nss_initgroups_ignoreusers
> Gaxfrdns,Gdnscache,Gdnslog,Gtinydns,avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hobbit,hplip,irc,kernoops,landscape,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data

those last two lines were wrapped, i presume. Thanks

> # cat /etc/ldap/ldap.conf
> TLS_CACERT /etc/ssl/certs/company.cer
> TLS_REQCERT never
>
>
> Hopefully I did not miss anything.
>
> On Sun, Aug 4, 2013 at 12:28 PM, heasley wrote:
>
> > If you're a user of tac_plus on linux with pam, I'd like to see your pam
> > configuration to add to documentation to help others. I do not use linux
> > or ldap, but others request configuration help often. TIA.
> >
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
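Added example, not part of any list message: a small Python check over the two client files posted in this thread that flags settings weakening the LDAPS link behind the tac_plus PAM login, such as TLS_REQCERT never. The function names, finding texts and the 0644 file mode are assumptions for illustration; the option names are those of OpenLDAP's ldap.conf and pam_ldap.

```python
# Config text as posted in the thread (nss_initgroups_ignoreusers line omitted).
PAM_LDAP_CONF = """\
base ou=People,dc=example,dc=com
uri ldaps://192.168.1.10:1636 ldaps://192.168.1.11:1636
ldap_version 3
binddn uid=mybinduid,ou=people,dc=example,dc=com
bindpw secret
pam_password crypt
"""
OPENLDAP_CONF = """\
TLS_CACERT /etc/ssl/certs/company.cer
TLS_REQCERT never
"""
ASSUMED_MODE = 0o644  # assumption: the thread does not give the file permissions


def parse(text):
    """Return {lowercased option: value}, skipping blank lines and # comments."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit(text, file_mode=ASSUMED_MODE):
    """Return a list of findings for one ldap.conf-style client file."""
    o, findings = parse(text), []
    # OpenLDAP: 'never' and 'allow' both let a session proceed with a bad certificate.
    if o.get("tls_reqcert", "demand").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT does not enforce server certificate validation")
    if o.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no disables peer verification in pam_ldap")
    uris = o.get("uri", "").split()
    if any(u.lower().startswith("ldap://") for u in uris) and o.get("ssl") != "start_tls":
        findings.append("ldap:// URI without 'ssl start_tls' sends the bind in cleartext")
    if "bindpw" in o and file_mode & 0o077:
        findings.append("bindpw stored in a file readable by group/other")
    return findings


if __name__ == "__main__":
    for name, text in (("/etc/ldap.conf", PAM_LDAP_CONF),
                       ("/etc/ldap/ldap.conf", OPENLDAP_CONF)):
        for finding in audit(text):
            print(f"{name}: {finding}")
```

With TLS_CACERT already pointing at the company CA, setting TLS_REQCERT to demand (the OpenLDAP default) clears the first finding.
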
From vadud3 at gmail.com Thu Aug 8 19:46:24 2013
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 8 Aug 2013 15:46:24 -0400
Subject: [tac_plus] linux pam and ldap - or just linux pam
In-Reply-To: <20130808193032.GU93877@shrubbery.net>
References: <20130804162829.GF33998@shrubbery.net> <20130808193032.GU93877@shrubbery.net>
Message-ID:

On Thu, Aug 8, 2013 at 3:30 PM, heasley wrote:

> > Gaxfrdns,Gdnscache,Gdnslog,Gtinydns,avahi,avahi-autoipd,backup,bin,colord,daemon,games,gnats,hobbit,hplip,irc,kernoops,landscape,libuuid,lightdm,list,lp,mail,man,messagebus,news,ntp,proxy,pulse,root,rtkit,saned,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
>
> those last two lines were wrapped, i presume.
>

yep.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From ggood at vmware.com Wed Aug 21 16:40:10 2013
From: ggood at vmware.com (Gordon Good)
Date: Wed, 21 Aug 2013 09:40:10 -0700 (PDT)
Subject: [tac_plus] Access to older tac_plus versions
In-Reply-To: <210062428.33849288.1377102953568.JavaMail.root@vmware.com>
Message-ID: <549348916.33853701.1377103210909.JavaMail.root@vmware.com>

Hi,

I have a customer who is running an older version of tac_plus, and I'd like
to verify the tacacs+ integration work we did against their version (we've
been testing against the 4.0.4.19 version in Ubuntu precise). Unfortunately,
I get a permission denied error when I try to cwd into the "OLD" directory
on your ftp site. Would it be possible to open up access to the older
versions?

Thanks,

-Gordon Good
-Staff Software Engineer
-VMware/Nicira

From mus3 at Lehigh.EDU Tue Aug 27 19:33:53 2013
From: mus3 at Lehigh.EDU (Munroe Sollog)
Date: Tue, 27 Aug 2013 15:33:53 -0400
Subject: [tac_plus] Is this project still maintained?
Message-ID: <521CFF21.6000901@lehigh.edu>

I'm just curious to know if this project is still actively maintained.

--
Munroe Sollog
LTS - Network Analyst
x85002

From alan.mckinnon at gmail.com Tue Aug 27 20:06:21 2013
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 27 Aug 2013 22:06:21 +0200
Subject: [tac_plus] Is this project still maintained?
In-Reply-To: <521CFF21.6000901@lehigh.edu>
References: <521CFF21.6000901@lehigh.edu>
Message-ID: <521D06BD.3060107@gmail.com>

On 27/08/2013 21:33, Munroe Sollog wrote:
> I'm just curious to know if this project is still actively maintained.

Yes, very much so.

The reason you see so little commit activity is that the product is
mature and pretty much feature-complete for what its users need. The
tacacs protocol is stable and hasn't changed in years, so there's no
need to update the software to match. Bugs are few and far between.

The most common support request is how to add users to two or more
groups, but the config file does not support this (quite correctly in my
opinion). The usual answer is to use do-auth.py by Dan Schmidt (which
also does this correctly calling out to a python script that can
dynamically deal with it).

So well maintained - yes! It just doesn't change much :-)

--
Alan McKinnon
alan.mckinnon at gmail.com