[tac_plus] tac_plus and PAM

Tucker Jones ttjones2013 at hotmail.com
Sat Dec 28 21:32:56 UTC 2013


Please excuse my newbie questions. To utilize PAM, do I need to use the pam_tacplus module? I currently was only using pam_tally2, but after looking around it appeared I needed to utilize the pam_tacplus module instead? Would you be able to clarify which module would be the best?

You also said "Since tacacs is authenticating users normally until pam_tally blocks them". Per my understanding, if I have a user configured for PAM and they attempt to log in, tacacs would look in its conf file and see that the user is set to PAM and then use the associated tac_plus conf file in the PAM directory to tell it what to authenticate the user against?

Would you know of any example configuration where they are using a local shadow file to work with tac_plus and PAM? Most of the examples I find are for LDAP, but this is a unique situation and we just want to utilize the shadow file initially. Are there any good ways to test this locally on the server to try to find any errors? When I changed the module to pam_tacplus I see the user failing authentication now, but I can't see what is causing the authentication problem, as the user's password that is being entered is correct.

Thank you.

> Date: Mon, 23 Dec 2013 17:39:43 +0000
> From: heas at shrubbery.net
> To: ttjones2013 at hotmail.com
> CC: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus and PAM
> 
> Fri, Dec 20, 2013 at 10:18:01AM -0500, Tucker Jones:
> > Hello,
> > 
> > I am setting up a CentOS server to run tac_plus and am trying to use it with PAM. Currently, I am trying to use tac_plus to authenticate users who are VPN'ing into the network. The users are able to VPN in; however, pam_tally2 is indicating a bad login and incrementing the attempts, so after a period of time the user gets locked out. I am sure it is some step I have missed in my configuration. I have seen where some other people had a similar problem, but I haven't seen what their resolution was. I did look in the past archives, but I didn't see anything specific to this. I apologize if I missed it.
> > 
> > My current tac_plus.conf appears like this. I just started testing this so it is only slightly modified from the default currently.
> 
> Since tacacs is authenticating users normally until pam_tally blocks them, I
> expect the problem is most likely not related to tacacs at all.  It is
> probably your pam configuration for tacacs.  Presumably, it's the order that
> the module appears or some module it relies upon is missing.  Compare the
> config to another pam config that uses this module.
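
As an added example (not part of the original messages and not code from tac_plus): a small Python lint for the module-order check suggested in the reply, run on two constructed stacks for a hypothetical `/etc/pam.d/tac_plus` service file. It assumes, per pam_tally2(8), that the failure counter is cleared only by `pam_setcred` or by a pam_tally2 `account` line; the finding names are made up for this example.

```python
# Both stacks are constructed samples for a hypothetical /etc/pam.d/tac_plus.
BROKEN = """\
#%PAM-1.0
auth     required  pam_unix.so
auth     required  pam_tally2.so deny=5 unlock_time=900
account  required  pam_unix.so
"""
FIXED = """\
#%PAM-1.0
auth     required  pam_tally2.so deny=5 unlock_time=900
auth     required  pam_unix.so
account  required  pam_unix.so
account  required  pam_tally2.so
"""
TYPES = {"auth", "account", "password", "session"}

def parse_stack(text):
    """Return (type, control, module) for every rule line of a service file."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()       # drop comments
        if len(fields) < 3 or fields[0].lstrip("-") not in TYPES:
            continue                                 # blank, @include, malformed
        i = 1
        if fields[1].startswith("["):                # bracketed control may hold spaces
            while not fields[i].endswith("]") and i < len(fields) - 2:
                i += 1
        module = fields[i + 1].rsplit("/", 1)[-1]    # strip any directory prefix
        rules.append((fields[0].lstrip("-"), " ".join(fields[1:i + 1]), module))
    return rules

def lint(text):
    """Return a list of finding names (names are specific to this example)."""
    rules = parse_stack(text)
    auth = [m for t, _, m in rules if t == "auth"]
    account = [m for t, _, m in rules if t == "account"]
    findings = []
    if "pam_tally2.so" in auth:
        # Without an account-phase pam_tally2, only pam_setcred resets the
        # counter; a service that never calls it counts every login as a failure.
        if "pam_tally2.so" not in account:
            findings.append("no-account-reset")
        # pam_tally2(8) places it ahead of the password-checking module.
        if "pam_unix.so" in auth and auth.index("pam_unix.so") < auth.index("pam_tally2.so"):
            findings.append("tally-after-unix")
    # pam_tacplus is a TACACS+ client module; it does not read the shadow file.
    if any(m == "pam_tacplus.so" for _, _, m in rules):
        findings.append("pam_tacplus-in-server-stack")
    return findings
```

Running `lint()` on the real service file and on a known-good stack that uses pam_tally2 gives the side-by-side comparison the reply recommends.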