[tac_plus] Two TACACS+ server and primary one is always busy
Asif Iqbal
vadud3 at gmail.com
Fri Jul 12 17:25:33 UTC 2013
On Fri, Jul 12, 2013 at 12:55 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
> On 12/07/2013 18:41, Asif Iqbal wrote:
> > What are the hash types you use for your passwords and is it a method
> > that can be hashed quickly by the OS
> >
> >
> > using PAM -> AD.
> >
> >
> >
> > Those would be the first thing I'd look at. Second is to post your
> > tac_plus.conf. There aren't really any best practices as such for this,
> > tac_plus is more than adequate to deal with just about any realistic
> > scenario so the "best practice" is whatever works for you and gives
> > *you* the control *you* need.
> >
> >
> >
> > Need to sanitize a lot before posting it, but I have 31 group stanzas,
> > 1325 user stanzas,
> > 19 acl stanzas and some of those acls have about 130 permit lines.
> >
> > currently I have 24 tac_plus instance running like below
> >
> > $ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s
> > 4692 1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l
> > /var/log/tacacs.daemon.log -C /etc/tacacs.conf
> > 27276 4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l
> > /var/log/tacacs.daemon.log -C /etc/tacacs.conf
> >
>
>
> No need to post and sanitize your configs, the thing to investigate
> first is your PAM -> AD authen setup.
>
> I have a config similar to yours in terms of numbers and my setup works
> as expected. Most systems use a passwd file, one system has all the
> users directly in tac_plus.conf. I've run it on FreeBSD, Linux and
> Solaris and there's never been a hint of memory leaks at all. And no-one
> else here has posted about memory leaks as far as I can recall.
>
Not sure why a restart of tac_plus fixes the slowness in working with the
router for almost a month, until the next restart.
> All that seems to point towards tac_plus itself working correctly, so we
> should look at things you have that are different.
>
> And AD via PAM is one such thing :-)
> Using PAM for auth in tac_plus is poorly documented and most folks who
> ask about it end up experimenting a lot to get it right.
>
> Can you post how your setup works and what your PAM config is?
>
>
$ cat /etc/pam.d/tac_plus
auth required pam_ldap.so
$ cat /etc/ldap/ldap.conf
BASE ou=People,dc=example,dc=com
URI ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
TLS_CACERT /etc/ssl/certs/example.cer
TLS_REQCERT never
nss_initgroups_ignoreusers
backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,news,postfix,proxy,root,sshd,sync,sys,syslog,uucp,www-data
using nslcd for caching
$ sudo cat /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
base ou=People,dc=mnet,dc=example,dc=com
filter passwd (objectclass=mnetperson)
filter shadow (objectclass=mnetperson)
binddn uid=binduid,ou=people,dc=example,dc=com
bindpw secret
tls_reqcert never
tls_cacertfile /etc/ssl/certs/example.cer
idle_timelimit 60
$ ldd /usr/local/bin/tac_plus
linux-vdso.so.1 => (0x00007fffa03ff000)
libwrap.so.0 => /lib/libwrap.so.0 (0x00007f316aac5000)
libtacacs.so.1 => /usr/local/lib/libtacacs.so.1 (0x00007f316a86c000)
libpam.so.0 => /lib/libpam.so.0 (0x00007f316a65e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00007f316a444000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f316a20b000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3169fed000)
libc.so.6 => /lib/libc.so.6 (0x00007f3169c67000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f3169a63000)
/lib64/ld-linux-x86-64.so.2 (0x00007f316acd8000)
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
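As an added example (not from this thread, and not code from tac_plus or nss-pam-ldapd), a small Python checker for the kind of ldap.conf / nslcd.conf posted above: it flags `tls_reqcert never` (server certificate verification disabled), cleartext `ldap://` URIs, `ldaps://` without a CA file, and a `uri` line that names the same server twice, which is what the posted config does, so the second entry gives no real failover. The hosts ldap1/ldap2.example.com in the hardened sample are placeholders.

```python
"""Audit an ldap.conf / nslcd.conf style file for settings that weaken the PAM -> LDAP
path tac_plus relies on. Added example, not part of tac_plus or nss-pam-ldapd."""
from typing import Dict, List

def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Return {key: [value, ...]}; keys lower-cased so ldap.conf's TLS_REQCERT and
    nslcd.conf's tls_reqcert are handled alike, and repeated keys keep every value."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf

def audit_ldap_conf(text: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    # Certificate checking off: any host in the path could impersonate the LDAP server.
    for val in conf.get("tls_reqcert", []):
        if val.lower() in ("never", "allow"):
            findings.append(f"tls_reqcert {val}: LDAP server certificate is not verified")
    uris = " ".join(conf.get("uri", [])).split()
    # Plain ldap:// sends the bind password and user passwords without TLS.
    for u in uris:
        if u.startswith("ldap://"):
            findings.append(f"{u}: cleartext LDAP, credentials exposed on the wire")
    # ldaps:// needs a CA file to verify against, otherwise a strict tls_reqcert cannot pass.
    if any(u.startswith("ldaps://") for u in uris) and not (
            conf.get("tls_cacertfile") or conf.get("tls_cacert")):
        findings.append("ldaps:// configured without a CA certificate file")
    # A 'failover' list that repeats one server gives no redundancy at all.
    if len(uris) != len(set(uris)):
        findings.append("uri repeats the same server; no real failover configured")
    return findings

# Constructed inputs: WEAK_CONF mirrors the thread's nslcd.conf, HARDENED_CONF is a
# corrected version with placeholder hosts ldap1/ldap2.example.com.
WEAK_CONF = """\
uri ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
tls_reqcert never
tls_cacertfile /etc/ssl/certs/example.cer
"""
HARDENED_CONF = """\
uri ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example.cer
"""
```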