[tac_plus] Two TACACS+ server and primary one is always busy

Asif Iqbal vadud3 at gmail.com
Fri Jul 12 17:25:33 UTC 2013


On Fri, Jul 12, 2013 at 12:55 PM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:

> On 12/07/2013 18:41, Asif Iqbal wrote:
> >     What are the hash types you use for your passwords and is it a method
> >     that can be hashed quickly by the OS
> >
> >
> > using PAM -> AD.
> >
> >
> >
> >     Those would be the first thing I'd look at. Second is to post your
> >     tac_plus.conf. there aren't really any best practices as such for
> this,
> >     tac_plus is more than adequate to deal with just about any realistic
> >     scenario so the "best practice" is whatever works for you and gives
> >     *you* the control *you* need.
> >
> >
> >
> > Need to sanitize a lot before posting it, but I have 31 group stanzas,
> > 1325 user stanzas,
> > 19 acl stanzas and some of those acls have about 130 permit lines.
> >
> > Currently I have 24 tac_plus instances running, like below:
> >
> > $ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s
> >  4692     1  78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l
> > /var/log/tacacs.daemon.log -C /etc/tacacs.conf
> > 27276  4692  78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l
> > /var/log/tacacs.daemon.log -C /etc/tacacs.conf
> >
>
>
> No need to post and sanitize your configs, the thing to investigate
> first is your PAM -> AD authen setup.
>
> I have a config similar to yours in terms of numbers and my setup works
> as expected. Most systems use a passwd file, one system has all the
> users directly in tac_plus.conf. I've run it on FreeBSD, Linux and
> Solaris and there's never been a hint of memory leaks at all. And no-one
> else here has posted about memory leaks as far as I can recall.
>


Not sure why a restart of tac_plus fixes the slowness in working with the
router for almost a month, until the next restart.



> All that seems to point towards tac_plus itself working correctly, so we
> should look at things you have that are different.
>
> And AD via PAM is one such thing :-)
> Using PAM for auth in tac_plus is poorly documented and most folks who
> ask about it end up experimenting a lot to get it right.
>
> Can you post how your setup works and what your PAM config is?
>
>
$ cat /etc/pam.d/tac_plus
   auth required pam_ldap.so

$ cat /etc/ldap/ldap.conf
   BASE    ou=People,dc=example,dc=com
   URI     ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636

   TLS_CACERT /etc/ssl/certs/example.cer
   TLS_REQCERT never
   nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,news,postfix,proxy,root,sshd,sync,sys,syslog,uucp,www-data


using nslcd for caching

$ sudo cat /etc/nslcd.conf
  uid nslcd
  gid nslcd
  uri ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
  base ou=People,dc=mnet,dc=example,dc=com
  filter passwd (objectclass=mnetperson)
  filter shadow (objectclass=mnetperson)
  binddn uid=binduid,ou=people,dc=example,dc=com
  bindpw secret
  tls_reqcert never
  tls_cacertfile /etc/ssl/certs/example.cer
  idle_timelimit 60

$ ldd /usr/local/bin/tac_plus
   linux-vdso.so.1 =>  (0x00007fffa03ff000)
   libwrap.so.0 => /lib/libwrap.so.0 (0x00007f316aac5000)
   libtacacs.so.1 => /usr/local/lib/libtacacs.so.1 (0x00007f316a86c000)
   libpam.so.0 => /lib/libpam.so.0 (0x00007f316a65e000)
   libnsl.so.1 => /lib/libnsl.so.1 (0x00007f316a444000)
   libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f316a20b000)
   libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3169fed000)
   libc.so.6 => /lib/libc.so.6 (0x00007f3169c67000)
   libdl.so.2 => /lib/libdl.so.2 (0x00007f3169a63000)
   /lib64/ld-linux-x86-64.so.2 (0x00007f316acd8000)



>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
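Editor's note on the two files posted above, separate from the thread's discussion of the slowness: both ldap.conf and nslcd.conf carry TLS_REQCERT never / tls_reqcert never, and both point at the same LDAPS URI twice. With reqcert set to never the client never asks for, let alone verifies, the directory's certificate, so the TLS_CACERT / tls_cacertfile lines do nothing and the simple bind that pam_ldap performs with each operator's password can be intercepted by anyone able to sit in the path to port 1636. Listing one server twice is also not a failover pair. The script below is an added example, not code from the thread or from tac_plus, pam_ldap or nslcd: it parses the real ldap.conf / nslcd.conf key-value syntax and flags these conditions. The sample configs inside it are constructed with placeholder hostnames and base DNs, not the poster's values.

```python
"""Audit the TLS posture of an OpenLDAP ldap.conf or nss-pam-ldapd nslcd.conf.

Added example (not from the tac_plus thread). File syntax is the real one;
the sample contents below are constructed with placeholder hosts.
"""

# tls_reqcert values, per ldap.conf(5); nslcd.conf(5) uses the same names:
#   never  - no certificate is requested, nothing is checked
#   allow  - certificate requested; a bad or missing one is ignored
#   try    - a bad certificate aborts, a missing one is tolerated
#   demand - a valid certificate is required (the default); 'hard' is the same
WEAK_REQCERT = {"never", "allow", "try"}


def parse_conf(text):
    """Parse 'KEY value' lines into {key: [values]}.

    Keys are lower-cased so TLS_REQCERT (ldap.conf) and tls_reqcert
    (nslcd.conf) are handled alike; a repeated key keeps every value.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_tls(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []

    # URI may name several servers on one line or be repeated on several.
    uris = " ".join(conf.get("uri", [])).split()
    for uri in uris:
        if uri.lower().startswith("ldap://"):
            findings.append(
                f"{uri}: cleartext LDAP, so a simple bind sends the password "
                "in the clear unless STARTTLS is forced"
            )

    # Both files default to 'demand' when the key is absent; last value wins.
    reqcert = conf.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert in WEAK_REQCERT:
        findings.append(
            f"tls_reqcert {reqcert}: the server certificate is not verified, so "
            "anyone in the path to the LDAPS port can impersonate the directory "
            "and collect every bind password"
        )
        if "tls_cacert" in conf or "tls_cacertfile" in conf:
            findings.append(
                "a CA file is configured but cannot protect the bind while "
                "tls_reqcert is not 'demand' or 'hard'"
            )

    if len(uris) != len(set(uris)):
        findings.append(
            "the same URI is listed more than once: listing one server twice "
            "gives no failover"
        )
    return findings


# Constructed sample in the shape of the posted ldap.conf (placeholder host).
WEAK_LDAP_CONF = """\
BASE    ou=People,dc=example,dc=com
URI     ldaps://ldap.example.com:1636 ldaps://ldap.example.com:1636
TLS_CACERT /etc/ssl/certs/example.cer
TLS_REQCERT never
"""

# The same file with certificate checking enforced and a distinct second server.
HARDENED_LDAP_CONF = """\
BASE    ou=People,dc=example,dc=com
URI     ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636
TLS_CACERT /etc/ssl/certs/example.cer
TLS_REQCERT demand
"""

# nslcd.conf uses lower-case keys and tls_cacertfile; same parser applies.
WEAK_NSLCD_CONF = """\
uid nslcd
uri ldaps://ldap.example.com:1636
binddn uid=binduid,ou=people,dc=example,dc=com
bindpw secret
tls_reqcert never
tls_cacertfile /etc/ssl/certs/example.cer
"""

if __name__ == "__main__":
    for name, conf in (("weak ldap.conf", WEAK_LDAP_CONF),
                       ("hardened ldap.conf", HARDENED_LDAP_CONF),
                       ("weak nslcd.conf", WEAK_NSLCD_CONF)):
        print(f"== {name}")
        for finding in audit_tls(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against the live /etc/ldap/ldap.conf and /etc/nslcd.conf (read the files and pass their text to audit_tls) after the pam_ldap setup is reworked; the fix for the posted files is tls_reqcert demand in both, with the CA file that actually issued the directory's certificate, and the nslcd daemon restarted so it re-reads its config.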