[tac_plus] TACACS+ Authorization via LDAP

Sachin.6.Gupta SG00123446 at TechMahindra.com
Thu Nov 7 17:25:57 UTC 2013


Hi Daniel,

I guess it would be privilege levels, groups, services, and maybe commands also.
Commands would require vendor-specific information also, I guess. So vendor information would also be required somewhere. :~

What is confusing to me is that if, suppose, I somehow manage to authenticate my users with LDAP (not even sure currently how LDAP auth will work), TACACS+ still requires each and every user to be mentioned in the tacacs.conf file, right? Same would go with groups also, right?

Heas mentioned that using PAM LDAP authentication works. Does the current TACACS+ package support this, or do I need some module to be integrated with TACACS+ also?

Regards



________________________________________
From: Daniel Schmidt [daniel.schmidt at wyo.gov]
Sent: Thursday, November 07, 2013 9:22 PM
To: Sachin.6.Gupta
Cc: heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

What would you authorize on?  Privilege level or commands?  I'm trying to imagine how ldap authorization would work.


On Wed, Nov 6, 2013 at 8:54 PM, Sachin.6.Gupta <SG00123446 at techmahindra.com> wrote:
Thanks Heas for clarifying.

However, I need the following: Authentication via LDAP (using PAM I guess) and Authorization and Accounting as it happens.
But for Authorization, how would I configure Users and Groups in TACACS+ when the same would be configured in LDAP?

Is there a how-to link for this? Authentication via LDAP and Authorization also?

TIA

-----Original Message-----
From: heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, November 06, 2013 10:39 PM
To: Sachin.6.Gupta
Cc: heasley; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

Wed, Nov 06, 2013 at 12:12:22PM +0530, Sachin.6.Gupta:
> I found one link which states that Authorization via LDAP is not possible.
> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
>
> Quote:
> "Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway). Authorizations are still configured within the conf file, no ldap groups allowed :("

sorry, i misread it - there is no facility for authorization via pam (or ldap).

> Regards
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Sachin.6.Gupta
> Sent: Wednesday, November 06, 2013 12:07 PM
> To: heasley
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
>
> Thanks. Can you please provide more details on using PAM (LDAP) for Authorization?
> Any links or mails would be helpful.
>
> -----Original Message-----
> From: heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, November 06, 2013 12:05 PM
> To: Sachin.6.Gupta
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] TACACS+ Authorization via LDAP
>
> Wed, Nov 06, 2013 at 11:02:46AM +0530, Sachin.6.Gupta:
> > Hi All,
> >
> > Is it possible to do TACACS+ Authorization via LDAP?
> > I know that Authentication can be done via LDAP, but is TACACS+ authorization also possible?
>
> yes, via PAM.