[tac_plus] TACACS+ Authorization via LDAP

Fri Nov 8 03:32:20 UTC 2013

Thanks Asif,

>From this I understand that the users in conf file are manually entered.
However, in my case I would prefer to have a cron job (as suggested by Heasly) to dump the users from LDAP to a file for T+ conf.
For authorization, for commands, I would prefer capturing Vendor information in a group and associate commands with them.

Depending on privilege levels of the users, I would assign these groups to Users.

I am currently trying to figure out how to dump my ldap users to txt file.
PS. My ldap server and T+ server would be on remotely separate machines.

Regards

From: Asif Iqbal [mailto:vadud3 at gmail.com]
Sent: Thursday, November 07, 2013 11:54 PM
To: Sachin.6.Gupta
Cc: Daniel Schmidt; tac_plus at shrubbery.net
Subject: Re: [tac_plus] TACACS+ Authorization via LDAP

On Thu, Nov 7, 2013 at 12:46 PM, Sachin.6.Gupta <SG00123446 at techmahindra.com<mailto:SG00123446 at techmahindra.com>> wrote:
How are u generating the tac_plus.conf file for all the users?
And where is the group bar defined?

You start with a basic config file and populate it over time. You can take a look at tac_plus.conf man page
for start. There are also example command authorization syntaxes for T+ configs in cisco and juniper site.

Cisco and Juniper command authorization are different. So I would recommend to stick with separate
instances of tac_plus with separate tac_plus.conf for authorization against cisco and juniper and whatever
other vendor's network devices you are using. If you pick LDAP, you will have to have different group
names for cisco and juniper since the syntax is different. It would be messy.

My group bar is in the same tac_plus.conf file and that is where I define the authorization commands
that are allowed. I have multiple groups and users gets the commands based on the group they
are assigned.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu<http://pgp.mit.edu>
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

============================================================================================================================Disclaimer:  This message and the information contained herein is proprietary and confidential and subject to the Tech Mahindra policy statement, you may review the policy at <a href="http://www.techmahindra.com/Disclaimer.html">http://www.techmahindra.com/Disclaimer.html</a> externally and <a href="http://tim.techmahindra.com/tim/disclaimer.html">http://tim.techmahindra.com/tim/disclaimer.html</a> internally within Tech Mahindra.============================================================================================================================
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20131108/73091f03/attachment.html>