[tac_plus] Extend "default authentication" using "PAM"

Kouhei Maeda mkouhei at gmail.com
Wed Oct 30 17:10:52 UTC 2013


I customised the tacplus-related "default authentication" top-level
directive to enable the use of PAM.

The purpose of my change:

I usually manage user accounts of servers using LDAP.
I also want to centrally manage the accounts of network devices with LDAP
in the same way.

I looked at the following note (*1),
and I understand that it is possible to manage with LDAP through PAM modules
using "login = PAM" in each group directive or each user directive.

*1: http://www.shrubbery.net/pipermail/tac_plus/2013-August/001319.html

But this method requires changing tac_plus.conf when adding or removing users.
I want to manage using only LDAP.
So, I have to be able to use PAM in the default authentication.
This change eliminates the need for user management in tacplus.

I attach the patch for the "F4.0.4.26" version.
This is the same version as the tacacs+ package in the current Debian
GNU/Linux Sid.
In addition, I've created a patch for the version in Debian GNU/Linux Wheezy,
for normal use in a production environment.
I have published these unofficial patched Debian source packages on
GitHub. (*2, *3)

*2: for Sid

*3: for Wheezy

If that's OK, would you merge my patch?

Best regards,

Kouhei Maeda <mkouhei at gmail.com | palmtb.net >
 KeyID 4096R/7E37CE41
-------------- next part --------------
A non-text attachment was scrubbed...
Name: extend_default_authentication.patch
Type: text/x-patch
Size: 3535 bytes
Desc: not available
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20131031/91a7ff27/attachment.bin>
