[tac_plus] TACPLUS AD Authentication
Matt Addison
matt.addison at lists.evilgeni.us
Fri Apr 25 18:06:00 UTC 2014
On Wed, Apr 16, 2014 at 10:47 AM, Linda Slater <lslater at yorku.ca> wrote:
> Couple questions:
>
> I am using PAM_LDAP to authenticate our users via AD. The additional
> requirements are now:
>
> 1. No usernames in the Tac+ config file, I will define only groups and use
> AD groupings to decide if that user can be allowed to access a network
> device. Does anyone have any examples using this method? Currently, I
> have the user name ...... login = PAM, listed in the tac...config file.
>
> 2. Each user that logs into the network device must use their AD
> password to gain enable access to the network device. Is anyone using
> this method to allow users enable access, given that the Tac+ enable
> password cannot be pointed to PAM? Each user will be using their own
> AD login credentials.
>
There's a patch for that.
https://gist.github.com/ragzilla/11297928
Allows for enable to be pointed to PAM, and also for DEFAULT user
attributes to be used (such as login/enable) if there's no specific user.
Planning to use this in my environment with do_auth (and a patch for that,
to allow for pulling in NSS groups) so that the tac_plus.conf only has to
have a default user and service accounts. Ideally you'd have 2 separate
auth mechanisms for login/enable though (in our case we're using aceclnt
for login, and PAM for enable).
~Matt
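As an added illustration of the layout Matt describes (not his configuration, not the gist's, and not part of the tac_plus project's own documentation): a tac_plus.conf with no per-user entries, where a DEFAULT user inherits login and enable from PAM and the device-access decision is pushed down into the PAM stack, which only admits members of an AD group resolved through NSS. The group name `netadmins`, the PAM service name `tac_plus`, and the use of pam_ldap and pam_succeed_if are assumptions; `enable = PAM` and DEFAULT-user login/enable attributes only work with the patch linked above, not with stock tac_plus.

```text
# ---- /etc/tac_plus.conf (added example; names are assumptions) ----
key = "CHANGE-ME-shared-secret"
accounting file = /var/log/tac_plus.acct

# Device privileges are granted per group, never per user.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# No named users: anyone PAM accepts falls through to DEFAULT.
# login = PAM is stock tac_plus; enable = PAM and DEFAULT-user
# login/enable handling require the gist patch referenced above.
user = DEFAULT {
    login = PAM
    enable = PAM
    member = netadmins
}

# ---- /etc/pam.d/tac_plus (added example; service name assumed) ----
# Refuse the login before any password check unless the AD group
# (resolved via NSS, e.g. nss_ldap or sssd) contains the user.
auth     required   pam_succeed_if.so quiet user ingroup netadmins
# Then verify the user's AD password over LDAP.
auth     required   pam_ldap.so
account  required   pam_ldap.so
```

Because tac_plus calls the same PAM service for both login and enable here, a user who passes the group check and knows their AD password gets both; Matt's point about preferring two separate mechanisms for login and enable would mean a different authenticator (or a second PAM service) on one of the two steps, which this single-stack example does not show.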