From: lslater at yorku.ca (Linda Slater)
Date: Mon, 5 May 2014 11:18:59 -0400
Subject: [tac_plus] TACPLUS AD Authentication

Hi Matt,

Thank you, I implemented the patch and now my users are able to use their AD password to enable on the Cisco devices.

Regards,
Linda

From: ssaner at hubris.net (Steven Saner)
Date: Wed, 07 May 2014 16:56:38 -0500
Subject: [tac_plus] tacacs+ compile problem
Message-ID: <536AAC16.9000604@hubris.net>

I was trying to compile tacacs+-F4.0.4.27a.tar.gz on a Linux distribution that has gcc 4.8.2 (Slackware 14.1). The compile failed because it could not "find" libwrap. The reason for that is that configure was not able to compile the test program that binds to libwrap. From config.log:

configure:13744: gcc -o conftest -O2 -march=i486 -mtune=i686 -pthread -O2 -march=i486 -mtune=i686 -I/usr/local/include -L/usr/local/lib -L/lib conftest.c -L/usr/lib -lwrap -R/usr/lib -lnsl -lcrypt >&5
gcc: error: unrecognized command line option '-R'

In earlier gcc versions, such as 4.5.2, you get a warning:

gcc: unrecognized option '-R/usr/lib'

but it compiles anyway and configure does its thing. I'm afraid I'm not well enough versed in gcc to know if the -R option ever existed or not, but its existence seems to cause a fatal error in the newer version. I just modified the configure script as per the following diff:

--- tacacs+-F4.0.4.27a.orig/configure 2012-06-28 17:37:06.000000000 -0500
+++ tacacs+-F4.0.4.27a/configure 2014-05-07 16:49:57.010560954 -0500
@@ -13722,7 +13722,7 @@ if test -d "$withval"; then WRAPINCS="-I$withval/include" - WRAPLIBS="-L$withval/lib -lwrap -R$withval/lib" + WRAPLIBS="-L$withval/lib -lwrap" else WRAPLIBS="$withval" fi

I was going to try to change the autoconf stuff so that configure would get created without this option in there, but I'm using a different version of autoconf than was used to put the package together. I figured you might want to track that down yourself anyway.

Steve
--
Steven Saner                     Voice: 316-858-3000
Director of Network Operations   Fax:   316-858-3001
Hubris Communications            http://www.hubris.net

From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 22 May 2014 12:26:10 -0400
Subject: [tac_plus] managing accounts

Does anyone have a tool to manage user accounts in tac_plus.conf?

Looking for adding/deleting multiple users.

Adding/Modifying/Deleting them manually with an editor is painful.

Thanks
--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From: heas at shrubbery.net (heasley)
Date: Thu, 22 May 2014 16:27:32 +0000
Subject: [tac_plus] managing accounts
Message-ID: <20140522162732.GJ9515@shrubbery.net>

Thu, May 22, 2014 at 12:26:10PM -0400, Asif Iqbal:
> Does anyone have a tool to manage user accounts in tac_plus.conf?
>
> Looking for adding/deleting multiple users.
>
> Adding/Modifying/Deleting them manually with an editor is painful.

why not do it in a database/elsewhere and export it to the config file?
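Review bot: the WRAPLIBS line in Steven Saner's configure hunk drops the runtime library path instead of spelling it in a form the compiler driver accepts. `-R` is a Solaris-style linker runpath option; gcc itself does not take it (hence the 'unrecognized command line option' in the report), but GNU ld does when it is passed through the driver, and `-R dir` there is treated as `-rpath dir`. With the flag removed, a libwrap installed under the non-default prefix the `$withval` branch exists for will still link, but the resulting tac_plus may fail at start-up with the dynamic loader unable to find libwrap.so unless that directory is already in the loader's search path. Suggest `WRAPLIBS="-L$withval/lib -lwrap -Wl,-R$withval/lib"` (or `-Wl,-rpath,$withval/lib`), and checking the built binary with `ldd tac_plus | grep wrap`, since libwrap is what gives the daemon its hosts.allow/hosts.deny check.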
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 22 May 2014 12:48:21 -0400
Subject: [tac_plus] managing accounts
In-Reply-To: <20140522162732.GJ9515@shrubbery.net>

On Thu, May 22, 2014 at 12:27 PM, heasley wrote:
> why not do it in a database/elsewhere and export it to the config file?

I would go with mysql then.

Most of them are like below.

user = vtt2440 {
    login = PAM
    member = opsdb
}

So creating a schema and inserting these data would be pretty simple

CREATE TABLE Users (
    user varchar(20) primary key,
    login varchar(20),
    member varchar(20)
);

INSERT INTO Users (`user`, `login`, `member`) VALUES ("vtt2440", "PAM", "opsdb");

But I will need some help with parsing this into a txt file, and then just LOAD DATA INFILE would save a lot of time with ~2000 users.

However, how would I manage a stanza like this? Should I just move those cmds inside a group definition?

user = ssarepts {
    login = file /etc/tacacs-passwd
    cmd = terminal {
        permit "length"
        deny .*
    }
    cmd = show {
        permit "interfaces|policy-map interface"
        deny .*
    }
    cmd = exit {
        permit .*
    }
}

So it looks like I really need help with parsing these and normalizing them to rows before I can insert them into the database.

Thanks for any help with parsing.

--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 22 May 2014 14:41:29 -0400
Subject: [tac_plus] managing accounts
References: <20140522162732.GJ9515@shrubbery.net>

On Thu, May 22, 2014 at 12:48 PM, Asif Iqbal wrote:
> So it looks like I really need help with parsing these and normalizing them to rows before I can insert them into the database.
>
> Thanks for any help with parsing.

So, so far I managed to parse most of the users

import re

# read the whole config as one string; the pattern spans lines, hence DOTALL
conf = open('tac_plus.conf').read()

# matches "user = NAME { key = VALUE key = VALUE }" and captures the three
# values; it only fits stanzas with exactly two word-valued attributes
regex = re.compile(r'\s?\w*\s*=\s*(\w*)\s{\s+\w*\s*=\s*(\w*)\s+\w*\s*=\s*(\w*)\s+}',
                   re.DOTALL | re.MULTILINE)

users = regex.findall(conf)

for user in users:
    print(user)

So this gets me 1532 users out of 1760 users. I still need to improve the regex and could use some help.

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 22 May 2014 14:14:58 -0600
Subject: [tac_plus] managing accounts
References: <20140522162732.GJ9515@shrubbery.net>

Put users in do_auth and manage them there instead. Import ConfigParser to add/remove users as needed. Can even cross reference a database if needed.

On Thu, May 22, 2014 at 12:41 PM, Asif Iqbal wrote:
> So, so far I managed to parse most of the users
> [...]
> So this gets me 1532 users out of 1760 users. I still need to improve the regex and could use some help.
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 22 May 2014 15:41:11 -0600
Subject: [tac_plus] managing accounts
References: <20140522162732.GJ9515@shrubbery.net>

Not exactly the direction I was talking about. My idea: Standardize your tac_plus.conf with a DEFAULT user, member of do_auth_access, and login = PAM and you will never need to change it. Auth your users via PAM and authorize them in do_auth. Call config parser to add/remove them, perhaps based on an external database.

Admittedly, it might not get all the services you need, I'm just saying it's much easier to call a pre-made config parser than trying to write your own as you are doing now.

On Thu, May 22, 2014 at 2:56 PM, Asif Iqbal wrote:
> On Thu, May 22, 2014 at 4:14 PM, Daniel Schmidt wrote:
>> Put users in do_auth and manage them there instead. Import ConfigParser to add/remove users as needed. Can even cross reference a database if needed.
>
> That is the direction I am heading. But I need to normalize the existing users into rows for the database and then it will be easier to convert that into an ini type file to work with do_auth.
>
> I am pretty close to complete.
> [...]
> There are only 6 users with cmd = {..} inside. So I will just convert those into new groups and just use member = newgroup.
>
> So not much work left to clean up.
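Daniel's suggestion above, as an added example that is not code from the thread or from do_auth itself: keep the users in a do_auth-style ini and let the standard library's configparser add, remove and reconcile them, with the membership coming from an outside source such as a database query. The [users] layout (login name mapped to one group per indented line, each group its own section with host_allow/device_permit/command_permit patterns) is modelled on do_auth's ini and is an assumption to check against the do_auth.py version in use; the starting ini is constructed for the example. The tac_plus.conf side of the plan (a DEFAULT user with login = PAM whose group hands authorization to do_auth) is not shown.

```python
import configparser
import io

# Constructed do_auth-style ini (assumed layout: [users] maps a login name to
# one group per indented line; each group is its own section).  Not a file
# from the thread; group names only echo the ones quoted there.
SAMPLE_INI = '''\
[users]
vtt2440 =
    opsdb
aa49451 =
    readonly

[opsdb]
host_allow =
    .*
device_permit =
    .*
command_permit =
    .*

[readonly]
host_allow =
    .*
device_permit =
    .*
command_permit =
    show .*
'''


def load_ini(text):
    # interpolation=None so a '%' inside a command regex is not mangled;
    # optionxform=str keeps login names case-sensitive instead of lowercased.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def dump_ini(cfg):
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def user_groups(cfg, user):
    """Group list for a user, or None if the user is absent."""
    if not cfg.has_option('users', user):
        return None
    return cfg.get('users', user).split()


def add_user(cfg, user, groups):
    """Create or replace a user's group list.  Refuses an empty list and any
    group without a section, so a typo cannot quietly leave a user with no
    policy behind it."""
    if not groups:
        raise ValueError('%s: a user needs at least one group' % user)
    missing = [g for g in groups if not cfg.has_section(g)]
    if missing:
        raise ValueError('%s: unknown group(s): %s' % (user, ', '.join(missing)))
    if not cfg.has_section('users'):
        cfg.add_section('users')
    # leading newline puts every group on its own indented line on write()
    cfg.set('users', user, '\n' + '\n'.join(groups))


def remove_user(cfg, user):
    """True if the user existed and was removed."""
    return cfg.has_section('users') and cfg.remove_option('users', user)


def sync_users(cfg, desired):
    """Reconcile [users] against {user: [groups]} from an external source
    (a database query, an export of the old tac_plus.conf).  Only the delta
    is applied; returns (added, removed, changed) names for the change log."""
    current = {}
    if cfg.has_section('users'):
        current = {u: set(user_groups(cfg, u)) for u in cfg.options('users')}
    added = sorted(set(desired) - set(current))
    removed = sorted(set(current) - set(desired))
    changed = sorted(u for u in set(desired) & set(current)
                     if set(desired[u]) != current[u])
    for u in removed:
        remove_user(cfg, u)
    for u in added + changed:
        add_user(cfg, u, desired[u])
    return added, removed, changed


if __name__ == '__main__':
    cfg = load_ini(SAMPLE_INI)
    add_user(cfg, 'aa60589', ['opsdb'])
    print(sync_users(cfg, {'vtt2440': ['opsdb'], 'aa49451': ['opsdb', 'readonly']}))
    print(dump_ini(cfg))
```

sync_users is the database cross-reference Daniel mentions: hand it the rows a query returns and it applies only the difference, returning the names it touched so the change can be logged. add_user refuses an unknown group name on purpose, since with authorization delegated to do_auth a typo there would otherwise go unnoticed until a user is denied access.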
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 22 May 2014 17:47:55 -0400
Subject: [tac_plus] managing accounts
References: <20140522162732.GJ9515@shrubbery.net>

On May 22, 2014 5:41 PM, "Daniel Schmidt" wrote:
> Not exactly the direction I was talking about. My idea: Standardize your tac_plus.conf with a DEFAULT user, member of do_auth_access, and login = PAM and you will never need to change it. Auth your users via PAM and authorize them in do_auth. Call config parser to add/remove them, perhaps based on an external database.
>
> Admittedly, it might not get all the services you need, I'm just saying it's much easier to call a pre-made config parser than trying to write your own as you are doing now.

I still need to convert my existing tac_plus conf file with about 1800 users into an ini type file first, and ConfigParser is not good for that, if I understand correctly.
From: vadud3 at gmail.com (Asif Iqbal)
Date: Thu, 22 May 2014 16:56:08 -0400
Subject: [tac_plus] managing accounts
References: <20140522162732.GJ9515@shrubbery.net>

On Thu, May 22, 2014 at 4:14 PM, Daniel Schmidt wrote:
> Put users in do_auth and manage them there instead. Import ConfigParser to add/remove users as needed. Can even cross reference a database if needed.

That is the direction I am heading. But I need to normalize the existing users into rows for the database and then it will be easier to convert that into an ini type file to work with do_auth.

I am pretty close to complete.

So far I got this far

import re

conf = open('tac_plus.conf').read()

# captures the user name, then (non-greedily) the body up to the first '}',
# so stanzas with nested cmd blocks need further work
pattern = r'\n?user\s*=\s*(\S+)\s*{(.+?)}'

users = re.findall(pattern, conf, re.DOTALL | re.MULTILINE)

which outputs like this

('aa49451', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
('aa15561', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
('aa56743', '\n\tlogin = PAM\n\tmember = oobrs')
('cariden', '\n\tlogin = des s5YXYZAm4f.\n\tmember = cariden')
('ssarepts', '\n #login = des qwASvuPKw\n login = file /etc/tacacs-passwd\n cmd = terminal {\n permit "length"\n deny .*\n }\n cmd = show {\n permit "interfaces|policy-map interface"\n deny .*\n }\n\tcmd = exit {\n\t\tpermit .*\n\t}')
('vtt2440', '\n\tlogin = PAM\n\tmember = opsdb')
('aa60589', '\n login = PAM\n member = opsdb')
('aa92589', '\n login = PAM\n member = opsdb')

I am still working on cleaning up more.

There are only 6 users with cmd = {..} inside. So I will just convert those into new groups and just use member = newgroup.

So not much work left to clean up.

--
Asif Iqbal
PGP Key: 0xE62693C5  KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
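Both regex attempts in this thread (the three-capture pattern that found 1532 of 1760 users, and the (.+?)} pattern above) stop short because the stanza grammar nests braces, which a single regular expression cannot follow. What follows is an added example, not code from the thread: a small line-oriented parser for the tac_plus.conf subset shown here (user/group stanzas, key = value attributes, nested cmd = ... { permit/deny ... } blocks) that flattens each user into a row for the Users table while keeping its cmd blocks, plus a helper that rewrites a user's inline cmd blocks as a group stanza, which is the conversion Asif plans for the six users that have them. The sample config is constructed for the example; the parser assumes one statement per line with { ending a line and } alone on its own, which is how the quoted stanzas are written. Stanzas with login = des ... embed password hashes, so the parsed rows and any database they are loaded into are as sensitive as tac_plus.conf itself.

```python
import re

# Constructed sample config (not the poster's real file), built from the stanza
# shapes quoted in the thread, including the nested cmd blocks.
SAMPLE_CONF = '''
group = opsdb {
    default service = permit
}
user = vtt2440 {
    login = PAM
    member = opsdb
}
user = aa49451 {
\tlogin = PAM
\tacl = oobrs
\tmember = readonly
}
user = ssarepts {
    #login = des REPLACED
    login = file /etc/tacacs-passwd
    cmd = terminal {
        permit "length"
        deny .*
    }
    cmd = show {
        permit "interfaces|policy-map interface"
        deny .*
    }
    cmd = exit {
        permit .*
    }
}
'''


def strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside a quoted pattern."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            return line[:i]
    return line


def parse_conf(text):
    """Parse the line-oriented tac_plus.conf subset used in the thread into a
    list of nodes {kind, name, attrs, rules, children}.  Braces may nest to any
    depth.  Assumes one statement per line, '{' at the end of its line and '}'
    alone on its own; anything else raises instead of being skipped."""
    top, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line == '}':
            if not stack:
                raise ValueError('line %d: unbalanced }' % lineno)
            node = stack.pop()
            (stack[-1]['children'] if stack else top).append(node)
        elif line.endswith('{'):
            kind, _, name = line[:-1].partition('=')
            stack.append({'kind': kind.strip(), 'name': name.strip(),
                          'attrs': [], 'rules': [], 'children': []})
        elif not stack:
            raise ValueError('line %d: statement outside any block' % lineno)
        elif '=' in line:                       # key = value (value may contain spaces)
            key, _, value = line.partition('=')
            stack[-1]['attrs'].append((key.strip(), value.strip()))
        else:                                   # permit/deny <pattern>
            action, _, pattern = line.partition(' ')
            stack[-1]['rules'].append((action, pattern.strip().strip('"')))
    if stack:
        raise ValueError('unclosed block: %s %s' % (stack[-1]['kind'], stack[-1]['name']))
    return top


def user_rows(nodes):
    """One row per user stanza, ready for the Users table; cmd blocks are kept
    as (command, [(action, pattern), ...]) rather than silently dropped."""
    rows = []
    for n in nodes:
        if n['kind'] != 'user':
            continue
        attrs = dict(n['attrs'])
        rows.append({'user': n['name'], 'login': attrs.get('login'),
                     'member': attrs.get('member'), 'acl': attrs.get('acl'),
                     'cmds': [(c['name'], c['rules']) for c in n['children']
                              if c['kind'] == 'cmd']})
    return rows


def cmds_as_group(row, prefix='cmds_'):
    """Emit a group stanza carrying the user's inline cmd blocks, so the user
    row can become a plain 'member = <group>' (the thread's plan)."""
    out = ['group = %s%s {' % (prefix, row['user'])]
    for cmd, rules in row['cmds']:
        out.append('    cmd = %s {' % cmd)
        for action, pat in rules:
            out.append('        %s %s' % (action, '"%s"' % pat if ' ' in pat else pat))
        out.append('    }')
    out.append('}')
    return '\n'.join(out)


def count_user_headers(text):
    """Independent tally of 'user = ...' lines to compare with len(user_rows())."""
    return len(re.findall(r'^\s*user\s*=', text, re.MULTILINE))


if __name__ == '__main__':
    rows = user_rows(parse_conf(SAMPLE_CONF))
    assert len(rows) == count_user_headers(SAMPLE_CONF)
    for r in rows:
        print(r['user'], r['login'], r['member'], r['acl'], len(r['cmds']))
    print(cmds_as_group(rows[2]))
```

The parser raises on a stanza form it does not accept (for instance a single-line user = x { login = PAM }) rather than skipping it, and count_user_headers gives an independent number to compare against len(user_rows(...)); a mismatch between the two is the check that the 1532-of-1760 figure above was missing.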
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 22 May 2014 15:55:16 -0600
Subject: [tac_plus] managing accounts
References: <20140522162732.GJ9515@shrubbery.net>

I see - you need to extract that data first. When you are done extracting the data, ConfigParser could provide you with a means to easily add/update (set) and maintain those users in do_auth.ini. Unfortunately, I see now from your output that not all your users are PAM, so my idea will not help you.

On Thu, May 22, 2014 at 3:47 PM, Asif Iqbal wrote:
> I still need to convert my existing tac_plus conf file with about 1800 users into an ini type file first, and ConfigParser is not good for that, if I understand correctly.