[tac_plus] managing accounts

Daniel Schmidt daniel.schmidt at wyo.gov
Thu May 22 21:41:11 UTC 2014


Not exactly the direction I was talking about.  My idea:  Standardize your
tac_plus.conf with a DEFAULT user, member of do_auth_access, and login =
PAM and you will never need to change it.  Auth your users via PAM and
authorize them in do_auth.  Call config parser to add/remove them, perhaps
based on an external database.

Admittedly, it might not get all the services you need, I'm just saying
it's much easier to call a pre-made config parser than trying to write your
own as you are doing now.


On Thu, May 22, 2014 at 2:56 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

>
>
>
> On Thu, May 22, 2014 at 4:14 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>wrote:
>
>> Put users in do_auth and manage them there instead.  Import ConfigParser
>> to add/remove users as needed.  Can even cross reference a database if
>> needed.
>>
>
>
> That is the direction I am heading. But I need to normalize the existing
> users into rows for the database and then it will be easier to convert that
> into an ini-type file to work with do_auth.
>
> I am pretty close to complete.
>
> So far I got this far
>
> import re
>
> f = open('tac_plus.conf').read()
>
> pattern = r'\n?user\s*=\s*(\S+)\s*{(.+?)}'   # raw string, so \s and \S reach the regex engine
>
> users = re.findall(pattern,f,re.DOTALL|re.MULTILINE)
>
> which outputs like this
>
> ('aa49451', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
> ('aa15561', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
> ('aa56743', '\n\tlogin = PAM\n\tmember = oobrs')
> ('cariden', '\n\tlogin = des s5YXYZAm4f.\n\tmember = cariden')
> ('ssarepts', '\n        #login = des qwASvuPKw\n        login = file
> /etc/tacacs-passwd\n        cmd = terminal {\n                permit
> "length"\n                deny .*\n        }\n        cmd = show
> {\n                permit "interfaces|policy-map
> interface"\n                deny .*\n        }\n\tcmd = exit {\n\t\tpermit
> .*\n\t}')
> ('vtt2440', '\n\tlogin = PAM\n\tmember = opsdb')
> ('aa60589', '\n        login = PAM\n        member = opsdb')
> ('aa92589', '\n        login = PAM\n        member = opsdb')
>
> I am still working on cleaning it up more.
>
> There are only 6 users with cmd = {..} inside. So I will just convert
> those into new groups and just use member = newgroup.
>
> So not much work left to clean up.
>
>
>
>>
>> On Thu, May 22, 2014 at 12:41 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>
>>>  On Thu, May 22, 2014 at 12:48 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>>
>>> >
>>> >
>>> >
>>> > On Thu, May 22, 2014 at 12:27 PM, heasley <heas at shrubbery.net> wrote:
>>> >
>>> >> Thu, May 22, 2014 at 12:26:10PM -0400, Asif Iqbal:
>>> >> > Anyone have a tool to manage user accounts on tac_plus.conf?
>>> >> >
>>> >> > Looking for adding/deleting multiple users.
>>> >> >
>>> >> > Adding/Modifying/Deleting them manually with an editor is painful.
>>> >>
>>> >> why not do it in a database/elsewhere and export it to the config
>>> file?
>>> >>
>>> >
>>> > I would go with mysql then.
>>> >
>>> > Most of them are like below.
>>> > user = vtt2440 {
>>> >     login = PAM
>>> >     member = opsdb
>>> > }
>>> >
>>> > So creating a schema and inserting these data would be pretty simple
>>> >
>>> > CREATE TABLE Users (
>>> >         user varchar(20) primary key,
>>> >         login varchar(20),
>>> >         member varchar(20)
>>> > );
>>> >
>>> > INSERT INTO Users (`user`, `login`,`member`) VALUES ("vtt2440","PAM",
>>> > "opsdb");
>>> >
>>> > But I will need some help with parsing this into a txt file and then
>>> just
>>> > LOAD DATA INFILE
>>> > would save a lot of time with ~2000 users.
>>> >
>>> >
>>> > However, how would I manage stanza like this? Should I just move those
>>> > cmds inside group
>>> > definition?
>>> >
>>> > user =  ssarepts {
>>> >         login = file /etc/tacacs-passwd
>>> >         cmd = terminal {
>>> >                 permit "length"
>>> >                 deny .*
>>> >         }
>>> >         cmd = show {
>>> >                 permit "interfaces|policy-map interface"
>>> >                 deny .*
>>> >         }
>>> >     cmd = exit {
>>> >         permit .*
>>> >     }
>>> > }
>>> >
>>> > So it looks like I really need help with parsing these and normalizing
>>> > them into rows, before I can insert them into the database.
>>> >
>>> > Thanks for any help with parsing.
>>> >
>>>
>>>
>>> So, so far I managed to parse most of the users
>>>
>>>  import re
>>>  f = open('tac_plus.conf').read()   # text mode: the pattern is a str, not bytes
>>>
>>>  regex = re.compile(r'\s?\w*\s*=\s*(\w*)\s{\s+\w*\s*=\s*(\w*)\s+\w*\s*=\s*(\w*)\s+}', re.DOTALL|re.MULTILINE)
>>>
>>>  users = regex.findall(f)
>>>
>>>  for u in users:   # don't reuse f, it still holds the file contents
>>>      print(u)
>>>
>>> So this gets me 1532 users out of 1760 users. I still need to improve the
>>> regex and could use some help.
>>>
>>> Thanks
>>>
>>>
>>>
>>> >
>>> > --
>>> > Asif Iqbal
>>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> > A: Because it messes up the order in which people normally read text.
>>> > Q: Why is top-posting such a bad thing?
>>> >
>>> >
>>>
>>>
>>> --
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>> _______________________________________________
>>> tac_plus mailing list
>>> tac_plus at shrubbery.net
>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>>
>>
>> E-Mail to and from me, in connection with the transaction
>> of public business, is subject to the Wyoming Public Records
>> Act and may be disclosed to third parties.
>>
>>
>>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
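The parsing problem discussed in this thread (user stanzas, including the nested cmd blocks that a single regex cannot match reliably), as an added example that is not part of the original posts or of tac_plus/do_auth. It assumes the brace-delimited syntax shown in the quoted stanzas; the sample config, the `_cmds` group-name suffix and all function names are constructed for the example. It goes slightly beyond the thread's case by tracking brace depth generally, so other top-level blocks (group, host) are skipped instead of mis-parsed, and a commented-out `#login` line is ignored rather than captured.

```python
# Added example (not from the thread, tac_plus or do_auth): parse tac_plus.conf
# user stanzas, nested cmd blocks included, into rows. Sample config is constructed.
import re
from dataclasses import dataclass, field

SAMPLE_CONF = """\
user = vtt2440 {
\tlogin = PAM
\tmember = opsdb
}
user =  ssarepts {
        #login = des qwASvuPKw
        login = file /etc/tacacs-passwd
        cmd = terminal {
                permit "length"
                deny .*
        }
        cmd = show {
                permit "interfaces|policy-map interface"
                deny .*
        }
\tcmd = exit {
\t\tpermit .*
\t}
}
"""

@dataclass
class CmdBlock:
    name: str
    rules: list = field(default_factory=list)   # permit/deny lines, verbatim

@dataclass
class UserStanza:
    name: str
    attrs: dict = field(default_factory=dict)   # login, member, acl, ...
    cmds: list = field(default_factory=list)    # CmdBlock entries, file order

BLOCK_OPEN = re.compile(r"^(\w+)\s*=\s*(\S+)\s*\{$")   # "cmd = show {"
ATTR = re.compile(r"^(\w+)\s*=\s*(.+)$")               # "login = file /etc/x"

def parse_users(text):
    """Line-by-line walk; a stack of open blocks tracks brace depth, so nested
    cmd blocks and unrelated top-level blocks (group, host) are handled."""
    users, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                # blank or commented out
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            kind, block = stack.pop()
            if kind == "user":
                users.append(block)
            elif kind == "cmd":
                stack[-1][1].cmds.append(block)     # parent is always a user
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            key, name = m.groups()
            if key == "user" and not stack:
                stack.append(("user", UserStanza(name)))
            elif key == "cmd" and stack and stack[-1][0] == "user":
                stack.append(("cmd", CmdBlock(name)))
            else:
                stack.append(("skip", None))        # other block: depth only
            continue
        if not stack or stack[-1][0] == "skip":
            continue
        kind, block = stack[-1]
        if kind == "cmd":
            block.rules.append(line)
            continue
        m = ATTR.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        block.attrs[m.group(1)] = m.group(2).strip()
    if stack:
        raise ValueError("unterminated block at end of file")
    return users

def to_rows(users):
    """Flatten to (user, login, member) tuples for a database import."""
    return [(u.name, u.attrs.get("login", ""), u.attrs.get("member", "")) for u in users]

def cmds_as_group(user, group_name):
    """Render a user's inline cmd blocks as a tac_plus group stanza, so the
    user can be reduced to 'member = <group>' as the thread proposes."""
    lines = [f"group = {group_name} {{"]
    for c in user.cmds:
        lines.append(f"    cmd = {c.name} {{")
        lines.extend(f"        {r}" for r in c.rules)
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    for u in parse_users(SAMPLE_CONF):
        print(to_rows([u])[0], cmds_as_group(u, f"{u.name}_cmds") if u.cmds else "")
```

The stack is the point: each `{` pushes and each `}` pops, so the parser never has to guess where a stanza ends, which is what defeats the lazy `(.+?)}` regex on users with inline cmd blocks. Users that carry cmd blocks are the ones `cmds_as_group` turns into a group stanza; the flat rows go to the database unchanged.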