[tac_plus] managing accounts

Asif Iqbal vadud3 at gmail.com
Thu May 22 21:47:55 UTC 2014


On May 22, 2014 5:41 PM, "Daniel Schmidt" <daniel.schmidt at wyo.gov> wrote:
>
> Not exactly the direction I was talking about.  My idea:  Standardize
> your tac_plus.conf with a DEFAULT user, member of do_auth_access, and login
> = PAM and you will never need to change it.  Auth your users via PAM and
> authorize them in do_auth.  Call config parser to add/remove them, perhaps
> based on an external database.
>
> Admittedly, it might not get all the services you need, I'm just saying
> it's much easier to call a pre-made config parser than trying to write your
> own as you are doing now.
>

I still need to convert my existing tac_plus conf file with about 1800
users into an ini-type file first, and ConfigParser is not good for that, if I
understand correctly.

>
> On Thu, May 22, 2014 at 2:56 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>
>>
>>
>>
>> On Thu, May 22, 2014 at 4:14 PM, Daniel Schmidt <daniel.schmidt at wyo.gov>
>> wrote:
>>>
>>> Put users in do_auth and manage them there instead.  Import
>>> ConfigParser to add/remove users as needed.  Can even cross reference a
>>> database if needed.
>>
>>
>>
>> That is the direction I am heading. But I need to normalize the existing
>> users into rows for the database, and then it will be easier to convert that
>> into an ini-type file to work with do_auth.
>>
>> I am pretty close to complete.
>>
>> So far I got this far
>>
>> import re
>>
>> f = open('tac_plus.conf').read()
>>
>> pattern = '\n?user\s*=\s*(\S+)\s*{(.+?)}'
>>
>> users = re.findall(pattern,f,re.DOTALL|re.MULTILINE)
>>
>> which outputs like this
>>
>> ('aa49451', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
>> ('aa15561', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
>> ('aa56743', '\n\tlogin = PAM\n\tmember = oobrs')
>> ('cariden', '\n\tlogin = des s5YXYZAm4f.\n\tmember = cariden')
>> ('ssarepts', '\n        #login = des qwASvuPKw\n        login = file
/etc/tacacs-passwd\n        cmd = terminal {\n                permit
"length"\n                deny .*\n        }\n        cmd = show
{\n                permit "interfaces|policy-map
interface"\n                deny .*\n        }\n\tcmd = exit {\n\t\tpermit
.*\n\t}')
>> ('vtt2440', '\n\tlogin = PAM\n\tmember = opsdb')
>> ('aa60589', '\n        login = PAM\n        member = opsdb')
>> ('aa92589', '\n        login = PAM\n        member = opsdb')
>>
>> I am still working on to clean up more.
>>
>> There are only 6 users with cmd = {..} inside. So I will just convert
>> those into new groups and just use member = newgroup.
>>
>> So not much work left to clean up.
>>
>>
>>>
>>>
>>> On Thu, May 22, 2014 at 12:41 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>>>
>>>> On Thu, May 22, 2014 at 12:48 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>>>
>>>> >
>>>> >
>>>> >
>>>> > On Thu, May 22, 2014 at 12:27 PM, heasley <heas at shrubbery.net> wrote:
>>>> >
>>>> >> Thu, May 22, 2014 at 12:26:10PM -0400, Asif Iqbal:
>>>> >> > Anyone have a tool to manage user accounts on tac_plus.conf?
>>>> >> >
>>>> >> > Looking for adding/deleting multiple users.
>>>> >> >
>>>> >> > Adding/Modifying/Deleting them manually with an editor is painful.
>>>> >>
>>>> >> why not do it in a database/elsewhere and export it to the config
>>>> >> file?
>>>> >>
>>>> >
>>>> > I would go with mysql then.
>>>> >
>>>> > Most of them are like below.
>>>> > user = vtt2440 {
>>>> >     login = PAM
>>>> >     member = opsdb
>>>> > }
>>>> >
>>>> > So creating a schema and inserting these data would be pretty simple
>>>> >
>>>> > CREATE TABLE Users (
>>>> >         user varchar(20) primary key,
>>>> >         login varchar(20),
>>>> >         member varchar(20)
>>>> > );
>>>> >
>>>> > INSERT INTO Users (`user`, `login`,`member`) VALUES ("vtt2440","PAM",
>>>> > "opsdb");
>>>> >
>>>> > But I will need some help with parsing this into a txt file and then
>>>> > just LOAD DATA INFILE, which would save a lot of time with ~2000 users.
>>>> >
>>>> >
>>>> > However, how would I manage a stanza like this? Should I just move
>>>> > those cmds inside a group definition?
>>>> >
>>>> > user =  ssarepts {
>>>> >         login = file /etc/tacacs-passwd
>>>> >         cmd = terminal {
>>>> >                 permit "length"
>>>> >                 deny .*
>>>> >         }
>>>> >         cmd = show {
>>>> >                 permit "interfaces|policy-map interface"
>>>> >                 deny .*
>>>> >         }
>>>> >     cmd = exit {
>>>> >         permit .*
>>>> >     }
>>>> > }
>>>> >
>>>> > So it looks like I really need help with parsing these and normalizing
>>>> > them to rows, before I can insert them into the database.
>>>> >
>>>> > Thanks for any help with parsing.
>>>> >
>>>>
>>>>
>>>> So, so far I managed to parse most of the users
>>>>
>>>>  import re
>>>>  f = open ('tac_plus.conf','rb').read()
>>>>
>>>>  regex = re.compile(r'\s?\w*\s*=\s*(\w*)\s{\s+\w*\s*=\s*(\w*)\s+\w*\s*=\s*(\w*)\s+}', re.DOTALL|re.MULTILINE)
>>>>
>>>>  users = regex.findall(f)
>>>>
>>>>  for f in users:
>>>>     print f
>>>>
>>>> So this gets me 1532 users out of 1760 users. I still need to improve
>>>> the regex and could use some help.
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>> >
>>>> > --
>>>> > Asif Iqbal
>>>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>>> > A: Because it messes up the order in which people normally read text.
>>>> > Q: Why is top-posting such a bad thing?
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>> E-Mail to and from me, in connection with the transaction
>>> of public business, is subject to the Wyoming Public Records
>>> Act and may be disclosed to third parties.
>>>
>>
>>
>>
>>
>
>
>
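The stanza shapes quoted in this thread, parsed by brace depth instead of a non-greedy `.+?}` so the nested `cmd = { ... }` blocks neither truncate the match nor get lost; this is an added example, not code from the thread or from tac_plus, and `SAMPLE_CONF` is a constructed sample whose des values are placeholders. Only the login method is kept for `des`/`cleartext` entries, so rows exported toward a database or a do_auth ini never carry the password material that a raw `login = des ...` line does.

```python
import re

# Constructed sample in the stanza shapes quoted in this thread; des values are placeholders.
SAMPLE_CONF = """user = vtt2440 {
    login = PAM
    member = opsdb
}
user = cariden {
    login = des XXXXXXXXXXX
    member = cariden
}
user = ssarepts {
    login = file /etc/tacacs-passwd
    cmd = show {
        permit "interfaces|policy-map interface"
        deny .*
    }
}
"""
USER_RE = re.compile(r'^\s*user\s*=\s*(\S+)\s*\{', re.MULTILINE)
ATTR_RE = re.compile(r'^[ \t]*(\w+)\s*=\s*([^{\n]*?)\s*(\{)?\s*$', re.MULTILINE)

def block_end(text, start):
    # Index just past the '}' matching the '{' at text[start]; braces inside quotes are not special-cased.
    depth = 0
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return i + 1
    raise ValueError('unbalanced braces')

def parse_users(text):
    # One dict per user stanza; nested cmd = {..} blocks are skipped by depth, not by '.+?}'.
    rows = []
    for m in USER_RE.finditer(text):
        body = text[m.end():block_end(text, m.end() - 1) - 1]
        row = {'user': m.group(1), 'login': None, 'member': None, 'cmds': []}
        pos = 0
        while a := ATTR_RE.search(body, pos):
            key, val = a.group(1), a.group(2)
            if a.group(3):                       # nested block: record its name, skip its body
                if key == 'cmd':
                    row['cmds'].append(val)
                pos = block_end(body, a.start(3))
            else:
                if key in ('login', 'member'):   # keep the login method, never the password itself
                    row[key] = val.split()[0] if val.startswith(('des ', 'cleartext ')) else val
                pos = a.end()
        rows.append(row)
    return rows
```

Users whose row has a non-empty `cmds` list are the ones the thread proposes turning into groups before loading; the rest map straight onto the (user, login, member) columns.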