[tac_plus] managing accounts

Asif Iqbal vadud3 at gmail.com
Thu May 22 20:56:08 UTC 2014


On Thu, May 22, 2014 at 4:14 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:

> Put users in do_auth and manage them there instead.  Import ConfigParser
> to add/remove users as needed.  Can even cross reference a database if
> needed.
>


That is the direction I am heading. But I need to normalize the existing
users into rows for the database, and then it will be easier to convert that
into an ini-type file to work with do_auth.

I am pretty close to complete.

So far I got this far

import re

f = open('tac_plus.conf').read()

# raw string so \s and \S reach the regex engine unescaped; the non-greedy
# (.+?) ends each match at the first closing brace after the user's opening one
pattern = r'\n?user\s*=\s*(\S+)\s*{(.+?)}'

users = re.findall(pattern, f, re.DOTALL | re.MULTILINE)

which outputs like this

('aa49451', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
('aa15561', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
('aa56743', '\n\tlogin = PAM\n\tmember = oobrs')
('cariden', '\n\tlogin = des s5YXYZAm4f.\n\tmember = cariden')
('ssarepts', '\n        #login = des qwASvuPKw\n        login = file /etc/tacacs-passwd\n        cmd = terminal {\n                permit "length"\n                deny .*\n        }\n        cmd = show {\n                permit "interfaces|policy-map interface"\n                deny .*\n        }\n\tcmd = exit {\n\t\tpermit .*\n\t}')
('vtt2440', '\n\tlogin = PAM\n\tmember = opsdb')
('aa60589', '\n        login = PAM\n        member = opsdb')
('aa92589', '\n        login = PAM\n        member = opsdb')

I am still working on cleaning it up more.

There are only 6 users with cmd = {..} inside. So I will just convert those
into new groups and just use member = newgroup.

So not much work left to clean up.



>
> On Thu, May 22, 2014 at 12:41 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>
>>  On Thu, May 22, 2014 at 12:48 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
>>
>> >
>> >
>> >
>> > On Thu, May 22, 2014 at 12:27 PM, heasley <heas at shrubbery.net> wrote:
>> >
>> >> Thu, May 22, 2014 at 12:26:10PM -0400, Asif Iqbal:
>> >> > Anyone have a tool to manage user accounts in tac_plus.conf?
>> >> >
>> >> > Looking for adding/deleting multiple users.
>> >> >
>> >> > Adding/Modifying/Deleting them manually with an editor is painful.
>> >>
>> >> why not do it in a database/elsewhere and export it to the config file?
>> >>
>> >
>> > I would go with mysql then.
>> >
>> > Most of them are like below.
>> > user = vtt2440 {
>> >     login = PAM
>> >     member = opsdb
>> > }
>> >
>> > So creating a schema and inserting these data would be pretty simple
>> >
>> > CREATE TABLE Users (
>> >         user varchar(20) primary key,
>> >         login varchar(20),
>> >         member varchar(20)
>> > );
>> >
>> > INSERT INTO Users (`user`, `login`, `member`) VALUES ("vtt2440", "PAM", "opsdb");
>> >
>> > But I will need some help with parsing this into a txt file; then just
>> > LOAD DATA INFILE
>> > would save a lot of time with ~2000 users.
>> >
>> >
>> > However, how would I manage a stanza like this? Should I just move those
>> > cmds inside the group definition?
>> >
>> > user =  ssarepts {
>> >         login = file /etc/tacacs-passwd
>> >         cmd = terminal {
>> >                 permit "length"
>> >                 deny .*
>> >         }
>> >         cmd = show {
>> >                 permit "interfaces|policy-map interface"
>> >                 deny .*
>> >         }
>> >     cmd = exit {
>> >         permit .*
>> >     }
>> > }
>> >
>> > So it looks like I really need help with parsing these and normalizing them
>> > to rows before I can insert them into the database.
>> >
>> > Thanks for any help with parsing.
>> >
>>
>>
>> So far I have managed to parse most of the users
>>
>>  import re
>>  f = open('tac_plus.conf').read()
>>
>>  # matches user = NAME { KEY = VALUE KEY = VALUE } stanzas with exactly two attributes
>>  regex = re.compile(r'\s?\w*\s*=\s*(\w*)\s{\s+\w*\s*=\s*(\w*)\s+\w*\s*=\s*(\w*)\s+}',
>>                     re.DOTALL | re.MULTILINE)
>>
>>  users = regex.findall(f)
>>
>>  for user in users:
>>      print(user)
>>
>> So this gets me 1532 users out of 1760 users. I still need to improve the
>> regex and could use some help.
>>
>> Thanks
>>
>>
>>
>> >
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>
>
>


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
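A brace-aware parser for the user stanzas, added here as an example (it is not code from this thread or from tac_plus): it walks brace depth so the nested cmd = { } blocks that a non-greedy regex cuts off at the first '}' stay whole, skips commented-out lines, and normalizes each user into one row ready for a database or ini file. SAMPLE is a constructed config, and the parser assumes one statement per line, as in the config shown above.

```python
import re
# Constructed sample (not the poster's config); the commented-out des value is a placeholder.
SAMPLE = """
user = vtt2440 {
    login = PAM
    member = opsdb
}
user = ssarepts {
        #login = des PLACEHOLDER
        login = file /etc/tacacs-passwd
        cmd = show {
                permit "interfaces|policy-map interface"
                deny .*
        }
}
"""
USER_RE = re.compile(r'^\s*user\s*=\s*([^\s{]+)\s*\{', re.MULTILINE)
CMD_RE = re.compile(r'^cmd\s*=\s*([^\s{]+)\s*\{$')

def brace_block(text, start):
    """(inner, index of matching '}') for the '{' at text[start]; depth counting keeps nested cmd = { } blocks whole."""
    depth = 0
    for i in range(start, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i], i
    raise ValueError('unbalanced braces after offset %d' % start)

def parse_users(text):
    """Normalize each user stanza into a row of key = value attributes plus a 'cmds' dict."""
    rows = []
    for m in USER_RE.finditer(text):
        body, _ = brace_block(text, m.end() - 1)     # whole body, nested braces included
        row, cmd = {'user': m.group(1), 'cmds': {}}, None
        for line in (l.strip() for l in body.splitlines()):
            if not line or line.startswith('#'):
                continue                              # blank or commented-out line
            c = CMD_RE.match(line)
            if c:                                     # opens a cmd = name { block
                cmd = row['cmds'].setdefault(c.group(1), [])
            elif line == '}':
                cmd = None                            # closes the cmd block
            elif cmd is not None:
                cmd.append(line)                      # permit/deny inside the block
            else:
                key, _, val = line.partition('=')
                row[key.strip()] = val.strip()
        rows.append(row)
    return rows
```

Users whose row has a non-empty 'cmds' dict are the ones that need a new group before they fit a flat user/login/member table.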