[tac_plus] Problems with ACLs
Nate Gagne
nategagne at gmail.com
Mon Nov 10 21:46:03 UTC 2014
Hello,
I'm trying to implement ACLs in our environment but can't seem to get the
syntax correct. Here's our entire sanitized tac_plus.conf:
#!/usr/local/sbin/tac_plus
id = spawnd {
# Listens on TCP/49 with no address restriction configured here, so who can
# reach the daemon is decided by the host firewall and by whatever per-host
# rules tac_plus itself applies, not by this block.
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
# NOTE(review): the shared secret is what protects TACACS+ packet bodies on the
# wire, and this one is a dictionary word (even if sanitized) -- use a long
# random value. The config check below also reports that "key" at this level
# is deprecated in this version; the supported form appears to be a key bound
# to the client hosts where they are declared -- confirm against the
# tac_plus documentation.
key = test
mavis module = external {
script out = {
if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
}
setenv LDAP_SERVER_TYPE = "microsoft"
# 3268 is the Global Catalog port for plain LDAP. Unless the backend script
# negotiates STARTTLS, the bind credential below and every user password being
# verified cross the network unencrypted; 3269 (GC over LDAPS) or an ldaps://
# target avoids that -- check what mavis_tacplus_ads.pl supports.
setenv LDAP_HOSTS = "domain.local:3268"
setenv LDAP_BASE = "DC=domain,dc=local"
setenv LDAP_USER = "CN=ldap,CN=Managed Service
Accounts,DC=domain,DC=local"
# Plaintext directory credential: anyone able to read this file can bind to AD
# as the service account. Keep the file owned by the tac_plus user with mode
# 0600, and never paste it anywhere unsanitized.
setenv LDAP_PASSWD = "password"
setenv LDAP_SCOPE = "sub"
# %s is replaced by the submitted username by the backend script; whether that
# value is LDAP-escaped before substitution is up to mavis_tacplus_ads.pl --
# worth confirming, since an unescaped username can change the filter.
setenv LDAP_FILTER = "(&(objectclass=user)
(sAMAccountName=%s))"
setenv LDAP_FILTER_CHPW = "(&(objectclass=user)
(sAMAccountName=%s))"
# Presumably only members of AD groups named TACACS_* are mapped to tac_plus
# groups, and REQUIRE_TACACS_GROUP_PREFIX makes such membership mandatory
# rather than optional -- verify against the backend script's documentation.
setenv TACACS_GROUP_PREFIX = "TACACS_"
setenv REQUIRE_TACACS_GROUP_PREFIX = 1
#exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
# This is the block the parser rejects (see the config-check output below):
# inside "acl = <name> { ... }" this version accepts only nac, nas, port,
# time or a nested acl, not deny/permit. The permit/deny decision therefore
# has to be expressed where the acl is referenced (the "acl = test" line in
# Group1) -- see the tac_plus documentation for the exact form.
acl = test {
# These values are regular expressions, not IP literals. An unescaped "."
# matches any character and the first two patterns have no anchors, so
# 172.17.1.2 also matches 172.17.1.22 and 172.17.1.200. Escape and anchor
# them (^172\.17\.1\.(2|34|35)$, ^10\.0\.32\.1$) so the match is exact --
# over-matching on a deny is merely surprising, but the same mistake on a
# permit widens access.
deny = 172.17.1\.(2|34|35)
deny = 10.0.32.1$
permit = .*
}
group = Group1 {
acl = test
# Both groups grant enable and a default-permit authorization at priv-lvl 15;
# "default service = permit" presumably allows any service the NAS asks for
# that is not listed here, so membership in these groups should be scoped
# deliberately (here via the TACACS_* AD groups).
enable = permit
default service = permit
service = exec {
set priv-lvl = 15
}
}
group = Group2 {
enable = permit
default service = permit
service = exec {
set priv-lvl = 15
}
}
}
</snip>
When I run that through the config check (tac_plus -d 16 -P tac_plus.conf)
I get:
31363: 19:00:00.000 0/00000000: /home/ngagne/tac_plus_test.conf:15: "key"
keyword is deprecated at top configuration level.
#!/usr/local/sbin/tac_plus
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
key = test
mavis module = external {
script out = {
if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
}
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "domain.local:3268"
setenv LDAP_BASE = "DC=domain,dc=local"
setenv LDAP_USER = "CN=ldap,CN=Managed Service
Accounts,DC=domain,DC=local"
setenv LDAP_PASSWD = "password"
setenv LDAP_SCOPE = "sub"
setenv LDAP_FILTER = "(&(objectclass=user)
(sAMAccountName=%s))"
setenv LDAP_FILTER_CHPW = "(&(objectclass=user)
(sAMAccountName=%s))"
setenv TACACS_GROUP_PREFIX = "TACACS_"
setenv REQUIRE_TACACS_GROUP_PREFIX = 1
#exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
acl = test {
deny
/home/ngagne/tac_plus_test.conf:40: Expected 'nac', 'nas', 'port', 'time'
or 'acl', but got 'deny'
31363: /home/ngagne/tac_plus_test.conf:40: Expected 'nac', 'nas', 'port',
'time' or 'acl', but got 'deny'
31363: Detected fatal configuration error. Exiting.
</snip>
What am I doing wrong?