[tac_plus] Problems with ACLs

Aaron Wasserott aaron.wasserott at viawest.com
Mon Nov 10 23:40:48 UTC 2014


Looks like you are using a version of TAC+ other than the Shrubbery one? Googling "id = tac_plus" indicates you are using the Mark Huber version.

http://gatestec.wordpress.com/2012/01/11/tacacs-part-1-choosing-the-version/

I am not familiar with that version, but it looks like your closing curly-brackets are not in the right spot. I would expect that the "id = tac_plus" section would end right after the statement "pap backend", before the first ACL statement.

Either way, I am guessing your syntax is not structured correctly for that version:

http://www.pro-bono-publico.de/projects/tac_plus.html#AEN175

-----Original Message-----
From: tac_plus [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Nate Gagne
Sent: Monday, November 10, 2014 2:46 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Problems with ACLs

Hello,

I'm trying to implement ACLs in our environment but can't seem to get the syntax correct.  Here's our entire sanitized tac_plus.conf:

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        access log = /var/log/tac_plus/access/%Y%m%d.log
        accounting log = /var/log/tac_plus/acct/%Y%m%d.log

        key = test

        mavis module = external {
                script out = {
                        if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
                }
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "domain.local:3268"
                setenv LDAP_BASE = "DC=domain,dc=local"
                setenv LDAP_USER = "CN=ldap,CN=Managed Service Accounts,DC=domain,DC=local"
                setenv LDAP_PASSWD = "password"
                setenv LDAP_SCOPE = "sub"
                setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName=%s))"
                setenv LDAP_FILTER_CHPW = "(&(objectclass=user) (sAMAccountName=%s))"
                setenv TACACS_GROUP_PREFIX = "TACACS_"
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                #exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
                exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        acl = test {
                deny = 172.17.1\.(2|34|35)
                deny = 10.0.32.1$
                permit = .*
        }

        group = Group1 {
                acl = test
                enable = permit
                default service = permit
                service = exec {
                        set priv-lvl = 15
                }

        }

        group = Group2 {
                enable = permit
                default service = permit
                service = exec {
                        set priv-lvl = 15
                }
        }
}

When I run that through the config check (tac_plus -d 16 -P tac_plus.conf) I get:

31363: 19:00:00.000 0/00000000: /home/ngagne/tac_plus_test.conf:15: "key" keyword is deprecated at top configuration level.
#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        access log = /var/log/tac_plus/access/%Y%m%d.log
        accounting log = /var/log/tac_plus/acct/%Y%m%d.log

        key = test

        mavis module = external {
                script out = {
                        if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
                }
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "domain.local:3268"
                setenv LDAP_BASE = "DC=domain,dc=local"
                setenv LDAP_USER = "CN=ldap,CN=Managed Service Accounts,DC=domain,DC=local"
                setenv LDAP_PASSWD = "password"
                setenv LDAP_SCOPE = "sub"
                setenv LDAP_FILTER = "(&(objectclass=user) (sAMAccountName=%s))"
                setenv LDAP_FILTER_CHPW = "(&(objectclass=user) (sAMAccountName=%s))"
                setenv TACACS_GROUP_PREFIX = "TACACS_"
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                #exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
                exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        acl = test {
                deny
/home/ngagne/tac_plus_test.conf:40: Expected 'nac', 'nas', 'port', 'time' or 'acl', but got 'deny'
31363: /home/ngagne/tac_plus_test.conf:40: Expected 'nac', 'nas', 'port', 'time' or 'acl', but got 'deny'
31363: Detected fatal configuration error. Exiting.

What am I doing wrong?
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/tac_plus
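As an added example (not code from either tac_plus project, nor from anyone in this thread), here is a small Python pre-flight lint that reproduces the two structural checks the thread turns on: brace balance, which Aaron's reply questions, and the keyword set the daemon's own error message says it accepts inside an "acl = name { ... }" block. The allowed keywords (nac, nas, port, time, acl) are taken verbatim from the quoted error; the configs embedded below are constructed from the posted acl/group fragment, and the "nas = 10.0.32.1" line in the corrected variant is an assumption about this version's value syntax, since the page only confirms the keyword name. It is a quick check to run before "tac_plus -P", not a replacement for it.

```python
"""Structural lint for a brace-block tac_plus.conf (added example).

Grounded in the thread: the daemon rejected 'deny' inside an acl block and
listed the keywords it expected.  Everything else about the grammar
(value syntax, other block types) is an assumption; the lint only checks
brace balance and the keyword names used inside acl blocks.
"""

# Keywords the daemon's error message lists as valid inside an acl block.
ACL_KEYWORDS = ("nac", "nas", "port", "time", "acl")

# Constructed config: trimmed copy of the posted acl/group block, which mixes
# Shrubbery-style "deny/permit = <regex>" entries into this version's acl block.
BROKEN_CONF = r"""
id = tac_plus {
        key = test
        acl = test {
                deny = 172.17.1\.(2|34|35)
                deny = 10.0.32.1$
                permit = .*
        }
        group = Group1 {
                acl = test
                enable = permit
        }
}
""".lstrip("\n")

# Constructed variant using a keyword the error message accepts.  The value
# syntax for "nas" is assumed, not confirmed by the page.
FIXED_CONF = """\
id = tac_plus {
        key = test
        acl = test {
                nas = 10.0.32.1
        }
        group = Group1 {
                acl = test
                enable = permit
        }
}
"""


def _expected_list() -> str:
    """Render the keyword set the way the daemon's own message phrases it."""
    head = ", ".join(repr(k) for k in ACL_KEYWORDS[:-1])
    return f"{head} or '{ACL_KEYWORDS[-1]}'"


def lint(conf: str) -> list[str]:
    """Return findings as '<line>: <message>' strings, empty if clean.

    Blocks are lines ending in '{' (e.g. 'acl = test {'); one-line blocks
    such as 'listen = { port = 49 }' are treated as plain statements.
    """
    findings: list[str] = []
    stack: list[tuple[int, str, str, str]] = []  # (lineno, header, kind, name)
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if stack:
                stack.pop()
            else:
                findings.append(f"{lineno}: stray closing brace")
            continue
        if line.endswith("{") and line.count("{") == 1 and "}" not in line:
            header = line[:-1].strip()
            kind, _, name = header.partition("=")
            stack.append((lineno, header, kind.strip(), name.strip()))
            continue
        # Statement: the keyword is the first word before '='.
        keyword = line.split("=", 1)[0].split()[0]
        if stack and stack[-1][2] == "acl" and keyword not in ACL_KEYWORDS:
            acl_name = stack[-1][3]
            findings.append(
                f"{lineno}: acl '{acl_name}': expected {_expected_list()}, "
                f"but got '{keyword}'"
            )
    for lineno, header, _, _ in stack:
        findings.append(f"{lineno}: block '{header}' is never closed")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {label} ---")
        for finding in lint(conf) or ["no findings"]:
            print(finding)
```

Run as a script, the broken variant reports the same complaint the daemon printed for the posted config (here at line 4 rather than line 40, because the constructed copy is shorter), once for each deny/permit line, and the corrected variant reports nothing. Because the check fires only on keyword names, it cannot tell you whether a value is well-formed; the daemon's "-P" parse remains the authority for that.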
