[tac_plus] tac_plus configuration AVP/VSAs

Ken Webb KWebb at adva.com
Thu May 28 14:43:38 UTC 2020


Hello -

I am trying to use a tac_plus server with a client that uses the open source nss_tacplus library (https://github.com/benschumacher/nss_tacplus).  This library attempts to supply sufficient information for a Linux-based operating system login process via its "nss" subsystem.  To do this it tries to leverage the AVPs/VSAs returned from a tacacs+ server during an authorization query.

Unfortunately, I have not had any luck devising a tac_plus configuration that will work.  The client connects, and the user name is apparently recognized, but the required AVPs are not being passed back.   The log messages I get from the nss_tacplus library look like:

May 29 06:50:08 nscd: src/nss_tacplus.c: `/etc/tacplus.conf' no change at cycle=23750
May 29 06:50:08 nscd: src/nss_tacplus.c: begin lookup: user=`joan', server=`10.1.27.136:49'
May 29 06:50:08 nscd: Args cnt 0
May 29 06:50:08 nscd: src/nss_tacplus.c: found match: user=`joan', server=`10.1.27.136:49', status=1, attributes? no
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'UID'
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'GID'
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'HOME'
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'SHELL'
May 29 06:50:08 sshd[19451]: Invalid user joan from 10.11.12.44 port 55294

Do you have any experience inter-operating with this (nss_tacplus) library?  Does tac_plus respond to authorization queries with AVPs in its response?   Our use of the nss_tacplus library has been validated with Cisco ACS 5.5.0.46.

Below is the tac_plus.conf file that I have used:

key = cisco
accounting file = /var/log/tac.log
group = admin {
        default service = permit
#        service = adva-exec {
#                  uid=1012
#                  gid=1014
#                  home=/home
#                  shell=/bin/bash
#    service = adva-exec {
#        uid="2000"
#        gid="504"
#        home="/home"
#        shell="/bin/bash"
#    }
#       }
}

user=joan {
    member = admin
    service = adva-exec {
        uid="2000"
        gid="504"
        home="/home"
        shell="/bin/bash"
    }
}

Thank you,

Ken Webb
Sr Software Engineer
ADVA
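An added example (not code from the original post, nor from the tac_plus or nss_tacplus projects) showing the check the client side is performing: it parses the attribute-value pairs an authorization REPLY carries, in the RFC 8907 form where "attr=value" is mandatory and "attr*value" is optional, and reports which of the four attributes named in the log above are absent. The sample pairs are taken from the service block in the posted config; the empty-reply case corresponds to the "Args cnt 0" log line. Case-insensitive attribute matching is this example's own assumption (the config uses lowercase names, the log prints them in uppercase).

```python
# Added example: parse TACACS+ authorization AV pairs and verify the
# attributes nss_tacplus reports as required (UID, GID, HOME, SHELL).
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool  # True for "attr=value", False for "attr*value"


def parse_avpair(raw: str) -> AVPair:
    """Split one AV pair at its first '=' or '*' (RFC 8907 section 6.1).

    The separator character decides whether the pair is mandatory ('=')
    or optional ('*'); the value may itself contain either character.
    """
    seps = [i for i in (raw.find("="), raw.find("*")) if i != -1]
    if not seps:
        raise ValueError(f"no '=' or '*' separator in AV pair: {raw!r}")
    i = min(seps)
    return AVPair(attr=raw[:i], value=raw[i + 1:], mandatory=raw[i] == "=")


# The four attributes the nss_tacplus log lines report as missing.
REQUIRED = ("uid", "gid", "home", "shell")


def check_required(avpairs, required=REQUIRED):
    """Return (found, missing): found maps lowercased attribute name to
    value (first occurrence wins), missing lists required names not seen.

    Assumption made here: attribute names are compared case-insensitively.
    """
    found = {}
    for raw in avpairs:
        pair = parse_avpair(raw)
        found.setdefault(pair.attr.lower(), pair.value)
    missing = tuple(a for a in required if a.lower() not in found)
    return found, missing


if __name__ == "__main__":
    # Constructed sample: the pairs the posted "adva-exec" service would send,
    # plus an optional pair, and then an empty reply like the logged one.
    reply = ["uid=2000", "gid=504", "home=/home", "shell=/bin/bash", "priv-lvl*15"]
    for args in (reply, []):
        found, missing = check_required(args)
        print(f"args={len(args)} found={sorted(found)} missing={missing}")
```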


