MarcJHuber/event-driven-servers

Local user and AD connection problem

faresf06 opened this issue · 4 comments

Hello,
I've been trying to set up the Tac_plus-ng service for a few days now.
Unfortunately it's not working as expected. I've tried to consult all your documentation and forums to find a solution to my problem, but there's no way of solving it.

I tried to use your configuration available in the "MiniHowto tac_plus-ng" with modifications to match my AD's information, but it didn't work.

When I test the connection with this command:
/usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus-ng.cfg tac_plus-ng TAC_PLUS someusername
This one works: my user information is returned.

However, when I try to connect from a switch with a TACACS+ configuration that should be functional (it works with the basic tac_plus service), I can't connect. Here are the errors:

2023-06-14 08:47:31 -0400 (switch) demo tty1 (ip) shell login denied by ACL
2023-06-14 08:50:53 -0400 (switch) demo tty1 (ip) shell login denied by ACL
2023-06-14 09:11:11 -0400 (switch) demo tty1 (ip) shell login denied by ACL

Here is my configuration:

[09:13:54] root@tX:~# cat /usr/local/etc/tac_plus-ng.cfg
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus-ng {
        log connectlog {destination = /var/log/tac_plus/connecion.log}
        connection log = connectlog
        log accountlog {destination  = /var/log/tac_plus/accounting/%Y%m%d.log}
        log authlog {destination  = /var/log/tac_plus/authentication/%Y%m%d.log}
        log autorisationlog {destination  = /var/log/tac_plus/access/%Y%m%d.log}
        accounting log = accountlog
        authentication log = authlog
        authorization log = autorisationlog

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldap://ip"
                setenv LDAP_BASE = "dc=x,dc=y,dc=z"
                setenv LDAP_USER = "userTacs@x.y.z"
                setenv LDAP_PASSWD = "key"
                setenv TACACS_GROUP_PREFIX = ""
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

#       login backend = mavis
#       user backend = mavis
#       pap backend = mavis

        host switch {
                address = ::/0
                welcome banner = "Welcome\n"
                key = x
        }

        profile admins {
                script {
                        if (service == shell) {
                                if (cmd == "")
                                        set priv-lvl = 15
                                permit
                        }
                }
        }

        group admins

        user X {
                password login = mavis
                member = admins
        }

        user demo {
                password login = clear demo
                member = admins
        }
}

I've tried to log in with the user 'demo' and the password 'demo' but it doesn't work, as the logs show.

I wanted to solve this problem first before considering logging in with my AD users.
I'm sorry if you've already answered this kind of question or documented it, but I did read your documentation and tried several different configurations but none of them gave me a positive result of a successful connection.

Thanks to you and thanks for this project which is really great.

Hi,

your config seems to lack the "ruleset" portion, which is mandatory. Starting with

ruleset { rule { script { if (member == admins) { profile = admins permit } } } }

likely works.

Cheers,

Marc
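As an added illustration (this is example code, not part of tac_plus-ng and not from anyone in this thread), here is a small Python lint that reproduces the failure mode Marc points at: a configuration that parses fine and whose MAVIS backend answers mavistest, but that contains no `ruleset`, so no rule ever grants a profile and every login ends as "denied by ACL". It walks the config by brace nesting (a heuristic, not the real tac_plus-ng grammar), then reports an `id = tac_plus-ng` block without a `ruleset`, a rule that assigns a profile that is never defined, and a group that users belong to but that no rule tests. The embedded config is a constructed, condensed copy of the one posted above with the mavis and logging parts left out; the ruleset line is the one from Marc's reply.

```python
"""Heuristic lint for tac_plus-ng configs (added example, not project code).
It walks '{ ... }' nesting and flags the missing 'ruleset' that produces
"shell login denied by ACL". It does not implement the real config grammar."""
import re
from dataclasses import dataclass, field


@dataclass
class Block:
    header: str                                   # text before '{', e.g. 'id = tac_plus-ng'
    children: list = field(default_factory=list)  # nested blocks, in order
    body: list = field(default_factory=list)      # plain statements inside this block


def strip_comment(line: str) -> str:
    """Drop '#' comments (and the shebang line); a '#' inside quotes is kept."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse_config(text: str) -> Block:
    """Build a Block tree; several braces may share one line (one-liner ruleset)."""
    root, buf, quoted = Block("<root>"), [], False
    stack = [root]

    def flush() -> str:
        s = "".join(buf).strip()
        buf.clear()
        return s

    for line in text.splitlines():
        for ch in strip_comment(line):
            if ch == '"':
                quoted = not quoted
            if ch == "{" and not quoted:          # header text ends, nested block starts
                blk = Block(flush())
                stack[-1].children.append(blk)
                stack.append(blk)
            elif ch == "}" and not quoted:        # last statement of the block, then close it
                if s := flush():
                    stack[-1].body.append(s)
                if len(stack) > 1:
                    stack.pop()
            else:
                buf.append(ch)
        if s := flush():                          # statement terminated by end of line
            stack[-1].body.append(s)
    return root


def block_text(b: Block) -> str:
    return "\n".join([b.header, *b.body, *(block_text(c) for c in b.children)])


def lint(text: str) -> list:
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    for d in parse_config(text).children:
        if not re.fullmatch(r"id\s*=\s*tac_plus-ng", d.header):
            continue
        rulesets = [c for c in d.children if c.header == "ruleset"]
        if not rulesets:
            findings.append("id = tac_plus-ng: no 'ruleset' block, so every login is denied by ACL")
            continue
        rules_text = "\n".join(block_text(r) for r in rulesets)
        defined = {c.header.split()[1] for c in d.children if c.header.startswith("profile ")}
        for p in sorted(set(re.findall(r"profile\s*=(?!=)\s*([\w.-]+)", rules_text)) - defined):
            findings.append(f"ruleset assigns undefined profile '{p}'")
        tested = set(re.findall(r"member\s*==\s*([\w.-]+)", rules_text))
        members = set()
        for u in d.children:
            if u.header.startswith("user "):
                for stmt in u.body:
                    if m := re.match(r"member\s*=(?!=)\s*([\w.,-]+)", stmt):
                        members.update(m.group(1).split(","))
        for g in sorted(members - tested):
            findings.append(f"group '{g}' is used by users but tested by no rule")
    return findings


# Constructed, condensed copy of the config posted in the issue (mavis/LDAP
# and logging omitted; they play no part in the ACL decision).
BROKEN_CFG = """\
#!/usr/local/sbin/tac_plus-ng
id = spawnd { listen = { port = 49 } }

id = tac_plus-ng {
    host switch {
        address = ::/0
        key = x
    }
    profile admins {
        script {
            if (service == shell) {
                if (cmd == "")
                    set priv-lvl = 15
                permit
            }
        }
    }
    group admins
    user demo {
        password login = clear demo
        member = admins
    }
}
"""

# The fix from the reply above: a ruleset mapping group membership to the profile.
RULESET = "ruleset { rule { script { if (member == admins) { profile = admins permit } } } }"
FIXED_CFG = BROKEN_CFG.replace("    group admins\n", f"    group admins\n    {RULESET}\n")

if __name__ == "__main__":
    for name, cfg in (("posted config", BROKEN_CFG), ("with ruleset", FIXED_CFG)):
        print(f"{name}: {lint(cfg) or 'OK'}")
```

The two extra checks are there because the same silent denial reappears once the ruleset exists: a rule that sets a profile name with a typo, or AD users whose group (after TACACS_GROUP_PREFIX handling) is never named in any `member ==` test, also fall through to the default deny without any parse error.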

Hello!
I was able to test this just now, and it's indeed this little line that was preventing my AD users, and also my local users, from logging in.

I'll try to make a whole group work.

Thanks a lot for the quick answer and the help!

Everything works perfectly, thanks again for your help!
Thank you for creating this new version, which is much more complete than the others available on the market, and above all, it's free!

Cool, thanks! I'm closing this issue then.

Cheers,

Marc