MarcJHuber/event-driven-servers

tac_plus: Return auth_error instead of auth_fail when LDAP backend is unreachable

maincarry opened this issue · 3 comments

Hi,
We configured tac_plus to use the MAVIS Active Directory backend.

When all LDAP backends are unreachable, tac_plus will send authentication failed (0x02) response with the message: "No answer from LDAP backend." Is it possible to send an authentication error (0x07) instead if MAVIS returns an error (LDAP no response in this case)?

This way, network devices can fall back to secondary authentication methods, instead of failing the auth request. This also makes the TACACS behave consistently with mavis_test, which reports an "ERR" result.

Thank you very much for your help!

Context (mavis_test when AD is unreachable):

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest...
USER                test.account
PASSWORD            testpassword
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest...
USER                test.account
RESULT              ERR
PASSWORD            testpassword
SERIAL              ...
USER_RESPONSE       No answer from LDAP backend.
TACTYPE             AUTH

RFC 8907 Ref: https://datatracker.ietf.org/doc/html/rfc8907#section-5.2-5.7
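To make the distinction concrete, here is an added example (not code from tac_plus or the MAVIS backend) that parses the mavis_test output above, maps the RESULT to an RFC 8907 section 5.2 authentication REPLY status (ERR to FAIL 0x02 as reported, or ERR to ERROR 0x07 as requested), builds the REPLY body, and shows why only ERROR lets a device fall back. The ACK/NAK result names for success/failure are assumptions; the issue only shows ERR.

```python
import struct

# RFC 8907 section 5.2: authentication REPLY status values relevant here.
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07

# Constructed sample: the mavis_test output quoted in the issue.
MAVIS_OUTPUT = """TYPE                TACPLUS
TIMESTAMP           mavistest...
USER                test.account
RESULT              ERR
PASSWORD            testpassword
SERIAL              ...
USER_RESPONSE       No answer from LDAP backend.
TACTYPE             AUTH
"""


def parse_mavis(text):
    """Parse MAVIS attribute-value output: key, whitespace run, value (rest of line)."""
    avs = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        avs[parts[0]] = parts[1] if len(parts) > 1 else ""
    return avs


def mavis_result_to_status(result, backend_error_is_error=True):
    """Map a MAVIS RESULT to a REPLY status.

    backend_error_is_error=False reproduces the behaviour the issue reports
    (ERR answered as FAIL); True is the requested behaviour (ERR as ERROR).
    ACK/NAK as success/failure result names are an assumption.
    """
    if result == "ACK":
        return TAC_PLUS_AUTHEN_STATUS_PASS
    if result == "ERR" and backend_error_is_error:
        return TAC_PLUS_AUTHEN_STATUS_ERROR
    return TAC_PLUS_AUTHEN_STATUS_FAIL  # NAK, ERR (old behaviour) or unknown: deny


def build_authen_reply(status, server_msg=b"", data=b"", flags=0):
    """RFC 8907 5.2 REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data


def device_should_fall_back(status):
    """Client-side policy from the issue: try the next method on ERROR, never on FAIL."""
    return status == TAC_PLUS_AUTHEN_STATUS_ERROR
```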

Hi,

thanks for reporting! I've just pushed a fix.

Cheers,

Marc

Is this fix necessary to use fallback options? I'm not able to find where to actually use the option for fallback.

Hi,

"authentication fallback = yes" at host level will accept a "fallback-only" user if the backend fails. Without that, the daemon will return an error to the device, and I think that's what you've suggested.

So yes, the fix is necessary, but the default behavior should be fine in most cases, so you won't have to change your configuration.

Cheers,

Marc