
tac_plus-ng dns preload file

chirossel opened this issue · 6 comments

Hi

I tried to create a config with a rule based on the NAS DNS name, and used the "dns preload file" directive to load the reverse resolutions.

It's not working with my configuration, so I debugged with gdb and found that authen.c:add_revmap fails because the

io_dns_ctx for my realm (default) is NULL

So I commented out this check and everything is OK now:

void add_revmap(tac_realm * r, struct in6_addr *address, char *hostname, int ttl, int table)
{
/*
while (r && !r->idc)
r = r->parent; */
if (r) {

Is there an issue with my configuration ?

Regards

Olivier

PS: there is no check on realm->idc for dns preload address

Hi Olivier,

thanks for reporting this -- alas, I'm having trouble reproducing this issue. Could you please post a minimal config that would allow me to debug this?

Thanks,

Marc

Hi

thanks for your reply

my config is below:

#!/usr/local/sbin/tac_plus-ng

id = spawnd {
# spawnd front-end: accepts on all IPv4 interfaces, TCP port 4949, then detaches
listen = { address = 0.0.0.0 port = 4949 }
background = yes
}

id = tac_plus-ng {
# per-category logs, split into one file per day
log authzlog { destination = /var/log/tac_plus/authz/%Y/%m/%d.log }
log authclog { destination = /var/log/tac_plus/authc/%Y/%m/%d.log }
log acctlog { destination = /var/log/tac_plus/acct/%Y/%m/%d.log }
accounting log = acctlog
authentication log = authclog
authorization log = authzlog
# "ALL" is lab-level verbosity; DNS and REGEX are the areas relevant to this report
debug = ALL DNS REGEX
retire limit = 1000

# group membership from resolved gids, exposed as TACMEMBER
mavis module = groups {
	resolve gids = yes
	resolve gids attribute = TACMEMBER
# NOTE(review): of the four names, only admin/engineering/guest are declared as groups below; readonly is a user
            groups filter = /^(admin|engineering|guest|readonly)$/ # these are defined below
    }

    # LDAP backend via the external mavis script
    mavis module = external {
	setenv LDAP_SERVER_TYPE = "tacacs_schema"
	setenv LDAP_HOSTS = "192.168.100.194"
	setenv LDAP_BASE = "dc=ldap,dc=local"
	setenv LDAP_FILTER = "(&(uid=%s)(objectClass=tacacsAccount))"
	setenv LDAP_USER = "cn=admin,dc=ldap,dc=local"
	# NOTE(review): cleartext LDAP bind password in the config file -- keep the file's permissions tight
	setenv LDAP_PASSWD = "secret"
	exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

user backend = mavis
	login backend = mavis
	pap backend = mavis
# per the discussion in this issue, enabling reverse lookup here is also what creates the
# realm's DNS context that the preload directives below feed into
dns reverse-lookup nas = yes

# static reverse mapping; this name is what the radrns rule matches on
dns preload address 192.168.205.1 = RNS_RAD_9300_01

# relative path -- presumably resolved from the daemon's working directory; confirm
dns preload file = sample/hosts

# regex-named device entry (no address given)
# NOTE(review): the same shared secret (test123) is reused by the RNS/MRS devices and the ::/0 "world" device
device = /^RNS_RAD_9300.*/ {

welcome banner = "\nWelcome to Tacacs NG AIX LAB Plateforme\n"

key = test123

}

device = MRS_RAD_9300 {
   welcome banner = "\nWelcome to Tacacs NG AIX LAB Plateforme\n"
key = test123
# enable secret stored in clear
enable 15 = clear test
address = 192.168.245.105
}
device = RNS_RAD_9300 {
   welcome banner = "\nWelcome to Tacacs NG AIX LAB Plateforme\n"
key = test123
enable 15 = clear test
address = 192.168.205.1
}

# NOTE(review): ::/0 here overlaps with "world" (also ::/0); the maintainer reported having to
# drop this address for the config to parse
device DHCP_SWITCH {

welcome banner = "\nWelcome to Tacacs NG AIX LAB Plateforme\n"

address = ::/0

device mrs {

address = 192.168.100.103

}

device rns {

address = 192.168.100.102

}

}

# catch-all parent; lan and mgnt are nested sub-devices
device world {
    welcome banner = "\nWelcome to Tacacs NG AIX LAB Plateforme\n"
    key = test123 
    enable 15 = clear test
    address = ::/0
    device lan {
        address = 192.168.100.0/24
    }
    device mgnt {
        address = 192.168.245.0/24
    }
}

device localhost {
    address = 127.0.0.1
    welcome banner = "Welcome home\n"
    parent = world # for key and other definitions not set here
}

device other {
    address = 192.168.220.0/24
    welcome banner = "Welcome private\n"
    key = labKey
}

# admin: priv 15 on shell login; note the unbraced if covers only the set,
# so permit applies to every shell request
profile admin {
    script {
        if (service == shell) {
            if (cmd == "")
                set priv-lvl = 15
            permit
        }
    }
}

# getconfig: login autocmd dumps the config at priv 15; not referenced by the active rule below
profile getconfig {
    script {
        if (service == shell) {
            if (cmd == "") {
                set autocmd = "admin display-config"
                set priv-lvl = 15
                permit
            }
        }
    }
}

# engineering: priv 7 on login, ping denied, other shell commands permitted
profile engineering {
    script {
        if (service == shell) {
            if (cmd == "") {
                set priv-lvl = 7
                permit
            }
            if (cmd =~ /^ping/) deny
            permit
        }
    }
}

# guest: priv 1 on login; the trailing permit sits outside the shell check, so non-shell services are permitted too
profile guest {
    script {
        if (service == shell) {
            if (cmd == "") {
                set priv-lvl = 1
                permit
            }
        }
        permit
    }
}


group admin {
    group lan # "admin" is a member
    group mgnt # of both
}

group engineering {
}

group guest {
}

# NOTE(review): cleartext static login password in the config
user olivier {

password login = clear olivier

member = admin,engineering

}

# member of guest only, which the active rule below does not handle
user readonly {
    password login = clear readonly
    member = guest
}

# only radrns is active; the other rules are commented out
ruleset {
    #        rule radmrs {
    #                script {
#	            if (nas == TATA ) { 
    #                        if (member == admin) { profile = admin permit }
    #                        if (member == engineering) { profile = engineering permit }
    #                	}
#		    }
#		}
            rule radrns {
                    script {
	           # matches the name preloaded for 192.168.205.1 (see "dns preload address" above)
	           if (device.dnsname =~ "RNS_RAD_9300_01" ) { 
	           #if (nas == RNS_RAD_9300 ) { 
                            if (member == admin) { profile = admin permit }
                            if (member == engineering) { profile = engineering permit }
                    	}
		    }
		}
#	rule {
    #                script { 
    #                        if (member == admin) { profile = admin permit }
    #                        if (member == engineering) { profile = engineering permit }
    #                }
    #        }
    #        rule {
    #                script { 
    #                        if (member == guest) { profile = guest permit }
    #                }
    #        }
    }

}

Hi Olivier,

thanks -- alas, I still can't reproduce this issue. I had to remove the DHCP_SWITCH "address = ::/0" declaration, but then the config parsed just fine. Is the segmentation fault you're seeing at startup, or at a later time?

Thanks,

Marc

Hi Marc

Sorry for the misunderstanding

It's not a segmentation fault.

The content of the hosts file is not loaded into r->dns_tree_ptr[0] because r->idc is NULL when the add_revmap (authen.c) function is called by the parse_etc_hosts (config.c) function.

I have to comment out the 2 lines at the beginning of add_revmap and it works now:

/*
while (r && !r->idc)
r = r->parent;
*/

but perhaps a different configuration would avoid the need for this patch?

Regards,

Olivier

Hi Olivier,

ah, thanks! I think I misplaced a curly bracket when refactoring the parsing code. Does

diff --git a/tac_plus-ng/config.c b/tac_plus-ng/config.c
index e8ddb94..7bde73a 100644
--- a/tac_plus-ng/config.c
+++ b/tac_plus-ng/config.c
@@ -983,10 +983,10 @@ static void parse_host_dns(struct sym *sym, tac_host * host)
            break;
        default:
            parse_error_expect(sym, S_equal, S_client, S_nac, S_device, S_nas, S_unknown);
-           if ((host->lookup_revmap_nas == TRISTATE_YES || host->lookup_revmap_nac == TRISTATE_YES)
-               && !host->realm->idc)
-               host->realm->idc = io_dns_init(common_data.io);
        }
+       if ((host->lookup_revmap_nas == TRISTATE_YES || host->lookup_revmap_nac == TRISTATE_YES)
+           && !host->realm->idc)
+           host->realm->idc = io_dns_init(common_data.io);
        return;
     default:
        ;
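Review bot: The realm's DNS context is still created only from parse_host_dns, i.e. when a host block enables a reverse-lookup option, so a `dns preload address` or `dns preload file` directive parsed before any such option (or in a realm whose hosts never enable it) would presumably still reach add_revmap with r->idc NULL, which is the reporter's point about the preload path having no idc check. Consider initialising the context in the preload parsers as well, or letting add_revmap create it lazily, rather than depending on directive order in the config. The result of io_dns_init is also assigned unchecked; if it can return NULL, the `!host->realm->idc` test simply retries on the next host, which may be acceptable but is worth a comment. A one-line comment on the moved block would help the next reader: `/* realm-wide resolver context, created on first reverse-lookup request */`. parse_host_dns continues past the hunk, since the outer switch's default follows the return.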

fix this problem for you?

Cheers,

Marc

Yes

It's good for me

Thanks again

Regards

Olivier