[tac_plus] managing accounts

Daniel Schmidt daniel.schmidt at wyo.gov
Thu May 22 21:55:16 UTC 2014


I see - you need to extract that data first.  When you are done extracting
the data, ConfigParser could provide you with a means to easily add/update
(set) and maintain those users in do_auth.ini.

Unfortunately, I see now from your output that not all your users are PAM,
so my idea will not help you.


On Thu, May 22, 2014 at 3:47 PM, Asif Iqbal <vadud3 at gmail.com> wrote:

>
> On May 22, 2014 5:41 PM, "Daniel Schmidt" <daniel.schmidt at wyo.gov> wrote:
> >
> > Not exactly the direction I was talking about.  My idea:  Standardize
> > your tac_plus.conf with a DEFAULT user, member of do_auth_access, and login
> > = PAM and you will never need to change it.  Auth your users via PAM and
> > authorize them in do_auth.  Call config parser to add/remove them, perhaps
> > based on an external database.
> >
> > Admittedly, it might not get all the services you need, I'm just saying
> > it's much easier to call a pre-made config parser than trying to write your
> > own as you are doing now.
> >
>
> I still need to convert my existing tac_plus conf file with about 1800
> users into ini type file first and ConfigParser is not good for that, if I
> understand correctly.
>
> >
> > On Thu, May 22, 2014 at 2:56 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
> >>
> >>
> >>
> >>
> >> On Thu, May 22, 2014 at 4:14 PM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> >>>
> >>> Put users in do_auth and manage them there instead.  Import
> >>> ConfigParser to add/remove users as needed.  Can even cross reference a
> >>> database if needed.
> >>
> >>
> >>
> >> That is the direction I am heading. But I need to normalize the
> >> existing users into rows for the database and then it will be easier to
> >> convert that into ini type file to work with do_auth.
> >>
> >> I am pretty close to complete.
> >>
> >> So far I got this far
> >>
> >> import re
> >>
> >> f = open('tac_plus.conf').read()
> >>
> >> # raw string so \s and \n reach the regex engine unchanged; note that the
> >> # non-greedy (.+?) stops at the first "}", so a user with nested
> >> # cmd = ... { } blocks is cut off at the first inner closing brace
> >> pattern = r'\n?user\s*=\s*(\S+)\s*{(.+?)}'
> >>
> >> users = re.findall(pattern, f, re.DOTALL|re.MULTILINE)
> >>
> >> which outputs like this
> >>
> >> ('aa49451', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
> >> ('aa15561', '\n\tlogin = PAM\n\tacl = oobrs\n\tmember = readonly')
> >> ('aa56743', '\n\tlogin = PAM\n\tmember = oobrs')
> >> ('cariden', '\n\tlogin = des s5YXYZAm4f.\n\tmember = cariden')
> >> ('ssarepts', '\n        #login = des qwASvuPKw\n        login = file /etc/tacacs-passwd\n        cmd = terminal {\n                permit "length"\n                deny .*\n        }\n        cmd = show {\n                permit "interfaces|policy-map interface"\n                deny .*\n        }\n\tcmd = exit {\n\t\tpermit .*\n\t}')
> >> ('vtt2440', '\n\tlogin = PAM\n\tmember = opsdb')
> >> ('aa60589', '\n        login = PAM\n        member = opsdb')
> >> ('aa92589', '\n        login = PAM\n        member = opsdb')
> >>
> >> I am still working on to clean up more.
> >>
> >> There are only 6 users with cmd = {..} inside. So I will just convert
> >> those into new groups and just use member = newgroup.
> >>
> >> So not much work left to clean up.
> >>
> >>
> >>>
> >>>
> >>> On Thu, May 22, 2014 at 12:41 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
> >>>>
> >>>> On Thu, May 22, 2014 at 12:48 PM, Asif Iqbal <vadud3 at gmail.com> wrote:
> >>>>
> >>>> >
> >>>> >
> >>>> >
> >>>> > On Thu, May 22, 2014 at 12:27 PM, heasley <heas at shrubbery.net> wrote:
> >>>> >
> >>>> >> Thu, May 22, 2014 at 12:26:10PM -0400, Asif Iqbal:
> >>>> >> > Any one has tool to manage user accounts on tac_plus.conf?
> >>>> >> >
> >>>> >> > Looking for adding/deleting multiple users.
> >>>> >> >
> >>>> >> > Adding/Modifying/Deleting them manually with an editor is painful.
> >>>> >>
> >>>> >> why not do it in a database/elsewhere and export it to the config file?
> >>>> >>
> >>>> >
> >>>> > I would go with mysql then.
> >>>> >
> >>>> > Most of them are like below.
> >>>> > user = vtt2440 {
> >>>> >     login = PAM
> >>>> >     member = opsdb
> >>>> > }
> >>>> >
> >>>> > So creating a schema and inserting these data would be pretty simple
> >>>> >
> >>>> > CREATE TABLE Users (
> >>>> >         user varchar(20) primary key,
> >>>> >         login varchar(20),
> >>>> >         member varchar(20)
> >>>> > );
> >>>> >
> >>>> > INSERT INTO Users (`user`, `login`, `member`) VALUES ("vtt2440", "PAM", "opsdb");
> >>>> >
> >>>> > But I will need some help with parsing this into a txt file and then just
> >>>> > LOAD DATA INFILE
> >>>> > would save a lot of time with ~2000 users.
> >>>> >
> >>>> >
> >>>> > However, how would I manage a stanza like this? Should I just move those
> >>>> > cmds inside the group definition?
> >>>> >
> >>>> > user =  ssarepts {
> >>>> >         login = file /etc/tacacs-passwd
> >>>> >         cmd = terminal {
> >>>> >                 permit "length"
> >>>> >                 deny .*
> >>>> >         }
> >>>> >         cmd = show {
> >>>> >                 permit "interfaces|policy-map interface"
> >>>> >                 deny .*
> >>>> >         }
> >>>> >     cmd = exit {
> >>>> >         permit .*
> >>>> >     }
> >>>> > }
> >>>> >
> >>>> > So it looks like I really need help with parsing these and normalizing
> >>>> > them to rows, before I can insert them into the database.
> >>>> >
> >>>> > Thanks for any help with parsing.
> >>>> >
> >>>>
> >>>>
> >>>> So, so far I managed to parse most of the users
> >>>>
> >>>>  import re
> >>>>
> >>>>  # text mode: a str pattern cannot be matched against the bytes 'rb' returns
> >>>>  f = open('tac_plus.conf').read()
> >>>>
> >>>>  # only the three-line shape  user = X { login = Y  member = Z }  matches;
> >>>>  # \w* rejects values with spaces, slashes or dots (des hashes, file paths)
> >>>>  # and nested cmd = ... { } blocks, so users with those are not counted
> >>>>  regex = re.compile(r'\s?\w*\s*=\s*(\w*)\s{\s+\w*\s*=\s*(\w*)\s+\w*\s*=\s*(\w*)\s+}',
> >>>>                     re.DOTALL|re.MULTILINE)
> >>>>
> >>>>  users = regex.findall(f)
> >>>>
> >>>>  for user in users:
> >>>>      print(user)
> >>>>
> >>>> So this gets me 1532 users out of 1760 users. I still need to improve
> >>>> the regex and could use some help.
> >>>>
> >>>> Thanks
> >>>>
> >>>>
> >>>>
> >>>> >
> >>>> > --
> >>>> > Asif Iqbal
> >>>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> >>>> > A: Because it messes up the order in which people normally read
> text.
> >>>> > Q: Why is top-posting such a bad thing?
> >>>> >
> >>>> >
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> tac_plus mailing list
> >>>> tac_plus at shrubbery.net
> >>>> http://www.shrubbery.net/mailman/listinfo/tac_plus
> >>>
> >>>
> >>> E-Mail to and from me, in connection with the transaction
> >>> of public business, is subject to the Wyoming Public Records
> >>> Act and may be disclosed to third parties.
> >>>
> >>
> >>
> >>
> >
> >
>


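The parsing and do_auth/ConfigParser discussion in the thread above, as an added example that is not part of the thread and not code from tac_plus or do_auth: a brace-counting parser for tac_plus.conf user/group stanzas that keeps nested cmd = ... { } blocks attached to the right user and accepts the values the \w* patterns reject (des hashes, "file /etc/tacacs-passwd"), followed by an export to rows (one row per user, one row per cmd rule) and a do_auth-style [users] section written with configparser. The sample config, the function names and the [users] ini layout (one key per user, value listing its groups) are assumptions; the layout in particular should be checked against the do_auth version in use. Because this file is the device authorization policy, the example also counts "user =" stanzas independently of the parser, so a stanza the parser skips is caught instead of silently dropped (the thread's regex found 1532 of 1760). Note that the rows carry the "login = des ..." password hashes, so the exported text file or database needs the same protection as tac_plus.conf itself.

```python
# Added example for this thread, not tac_plus or do_auth code: a brace-aware
# parse of tac_plus.conf stanzas, exported as rows and as an ini via configparser.
import configparser
import io
import re

# Constructed sample in tac_plus.conf syntax; names and shapes follow the thread.
SAMPLE_CONF = """\
user = vtt2440 {
    login = PAM
    member = opsdb
}
user = cariden {
\tlogin = des s5YXYZAm4f.
\tmember = cariden
}
user =  ssarepts {
        #login = des qwASvuPKw
        login = file /etc/tacacs-passwd
        cmd = terminal {
                permit "length"
                deny .*
        }
}
"""

STANZA_RE = re.compile(r'^(user|group)\s*=\s*(\S+)\s*\{$')  # user = X {
BLOCK_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*\{$')          # cmd = show {
KV_RE = re.compile(r'^([\w ]+?)\s*=\s*(.+)$')                # login = file /etc/x

def parse_tac_plus(text):
    """{'user': {name: attrs}, 'group': {...}}: scalar keys map to str, block
    keys (cmd, service, ...) to {label: [rule lines]}.  Braces are counted, so
    nested cmd blocks stay with their user; only full-line '#' comments skip."""
    result, current, block, depth = {'user': {}, 'group': {}}, None, None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if depth == 0:                       # top level: only stanzas matter
            m = STANZA_RE.match(line)
            if m:
                current, depth = (m.group(1), m.group(2), {}), 1
            continue
        if block is not None:                # inside a cmd/service block
            if line == '}':
                depth -= 1
                if depth == 1:               # block closed: attach to stanza
                    current[2].setdefault(block[0], {})[block[1]] = block[2]
                    block = None
                    continue
            elif line.endswith('{'):
                depth += 1
            block[2].append(line)
            continue
        if line == '}':                      # stanza closed
            result[current[0]][current[1]] = current[2]
            current, depth = None, 0
            continue
        m = BLOCK_RE.match(line)
        if m:
            block, depth = (m.group(1), m.group(2), []), 2
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError('line %d: cannot parse %r' % (lineno, raw))
        current[2][m.group(1)] = m.group(2).strip()
    if depth:
        raise ValueError('unbalanced braces: %r never closed' % current[1])
    return result

def count_user_stanzas(text):
    """Independent 'user =' count; compare with len(parsed['user']) before migrating."""
    return sum(1 for ln in text.splitlines() if re.match(r'^\s*user\s*=', ln))

def user_rows(parsed):
    """(user, login, member, acl) tuples, ready for CSV / LOAD DATA INFILE."""
    return [(n, a.get('login', ''), a.get('member', ''), a.get('acl', ''))
            for n, a in sorted(parsed['user'].items())]

def cmd_rows(parsed):
    """One (user, command, rule) row per line of a per-user cmd block."""
    return [(n, c, r) for n, a in sorted(parsed['user'].items())
            for c, rules in a.get('cmd', {}).items() for r in rules]

def to_do_auth_ini(parsed):
    """[users] section via ConfigParser, one key per user listing its groups (assumed layout)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str   # keep username case; the default lower-cases keys
    cp.add_section('users')
    for n, a in sorted(parsed['user'].items()):
        cp.set('users', n, ''.join('\n' + g for g in a.get('member', '').split()))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()

if __name__ == '__main__':
    parsed = parse_tac_plus(SAMPLE_CONF)
    print(*user_rows(parsed), *cmd_rows(parsed), to_do_auth_ini(parsed), sep='\n')
```

To run it against the real file, pass open('tac_plus.conf').read() to parse_tac_plus() and stop the migration if count_user_stanzas() disagrees with the number of parsed users; parse_tac_plus() raises on an unclosed stanza rather than returning a partial result, for the same reason.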

