<p>Hello everybody,</p>
<p>In some cases, the PAM user won't be present in /etc/passwd (eg. pam LDAP backend).</p>
<p>The current behaviour of Tacacs+ is to check for the username in its configuration file.</p>
<p>If it doesn't exist but there is a DEFAULT user, the username is replaced by DEFAULT, so it won't work with PAM.</p>
<p>What would be really nice:</p>
<p>Don't change the username to DEFAULT if you see that the login method is PAM. That will allow the tacacs daemon to authenticate against a remote server like LDAP (in such a case, the login information may not be present on the server running tacacs). It might be easy to patch the do_author.c file at line 86, but I guess it won't be enough, or maybe we will need to do something in other parts of the daemon (like hash?).</p>
<p>The general picture would be:</p>
<p>1. Auth request with user name = xxy</p>
<p>2. I have no user name xxy in my tacacs conf, but a DEFAULT user exists</p>
<p>3. The DEFAULT user authenticates against PAM, so I won't change the username</p>
<p>4. Authenticate against PAM with username = xxy and return the result.</p>
<p>If any tacacs+ hacker wants to implement this, it would be fabulous :)</p>
<p>Please also note that I'm currently trying to get the Tacacs+ daemon to be shipped with Debian.</p>
<p>It has been uploaded and is waiting for ftp-master approval:</p>
<p>http://ftp-master.debian.org/new/tacacs+_4.0.4.19-2.html</p>
<p>Regards,</p>
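<p>Added illustration of the username-resolution rule requested above (steps 1 to 4), written in C as a stand-alone model; it is not tac_plus code, and the <code>cfg_user</code> table, <code>find_user</code> and <code>resolve_auth_user</code> are hypothetical names. The point it makes visible: when the DEFAULT entry uses PAM, the requested name must survive to the backend, because only PAM (for example via LDAP) knows that user.</p>

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical config entry: a username (or "DEFAULT") and its login
 * method. Constructed for this illustration, not tac_plus's own structs. */
typedef struct {
    const char *name;   /* username as it appears in the config */
    const char *login;  /* e.g. "PAM" or "cleartext" */
} cfg_user;

static const cfg_user *find_user(const cfg_user *cfg, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(cfg[i].name, name) == 0)
            return &cfg[i];
    return NULL;
}

/* Decide which username is handed to the authentication backend.
 * Returns the name to authenticate as, or NULL when the user is unknown
 * and no DEFAULT entry exists. *use_pam reports whether the chosen
 * entry's login method is PAM. */
const char *resolve_auth_user(const cfg_user *cfg, size_t n,
                              const char *requested, int *use_pam)
{
    const cfg_user *u = find_user(cfg, n, requested);   /* step 1 */
    if (u == NULL) {
        u = find_user(cfg, n, "DEFAULT");               /* step 2 */
        if (u == NULL)
            return NULL;
        if (strcmp(u->login, "PAM") != 0) {
            *use_pam = 0;       /* existing behaviour: substitute DEFAULT */
            return "DEFAULT";
        }
        /* step 3: DEFAULT is PAM-backed, so keep the requested name */
    }
    *use_pam = (strcmp(u->login, "PAM") == 0);
    return requested;                                   /* step 4 */
}

/* Constructed sample config: one local user plus a PAM-backed DEFAULT. */
const cfg_user sample_cfg[] = {
    { "alice",   "cleartext" },
    { "DEFAULT", "PAM" },
};
const size_t sample_cfg_n = sizeof sample_cfg / sizeof sample_cfg[0];

int main(void)
{
    int pam = 0;
    const char *who = resolve_auth_user(sample_cfg, sample_cfg_n, "xxy", &pam);
    printf("authenticate as %s via %s\n", who, pam ? "PAM" : "local");
    return 0;
}
```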