<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jul 12, 2013 at 12:55 PM, Alan McKinnon <span dir="ltr"><<a href="mailto:alan.mckinnon@gmail.com" target="_blank">alan.mckinnon@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">On 12/07/2013 18:41, Asif Iqbal wrote:<br>
> What are the hash types you use for your passwords and is it a method<br>
> that can be hashed quickly by the OS<br>
><br>
><br>
> using PAM -> AD.<br>
><br>
><br>
><br>
> Those would be the first thing I'd look at. Second is to post your<br>
> tac_plus.conf. There aren't really any best practices as such for this,<br>
> tac_plus is more than adequate to deal with just about any realistic<br>
> scenario so the "best practice" is whatever works for you and gives<br>
> *you* the control *you* need.<br>
><br>
><br>
><br>
> Need to sanitize a lot before posting it, but I have 31 group stanzas,<br>
> 1325 user stanzas,<br>
> 19 acl stanzas and some of those acls have about 130 permit lines.<br>
><br>
> currently I have 24 tac_plus instance running like below<br>
><br>
> $ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s<br>
> 4692 1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l<br>
> /var/log/tacacs.daemon.log -C /etc/tacacs.conf<br>
> 27276 4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l<br>
> /var/log/tacacs.daemon.log -C /etc/tacacs.conf<br>
><br>
<br>
<br>
</div>No need to post and sanitize your configs, the thing to investigate<br>
first is your PAM -> AD authen setup.<br>
<br>
I have a config similar to yours in terms of numbers and my setup works<br>
as expected. Most systems use a passwd file, one system has all the<br>
users directly in tac_plus.conf. I've run it on FreeBSD, Linux and<br>
Solaris and there's never been a hint of memory leaks at all. And no-one<br>
else here has posted about memory leaks as far as I can recall.<br></blockquote><div><br></div><div><br></div><div>Not sure why a restart of tac_plus fixes the slowness in working with </div><div>the router for almost a month until the next restart.</div>
<div> </div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
All that seems to point towards tac_plus itself working correctly, so we<br>
should look at things you have that are different.<br>
<br>
And AD via PAM is one such thing :-)<br>
Using PAM for auth in tac_plus is poorly documented and most folks who<br>
ask about it end up experimenting a lot to get it right.<br>
<br>
Can you post how your setup works and what your PAM config is?<br>
<div class=""><div class="h5"><br></div></div></blockquote><div><br></div><div>$ cat /etc/pam.d/tac_plus</div><div> auth<span class="" style="white-space:pre">        </span>required<span class="" style="white-space:pre">        </span>pam_ldap.so<br>
</div><div><br></div><div>$ cat /etc/ldap/ldap.conf</div><div><div> BASE ou=People,dc=example,dc=com</div><div> URI ldaps://<a href="http://192.168.137.34:1636">192.168.137.34:1636</a> ldaps://<a href="http://192.168.137.34:1636">192.168.137.34:1636</a><br>
</div><div><br></div><div> TLS_CACERT /etc/ssl/certs/example.cer<br></div><div> TLS_REQCERT never</div><div> nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,landscape,libuuid,list,lp,mail,man,news,postfix,proxy,root,sshd,sync,sys,syslog,uucp,www-data</div>
</div><div><br></div><div><br></div><div>using nslcd for caching</div><div><br></div><div><div>$ sudo cat /etc/nslcd.conf</div><div> uid nslcd</div><div> gid nslcd</div><div> uri ldaps://<a href="http://192.168.137.34:1636">192.168.137.34:1636</a> ldaps://<a href="http://192.168.137.34:1636">192.168.137.34:1636</a></div>
<div> base ou=People,dc=mnet,dc=example,dc=com</div><div> filter passwd (objectclass=mnetperson)</div><div> filter shadow (objectclass=mnetperson)</div><div> binddn uid=binduid,ou=people,dc=example,dc=com</div><div> bindpw secret</div>
<div> tls_reqcert never</div><div> tls_cacertfile /etc/ssl/certs/example.cer</div><div> idle_timelimit 60</div></div><div><br></div><div><div>$ ldd /usr/local/bin/tac_plus</div><div><span class="" style="white-space:pre">        </span>linux-vdso.so.1 => (0x00007fffa03ff000)</div>
<div><span class="" style="white-space:pre">        </span>libwrap.so.0 => /lib/libwrap.so.0 (0x00007f316aac5000)</div><div><span class="" style="white-space:pre">        </span>libtacacs.so.1 => /usr/local/lib/libtacacs.so.1 (0x00007f316a86c000)</div>
<div><span class="" style="white-space:pre">        </span>libpam.so.0 => /lib/libpam.so.0 (0x00007f316a65e000)</div><div><span class="" style="white-space:pre">        </span>libnsl.so.1 => /lib/libnsl.so.1 (0x00007f316a444000)</div>
<div><span class="" style="white-space:pre">        </span>libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f316a20b000)</div><div><span class="" style="white-space:pre">        </span>libpthread.so.0 => /lib/libpthread.so.0 (0x00007f3169fed000)</div>
<div><span class="" style="white-space:pre">        </span>libc.so.6 => /lib/libc.so.6 (0x00007f3169c67000)</div><div><span class="" style="white-space:pre">        </span>libdl.so.2 => /lib/libdl.so.2 (0x00007f3169a63000)</div>
<div>
<span class="" style="white-space:pre">        </span>/lib64/ld-linux-x86-64.so.2 (0x00007f316acd8000)</div></div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class=""><div class="h5">
<br>
<br>
--<br>
Alan McKinnon<br>
<a href="mailto:alan.mckinnon@gmail.com">alan.mckinnon@gmail.com</a><br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Asif Iqbal<br>PGP Key: 0xE62693C5 KeyServer: <a href="http://pgp.mit.edu">pgp.mit.edu</a><br>A: Because it messes up the order in which people normally read text.<br>
Q: Why is top-posting such a bad thing?<br>
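<p>Editor's note on the ps output quoted above. The two processes shown are a listener (pid 4692, ppid 1) and a child it forked to handle a connection (pid 27276, ppid 4692); tac_plus forks a child per connection, so the "24 instances" are mostly short-lived children and a leak that a restart cures will show up as steady RSS growth of the one long-lived listener, not of the children. The script below is an added example, not code from the thread or from tac_plus: it parses two snapshots of the exact <code>ps -e -o pid,ppid,vsz,rss,cmd</code> output posted, pairs processes by pid, and reports those whose resident set grew. The first snapshot is copied from the thread; the second, and the growth figures in it, are constructed for the example.</p>

```python
"""Compare two `ps -e -o pid,ppid,vsz,rss,cmd` snapshots and flag tac_plus
processes whose resident set grew.  Added example for this thread, not part
of tac_plus.  PS_BEFORE copies the two lines posted; PS_AFTER is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: first snapshot matches the two lines in the thread.
PS_BEFORE = """\
 4692     1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
27276  4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
"""
# Constructed later snapshot: the listener grew by ~40 MB; the earlier child
# is gone and a new child (forked per connection) has taken its place.
PS_AFTER = """\
 4692     1 118296 94708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
31002  4692 118296 94640 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
"""

Proc = Tuple[int, int, int, str]  # ppid, vsz_kb, rss_kb, cmd
LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ps(text: str, name: str = "tac_plus") -> Dict[int, Proc]:
    """Parse `ps -o pid,ppid,vsz,rss,cmd` output (header line optional) and
    keep only rows whose command basename equals `name`."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or blank line
        pid, ppid, vsz, rss, cmd = m.groups()
        if cmd.split()[0].rsplit("/", 1)[-1] != name:
            continue
        procs[int(pid)] = (int(ppid), int(vsz), int(rss), cmd)
    return procs


def listener_pids(procs: Dict[int, Proc]) -> List[int]:
    """Pids whose parent is not itself a tac_plus in the same snapshot,
    i.e. the long-lived listener(s) rather than per-connection children."""
    return sorted(pid for pid, (ppid, *_) in procs.items() if ppid not in procs)


def rss_growth(before: Dict[int, Proc], after: Dict[int, Proc],
               min_delta_kb: int = 10240) -> List[Tuple[int, int, int]]:
    """Return [(pid, rss_before_kb, rss_after_kb)] for pids present in both
    snapshots whose RSS grew by at least min_delta_kb.  Children that exist
    in only one snapshot are ignored; a leak in the listener shows as the
    ppid-1 process growing between samples taken hours apart."""
    out = []
    for pid, (_, _, rss0, _) in before.items():
        if pid in after:
            rss1 = after[pid][2]
            if rss1 - rss0 >= min_delta_kb:
                out.append((pid, rss0, rss1))
    return out


if __name__ == "__main__":
    b, a = parse_ps(PS_BEFORE), parse_ps(PS_AFTER)
    print("listeners:", listener_pids(b))
    for pid, r0, r1 in rss_growth(b, a):
        print(f"pid {pid}: rss {r0} kB -> {r1} kB (+{(r1 - r0) // 1024} MB)")
```

<p>To use it against a live box, save the ps output to a file every hour from cron and feed consecutive pairs to <code>parse_ps</code>; if the listener's RSS climbs monotonically while the children stay flat, the growth is in the parent (its PAM/LDAP handles and libtacacs state), which is consistent with a restart of the listener curing the slowness.</p>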
</div></div>
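<p>Editor's note on the LDAP client configs quoted above. With <code>auth required pam_ldap.so</code>, every TACACS+ login makes pam_ldap bind to the LDAP server as that user with the password the router forwarded, and nslcd binds with <code>bindpw</code>; <code>TLS_REQCERT never</code> / <code>tls_reqcert never</code> tells libldap not to verify the server certificate, so whoever answers at 192.168.137.34:1636 receives all of those passwords, and the <code>TLS_CACERT</code> line is loaded but never used. The audit below is an added example, not code from the thread, from tac_plus or from nss-pam-ldapd: it parses both files (key/value lines, libldap keys case-insensitive), reports the settings a reviewer would raise, and checks that a corrected nslcd.conf (same file with <code>tls_reqcert demand</code> and the duplicate URI dropped) comes back clean. The config texts are reconstructed from the thread; the file mode is passed in as a parameter because the example runs offline.</p>

```python
"""Audit ldap.conf / nslcd.conf style client config for settings that weaken
LDAPS.  Added example for this thread, not tac_plus or nss-pam-ldapd code.
The config texts below are reconstructed from what was posted in the thread."""
from typing import Dict, List, Tuple

LDAP_CONF = """\
BASE ou=People,dc=example,dc=com
URI ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
TLS_CACERT /etc/ssl/certs/example.cer
TLS_REQCERT never
"""

NSLCD_CONF = """\
uid nslcd
gid nslcd
uri ldaps://192.168.137.34:1636 ldaps://192.168.137.34:1636
base ou=People,dc=mnet,dc=example,dc=com
binddn uid=binduid,ou=people,dc=example,dc=com
bindpw secret
tls_reqcert never
tls_cacertfile /etc/ssl/certs/example.cer
idle_timelimit 60
"""

# Corrected version of the posted nslcd.conf: verify the server certificate
# against the CA already configured, and list the server once.
NSLCD_FIXED = """\
uid nslcd
gid nslcd
uri ldaps://192.168.137.34:1636
base ou=People,dc=mnet,dc=example,dc=com
binddn uid=binduid,ou=people,dc=example,dc=com
bindpw secret
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example.cer
idle_timelimit 60
"""

Finding = Tuple[str, str]  # (code, explanation)


def parse_conf(text: str) -> Dict[str, List[str]]:
    """`KEY value...` lines; keys lower-cased (libldap keys are case-insensitive,
    nslcd uses lower-case).  Repeated keys accumulate, last one wins on lookup."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit(conf: Dict[str, List[str]], mode: int = 0o600) -> List[Finding]:
    """Findings for one parsed file.  `mode` is the file's permission bits,
    supplied by the caller so the check runs offline."""
    findings: List[Finding] = []
    uris = " ".join(conf.get("uri", [])).split()
    start_tls = conf.get("ssl", [""])[-1].lower() == "start_tls"  # nslcd-only key
    uses_tls = start_tls or any(u.startswith("ldaps://") for u in uris)
    plain = [u for u in uris if u.startswith("ldap://")]
    if plain and not start_tls:
        findings.append(("CLEARTEXT", f"ldap:// without start_tls, binds go in clear: {plain}"))
    # libldap's default for TLS_REQCERT is demand; nslcd passes the setting through.
    reqcert = conf.get("tls_reqcert", ["demand"])[-1].lower()
    has_ca = any(k in conf for k in ("tls_cacert", "tls_cacertfile", "tls_cacertdir"))
    if uses_tls and reqcert in ("never", "allow"):
        findings.append(("NO_CERT_CHECK", f"tls_reqcert {reqcert}: server certificate not "
                         "verified; any host answering at the LDAPS address gets the bind "
                         "password and every user password sent via PAM"))
    elif uses_tls and reqcert == "try":
        findings.append(("WEAK_CERT_CHECK", "tls_reqcert try: a server presenting no certificate is accepted"))
    elif uses_tls and not has_ca:
        findings.append(("NO_CA", f"tls_reqcert {reqcert} but no tls_cacert/tls_cacertfile/tls_cacertdir"))
    if "bindpw" in conf and mode & 0o077:
        findings.append(("BINDPW_EXPOSED", f"bindpw in a file with mode {mode:04o}; should be 0600"))
    if len(uris) != len(set(uris)):
        findings.append(("DUP_URI", "same URI listed twice; that is not failover"))
    return findings


if __name__ == "__main__":
    for name, text, mode in (("ldap.conf", LDAP_CONF, 0o644), ("nslcd.conf", NSLCD_CONF, 0o600)):
        for code, why in audit(parse_conf(text), mode):
            print(f"{name}: {code}: {why}")
    print("fixed nslcd.conf:", audit(parse_conf(NSLCD_FIXED)) or "clean")
```

<p>The same change applies to /etc/ldap/ldap.conf (<code>TLS_REQCERT demand</code>, which is also libldap's default when the line is absent); after changing it, confirm the CA file actually validates the server's certificate before restarting nslcd and tac_plus, since <code>demand</code> will refuse the bind otherwise and every login will fail.</p>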