From: Adam Date: Fri, 09 Jul 2010 08:15:27 -0400 Subject: [tac_plus] Re: tac_plus configuration using AD/LDAP Hi, This is possible, to a certain extent.You may use pam to authenticate a user, (and thus pam_ldap or pam_krb5), but you still must define users in your tac_plus.conf, and you must still define groups in tac_plus.conf. A set of steps follows, and was written specifically for RHEL and an openldap server, so file locations and naming may vary: 1. Install the pam-devel package and tcp_wrappers via yum: yum install pam-devel tcp_wrappers 2. Obtain the latest tac_plus from ftp://ftp.shrubbery.net/pub/tac_plus/ I used version F4.0.4.15 3. unpack tac_plus: tar xfz tacacs+- 4. Run configure: ./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin --localstatedir=/var/local/tacacs --sysconfdir=/etc --with-logfile=/var/log/tacacs/tacacs --with-pidfile=/var/run/tacacs.pid --with-acctfile=/var/log/tacacs/acctfile Note that the above configure choices were my own, you can choose whatever values you want. 5. Make sure the pam libraries were found. Look at the output of configure for a line that looks like this: checking for pam_start in -lpam... yes If that says yes, then the daemon will compile with pam support. If it says no, then configure is unable to find your pam libraries. Make sure you performed Step 1. 6. compile tac_plus: make 7. install tac_plus make install 8. Configure tac_plus. While there are many more configurations to be done to make tac_plus work as a whole, the pam specific configuration is as follows: Edit the tac_plus conf file, and define your users as such: user = { login = PAM } Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway). Authorizations are still configured within the conf file, no ldap groups allowed :( 9. Define a pam stack for tac_plus. cd /etc/pam.d vi tac_plus My pam stack config is as follows: auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so Note that this config also works well for system-auth. If you want all authentication for your server to use ldap (graphical login, ssh, etc.), you can place the above into system-auth, and the define tac_plus as follows: auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so 10. Configure your ldap.conf. This is where you define your ldap server, binddn, attribute maps, etc. Note that on RHEL5, there are two ldap.conf files. One is in /etc/openldap and the other is just in /etc. PAM will stat both files upon invocation, and the second one it stats will override the first. I usually modify /etc/openldap/ldap.conf, and then symlink /etc/ldap.conf to it. That's it. At this point, assuming you have everything setup right, you should be able to use your LDAP server for authentication. To troubleshoot, I normally run the tacacs daemon in the foreground with debugging on: tac_plus -C /path/to/tac_plus.conf -L -p 49 -d16 -g and then try to authenticate. So far, I have found a couple caveats that will make life very sad. First, if you decide to run tac_plus from xinetd in linux (which I suggest you do, to utilize tcp wrappers properly), then you should set up your /etc/xinetd.d/tacacs conf file as follows: service tacacs { socket_type = stream protocol = tcp wait = no disable = no user = root server = /path/to/tac_plus server_args = -C /path/to/tac_plus.conf -L -p 49 -i -d 16 cps = 50 10 flags = IPv4 } The server must be run as root. Because you are talking to PAM, then you must have root privileges, or else it will not work. Secondly, if you are using xinetd, in your ldap.conf file, turn off debugging. When run from xinetd with ldap debugging on, the ldap libs will output debug code to stderr. Since you are running the daemon from within xinetd, there is no stderr to output to, and the tac_plus daemon upon discovering this broken pipe will fail and exit. Whether this is a tac_plus or xinetd problem I'm not sure, but it's there all the same. You can use the -g option to run in the foreground to test your ldap conf if you wish, but once you start to use xinetd, make sure that the debug directive in your ldap.conf is off. On 07/08/2010 03:49 PM, Robert Selvidge wrote: > Hi, > > I'm trying to implement a solution using tac_plus with AD/LDAP authentication. I cannot find much information on this using Shurbbery's tac_plus with this setup. Can someone point me in the right direction on how to set this up or even supply a sample configuration if someone has implemented this? > > -Rob