- sudo apt-get update && sudo apt-get upgrade
- sudo apt-get install build-essential libnet-ldap-perl
- cd ~
- wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
- bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
- cd PROJECTS
- sudo make
- sudo make install
- sudo mkdir -p /var/log/tac_plus/access
- sudo mkdir -p /var/log/tac_plus/accounting
- sudo mkdir -p /var/log/tac_plus/authentication
- /usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
- Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.
- LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 277, <DATA> line 755.
- cd /usr/local/etc
- sudo touch tac_plus.cfg
- sudo chmod 755 tac_plus.cfg
- sudo nano tac_plus.cfg
```
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
    # Uncomment the line below for IPv6 support
    #listen = { address = :: port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    access log = /var/log/tac_plus/access/access-%Y%m%d.txt
    accounting log = /var/log/tac_plus/accounting/acct-%Y%m%d.txt
    authentication log = /var/log/tac_plus/authentication/auth-%Y%m%d.txt

    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        # If you are using Microsoft Global Catalog with LDAP SSL
        #setenv LDAP_HOSTS = "ldaps://10.0.0.100:3269"
        # If you are using Microsoft Global Catalog with LDAP (non-SSL)
        setenv LDAP_HOSTS = "10.0.0.100:3268"
        setenv LDAP_BASE = "DC=domain,DC=name"
        setenv LDAP_SCOPE = sub
        setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
        setenv LDAP_USER = "svc_tacplus@domain.name"
        setenv LDAP_PASSWD = "ServiceAccountPassword"
        # Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        # I'm not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does
        setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
        # Clear default setting of tacplus for AD_GROUP_PREFIX
        setenv AD_GROUP_PREFIX = ""
        # Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix
        setenv REQUIRE_TACACS_GROUP_PREFIX = 0
        # Set USE_TLS to 1 if you are using port 636 or 3269, set to 0 for port 389 or 3268
        setenv USE_TLS = 0
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = world {
        address = 0.0.0.0/0
        # Uncomment the line below for IPv6 support
        #address = ::/0
        prompt = "Welcome\n"
        enable 15 = clear secret
        key = "cisco"
    }

    # Example group that grants admin on Cisco IOS/XE/XR and NX-OS
    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
        service = exec {
            set task = "#root-system"
            set priv-lvl = 15
            set shell:roles = "\"network-admin vdc-admin\""
        }
    }

    # Example AD user mapping
    user = jsmith {
        password = mavis
        member = admin
    }
}
```
- /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
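Added example, not part of the paste and not tac_plus code: a small audit of a tac_plus.cfg like the one above. The procedure creates the file with chmod 755 while it holds LDAP_PASSWD, the shared key and a cleartext enable secret, and binds to AD without TLS; this check reports those combinations. The regexes and the sample fragment are constructed for this example.

```python
# Added example, not part of the paste: audits a tac_plus.cfg like the one above
# for directives that carry secrets and for file modes that expose them. The
# paste creates the file with chmod 755, so every local account can read
# LDAP_PASSWD, the shared TACACS+ key and the cleartext enable secret.
import os
import re
import stat

# Directives whose values are secrets, named as in the config above.
SECRET_DIRECTIVE = re.compile(r'^\s*(setenv\s+LDAP_PASSWD|key|enable\s+\d+)\s*=', re.M)
PLACEHOLDER_KEYS = {"cisco"}   # the example key used in the config above


def audit_config(text, mode):
    """Return findings for config text stored with the given permission bits."""
    findings = []
    secrets = sorted({" ".join(m.group(1).split()) for m in SECRET_DIRECTIVE.finditer(text)})
    if secrets and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("mode %o is group/world-readable but the file holds: %s"
                        % (mode, ", ".join(secrets)))
    for m in re.finditer(r'^\s*key\s*=\s*"([^"]*)"', text, re.M):
        if m.group(1) in PLACEHOLDER_KEYS:
            findings.append('TACACS+ key "%s" is the example placeholder' % m.group(1))
    if re.search(r'^\s*address\s*=\s*(0\.0\.0\.0/0|::/0)\s*$', text, re.M):
        findings.append("host block accepts any client address; restrict it to the NAS ranges")
    if re.search(r'^\s*setenv\s+USE_TLS\s*=\s*0\s*$', text, re.M):
        findings.append("USE_TLS = 0: LDAP bind credentials and user passwords cross the network in clear")
    return findings


def audit_config_file(path):
    """Audit a config file on disk using its actual mode bits."""
    with open(path) as f:
        text = f.read()
    return audit_config(text, stat.S_IMODE(os.stat(path).st_mode))


# Constructed fragment echoing the relevant lines of the config above.
SAMPLE_CFG = '''id = tac_plus {
    mavis module = external {
        setenv LDAP_PASSWD = "ServiceAccountPassword"
        setenv USE_TLS = 0
    }
    host = world {
        address = 0.0.0.0/0
        enable 15 = clear secret
        key = "cisco"
    }
}
'''
```

Run `audit_config_file("/usr/local/etc/tac_plus.cfg")` on the real file; an empty list means none of the checked conditions were found.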
- /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS SomeUserName SomeUserPassword
- {mavistest debug output omitted}
- Input attribute-value-pairs:
- TYPE TACPLUS
- TIMESTAMP mavistest-2501-1509172787-0
- USER SomeUserName
- PASSWORD SomeUserPassword
- TACTYPE AUTH
- Output attribute-value-pairs:
- TYPE TACPLUS
- TIMESTAMP mavistest-2501-1509172787-0
- USER SomeUserName
- RESULT ACK
- PASSWORD SomeUserPassword
- SERIAL QrWVmlId0OZADDRU/hy/pw=
- DBPASSWORD SomeUserPassword
- TACMEMBER [List of Active Directory security groups]
- TACTYPE AUTH
- cd /etc/init.d
- sudo cp ~/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
- sudo chmod 755 /etc/init.d/tac_plus
- sudo chown root:root /etc/init.d/tac_plus
- sudo update-rc.d tac_plus defaults
- sudo service tac_plus start
- sudo netstat -tulpen
- Active Internet connections (only servers)
- Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
- tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 0 25680 1911/tac_plus: 0 co
- tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 16105 1023/sshd
- tcp6 0 0 :::22 :::* LISTEN 0 16113 1023/sshd
- sudo nano /usr/local/etc/tac_plus.cfg
- sudo service tac_plus stop
- sudo service tac_plus start
- Environment variables from mavis_tacplus_ldap.pl:
- LDAP_SERVER_TYPE
  - One of: generic tacacs_schema microsoft
  - Default: tacacs_schema
- LDAP_HOSTS
  - Space-separated list of LDAP URLs or IP addresses or hostnames
  - Examples: "ldap01 ldap02", "ldaps://ads01:636 ldaps://ads02:636"
- LDAP_SCOPE
  - LDAP search scope (base, one, sub)
  - Default: sub
- LDAP_BASE
  - Base DN of your LDAP server
  - Example: "dc=example,dc=com"
- LDAP_FILTER
  - LDAP search filter
  - Defaults depend on LDAP_SERVER_TYPE:
    - generic: "(uid=%s)"
    - tacacs_schema: "(&(uid=%s)(objectClass=tacacsAccount))"
    - microsoft: "(&(objectclass=user)(sAMAccountName=%s))"
- LDAP_FILTER_CHPW
  - LDAP search filter for password changes
  - Defaults depend on LDAP_SERVER_TYPE:
    - generic: "(uid=%s)"
    - tacacs_schema: "(&(uid=%s)(objectClass=tacacsAccount)(!(tacacsFlag=staticpasswd))"
    - microsoft: "(&(objectclass=user)(sAMAccountName=%s))"
- LDAP_USER
  - User to use for the LDAP bind if the server doesn't permit anonymous searches.
  - Default: unset
- LDAP_PASSWD
  - Password for LDAP_USER
  - Default: unset
- AD_GROUP_PREFIX
  - An AD group starting with this prefix will be used for tacacs group membership.
  - Default: tacacs
- REQUIRE_AD_GROUP_PREFIX
  - If set, the user needs to be in one of the AD_GROUP_PREFIX groups.
  - Default: unset
- UNLIMIT_AD_GROUP_MEMBERSHIP
  - If unset, the number of groups a user can be a member of is limited to one.
  - Default: unset
- EXPAND_AD_GROUP_MEMBERSHIP
  - If set, AD group memberships will be expanded.
  - Default: unset
- USE_TLS
  - If set, the server is required to support start_tls.
  - Default: unset
- FLAG_CHPW
  - Permit password changes via this backend.
  - Default: unset
- FLAG_PWPOLICY
  - Enforce a simplistic password policy.
  - Default: unset
- FLAG_CACHE_CONNECTION
  - Keep the connection to the LDAP server open.
  - Default: unset
- FLAG_FALLTHROUGH
  - If the LDAP search fails, try the next module (if any).
  - Default: unset
- FLAG_USE_MEMBEROF
  - Use the memberOf attribute for determining group membership.
  - Default: unset
- FLAG_AUTHORIZE_ONLY
  - Don't attempt to authenticate users.
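Added example, not code from the paste or from tac_plus/MAVIS: it models how the mavis module settings in the config above (AD_GROUP_PREFIX, REQUIRE_TACACS_GROUP_PREFIX, UNLIMIT_AD_GROUP_MEMBERSHIP) decide the RESULT and TACMEMBER values that mavistest prints, following the variable descriptions and the paste's own comments, and parses a mavistest run into attribute-value pairs. The TACMEMBER value format (quoted, comma-separated) and the sample output are assumptions.

```python
# Added example, not code from the paste or from mavis_tacplus_ldap.pl. Models
# the group-membership rules described in the comments and variable reference
# above; the script's real decision code may differ in detail.

def evaluate_membership(ad_groups, env):
    """Return (RESULT, TACMEMBER) for a user whose AD groups are ad_groups.

    env holds the setenv values as strings; a missing key means unset."""
    prefix = env.get("AD_GROUP_PREFIX", "tacacs")          # script default
    require = env.get("REQUIRE_TACACS_GROUP_PREFIX") == "1"
    unlimit = env.get("UNLIMIT_AD_GROUP_MEMBERSHIP") == "1"
    # Only groups carrying the prefix become TACACS+ groups; the paste clears
    # the prefix to "", which makes every AD group qualify.
    tac_groups = [g for g in ad_groups if g.startswith(prefix)]
    if require and not tac_groups:
        return "NACK", []        # no group with the required prefix
    if not unlimit and len(tac_groups) > 1:
        return "NACK", []        # membership is limited to one group
    return "ACK", tac_groups


def parse_mavistest_output(text):
    """Parse the 'Output attribute-value-pairs:' section of a mavistest run
    into a dict; attribute and value are separated by the first space."""
    avps, in_output = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Output attribute-value-pairs:":
            in_output = True
        elif in_output and line:
            attr, _, value = line.partition(" ")
            avps[attr] = value
    return avps


def authenticated_groups(text):
    """TACMEMBER groups of a successful (RESULT ACK) run, else []. The
    quoted, comma-separated TACMEMBER format is an assumption."""
    avps = parse_mavistest_output(text)
    if avps.get("RESULT") != "ACK":
        return []
    return [g.strip().strip('"') for g in avps.get("TACMEMBER", "").split(",") if g.strip()]


# Constructed sample in the shape of the mavistest output shown above.
SAMPLE_OUTPUT = """Output attribute-value-pairs:
USER jsmith
RESULT ACK
TACMEMBER "Domain Users","NetAdmins"
"""
```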