Untitled

sudo apt-get update && sudo apt-get upgrade
sudo apt-get install build-essential libnet-ldap-perl
cd ~
wget http://www.pro-bono-publico.de/projects/src/DEVEL.tar.bz2
bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
cd PROJECTS
sudo make
sudo make install
sudo mkdir /var/log/tac_plus/access
sudo mkdir /var/log/tac_plus/accounting
sudo mkdir /var/log/tac_plus/authentication

/usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.
LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 277, <DATA> line 755.

cd /usr/local/etc
sudo touch tac_plus.cfg
sudo chmod 755 tac_plus.cfg
sudo nano tac_plus.cfg

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { address = 0.0.0.0 port = 49 }
        #Uncomment the line below for IPv6 support
        #listen = { address = :: port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        access log = /var/log/tac_plus/access/access-%Y%m%d.txt
        accounting log = /var/log/tac_plus/accounting/acct-%Y%m%d.txt
        authentication log = /var/log/tac_plus/authentication/auth-%Y%m%d.txt

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                #If you are using Microsoft Global Catalog with LDAP SSL
                #setenv LDAP_HOSTS = "ldaps://10.0.0.100:3269"
                #If you are using Microsoft Global Catalog with LDAP (non-SSL)
                setenv LDAP_HOSTS = "10.0.0.100:3268"
                setenv LDAP_BASE = "DC=domain,DC=name"
                setenv LDAP_SCOPE = sub
                setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
                setenv LDAP_USER = "svc_tacplus@domain.name"
                setenv LDAP_PASSWD = "ServiceAccountPassword"
                #Setting UNLIMIT_AD_GROUP_MEMBERSHIP to 0 will cause a NACK response if the AD account is a member of more than one security group
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                #I'm not 100% sure what EXPAND_AD_GROUP_MEMBERSHIP does
                setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
                #Clear default setting of tacplus for AD_GROUP_PREFIX
                setenv AD_GROUP_PREFIX = ""
                #Setting REQUIRE_TACACS_GROUP_PREFIX to 1 will cause a NACK response if the AD account is not a member of a security group with the required prefix
                setenv REQUIRE_TACACS_GROUP_PREFIX = 0
                #Set USE_TLS to 1 if you are using port 636 or 3269, set to 0 for port 389 or 3268
                setenv USE_TLS = 0
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                address = 0.0.0.0/0
                #Uncomment the line below for IPv6 support
                #address = ::/0
                prompt = "Welcomen"
                enable 15 = clear secret
                key = "cisco"
        }

        #Example group that grants admin on Cisco IOS/XE/XR and NX-OS
        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
                service = exec {
                        set task = "#root-system"
                        set priv-lvl = 15
                        set shell:roles=""network-admin vdc-admin""
                }
        }

        #Example AD user mapping
        user = jsmith {
                password = mavis
                member = admin
        }
}

/usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg

/usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS SomeUserName SomeUserPassword

{mavistest debug output omitted}

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2501-1509172787-0
USER                SomeUserName
PASSWORD            SomeUserPassword
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2501-1509172787-0
USER                SomeUserName
RESULT              ACK
PASSWORD            SomeUserPassword
SERIAL              QrWVmlId0OZADDRU/hy/pw=
DBPASSWORD          SomeUserPassword
TACMEMBER           [List of Active Directory security groups]
TACTYPE             AUTH

cd /etc/init.d
sudo cp ~/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
sudo chmod 755 /etc/init.d/tac_plus
sudo chown root:root /etc/init.d/tac_plus
sudo update-rc.d tac_plus defaults
sudo service tac_plus start

sudo netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      0          25680       1911/tac_plus: 0 co
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          16105       1023/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      0          16113       1023/sshd

sudo nano /usr/local/etc/tac_plus.cfg
sudo service tac_plus stop
sudo service tac_plus start

Environment variables from mavis_tacplus_ldap.pl:

LDAP_SERVER_TYPE
    One of: generic tacacs_schema microsoft
    Default: tacacs_schema

LDAP_HOST
    Space-separated list of LDAP URLs or IP addresses or hostnames
    Examples: "ldap01 ldap02", "ldaps://ads01:636 ldaps://ads02:636"

LDAP_SCOPE
    LDAP search scope (base, one, sub)
    Default: sub

LDAP_BASE
    Base DN of your LDAP server
    Example: "dc=example,dc=com"

LDAP_FILTER
    LDAP search filter
    Defaults depend on LDAP_SERVER_TYPE:
    - generic:          "(uid=%s)"
    - tacacs_schema:    "(&(uid=%s)(objectClass=tacacsAccount))"
    - microsoft:        "(&(objectclass=user)(sAMAccountName=%s))"

LDAP_FILTER_CHPW
    LDAP search filter for password changes
    Defaults depend on LDAP_SERVER_TYPE:
    - generic:          "(uid=%s)"
    - tacacs_schema:    "(&(uid=%s)(objectClass=tacacsAccount)(!(tacacsFlag=staticpasswd))"
    - microsoft:        "(&(objectclass=user)(sAMAccountName=%s))"

LDAP_USER
    User to use for LDAP bind if server doesn't permit anonymous searches.
    Default: unset

LDAP_PASSWD
    Password for LDAP_USER
    Default: unset

AD_GROUP_PREFIX
    An AD group starting with this prefix will be used for tacacs group membership.
    Default: tacacs

REQUIRE_AD_GROUP_PREFIX
    If set, user needs to be in one of the AD_GROUP_PREFIX groups.
    Default: unset

UNLIMIT_AD_GROUP_MEMBERSHIP
    If unset, the number of groups a user can be member of is limited to one.
    Default: unset

EXPAND_AD_GROUP_MEMBERSHIP
    If set, AD group memberships will be expanded.
    Default: unset

USE_TLS
    If set, the server is required to support start_tls.
    Default: unset

FLAG_CHPW
    Permit password changes via this backend.
    Default: unset

FLAG_PWPOLICY
    Enforce a simplicistic password policy.
    Default: unset

FLAG_CACHE_CONNECTION
    Keep connection to LDAP server open.
    Default: unset

FLAG_FALLTHROUGH
    If LDAP search fails, try next module (if any).
    Default: unset

FLAG_USE_MEMBEROF
    Use the memberof attribute for determining group membership.
    Default: unset

FLAG_AUTHORIZE_ONLY
    Don't attempt to authenticate users.