Misunderstanding tacacs-ng acl


Petr Issakov

Mar 31, 2023, 3:14:10 AM
to Event-Driven Servers
Hello!
Sorry for the stupid questions, but I didn't find a sample in the docs and I don't understand how ACLs in tacacs-ng work.

In tac_plus (the previous version) I can configure an ACL on a user instance:

acl = alu_tl_mbh {
    permit = 10.27.[64-71].
    deny = .*
}

user = ank {
    member = region
    acl = alu_tl_mbh
}

Or on group instance:
group = mbh_reg {
    acl = alu_tl_mbh
}

How can I implement the same approach in tacacs-ng?
Thanks

Marc Huber

Mar 31, 2023, 9:27:33 AM
to event-driv...@googlegroups.com

Hi,

the sample configuration snippet below should work. Please git pull and build first, or apply

https://github.com/MarcJHuber/event-driven-servers/commit/c7f72fce39008c38af4bccdd1a30b8b1735c5bfb

manually. That fixes an issue in the parsing code that will keep the daemon from accepting the "==" or "!=" operators for ACLs.

Cheers,

Marc



        acl alu_tl_mbh  {
                if (nac == 10.27.64.0/21)
                        permit
                deny
        }

        profile alu_tl_mbh {
                script {
                        if (service == shell) {
                            if (cmd == "") {
                                set priv-lvl = 15
                                permit
                            }
                            permit
                        }
                }
        }

        group region



        user = ank {
                member = region
        }

        ruleset {
                rule region {
                        enabled = yes
                        script {
                                if (acl == alu_tl_mbh && member == region) {
                                        profile = alu_tl_mbh
                                        permit
                                }
                        }
                }
        }

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/7bd69bf4-f67d-42c1-9074-abf39b82724bn%40googlegroups.com.

Petr Issakov

Apr 3, 2023, 5:01:10 AM
to Event-Driven Servers

Hello! Marc, thank you for the quick answer!
I built the new commit and installed it. Your sample configuration works OK!
But this sample is not what I want to do.

I have 2 types of users (guests and admins) and I have 50 networks (ACLs) with NAS devices. Users must be restricted to accessing certain NAS devices from their own region (network) with certain rights (guest or admin).
Something like this:


acl nas_acl {
        if (nas == 10.87.177.18) permit
        deny
}

profile admin {
        script {
                if (service == shell) {
                        if (cmd == "") {
                                set priv-lvl = 15
                                permit
                        }
                        permit
                }
        }
}

profile noc_admin {
        script {
                if (cmd == "") {
                        set priv-lvl = 15
                        permit # required for shell startup
                }
                if (cmd =~ /^show/) permit
                if (cmd =~ /^info/) permit
                if (cmd =~ /^help/) permit
                if (cmd =~ /^terminal/) permit
                if (cmd =~ /^environment/) permit
                if (cmd =~ /^screen-length/) permit
                if (cmd =~ /^ssh/) permit
                if (cmd =~ /^telnet/) permit
                if (cmd =~ /^ping/) permit
                if (cmd =~ /^traceroute/) permit
                if (cmd =~ /^exit/) permit
                if (cmd =~ /^end/) permit
                if (cmd =~ /^logout/) permit
                if (cmd =~ /^configure/) {
                        if (cmd =~ /router interface/) permit
                        if (cmd =~ /router.*/) { message = "It is dangerous command. Denied" deny }
                        permit
                }
                deny
        }
}

group admin {
}

group mbh_acl {
}

group noc_admin {
}

user demo {
        password login = clear demo
        password pap = login
        member = admin,mbh_acl
}

user demo2 {
        password login = clear demo2
        # group
        member = noc_admin,mbh_acl
}

ruleset {
        rule mbh_profiles {
                enabled = yes
                script {
                        if (member == admin) {
                                profile = admin
                                permit
                        }
                        if (member == noc_admin) {
                                profile = noc_admin
                                permit
                        }
                }
        }
        rule mbh_acls {
                enabled = yes
                script {
                        if (member == mbh_acl) {
                                if (acl == nas_acl) permit
                                deny
                        }
                }
        }
}

Friday, March 31, 2023 at 19:27:33 UTC+6, Marc Huber:

Marc Huber

Apr 3, 2023, 11:31:52 AM
to event-driv...@googlegroups.com
Hi Petr,

On 03.04.2023 11:01, Petr Issakov wrote:
> I have 2 types of users (guests and admins) and I have 50 networks
> (acls) with nas devices. Users must be restricted to access certain
> nas devices from own region (network) with certain rights (guest or
> admins)

is the sample below closer to your use case?

Cheers,

Marc


        host network1 {
                key = ...
                address = ...
        }

        profile admin {
                script {
                        if (service == shell) {
                                if (cmd == "") permit
                                deny
                        }
                }
        }

        profile user {
                script {
                        if (service == shell) {
                                if (cmd == "") { set priv-lvl = 15 permit }
                                if (cmd =~ /^show /) permit
                                deny
                        }
                }
        }

        group admin
        group user

        group group1

        user = customer1_admin {
                member = group1
                member = admin
        }

        user = customer1_user {
                member = group1
                member = user
        }

        ruleset {
                rule customer1 {
                        script {
                                if (member == group1) {
                                        if (nas == network1) {
                                                if (member == admin) { profile = admin permit }
                                                if (member == user) { profile = user permit }
                                        }
                                        deny
                                }
                        }
                }
        }



Petr Issakov

Apr 5, 2023, 2:53:31 AM
to Event-Driven Servers
Hi, Marc!
Thank you! The config works!
I changed the configuration a bit so as not to repeat the profile configuration in the ruleset block for each NAS network (span).
My current test-zone config is below (full sample in attachments).

Currently I have a problem with that approach:
I can't apply 2 or more spans (NAS nets) to 1 user because rule mbh_spans will deny such users. For 1 span + 1 profile group the config works fine.
Does the syntax have some directive which exits the current rule and starts checking the next one?

net all {
        net mbh { address = 172.16.0.0/16 }
        net test_zone { address = 10.87.177.18 }
        net corp { address = 10.0.0.0/8 }
}

profile admin {
        script {
                if (service == shell) {
                        if (cmd == "") {
                                set priv-lvl = 15
                                permit
                        }
                        permit
                }
        }
}

profile noc_admin {
        script {
                if (cmd == "") {
                        set priv-lvl = 15
                        permit # required for shell startup
                }
                if (cmd =~ /^show/) permit
                if (cmd =~ /^info/) permit
                if (cmd =~ /^help/) permit
                if (cmd =~ /^terminal/) permit
                if (cmd =~ /^environment/) permit
                if (cmd =~ /^screen-length/) permit
                if (cmd =~ /^ssh/) permit
                if (cmd =~ /^telnet/) permit
                if (cmd =~ /^ping/) permit
                if (cmd =~ /^traceroute/) permit
                if (cmd =~ /^exit/) permit
                if (cmd =~ /^end/) permit
                if (cmd =~ /^logout/) permit
                if (cmd =~ /^configure/) {
                        if (cmd =~ /router interface/) permit
                        if (cmd =~ /router.*/) { message = "It is dangerous command. Denied" deny }
                        permit
                }
                deny
        }
}

############ Users ############
user demo {
        #password acl jumpstation { login = permit }
        password login = clear demo
        password pap = login
        member = profile_admin
}

user demo2 {
        password login = clear demo2
        # group
        member = profile_noc_admin
        member = span_mbh
        member = span_test
}

#################################
############# Rules ############
realm heck {
        ruleset {
                rule mbh_spans {
                        enabled = yes
                        script {
                                if (member == span_mbh && nas != mbh) deny
                                if (member == span_test && nas != test_zone) deny
                        }
                }

                rule mbh_profiles {
                        enabled = yes
                        script {
                                if (member == profile_admin) {
                                        profile = admin
                                        permit
                                }
                                if (member == profile_noc_admin) {
                                        profile = noc_admin
                                        permit
                                }
                        }
                }
        }
}




Monday, April 3, 2023 at 21:31:52 UTC+6, Marc Huber:
00_tac_plus-ng.cfg

Marc Huber

Apr 5, 2023, 1:31:13 PM
to event-driv...@googlegroups.com

Hi Petr,

On 05.04.2023 08:53, Petr Issakov wrote:
> I can't apply 2 or more span (nas nets) for 1 user because rule mbh_spans will deny such users. For 1 span + 1 profile group config works fine.
> Does syntax has some directive which exit from current rule and start checking next?

in that case, instead of

      if (member == span_mbh && nas != mbh) deny
      if (member == span_test && nas != test_zone) deny

I'd use

      if (!
           (
               (member == span_mbh  && nas == mbh)
            || (member == span_test && nas == test_zone)
           )
         ) deny

(formatting for better readability only)

Cheers,

Marc


Petr Issakov

Apr 12, 2023, 7:37:54 AM
to Event-Driven Servers
Hi Marc, thank you again!
It's strange,
I have tested your configuration, but in the case of a user having 2 groups I have the same problem:

2023-04-12 14:06:33 +0300       10.87.177.17    demo2   /dev/vty1       10.11.176.96    shell login denied by ACL

net all {
        net mbh { address = 10.87.177.17 }
        net test_zone { address = 11.87.177.17 }
}
user demo2 {
        password login = clear demo2
        # group
        member = profile_noc_admin
        member = span_mbh
        member = span_test
}
...
realm heck {
        ruleset {
                rule mbh_spans {
                        enabled = yes
                        script {
                                if (!
                                     (
                                        (member == span_test && nas == test_zone) # not working: 1st condition is false
                                     || (member == span_mbh && nas == mbh)        # not working: 1st condition is false
                                     )
                                   ) deny
                        }
                }
        }
}


I noticed: when the true condition is in the 1st position the ACL works fine; if not, I get the result: denied by ACL.
If I swap the addresses between nets mbh and test_zone in the configuration above, login succeeds.
Full config in attachments.
Wednesday, April 5, 2023 at 23:31:13 UTC+6, Marc Huber:
tac_plus-ng.cfg

Marc Huber

Apr 12, 2023, 2:36:35 PM
to event-driv...@googlegroups.com

Hi,

for user demo2, I'm looking at

        if (!
             (
               (member == span_test && nas == test_zone) # not working 1 st condition is false
            || (member == span_mbh && nas == mbh) #  # not working 1 st condition is false
             )
           ) deny

which resolves to

        if (!
             (
               (TRUE && nas == test_zone) # not working 1 st condition is false
            || (TRUE && nas == mbh) #  # not working 1 st condition is false
             )
           ) deny

which resolves to

        if (! ((nas == test_zone) || (nas == mbh) ) ) deny

which resolves to

        if (FALSE) deny

which resolves to

        deny

so the end result "deny" seems legit as both networks and group memberships do overlap.

I'd go on with:

if (member == span_test && nas == test_zone) {
    profile = ...
    permit
}
if (member == span_mbh && nas == mbh) {
    profile = ...
    permit
}
deny

Cheers,

Marc


Marc Huber

Apr 12, 2023, 2:56:20 PM
to event-driv...@googlegroups.com
Hi

On 12.04.2023 20:36, Marc Huber wrote:
> which resolves to
>
>                                          if (! ((nas == test_zone) ||
> (nas == mbh) ) ) deny
>
> which resolves to
>
>                                          if (FALSE) deny
>
> which resolves to
>
>                                         deny
>
my apologies, this looks (quite obviously) wrong. I'll have a close look,
but that might take some time.

Cheers,

Marc

Marc Huber

Apr 13, 2023, 11:11:35 AM
to event-driv...@googlegroups.com

Hi Petr,

please git pull and retry. I didn't pay enough attention to negated non-trivial expressions, and the latest commit should fix that issue.

Cheers,

Marc
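The span check that this exchange revolves around, modelled in Python as an added example (it is not code from the thread or from tac_plus-ng; the nets, users, the evaluation order of the two rules and the default deny when no rule permits are assumptions modelled on the configurations posted above): it runs the original two-line variant and the negated-OR variant side by side for the same two-span user, so the difference in verdicts is visible without a daemon.

```python
import ipaddress

# Constructed sample data modelled on the thread's configuration (assumption:
# these are stand-in addresses and names, not the poster's real ones).
NETS = {
    "mbh": ipaddress.ip_network("172.16.0.0/16"),
    "test_zone": ipaddress.ip_network("10.87.177.18/32"),
}
USERS = {
    "demo": {"profile_admin"},
    "demo2": {"profile_noc_admin", "span_mbh", "span_test"},
}
# (group, net): a member of the group may reach NAS devices inside the net.
SPAN_RULES = [("span_mbh", "mbh"), ("span_test", "test_zone")]
PROFILE_RULES = [("profile_admin", "admin"), ("profile_noc_admin", "noc_admin")]


def nas_in(nas, net_name):
    """Model of 'nas == <net>': is the NAS address inside the named net?"""
    return ipaddress.ip_address(nas) in NETS[net_name]


def rule_spans_two_lines(members, nas):
    """The first variant posted in the thread:
         if (member == span_mbh  && nas != mbh)       deny
         if (member == span_test && nas != test_zone) deny
    A user in two span groups always trips one of the two lines, because
    a NAS can only be inside one of the nets."""
    for group, net in SPAN_RULES:
        if group in members and not nas_in(nas, net):
            return "deny"
    return None  # no verdict: evaluation continues with the next rule


def rule_spans_negated_or(members, nas):
    """The negated-OR variant: deny only when no (group, net) pair matches."""
    matched = any(group in members and nas_in(nas, net) for group, net in SPAN_RULES)
    return "deny" if not matched else None


def rule_profiles(members):
    """Assign a profile by group; the first matching branch permits."""
    for group, profile in PROFILE_RULES:
        if group in members:
            return ("permit", profile)
    return None


def evaluate(user, nas, span_rule):
    """Run the span rule, then the profile rule. Assumption: a ruleset that
    reaches its end without a permit ends as 'denied by ACL', which is what
    the log lines quoted in the thread show."""
    members = USERS[user]
    if span_rule(members, nas) == "deny":
        return ("deny", None)
    verdict = rule_profiles(members)
    return verdict if verdict else ("deny", None)


if __name__ == "__main__":
    for nas in ("172.16.5.5", "10.87.177.18", "10.0.0.1"):
        print(nas,
              "two-line:", evaluate("demo2", nas, rule_spans_two_lines),
              "negated-or:", evaluate("demo2", nas, rule_spans_negated_or))
```

One consequence worth checking in a real ruleset: under the negated-OR form a user with no span group at all (the `demo` user in the model) is denied everywhere, since the `any(...)` over the pairs is false for it, so every user that should pass that rule needs at least one span membership.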



Petr Issakov

Apr 20, 2023, 1:10:53 AM
to Event-Driven Servers
Hi Marc, thank you! The rules are now working as expected.

I have another question about integration with LDAP.
I'm testing the following config:

mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        #setenv FLAG_USE_MEMBEROF = 1
        setenv LDAP_HOSTS = "1.2.3.4:389"
        setenv LDAP_BASE = "dc=tacacscp,dc=ru"
        setenv LDAP_FILTER = "(&(cn=%s)(objectClass=*)(memberOf=cn=tacacscp_users,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru))"
        setenv LDAP_USER = "cn=admin,dc=tacacscp,dc=ru"
        setenv LDAP_PASSWD = "###"
        setenv TACACS_GROUP_PREFIX = "tacacscp_"
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
user backend = mavis
login backend = mavis
pap backend = mavis

# This requires PCRE2:
rewrite toLowerCase {
        rewrite /^.*$/ \L$0
}

realm heck {
        ruleset {
                rule mbh_spans {
                        enabled = yes
                        script {
                                if (!
                                     (
                                        (memberof =~ /^cn=tacacscp_span_mbh,/ && nas == mbh)
                                     || (memberof =~ /^cn=tacacscp_span_test,/ && nas == test_zone)
                                     )
                                   ) deny
                        }
                }

                rule mbh_roles {
                        enabled = yes
                        script {
                                if (memberof =~ /^cn=tacacscp_role_cn_admin,/) {
                                        profile = profile_admin
                                        permit
                                }
                                if (memberof =~ /^cn=tacacscp_role_noc_admin,/) {
                                        profile = profile_noc_admin
                                        permit
                                }
                        }
                }
        }
}

User "petr.isakov" in AD has the following values in the memberof attribute:

 MEMBEROF: "cn=tacacscp_role_noc_admin,ou=tacacscp_roles,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_span_mbh,ou=tacacscp_spans,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_span_test,ou=tacacscp_spans,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_users,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru"


This config is working fine, but in the logs I noticed:
Apr 20 07:03:53 t2ru-tacacs-vm-01 tac_plus-ng[2183559]: 10.87.177.17 looking for user petr.isakov in MAVIS backend
Apr 20 07:03:53 t2ru-tacacs-vm-01 tac_plus-ng[2183559]: Error petr.isakov:1: Group 'role_noc_admin' not found.
Apr 20 07:03:53 t2ru-tacacs-vm-01 tac_plus-ng[2183559]: 10.87.177.17 verdict for user petr.isakov is ACK
Apr 20 07:03:53 t2ru-tacacs-vm-01 tac_plus-ng[2183559]: 10.87.177.17 shell login for 'petr.isakov' (realm: heck) from 10.11.176.96 on /dev/vty0 succeeded (profile=profile_noc_admin)

So the user is included in the local group definitions depending on the memberof attribute in LDAP.
But if I change the config to analyze user membership in local groups, such as:

#################################
############ Groups #############

############ Roles ##############
        group role_cn_admin {
        }
        group role_noc_admin {
        }
        group role_guest {
        }

############ Spans #############
        group span_mbh {
        }
        group span_test {
        }

################################

realm heck {
        ruleset {
                rule mbh_spans {
                        enabled = yes
                        script {
                                if (!
                                     (
                                        (member == span_mbh && nas == mbh)
                                     || (member == span_test && nas == test_zone)
                                     )
                                   ) deny
                        }
                }

                rule mbh_roles {
                        enabled = yes
                        script {
                                if (member == role_cn_admin) {
                                        profile = profile_admin
                                        permit
                                }
                                if (member == role_guest) {
                                        profile = profile_guest
                                        permit
                                }
                                if (member == role_noc_admin) {
                                        profile = profile_noc_admin
                                        permit
                                }
                        }
                }
        }
}


The config is not working; the user is denied by ACL:
Apr 20 07:33:19 t2ru-tacacs-vm-01 tac_plus-ng[2185131]: 10.87.177.17 shell login for 'petr.isakov' (realm: heck) from 10.11.176.96 on /dev/vty0 denied by ACL

My question is:
Does tacacs-ng support an LDAP user belonging to multiple groups depending on the memberof attribute?




Thursday, April 13, 2023 at 21:11:35 UTC+6, Marc Huber:

Marc Huber

Apr 20, 2023, 12:09:37 PM
to event-driv...@googlegroups.com
Hi Petr,

On 20.04.2023 07:10, Petr Issakov wrote:
> Config not working, user denied by acl:
> Apr 20 07:33:19 t2ru-tacacs-vm-01 tac_plus-ng[2185131]: 10.87.177.17
> shell login for 'petr.isakov' (realm: heck) from 10.11.176.96 on
> /dev/vty0 denied by ACL
>
> My question is:
> Does tacacs-ng support ldap user belonging multiple group depending on
> memberof attribute?

yes, tac_plus-ng supports multiple group memberships.

Could you please share the

  tactrace.pl --conf=path_to_your_configuration.cfg --user petr.isakov --remote=10.11.176.96 --nad=10.87.177.17 --realm=heck

output? That might give a clue why the ACLs don't match as expected.

I did some more code-deduplication last Monday, so please make sure to
use the current GIT.

Thanks,

Marc


Petr Issakov

Apr 25, 2023, 4:58:27 AM
to Event-Driven Servers
Hi Marc.
I have updated tacplus-ng to the latest version from git and started tactrace.
Logs in attachments.
Thursday, April 20, 2023 at 22:09:37 UTC+6, Marc Huber:
tactrace.log

Marc Huber

Apr 25, 2023, 12:34:04 PM
to event-driv...@googlegroups.com
Hi Petr,

that's strange, the MEMBEROF attribute is correct, but TACMEMBER
contains just the first entry (and from an earlier post you seem to have
UNLIMIT_AD_GROUP_MEMBERSHIP set correctly).

Please give the experimental mavis/python/mavis_tacplus_ldap.py script a
try, it might work better for you.

Plus, I think I'll commit a revised version of mavis_tacplus_ldap.pl
(possibly named slightly differently to keep compatibility) later this week.

Cheers,

Marc

Petr Issakov

May 5, 2023, 5:44:49 AM
to Event-Driven Servers
Hi, Marc
unfortunately the experimental mavis/python/mavis_tacplus_ldap.py does not work (logs attached).
Also I tried your new mavis_tacplus-ng_ldap.pl backend. It works, but it does not cut TACACS_GROUP_PREFIX.


Tuesday, April 25, 2023 at 22:34:04 UTC+6, Marc Huber:
messages.log

Marc Huber

May 5, 2023, 12:41:16 PM
to event-driv...@googlegroups.com

Hi Petr,

please try calling /usr/local/lib/mavis/mavis_tacplus_ldap.py directly. Are there any error messages, e.g. ModuleNotFound errors?

Regarding mavis_tacplus-ng_ldap.pl: It defaults to

my $LDAP_MEMBEROF_REGEX = "^cn=([^,]+),.*";

and I think you can override that with

setenv LDAP_MEMBEROF_REGEX = "^cn=your_group_prefix([^,]+),.*"

for TACACS_GROUP_PREFIX simulation.

Cheers,

Marc


Petr Issakov

May 10, 2023, 4:46:29 AM
to Event-Driven Servers
Hi, Marc! Thank you for your time!
mavis_tacplus_ldap.py:
All required modules were installed via pip. On the LDAP server side I see that the tacacs backend tries to open many connections but unexpectedly drops them after a few moments (logs from the LDAP server and the tacplus-ng server attached).
------------------------------------------------


I think the problem with TACMEMBER is not in the backend.
I added a print command to the standard backend mavis_tacplus_ldap.pl:
....
bye:
    if (!defined($flag_cacheconn) && defined($ldap)) {
        $ldap->unbind;
        $ldap->disconnect;
        $ldap = undef;
    }
    # Emit every defined attribute as "<index> <value>", then the result line,
    # to stdout (the daemon) and stderr (for the log).
    my ($out) = "";
    for (my $i = 0; $i <= $#V; $i++) {
        $out .= sprintf ("%d %s\n", $i, $V[$i]) if defined $V[$i];
    }
    $out .= sprintf ("=%d\n", $result);
    print $out;
    print STDERR $out;
}

I run tactrace and see only the first value:

tactrace.pl --conf=/usr/local/etc/tac_plus-ng/00_tac_plus-ng.cfg --user petr.isakov --remote=10.11.176.96 --nad=10.87.177.17 --realm=heck

.......
10.87.177.17 USER (len: 11): petr.isakov
10.87.177.17 DN (len: 41): cn=petr.isakov,ou=Users,dc=tacacscp,dc=ru
10.87.177.17 TACMEMBER (len: 15): "role_cn_admin"
10.87.177.17 MEMBEROF (len: 227): "cn=tacacscp_role_cn_admin,ou=tacacscp_roles,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_span_test,ou=tacacscp_spans,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_users,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru"
10.87.177.17 SERVERIP (len: 12): 10.87.177.17
10.87.177.17 IPADDR (len: 12): 10.11.176.96
10.87.177.17 REALM (len: 4): heck
10.87.177.17 IDENTITY_SOURCE (len: 1):

# vim: ts=4
# MD5SUM: 73b6ce2ad8cb2b20dfd8c49edbd32dad

In the logs I see that the backend returns the proper values:

May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 3 16777216
May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 4 petr.isakov
May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 5 cn=petr.isakov,ou=Users,dc=tacacscp,dc=ru
May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 6 ACK
May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 14 10.11.176.96
May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 21 quGPNr5R9FIujdpnPiQDXQ=
May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 25 10.87.177.17
May 10 11:15:36 vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 27 heck
May 10 11:15:36 t2ru-tacacs-vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 47 "role_cn_admin","span_test","users"
May 10 11:15:36 t2ru-tacacs-vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: 49 INFO
May 10 11:15:36 t2ru-tacacs-vm-01 tac_plus-ng[2657597]: /usr/local/lib/mavis/mavis_tacplus_ldap_test.pl: 2657598: =0


Friday, May 5, 2023 at 22:41:16 UTC+6, Marc Huber:
tacplus.log
ldap-server.log

Marc Huber

May 10, 2023, 12:05:42 PM
to event-driv...@googlegroups.com, Petr Issakov

Hi Petr,

alas, the error messages aren't detailed enough for troubleshooting. Does setting the appropriate environment variables (LDAP_HOSTS et al.) and running

    printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | whatever-backend-script-you-are-going-to-use

show anything weird?

I couldn't reproduce your issue, at all, and all of the three backend options (mavis_tacplus_ldap.pl, mavis_tacplus-ng_ldap.pl, mavis_tacplus_ldap.py) work just fine for me.

Cheers,

Marc

Petr Issakov

May 11, 2023, 6:39:00 AM
to Event-Driven Servers
Hi, Marc!
Yes, initially the backend mavis_tacplus_ldap.py had a problem:
[root@vm-01 python]# printf "0 TACPLUS\n4 petr.isakov\n8 1\n49 AUTH\n=\n" | /usr/local/lib/mavis/mavis_tacplus_ldap.py
  File "/usr/local/lib/mavis/mavis_tacplus_ldap.py", line 205, in <module>
    entry = conn.entries[0]
IndexError: list index out of range

I added some fixes to the python backend (marked with #fix), please check it, I think it is correct now (attached).
And now it works:

printf "0 TACPLUS\n4 petr.isakov\n8 1\n49 AUTH\n=\n" | /usr/local/lib/mavis/mavis_tacplus_ldap.py
0 TACPLUS
1 "cn=tacacscp_users,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_role_cn_admin,ou=tacacscp_roles,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_span_test,ou=tacacscp_spans,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru"
4 petr.isakov
5 cn=petr.isakov,ou=Users,dc=tacacscp,dc=ru
6 ACK
8 1
36 1
47 "tacacscp_users","tacacscp_role_cn_admin","tacacscp_span_test"
49 AUTH
=0

But the main problem still exists. As I mentioned above, the backend returns all groups in the TACMEMBER (47) attribute, but in tactrace I see only the first group.



Wednesday, May 10, 2023 at 22:05:42 UTC+6, Marc Huber:
mavis_tacplus_ldap.py

Marc Huber

May 11, 2023, 12:01:29 PM
to event-driv...@googlegroups.com
Hi Petr,

On 11.05.2023 12:38, Petr Issakov wrote:
> IndexError: list index out of range
>
> I add some fixes to python backend (marked with #fix), please check
> it, I think it correct now (in attach)

thanks, great you've spotted that bug! I've actually committed the very
same fix yesterday evening, but nevertheless ;-)

> But main problem still exist. As I mentioned above backend return all
> groups in TACMEMBER (47) attribute but in tactrace I see only first group.
>
This is basically what I don't understand. The tactrace output will show
the TACMEMBER attribute as-is, and the attribute list should just be
virtually identical to what you're seeing when calling the module
manually. I'm pretty much lost here.

Cheers,

Marc

Petr Issakov

May 18, 2023, 3:40:03 AM
to Event-Driven Servers
Hi Marc!
I think there is something mistake  in /mavis/libmavis_groups.c module ,  please check it

I have tried replacing the code block handling the TACMEMBER attribute (rows 345-386) with:

    s = av_get(*ac, AV_A_TACMEMBER);
    if (s) {
        size_t len = strlen(s) + 1;
        char *v = alloca(len);    /* working copy of the attribute value */
        char *b = alloca(len);    /* rebuilt value, only the accepted names */
        char *p = b;
        *p = 0;
        memcpy(v, s, len);
        while (*v) {
            char *e;
            if (*v != '"')        /* each item must start with a quote */
                break;
            v++;
            for (e = v; *e && *e != '"'; e++);    /* find the closing quote */
            if (*e != '"')
                break;
            *e++ = 0;
            if (good_name(mcx->groups_regex, v)) {    /* keep only names the groups regex accepts */
                if (*b)
                    *p++ = ',';
                *p++ = '"';
                len = strlen(v);
                memcpy(p, v, len);
                p += len;
                *p++ = '"';
                *p = 0;
            }
            v = e;
            if (!*v || *v != ',')    /* anything but ',' ends the list */
                break;
            v++;
        }
        if (b[0])
            av_set(*ac, AV_A_TACMEMBER, b);
        else
            av_unset(*ac, AV_A_TACMEMBER);
    }

(i.e. exactly the same as the MEMBEROF attribute handling fragment)

and tactrace now shows all groups from the LDAP backend:

tactrace.pl --conf=/usr/local/etc/tac_plus-ng/00_tac_plus-ng.cfg --user petr.isakov --remote=10.11.176.96 --nad=10.87.177.17 --realm=heck
Version: GIT info is unavailable. This build might be outdated. Please make sure to update to the latest GIT version before issuing a support request.
10.87.177.17 ---<start packet>---
10.87.177.17 session id: 00000001, data length: 54
10.87.177.17 AUTHOR, priv_lvl=0
10.87.177.17 authen_type=ascii (1)
10.87.177.17 authen_method=tacacs+ (6)
10.87.177.17 service=login (1)
10.87.177.17 user_len=11 port_len=4 rem_addr_len=12 arg_cnt=2
10.87.177.17 user (len: 11): petr.isakov
10.87.177.17 port (len: 4): vty0
10.87.177.17 rem_addr (len: 12): 10.11.176.96
10.87.177.17 arg[0] (len: 13): service=shell
10.87.177.17 arg[1] (len: 4): cmd*
10.87.177.17 ---<end packet>---
10.87.177.17 Start authorization request
10.87.177.17 pcre2: '^.*$' <=> 'petr.isakov' = 1
10.87.177.17 pcre2: setting username to 'petr.isakov'
10.87.177.17 evaluating ACL __internal__username_acl__
10.87.177.17 regex: '[]<>/()|=[*"':$]+' <=> 'petr.isakov' = 0
10.87.177.17  line 441: [user] regex '[]<>/()|=[*"':$]+' => false
10.87.177.17  line 441: [permit]
10.87.177.17 ACL __internal__username_acl__: match

10.87.177.17 looking for user petr.isakov in MAVIS backend
10.87.177.17 user found by MAVIS backend, av pairs:

10.87.177.17 USER (len: 11): petr.isakov
10.87.177.17 DN (len: 41): cn=petr.isakov,ou=Users,dc=tacacscp,dc=ru
10.87.177.17 TACMEMBER (len: 35): "role_cn_admin","span_test","users"

10.87.177.17 MEMBEROF (len: 227): "cn=tacacscp_role_cn_admin,ou=tacacscp_roles,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_span_test,ou=tacacscp_spans,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru","cn=tacacscp_users,ou=tacacscp,ou=Groups,dc=tacacscp,dc=ru"
10.87.177.17 SERVERIP (len: 12): 10.87.177.17
10.87.177.17 IPADDR (len: 12): 10.11.176.96
10.87.177.17 REALM (len: 4): heck
10.87.177.17 IDENTITY_SOURCE (len: 1):
{ member = "role_cn_admin","span_test","users"
petr.isakov:1: Group 'users' not found.
2848635: petr.isakov:1: Group 'users' not found.
10.87.177.17 result for user petr.isakov is ACK
10.87.177.17 user 'petr.isakov' found
10.87.177.17 evaluating ACL mbh_spans
10.87.177.17  line 303: [member] member 'span_mbh' => false
10.87.177.17  line 303: [&&] => false
10.87.177.17  line 303: [member] member 'span_test' => true
10.87.177.17  line 303: [nas] net 'test_zone' => true
10.87.177.17  line 303: [&&] => true
10.87.177.17  line 303: [||] => true
10.87.177.17  line 303: [!] => false
10.87.177.17 ACL mbh_spans: no match
10.87.177.17 petr....@10.11.176.96: ACL mbh_spans: <unknown> (profile: n/a)
10.87.177.17 evaluating ACL mbh_roles
10.87.177.17  line 310: [member] member 'role_cn_admin' => true
10.87.177.17  line 311: [profile] 'profile_admin'
10.87.177.17  line 312: [permit]
10.87.177.17 ACL mbh_roles: match
10.87.177.17 petr....@10.11.176.96: ACL mbh_roles: permit (profile: profile_admin)
10.87.177.17  line 101: [service] = 'shell' => true
10.87.177.17  line 102: [cmd] = '' => true
10.87.177.17  line 103: [set] 'priv-lvl=15'
10.87.177.17  line 104: [permit]
10.87.177.17 nas:service=shell (passed thru)
10.87.177.17 nas:cmd* (passed thru)
10.87.177.17 nas:absent srv:priv-lvl=15 -> add priv-lvl=15 (k)
10.87.177.17 added 1 args
10.87.177.17 Writing AUTHOR/PASS_ADD size=30
10.87.177.17 ---<start packet>---
10.87.177.17 session id: 00000001, data length: 18
10.87.177.17 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
10.87.177.17 msg_len=0, data_len=0, arg_cnt=1
10.87.177.17 msg (len: 0):
10.87.177.17 data (len: 0):
10.87.177.17 arg[0] (len: 11): priv-lvl=15
10.87.177.17 ---<end packet>---


The user belongs to all groups in the local definitions and the ruleset works fine.



Thursday, May 11, 2023 at 22:01:29 UTC+6, Marc Huber:
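A standalone version of the TACMEMBER filtering loop discussed in the post above, added here as an illustration and not taken from libmavis_groups.c: it parses the quoted, comma-separated value and keeps only the names accepted by a POSIX extended regex (standing in for the module's good_name()/groups_regex, which are assumed rather than reproduced), stopping cleanly on an unterminated item or a full output buffer.

```c
#include <regex.h>
#include <string.h>

/* Added illustration of the TACMEMBER filtering loop (not libmavis_groups.c
 * itself): rewrite a value of the form "a","b","c", keeping only the names
 * that match the POSIX extended regex `pattern` (stand-in for the module's
 * good_name()/groups_regex). Returns the number of names kept, or -1 on a
 * bad pattern or empty buffer; `out` is always NUL-terminated. */
int filter_tacmember(const char *s, const char *pattern, char *out, size_t outlen)
{
    regex_t re;
    size_t used = 0;
    int kept = 0;
    if (outlen == 0 || regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB))
        return -1;
    out[0] = 0;
    while (*s == '"') {                       /* each item must start with a quote */
        const char *v = ++s;
        const char *e = strchr(v, '"');       /* closing quote */
        char name[256];
        size_t len;
        if (!e)
            break;                            /* unterminated item: stop here */
        len = (size_t)(e - v);
        if (len >= sizeof name)
            break;                            /* name too long for our buffer */
        memcpy(name, v, len);
        name[len] = 0;
        if (regexec(&re, name, 0, NULL, 0) == 0) {
            size_t need = len + 3 + (kept ? 1 : 0);   /* quotes, NUL, comma */
            if (used + need > outlen)
                break;                        /* output buffer full: keep what we have */
            if (kept)
                out[used++] = ',';
            out[used++] = '"';
            memcpy(out + used, name, len);
            used += len;
            out[used++] = '"';
            out[used] = 0;
            kept++;
        }
        s = e + 1;
        if (*s != ',')                        /* anything but ',' ends the list */
            break;
        s++;
    }
    regfree(&re);
    return kept;
}
```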

Marc Huber

unread,
May 18, 2023, 8:06:06 AM5/18/23
to event-driv...@googlegroups.com

Hi Petr,

thanks -- I actually seem to have missed that you're using the "groups" module. I've committed a fix that resolves that issue, please git pull and retry.

Cheers,

Marc


On 18.05.2023 09:40, Petr Issakov wrote:
Hi Marc!
I think there is some mistake in the /mavis/libmavis_groups.c module, please check it.

I have tried replacing the code block handling the TACMEMBER attribute (rows 345-386) with:

<snip>


Petr Issakov

unread,
May 19, 2023, 2:37:52 AM5/19/23
to Event-Driven Servers
Hi Marc!
Thank you very much!
Now all works fine!

Thursday, May 18, 2023 at 18:06:06 UTC+6, Marc Huber:

Marc Huber

unread,
May 19, 2023, 11:56:03 AM5/19/23
to event-driv...@googlegroups.com
Hi Petr,

great, thanks!

Cheers,

Marc

On 19.05.2023 08:37, Petr Issakov wrote:
> Hi Marc!