tac_plus authenticating against an LDAP group


quicky2g

Jul 23, 2013, 6:36:50 PM
to event-driv...@googlegroups.com
Not sure if what I'm trying to do is supported or not...

I have a group in Microsoft AD 2008 inside the Users container called "TACACSData", with a few users in it. I'm trying to authenticate against routers/switches with the users in that AD group.

I'm using this config:

id = spawnd {
        listen = {
                port = 49
        }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = no
}

id = tac_plus {
        host = any { key = "mykey" address = 0.0.0.0/0 }
        authorization log = syslog
        debug = +AUTHEN
        mavis module = external {
                # # Optionally:
                # script out = {
                #       if (undef($TACMEMBER) && $RESULT == ACK) set RESULT = NAK
                # }

                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "192.168.0.233:3268 192.168.0.18:3268"
                setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=company,dc=pri"
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = ldapuser@company.pri
                setenv LDAP_PASSWD = ldappass
                setenv AD_GROUP_PREFIX = TACACS
                setenv REQUIRE_AD_GROUP_PREFIX = 1
                setenv USE_TLS = 0
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        user backend = mavis    # query backend for users
        login backend = mavis   # authenticate login via backend
        pap backend = mavis     # authenticate PAP via backend

        # A user will be in the "admin" group if he's member of the
        # corresponding "tacacsadmin" ADS group. See $tacacsGroupPrefix
        # and $require_tacacsGroupPrefix in the code.

        group = Data {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        #user = quicky2g {
        #         member = Data
        #default service = permit
        #service = shell {
        #       default command = permit
        #       default attribute = permit
        #       set priv-lvl = 15
        #}
        #}

}

The user "quicky2g" is already a member of the AD group TACACSData. If I uncomment the user, I can log in to routers/switches and execute commands. If I comment it out, I cannot log in to routers/switches. I'd prefer not to list every user that's part of the AD group in my tac_plus configuration file. Is there a way to have configuration for a group only?

Marc Huber

Jul 24, 2013, 12:10:12 PM
to event-driv...@googlegroups.com
On 24.07.13 00:36, quicky2g wrote:
> Not sure if what I'm trying to do is supported or not...

should be. Care to provide the mavistest output?

Cheers,

Marc

quicky2g

Jul 24, 2013, 1:05:30 PM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
I ran this command:

sudo mavistest -d -1 /etc/tac_plus/tac_plus.conf tac_plus quicky2g

and got this output:

29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[id] buf='id'
29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[<string>] buf='spawnd'
29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=2 sym=[listen] buf='listen'
29736: file=/etc/tac_plus/tac_plus.conf line=2 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=2 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=3 sym=[port] buf='port'
29736: file=/etc/tac_plus/tac_plus.conf line=3 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=3 sym=[<string>] buf='49'
29736: file=/etc/tac_plus/tac_plus.conf line=4 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=5 sym=[spawn] buf='spawn'
29736: file=/etc/tac_plus/tac_plus.conf line=5 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=5 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=6 sym=[instances] buf='instances'
29736: file=/etc/tac_plus/tac_plus.conf line=6 sym=[min] buf='min'
29736: file=/etc/tac_plus/tac_plus.conf line=6 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=6 sym=[<string>] buf='1'
29736: file=/etc/tac_plus/tac_plus.conf line=7 sym=[instances] buf='instances'
29736: file=/etc/tac_plus/tac_plus.conf line=7 sym=[max] buf='max'
29736: file=/etc/tac_plus/tac_plus.conf line=7 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=7 sym=[<string>] buf='10'
29736: file=/etc/tac_plus/tac_plus.conf line=8 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=9 sym=[background] buf='background'
29736: file=/etc/tac_plus/tac_plus.conf line=9 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=9 sym=[no] buf='no'
29736: file=/etc/tac_plus/tac_plus.conf line=10 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=12 sym=[id] buf='id'
29736: file=/etc/tac_plus/tac_plus.conf line=12 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=12 sym=[<string>] buf='tac_plus'
29736: file=/etc/tac_plus/tac_plus.conf line=12 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[host] buf='host'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[any] buf='any'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[key] buf='key'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[<string>] buf='mykey'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[address] buf='address'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[<string>] buf='0.0.0.0/0'
29736: file=/etc/tac_plus/tac_plus.conf line=13 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=14 sym=[mavis] buf='mavis'
29736: file=/etc/tac_plus/tac_plus.conf line=14 sym=[module] buf='module'
29736: file=/etc/tac_plus/tac_plus.conf line=14 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=14 sym=[<string>] buf='external'
29736: file=/etc/tac_plus/tac_plus.conf line=14 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=20 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=20 sym=[<string>] buf='LDAP_SERVER_TYPE'
29736: file=/etc/tac_plus/tac_plus.conf line=20 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=20 sym=[<string>] buf='microsoft'
29736: file=/etc/tac_plus/tac_plus.conf line=22 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=22 sym=[<string>] buf='LDAP_HOSTS'
29736: file=/etc/tac_plus/tac_plus.conf line=22 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=22 sym=[<string>] buf='192.168.0.233:3268 192.168.0.18:3268'
29736: file=/etc/tac_plus/tac_plus.conf line=23 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=23 sym=[<string>] buf='LDAP_SCOPE'
29736: file=/etc/tac_plus/tac_plus.conf line=23 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=23 sym=[<string>] buf='sub'
29736: file=/etc/tac_plus/tac_plus.conf line=24 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=24 sym=[<string>] buf='LDAP_BASE'
29736: file=/etc/tac_plus/tac_plus.conf line=24 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=24 sym=[<string>] buf='dc=company,dc=pri'
29736: file=/etc/tac_plus/tac_plus.conf line=25 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=25 sym=[<string>] buf='LDAP_FILTER'
29736: file=/etc/tac_plus/tac_plus.conf line=25 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=25 sym=[<string>] buf='(&(objectclass=user)(sAMAccountName=%s))'
29736: file=/etc/tac_plus/tac_plus.conf line=26 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=26 sym=[<string>] buf='LDAP_USER'
29736: file=/etc/tac_plus/tac_plus.conf line=26 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=26 sym=[<string>] buf='ldap...@company.pri'
29736: file=/etc/tac_plus/tac_plus.conf line=27 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=27 sym=[<string>] buf='LDAP_PASSWD'
29736: file=/etc/tac_plus/tac_plus.conf line=27 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=27 sym=[<string>] buf='ldappass'
29736: file=/etc/tac_plus/tac_plus.conf line=30 sym=[setenv] buf='setenv'
29736: file=/etc/tac_plus/tac_plus.conf line=30 sym=[<string>] buf='USE_TLS'
29736: file=/etc/tac_plus/tac_plus.conf line=30 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=30 sym=[<string>] buf='0'
29736: file=/etc/tac_plus/tac_plus.conf line=31 sym=[exec] buf='exec'
29736: file=/etc/tac_plus/tac_plus.conf line=31 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=31 sym=[<string>] buf='/usr/local/lib/mavis/mavis_tacplus_ldap.pl'
29736: file=/etc/tac_plus/tac_plus.conf line=32 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=34 sym=[user] buf='user'
29736: file=/etc/tac_plus/tac_plus.conf line=34 sym=[backend] buf='backend'
29736: file=/etc/tac_plus/tac_plus.conf line=34 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=34 sym=[mavis] buf='mavis'
29736: file=/etc/tac_plus/tac_plus.conf line=35 sym=[login] buf='login'
29736: file=/etc/tac_plus/tac_plus.conf line=35 sym=[backend] buf='backend'
29736: file=/etc/tac_plus/tac_plus.conf line=35 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=35 sym=[mavis] buf='mavis'
29736: file=/etc/tac_plus/tac_plus.conf line=36 sym=[pap] buf='pap'
29736: file=/etc/tac_plus/tac_plus.conf line=36 sym=[backend] buf='backend'
29736: file=/etc/tac_plus/tac_plus.conf line=36 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=36 sym=[mavis] buf='mavis'
29736: file=/etc/tac_plus/tac_plus.conf line=42 sym=[group] buf='group'
29736: file=/etc/tac_plus/tac_plus.conf line=42 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=42 sym=[<string>] buf='TACACSData'
29736: file=/etc/tac_plus/tac_plus.conf line=42 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=43 sym=[default] buf='default'
29736: file=/etc/tac_plus/tac_plus.conf line=43 sym=[service] buf='service'
29736: file=/etc/tac_plus/tac_plus.conf line=43 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=43 sym=[permit] buf='permit'
29736: file=/etc/tac_plus/tac_plus.conf line=44 sym=[service] buf='service'
29736: file=/etc/tac_plus/tac_plus.conf line=44 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=44 sym=[shell] buf='shell'
29736: file=/etc/tac_plus/tac_plus.conf line=44 sym=[{] buf='{'
29736: file=/etc/tac_plus/tac_plus.conf line=45 sym=[default] buf='default'
29736: file=/etc/tac_plus/tac_plus.conf line=45 sym=[command] buf='command'
29736: file=/etc/tac_plus/tac_plus.conf line=45 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=45 sym=[permit] buf='permit'
29736: file=/etc/tac_plus/tac_plus.conf line=46 sym=[default] buf='default'
29736: file=/etc/tac_plus/tac_plus.conf line=46 sym=[attribute] buf='attribute'
29736: file=/etc/tac_plus/tac_plus.conf line=46 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=46 sym=[permit] buf='permit'
29736: file=/etc/tac_plus/tac_plus.conf line=47 sym=[set] buf='set'
29736: file=/etc/tac_plus/tac_plus.conf line=47 sym=[<string>] buf='priv-lvl'
29736: file=/etc/tac_plus/tac_plus.conf line=47 sym=[=] buf='='
29736: file=/etc/tac_plus/tac_plus.conf line=47 sym=[<string>] buf='15'
29736: file=/etc/tac_plus/tac_plus.conf line=48 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=49 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=74 sym=[}] buf='}'
29736: file=/etc/tac_plus/tac_plus.conf line=75 sym=[<end-of-file>] buf=''

Marc Huber

Jul 24, 2013, 1:16:34 PM
to event-driv...@googlegroups.com
Hi,


On 24.07.13 19:05, quicky2g wrote:
> I ran this command:
>
> sudo mavistest -d -1 /etc/tac_plus/tac_plus.conf tac_plus quicky2g
>
> and got this output:
>
> 29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[id] buf='id'
> 29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[=] buf='='
> 29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[<string>] buf='spawnd'
> 29736: file=/etc/tac_plus/tac_plus.conf line=1 sym=[{] buf='{'
> <snip>

this isn't what I hoped to see.

# mavistest
mavistest [options] <config> <id> <type> <user> [<password>]

Options:
  -P                  (parse only)
  -d <debuglevel>     (set debug level)

Valid <type> values: FTP, TACPLUS

Sample usage: mavistest -d -1  /usr/local/etc/tac_plus.cfg tac_plus TACPLUS joe p4ssw0rd
#

Please try the command marked in red.

Cheers,

Marc



quicky2g

Jul 24, 2013, 1:28:47 PM
to event-driv...@googlegroups.com
Ran this command (password masked):

mavistest -d -1 /etc/tac_plus/tac_plus.conf tac_plus TACPLUS quicky2g userpassword

I got the same output as before with this extra at the end:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-29870-1374686717-0
USER                quicky2g
PASSWORD            userpassword
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-29870-1374686717-0
USER                quicky2g
RESULT              ACK
PASSWORD            userpassword
SERIAL              /09uhPh8D7mpHRxlvk4Y2w=
DBPASSWORD          userpassword
TACTYPE             AUTH

Marc Huber

Jul 24, 2013, 1:53:45 PM
to event-driv...@googlegroups.com
Hi,


On 24.07.13 19:28, quicky2g wrote:
> Output attribute-value-pairs:
> TYPE                TACPLUS
> TIMESTAMP           mavistest-29870-1374686717-0
> USER                quicky2g
> RESULT              ACK
> PASSWORD            userpassword
> SERIAL              /09uhPh8D7mpHRxlvk4Y2w=
> DBPASSWORD          userpassword
> TACTYPE             AUTH

ok, so authentication works, but group membership doesn't.

The Perl script is evaluating the LDAP "memberof" attribute. Please use an LDAP browser (or ldapsearch, e.g.) to verify that the user object comes with a suitable memberof entry. If the user is in multiple groups starting with "TACACS", setting UNLIMIT_AD_GROUP_MEMBERSHIP is mandatory (but this isn't a recommended configuration and will require more configuration work to resolve conflicts; a user may only be a direct member of exactly one group).

The EXPAND_AD_GROUP_MEMBERSHIP might be useful, too.

Cheers,

Marc



UNLIMIT_AD_GROUP_MEMBERSHIP
    If unset, the number of groups a user can be member of is limited to one.
    Default: unset

EXPAND_AD_GROUP_MEMBERSHIP
    If set, AD group memberships will be expanded.
    Default: unset
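The following is an added example, not part of this thread and not the code of mavis_tacplus_ldap.pl: a Python model of the memberOf evaluation Marc describes above. The function parameters mirror the AD_GROUP_PREFIX, REQUIRE_AD_GROUP_PREFIX and UNLIMIT_AD_GROUP_MEMBERSHIP variables from the first post. It parses constructed ldapsearch-style output for a user object, keeps the group CNs that start with the prefix, strips the prefix to get the tac_plus group name (TACACSData becomes Data, matching the comment about "tacacsadmin" mapping to "admin"), enforces the one-group limit, and then applies the "require group membership" rule that is commented out as `script out` in the first post's config. Two details are assumptions rather than documented behaviour: what happens on a multi-group conflict when the unlimit flag is off (modelled as RESULT ERR with a USER_RESPONSE) and that several group names are joined with commas in TACMEMBER.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed ldapsearch-style output for one AD user object (sample data, not real).
SAMPLE_USER_LDIF = """\
dn: CN=quicky2g,CN=Users,DC=company,DC=pri
sAMAccountName: quicky2g
memberOf: CN=TACACSData,CN=Users,DC=company,DC=pri
memberOf: CN=Domain Users,CN=Users,DC=company,DC=pri
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lower-case): [values]}.

    Handles ':: ' base64 values and leading-space line continuations, both of
    which ldapsearch emits (e.g. for DNs containing non-ASCII characters).
    """
    attrs: Dict[str, List[str]] = {}
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of the previous line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        key, _, value = line.partition(":")
        if value.startswith(":"):                  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs


def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a group DN ('CN=TACACSData,CN=Users,...' -> 'TACACSData')."""
    m = re.match(r"CN=((?:\\.|[^,])+)", dn.strip(), re.IGNORECASE)
    return m.group(1) if m else None


def tac_groups(attrs: Dict[str, List[str]], ad_group_prefix: str = "TACACS",
               require_ad_group_prefix: bool = True,
               unlimit_ad_group_membership: bool = False) -> List[str]:
    """Derive tac_plus group names from memberOf, as Marc's post describes.

    Raises ValueError when the user is a direct member of more than one matching
    group and the unlimit flag is off (assumption: the thread only says that
    membership is then limited to one group, not how the script reacts).
    """
    names: List[str] = []
    for dn in attrs.get("memberof", []):
        cn = group_cn(dn)
        if cn is None:
            continue
        if cn.startswith(ad_group_prefix):
            names.append(cn[len(ad_group_prefix):])   # TACACSData -> Data
        elif not require_ad_group_prefix:
            names.append(cn)
    if len(names) > 1 and not unlimit_ad_group_membership:
        raise ValueError("direct member of several TACACS groups: " + ", ".join(names))
    return names


def backend_response(attrs, password_ok, require_membership=True, **group_opts):
    """Build output attribute-value pairs in the shape mavistest prints.

    require_membership applies the 'script out' rule from the first post:
    if RESULT is ACK but TACMEMBER is undefined, turn the ACK into a NAK.
    """
    out = {"TYPE": "TACPLUS", "USER": attrs["samaccountname"][0], "TACTYPE": "AUTH",
           "RESULT": "ACK" if password_ok else "NAK"}
    try:
        groups = tac_groups(attrs, **group_opts)
    except ValueError as exc:
        out["RESULT"] = "ERR"                      # assumed error shape, see lead-in
        out["USER_RESPONSE"] = str(exc)
        return out
    if groups:
        out["TACMEMBER"] = ",".join(groups)        # comma join is an assumption
    if require_membership and out["RESULT"] == "ACK" and "TACMEMBER" not in out:
        out["RESULT"] = "NAK"                      # password correct, but in no TACACS group
    return out


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_USER_LDIF)
    for key, value in backend_response(user, password_ok=True).items():
        print(f"{key:<20}{value}")
```

The mavistest output earlier in the thread (RESULT ACK, no TACMEMBER line) corresponds to the branch where the password is right but no memberOf value matched the prefix. To get the real memberOf values for the check Marc suggests, an ldapsearch against the settings from the first post would look like `ldapsearch -H ldap://192.168.0.233:3268 -D ldapuser@company.pri -W -b dc=company,dc=pri '(sAMAccountName=quicky2g)' memberOf`; its output can be fed to parse_ldif_entry as-is.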

dwayne coker

Mar 1, 2015, 2:17:31 PM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Marc,

I'm having issues understanding where to add the LDAP_HOST to the /usr/local/lib/mavis/mavis_tacplus_ldap.pl file.  I constantly get the below error.  I'm a novice user with CentOS so if you could please assist it would be greatly appreciated.

FYI, I have tacacs+ working with static users, but cannot get authentication to LDAP working with tacacs+.

[root@msc-lex-si014 ~]# env LDAP_SERVER_TYPE="microsoft" /usr/local/lib/mavis/mavis_tacplus_ldap.pl
LDAP_HOSTS not defined at /usr/local/lib/mavis/mavis_tacplus_ldap.pl line 276, <DATA> line 522.


When I run the mavistest I get the following:


Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2723-1425230289-0
USER                test
PASSWORD            xxxx
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2723-1425230289-0
USER                test
RESULT              ERR
PASSWORD            xxxx
SERIAL              pMEa/36vhAgTH313lEkSZA=
USER_RESPONSE       No answer from LDAP backend.
TACTYPE             AUTH


[root]# env LDAP_HOSTS="172.19.32.12" /usr/local/lib/mavis/mavis_tacplus_ldap.pl
Default server type is 'tacacs_schema'. You *may* need to change that to 'generic' or 'microsoft'.

Marc Huber

Mar 1, 2015, 2:25:24 PM
to event-driv...@googlegroups.com
Hi,

On 01.03.15 18:51, dwayne coker wrote:
> I'm having issues understanding where to add the LDAP_HOST to the
> /usr/local/lib/mavis/mavis_tacplus_ldap.pl file. I constantly get the
> below error. I'm a novice user with CentOS so if you could please
> assist it would be greatly appreciated.
the Perl script will take the LDAP_* variables from the environment. You
can add the variables to the configuration file as part of the
corresponding "module" section, e.g.:

mavis module = external {
        exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
        setenv USE_TLS = 0
        setenv LDAP_HOSTS = "192.0.2.193"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "dc=example,dc=com"
}

Cheers,

Marc

dwayne coker

Mar 1, 2015, 2:46:20 PM
to event-driv...@googlegroups.com
Marc

Many thanks.  I managed to get it working.

Dwayne

Dwayne Coker

Mar 2, 2015, 11:25:24 AM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Marc,

Hey, I have TACACS working with my Cisco IOS devices.  I'm unable to get them to authenticate with my Cisco Nexus NX-OS devices.  Any thoughts?  I can authenticate with a static account configured for my NX-OS devices though.

Dwayne

--
You received this message because you are subscribed to a topic in the Google Groups "Event-Driven Servers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/event-driven-servers/0HUmjaIWlgg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to event-driven-ser...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Marc Huber

Mar 2, 2015, 1:10:39 PM
to event-driv...@googlegroups.com
Hi Dwayne,


On 02.03.15 17:25, Dwayne Coker wrote:
> Hey, I have TACACS working with my Cisco IOS devices.  I'm unable to get them to authenticate with my Cisco Nexus NX-OS devices.  Any thoughts?  I can authenticate with a static account configured for my NX-OS devices though.

this might be related to NX-OS using PAP authentication ... "pap backend = mavis" could help.

Cheers,

Marc

Dwayne Coker

Mar 2, 2015, 2:46:34 PM
to event-driv...@googlegroups.com, marc.j...@googlemail.com
Marc,

Thanks.  Adding pap backend = mavis works.  It does not inherit my settings for my user permissions though.  When I log into the Nexus with an account that I have strict limitations on, this doesn't work.  Do you know how I can incorporate the below in my tac_plus.cfg file?

service  = exec {
priv-lvl = 15
shell:roles=“\”network=admin\””


When I add this my tac_plus file errors out.

Thoughts??

Many thanks again.

Dwayne


Axel Eble

Mar 3, 2015, 7:14:49 AM
to event-driv...@googlegroups.com
Dwayne,

my config looks like this:


...
        login backend = mavis
        pap backend = mavis
        user backend = mavis

        pap password mapping = login

        host = world {
                address = ::/0
                prompt = "Welcome to CMS TACACS+ Service decmsnetwork01\n"
                enable 15 = clear secret
                key = <masked>
        }

        group = netadmin {

                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                        optional shell:roles = network-admin
                }
                [...]
                message ="\n\n\t\tWillkommen, NetAdmins!\n\n"
        }

This works for our NX-OS devices.

Regards,
Axel



--
Axel Eble * Bachgasse 2 * 79108 Freiburg * Germany * cell: +49.178.285-3265

Dwayne Coker

Mar 3, 2015, 2:21:39 PM
to event-driv...@googlegroups.com
Thanks for the reply.  When I add the shell:roles line I get the following error.  See below:

  group = MSCneteng {
                       enable = login
                       default service = permit
                       message ="\n You are logged in with full admin privileges\n"

                       service = shell {
                               default command = permit
                               default attribute = permit
                               set priv-lvl = 15
                               shell:roles 
/usr/local/etc/tac_plus.cfg:50: 'shell:roles’ unexpected


Here is an example of my config per your recommendations.

user backend = mavis

login backend = mavis
pap backend = mavis
pap password mapping = login
                       host = MSC {

                       address = ::/0
                       prompt = "
----------------------
WARNING
----------------------
Unauthorized access prohibited.  
Authorized access only.
This system is the property of SIS.
Disconnect IMMEDIATELY if you are not an authorized user!\n"
                       key = xxx
                       }

                       group = MSCneteng {
                       enable = login
                       default service = permit
                       message ="\n You are logged in with full admin privileges\n"

                       service = shell {
                               default command = permit
                               default attribute = permit
                               set priv-lvl = 15
                               shell:roles = network-admin

Axel Eble

Mar 4, 2015, 12:08:39 PM
to event-driv...@googlegroups.com
Dwayne,

if you look closely, you have omitted the keyword "optional".

Regards,
Axel

Dwayne Coker

Mar 4, 2015, 12:59:41 PM
to event-driv...@googlegroups.com
Many thanks Axel.  This now works as it should.

Dwayne

Dwayne Coker

Mar 13, 2015, 8:55:52 AM
to event-driv...@googlegroups.com
Marc/Axel,

Have either of you configured tacacs+ to work with Vyatta devices?  I have a couple of these deployed and I want to add them to TACACS.

Thanks
Dwayne

Tom Vaknin

Jan 18, 2017, 12:28:51 PM
to Event-Driven Servers, marc.j...@googlemail.com
hi Marc,

I just installed tacacs pro bono from your guide, and all is working as expected, except for one issue:
authentication to AD works only if I configure local users in my config file (with the memberof attribute disabled).

my configuration as follow:

        #Require group membership
        if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK

        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldap://x.x.x.x:389"
        # setenv LDAP_SCOPE = sub
        # setenv FLAG_FALLTHROUGH = 1
        setenv FLAG_FALLTHROUGH = y
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_BASE = "OU=RnD Users,DC=domain,DC=com"
        setenv FLAG_USE_MEMBEROF = 1
        setenv LDAP_USER = "user"
        setenv LDAP_PASSWD = "userpass"
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl

        group = ipgroup {
                service = shell {
                        default command = permit
                        set idletime = 30 # disconnect if there is no traffic for 30 minutes
                        set timeout = 60 # disconnect unconditionally after one hour
                        set priv-lvl = 15
                }

        group = Networking {
                member = ipgroup@allother

I see in Wireshark that the authentication to AD succeeds and the AD returns all of my user's membership groups, but tacacs does not match the Networking group from AD.

Here I can see that you do not recommend adding EXPAND_AD_GROUP_MEMBERSHIP, as it will require configuring a few more things.

If so, is that actually my problem?
I can't set the AD username to be in just one memberof group.

thank you very much.
Tom