LDAP / Mavis tacacs_schema group authorization


Callum Barr

May 26, 2015, 1:35:53 AM
to event-driv...@googlegroups.com
Hi,

I seem to have a problem where I have an attribute in my LDAP schema

tacacsMember=core-rw

However, this is never used when authorizing commands in tac_plus

Is this method of authorization supported?


id = tac_plus {
        debug = MAVIS PACKET AUTHEN AUTHOR ACL REGEX
        access log = /var/log/tac_plus/access.log
        accounting log = /var/log/tac_plus/acct.log
        authorization log = /var/log/tac_plus/auth.log

        mavis module = external {
            setenv LDAP_SERVER_TYPE = "tacacs_schema"
            setenv LDAP_HOSTS = "ipa.blah.co.nz:389"
            setenv LDAP_BASE = "dc=blah,dc=co,dc=nz"
            setenv LDAP_FILTER = "(&(uid=%s)(objectClass=tacacsAccount))"
            setenv TACACS_GROUP_PREFIX = ""
            setenv USE_TLS = 1
            exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        login backend = mavis
        user backend = mavis
        pap backend = mavis
        cache timeout = 5
}

When I do a mavistest I get the following:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-535-1432606858-0
USER                callum
PASSWORD            lol
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-535-1432606858-0
USER                callum
RESULT              ACK
PASSWORD            lol
SERIAL              Ui5QrtJQQtfCRk8WlEqqKQ=
DBPASSWORD          lol
TACMEMBER           core-rw
TACTYPE             AUTH


I manage to authenticate fine, but when it tries to authorize it seems never to use the TACMEMBER attribute:

544: 14:23:18.679 a/64030000: New session
544: 14:23:18.679 a/00000364: ---<start packet>---
544: 14:23:18.679 a/00000364: key used: 
544: 14:23:18.679 a/00000364: version: 192, type: 1, seq no: 1, flags: unencrypted
544: 14:23:18.679 a/00000364: session id: 00000364 data length: 38
544: 14:23:18.679 a/00000364: AUTHEN/START, priv_lvl=0
544: 14:23:18.679 a/00000364: action=login (1)
544: 14:23:18.679 a/00000364: authen_type=ascii (1)
544: 14:23:18.679 a/00000364: service=login (1)
544: 14:23:18.679 a/00000364: user_len=6 port_len=3 rem_addr_len=13
544: 14:23:18.679 a/00000364: data_len=8
544: 14:23:18.679 a/00000364: user (len: 6): callum
544: 14:23:18.679 a/00000364: 0000 63 61 6c 6c 75 6d                                 callum
544: 14:23:18.679 a/00000364: port (len: 3): ssh
544: 14:23:18.679 a/00000364: 0000 73 73 68                                          ssh
544: 14:23:18.679 a/00000364: rem_addr (len: 13): 120.136.2.115
544: 14:23:18.679 a/00000364: 0000 31 32 30 2e 31 33 36 2e  32 2e 31 31 35           120.136. 2.115
544: 14:23:18.679 a/00000364: data (len: 8): cb5235cb
544: 14:23:18.679 a/00000364: 0000 63 62 35 32 33 35 63 62                         lol
544: 14:23:18.679 a/00000364: ---<end packet>---
544: 14:23:18.679 a/64030000: authen: hdr->seq_no: 1
544: 14:23:18.679 a/64030000: looking for user callum realm default
544: 14:23:18.679 a/64030000: user lookup failed
544: 14:23:18.706 0/00000000: creating user callum in realm default
544: 14:23:18.706 a/64030000: looking for user callum realm default
544: 14:23:18.706 a/64030000: cfg_get: checking user/group callum, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group core-rw, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group read-write, tag (NULL)
544: 14:23:18.706 a/64030000: user lookup succeded
544: 14:23:18.706 a/64030000: cfg_get: checking user/group callum, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group core-rw, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group read-write, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group callum, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group core-rw, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group read-write, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group callum, tag (NULL)
544: 14:23:18.706 a/64030000: cfg_get: checking user/group core-rw, tag (NULL)
544: 14:23:18.706 a/64030000: cal...@120.136.2.115: ACL entire-network line 57: NAS "14.1.32.11" <=> "all"
544: 14:23:18.706 a/64030000: cal...@120.136.2.115: ACL entire-network: NAS matched
544: 14:23:18.706 a/64030000: cal...@120.136.2.115: ACL entire-network: NAC matched (unrestricted)
544: 14:23:18.706 a/64030000: cal...@120.136.2.115: ACL entire-network: Port matched (unrestricted)
544: 14:23:18.706 a/64030000: cal...@120.136.2.115: ACL entire-network: Timespec matched (unrestricted)
544: 14:23:18.706 a/64030000: cal...@120.136.2.115: ACL entire-network: ACL matched (unrestricted)
544: 14:23:18.706 a/64030000: cal...@120.136.2.115: ACL entire-network: match
544: 14:23:18.706 a/64030000: 14.1.32.11: ascii login for 'callum' from 120.136.2.115 on ssh succeeded
544: 14:23:18.706 a/64030000: Writing AUTHEN/PASS size=18
544: 14:23:19.963 b/00000000: cidr match level 0 = all
544: 14:23:19.964 b/2e730000: New session
544: 14:23:19.964 b/0000732e: ---<start packet>---
544: 14:23:19.964 b/0000732e: key used: lol
544: 14:23:19.964 b/0000732e: version: 192, type: 2, seq no: 1, flags: unencrypted
544: 14:23:19.964 b/0000732e: session id: 0000732e data length: 58
544: 14:23:19.964 b/0000732e: AUTHOR priv_lvl=1 authen=1 method=tacacs+ (6) svc=1
544: 14:23:19.964 b/0000732e: user_len=6 port_len=3 rem_addr_len=13 arg_cnt=2
544: 14:23:19.964 b/0000732e: user (len: 6): callum
544: 14:23:19.964 b/0000732e: 0000 63 61 6c 6c 75 6d                                 callum
544: 14:23:19.964 b/0000732e: port (len: 3): ssh
544: 14:23:19.964 b/0000732e: 0000 73 73 68                                          ssh
544: 14:23:19.964 b/0000732e: rem_addr (len: 13): 120.136.2.115
544: 14:23:19.964 b/0000732e: 0000 31 32 30 2e 31 33 36 2e  32 2e 31 31 35           120.136. 2.115
544: 14:23:19.964 b/0000732e: arg[0] (len: 13): service=shell
544: 14:23:19.964 b/0000732e: 0000 73 65 72 76 69 63 65 3d  73 68 65 6c 6c           service= shell
544: 14:23:19.964 b/0000732e: arg[1] (len: 13): cmd=configure
544: 14:23:19.964 b/0000732e: 0000 63 6d 64 3d 63 6f 6e 66  69 67 75 72 65           cmd=conf igure
544: 14:23:19.964 b/0000732e: ---<end packet>---
544: 14:23:19.964 b/2e730000: Start authorization request
544: 14:23:19.981 0/00000000: creating user callum in realm default
544: 14:23:19.981 b/2e730000: cfg_get: checking user/group callum, tag (NULL)
544: 14:23:19.981 b/2e730000: user 'callum' found
544: 14:23:19.981 b/2e730000: cfg_get: checking user/group callum, tag (NULL)
544: 14:23:19.981 b/2e730000: cal...@14.1.32.11: not found: svcname=shell@all cmd=configure
544: 14:23:19.981 b/2e730000: cal...@14.1.32.11: not found: svcname=shell cmd=configure
544: 14:23:19.981 b/2e730000: Writing AUTHOR/FAIL size=18

What am I doing wrong?

Thanks,

Callum

Rodrigo Pescador

May 27, 2015, 12:59:10 AM
to event-driv...@googlegroups.com
Hi,

Please post your complete configuration file, including group and NAS definitions.

About your question: yes, you can set tacacsMember=core-rw for a user in LDAP and tac_plus will perform authorization against this group (core-rw) for every command.

Thanks!

Callum Barr

Jun 1, 2015, 9:04:19 PM
to event-driv...@googlegroups.com
Hi,

Please see below for my config:

#!../../../sbin/tac_plus

id = spawnd {
        listen = {
                port = 49
        }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = no
}

id = tac_plus {
        debug = MAVIS PACKET AUTHEN AUTHOR ACL REGEX
        access log = /var/log/tac_plus/access.log
        accounting log = /var/log/tac_plus/acct.log
        authorization log = /var/log/tac_plus/auth.log

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "tacacs_schema"
                setenv LDAP_HOSTS = "host:389"
                setenv LDAP_BASE = "dc=example,dc=co,dc=nz"
                setenv LDAP_FILTER = "(&(uid=%s)(objectClass=tacacsAccount))"
                setenv FLAG_USE_MEMBEROF = 1
                setenv TACACS_GROUP_PREFIX = ""
                setenv USE_TLS = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        login backend = mavis
        user backend = mavis
        pap backend = mavis
        cache timeout = 5
        single-connection = yes

        #Host Configuration
        host = all {
                address = 0.0.0.0/0
                key = "x"
        }

        #ACL configuration
        acl = entire-network {
                nas = all
        }

        #Group configurations
        group = read-write {
                default service = permit
                debug = AUTHOR PACKET ACL REGEX ACCT AUTHEN
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
                service = junos-exec {
                        set local-user-name = remote-super-user
                }
                service = exec {
                        set priv-lvl = 15
                }
                service = ascii {
                        set priv-lvl = 15
                }
                service = ppp {
                        protocol = all
                }
        }

        group = read-only {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                        cmd = configure { deny .* }
                }
                service = junos-exec {
                        set local-user-name = remote-muppet
                }
        }

        group = core-rw {
                acl = entire-network
                member = read-write@all
        }

        group = core-ro {
                acl = entire-network
                member = read-only@all
        }
}

Marc Huber

Jun 2, 2015, 7:38:14 AM
to event-driv...@googlegroups.com
Hi Callum,


On 26.05.15 04:25, Callum Barr wrote:
> I seem to have a problem where I have an attribute in my LDAP schema
>
> tacacsMember=core-rw
>
> However, this is never used when authorizing commands in tac_plus
>
> Is this method of authorization supported?

Yes, it is.

However, the user created during authentication ...

> 544: 14:23:18.679 a/00000364: ---<end packet>---
> 544: 14:23:18.679 a/64030000: authen: hdr->seq_no: 1
> 544: 14:23:18.679 a/64030000: looking for user callum realm default
> 544: 14:23:18.679 a/64030000: user lookup failed
> 544: 14:23:18.706 0/00000000: creating user callum in realm default

... can't be found during authorization:

> 544: 14:23:19.964 b/0000732e: ---<end packet>---
> 544: 14:23:19.964 b/2e730000: Start authorization request
> 544: 14:23:19.981 0/00000000: creating user callum in realm default
> 544: 14:23:19.981 b/2e730000: cfg_get: checking user/group callum, tag (NULL)
> 544: 14:23:19.981 b/2e730000: user 'callum' found
> 544: 14:23:19.981 b/2e730000: cfg_get: checking user/group callum, tag (NULL)
> 544: 14:23:19.981 b/2e730000: cal...@14.1.32.11: not found: svcname=shell@all cmd=configure
> 544: 14:23:19.981 b/2e730000: cal...@14.1.32.11: not found: svcname=shell cmd=configure
> 544: 14:23:19.981 b/2e730000: Writing AUTHOR/FAIL size=18
>
> What am I doing wrong?

On 26.05.15 04:25, Callum Barr wrote:
>         cache timeout = 5

Values smaller than 11 will keep the process from caching user data. This shouldn't be a problem, unless the backend fails to handle authorization requests correctly.

Could you please retry the "mavistest" call without the password argument? Omitting the password will test authorization instead of authentication, and chances are that authorization doesn't work as expected.

Cheers,

Marc

Callum Barr

Jun 2, 2015, 6:47:14 PM
to event-driv...@googlegroups.com
Hi Marc,

Yup, when I test mavis for authorization info only, I get the following:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-3807-1433285156-0
USER                callum
TACTYPE             INFO


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-3807-1433285156-0
USER                callum
RESULT              ACK
SERIAL              EyF5kjWwfTruTMt5LKpGwg=
TACTYPE             INFO

Any ideas?

Marc Huber

Jun 3, 2015, 1:50:03 AM
to event-driv...@googlegroups.com
Hi Callum,

On 03.06.15 00:47, Callum Barr wrote:
> Output attribute-value-pairs:
> TYPE TACPLUS
> TIMESTAMP mavistest-3807-1433285156-0
> USER callum
> RESULT ACK
> SERIAL EyF5kjWwfTruTMt5LKpGwg=
> TACTYPE INFO
>
> any ideas?
For authentication the Perl script binds to the LDAP server using the actual
user's credentials and then retrieves the attributes. For authorization the LDAP
bind is anonymous, which might not be sufficient, e.g. due to some
ACL that limits anonymous directory access to searching.

First thing I'd try now would be to switch to non-anonymous binds by
setting the LDAP_USER and LDAP_PASSWD environment variables.

Cheers,

Marc
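
To make the point above concrete, here is an added Python diagnostic (not part of tac_plus or mavis_tacplus_ldap.pl) that parses the two mavistest results quoted in this thread and flags the case where TACMEMBER is returned with the user's own bind but missing from the authorization-only INFO query; the `diagnose` helper and its messages are my own heuristic, not a project tool.

```python
"""Compare mavistest AUTH and INFO results for a Mavis LDAP backend.
Added example, not tac_plus or mavis_tacplus_ldap.pl code; the sample
outputs are copied (abridged) from the thread above."""

# Output of the authentication test (with password), copied from the thread.
AUTH_OUTPUT = """\
TYPE                TACPLUS
TIMESTAMP           mavistest-535-1432606858-0
USER                callum
RESULT              ACK
SERIAL              Ui5QrtJQQtfCRk8WlEqqKQ=
TACMEMBER           core-rw
TACTYPE             AUTH
"""

# Output of the authorization-only test (no password), copied from the thread.
INFO_OUTPUT = """\
TYPE                TACPLUS
TIMESTAMP           mavistest-3807-1433285156-0
USER                callum
RESULT              ACK
SERIAL              EyF5kjWwfTruTMt5LKpGwg=
TACTYPE             INFO
"""

def parse_avpairs(text):
    """Turn 'NAME<spaces>VALUE' lines from mavistest into a dict."""
    pairs = {}
    for line in text.splitlines():
        if line.strip():
            name, _, value = line.partition(" ")
            pairs[name] = value.strip()
    return pairs

def diagnose(auth, info):
    """Name the likely cause of AUTHOR/FAIL from the two result dicts
    (my own heuristic, following the explanation given in the thread)."""
    if auth.get("RESULT") != "ACK":
        return "authentication fails; fix credentials or LDAP_FILTER first"
    if info.get("RESULT") != "ACK":
        return "INFO lookup fails; check LDAP_FILTER and the bind used for it"
    if "TACMEMBER" in auth and "TACMEMBER" not in info:
        return ("TACMEMBER only seen with the user's own bind: the anonymous bind "
                "used for authorization likely cannot read tacacsMember, so set "
                "LDAP_USER and LDAP_PASSWD to bind with an account that can")
    if "TACMEMBER" not in auth:
        return "tacacsMember never returned; check the LDAP entry and schema"
    return "TACMEMBER %s returned for both; group should resolve" % info["TACMEMBER"]
```

Feed it the real output of `mavistest` with and without the password argument to see which of the two binds is dropping the membership attribute.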

Callum Barr

Jun 3, 2015, 4:45:24 PM
to event-driv...@googlegroups.com
Hi Marc,

Looks to be working sweet now. Many thanks for your help!

Callum

--
Callum Barr
m...@callumb.com