Ldap cache - sssd/pam


Alexandre Heidemann

Feb 16, 2026, 12:07:28 PM (4 days ago) Feb 16
to Event-Driven Servers

Hello all

I'm trying to configure tac_plus-ng with the PAM backend (users and groups are provided by sssd/LDAP).
The main idea is to have an LDAP cache in case the server goes down.

// Current configs:

mavis module = groups {
    resolve gids = yes
    resolve gids attribute = member
    resolve gids attribute = TACMEMBER
    groups filter = /^(1564800513)$/
}

mavis module = external {
    exec = /usr/local/sbin/pammavis "pammavis" "-s" "tacacs"
}
...
ruleset {
    rule {
        script {
            if (member =~ /1564800513/) {
                profile = net_admin_users_profile
                permit
            }
        }
    }
}
...
But the connection is denied by ACL:

152379: 11:46:57.668 2/7abf004d: 172.27.5.5 ------
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 key used: demo
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 version: 192, type: 1, seq no: 3, flags: unencrypted
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 session id: 7abf004d, data length: 19
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 AUTHEN/CONT user_msg_len=14, user_data_len=0
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 ------
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 authen: hdr->seq_no: 3
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 looking for user alexandre.h realm default
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 user lookup failed
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 looking for user alexandre.h in MAVIS backend
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 >>> sent user av pairs:
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 USER (len: 11): alexandre.h
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 SERVERIP (len: 10): 172.27.5.5
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 IPADDR (len: 12): 10.71.134.27
152379: 11:46:57.668 2/7abf004d: 172.27.5.5 REALM (len: 7): default
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 <<< received user av pairs:
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 USER (len: 11): alexandre.h
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 SERVERIP (len: 10): 172.27.5.5
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 IPADDR (len: 12): 10.71.134.27
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 REALM (len: 7): default
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 UID (len: 10): 1564801147
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 GID (len: 10): 1564800513
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 HOME (len: 17): /home/alexandre.h
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 SHELL (len: 9): /bin/bash
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 GIDS (len: 769): 1564800513,1564803632,1564803841,1564802338,1564809854,1564815523,1564807007,1564825192,1564815531,1564815543,1564828680,1564804471,1564803848,1564804906,1564831876,1564803930,1564806445,1564810517,1564826446,1564806614,1564808229,1564815539,1564819433,1564831709,1564805064,1564835597,1564804904,1564805063,1564804974,1564816724,1564825777,1564835336,1564810002,1564809869,1564827809,1564829477,1564815538,1564818645,1564835568,1564805062,1564802493,1564804905,1564827670,1564803627,1564804462,1564829476,1564815545,1564818104,1564830880,1564806439,1564827438,1564814172,1564804902,1564815527,1564815532,1564815533,1564822677,1564809978,1564810942,1564828420,1564804903,1564804476,1564812757,1564817386,1564815541,1564830287,1564814223,1564812625,1564815536,1564815530
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 IDENTITY_SOURCE (len: 1): 1
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 result for user alexandre.h is ACK [260 ms]
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 looking for user alexandre.h realm default
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 user lookup succeded
152379: 11:46:57.929 2/7abf004d: 172.27.5.5 shell login for 'alexandre.h' from 10.71.134.27 on /dev/pts/0 denied by ACL
152379: 11:46:58.940 2/7abf004d: 172.27.5.5 Writing AUTHEN/FAIL size=38

root@tacacsng:/usr/src/event-driven-servers# mavistest /etc/tac_plus-ng.conf tac_plus-ng TACPLUS alexandre.h pass
Input attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-152384-1771253262-0
USER alexandre.h
PASSWORD pass
TACTYPE AUTH

Output attribute-value-pairs:
TYPE TACPLUS
TIMESTAMP mavistest-152384-1771253262-0
USER alexandre.h
RESULT ACK
PASSWORD pass
UID 1564801147
GID 1564800513
HOME /home/alexandre.h
SERIAL g9+bymQwXXpBei24FUBOUA=
GIDS 1564800513,1564803632,1564803841,1564802338,1564809854,1564815523,1564807007,1564825192,1564815531,1564815543,1564828680,1564804471,1564803848,1564804906,1564831876,1564803930,1564806445,1564810517,1564826446,1564806614,1564808229,1564815539,1564819433,1564831709,1564805064,1564835597,1564804904,1564805063,1564804974,1564816724,1564825777,1564835336,1564810002,1564809869,1564827809,1564829477,1564815538,1564818645,1564835568,1564805062,1564802493,1564804905,1564827670,1564803627,1564804462,1564829476,1564815545,1564818104,1564830880,1564806439,1564827438,1564814172,1564804902,1564815527,1564815532,1564815533,1564822677,1564809978,1564810942,1564828420,1564804903,1564804476,1564812757,1564817386,1564815541,1564830287,1564814223,1564812625,1564815536,1564815530
DBPASSWORD pass
IDENTITY_SOURCE 1
TACTYPE AUTH
SHELL /bin/bash

root@tacacsng:/usr/src/event-driven-servers#

Marc Huber

Feb 16, 2026, 4:21:51 PM (4 days ago) Feb 16
to event-driv...@googlegroups.com

Hi,

please don't ask the same question on the mailing list and GitHub. Pick one, not both.

"member" will check the TACMEMBER attribute, but that's not set because the "groups filter" will match the already resolved GIDs, not the numeric ones.

Cheers,

Marc


Alexandre Heidemann

Feb 17, 2026, 7:16:23 AM (3 days ago) Feb 17
to Event-Driven Servers
Sorry about the duplicate question; I was about to remove it from GitHub but I forgot.

Regarding the member issue, what really worked for me was adding a script out in the groups section:

mavis module = groups {
    resolve gids = yes
    # Group filter (regex)
    groups filter = /GERENCIA_REDES/
    script out {
        # copy the already filtered UNIX group access list to TACMEMBER
        eval $GIDS =~ /^(.*)$/
        set $TACMEMBER = $1
    }
}


With this, I was able to filter the groups correctly.

Is there any way to use a group name with whitespace? There is a group in my LDAP that contains spaces, and I don't have the permission to change it.

[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 TACMEMBER (len: 30): 41302-SET DE GERENCIA DE REDES
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 SERVERIP (len: 10): 172.27.5.5
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 IPADDR (len: 12): 10.71.113.29
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 REALM (len: 13): global_vendor
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 UID (len: 10): 1564801147
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 GID (len: 10): 1564800513
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 HOME (len: 17): /home/alexandre.h
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 SHELL (len: 9): /bin/bash
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 GIDS (len: 30): 41302-SET DE GERENCIA DE REDES
[2026-02-16 15:49:17]  154454: 15:49:16.673 2/08d2ce7c: 172.27.5.5 IDENTITY_SOURCE (len: 1): 2
[2026-02-16 15:49:17]  { member = 41302-SET
[2026-02-16 15:49:17]  alexandre.h:1: Group '41302-SET' not found.
[2026-02-16 15:49:17]  154454: alexandre.h:1: Group '41302-SET' not found.
[2026-02-16 15:49:17]  { member = 41302-SET DE
[2026-02-16 15:49:17]  alexandre.h:1: Expected 'alias', 'debug', 'enable', 'fallback-only', 'hushlogin', 'member', 'message', 'net', 'password', 'profile', 'rewritten-only', 'ssh-key', 'ssh-key-id', 'tag', 'time', 'user.tag' or 'valid', but got 'DE'
[2026-02-16 15:49:17]  154454: alexandre.h:1: Expected 'alias', 'debug', 'enable', 'fallback-only', 'hushlogin', 'member', 'message', 'net', 'password', 'profile', 'rewritten-only', 'ssh-key', 'ssh-key-id', 'tag', 'time', 'user.tag' or 'valid', but got 'DE'
[2026-02-16 15:49:17]  root@tacacsng:/usr/src/tac_plus-ng/etc# /usr/local/sbin/tac_plus-ng -f -d 532518 /etc/tac_plus-ng.conf
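A preflight check for the whitespace problem visible in the log above, as an added example (Python; not part of the thread, of tac_plus-ng or of MAVIS): it parses mavistest-style "KEY value" output and flags group names that the config parser would split at whitespace, which is what the "Group '41302-SET' not found" error shows. The sample input is constructed from values in the thread; the function names are hypothetical.

```python
"""Preflight check for MAVIS group names before they reach tac_plus-ng.

Added example, not code from the thread or from tac_plus-ng. It parses
mavistest-style "KEY value" output and reports group names containing
whitespace, which the tac_plus-ng config parser tokenises as separate words
(the "{ member = 41302-SET" / "Group '41302-SET' not found" lines above).
"""
import re

# Constructed sample in the mavistest output format, based on the thread's values.
SAMPLE_OUTPUT = """\
TYPE TACPLUS
USER alexandre.h
RESULT ACK
UID 1564801147
GID 1564800513
GIDS 41302-SET DE GERENCIA DE REDES,GERENCIA_REDES,1564800513
TACMEMBER 41302-SET DE GERENCIA DE REDES,GERENCIA_REDES
IDENTITY_SOURCE 2
"""


def parse_av_pairs(text):
    """Parse 'KEY value' lines into a dict; the value is everything after the first space."""
    pairs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        pairs[key] = value
    return pairs


def groups_with_whitespace(pairs, attribute="TACMEMBER"):
    """Return the names in a comma-separated group attribute that contain whitespace."""
    names = [g for g in pairs.get(attribute, "").split(",") if g]
    return [g for g in names if re.search(r"\s", g)]


def only_numeric_gids(pairs):
    """True when GIDS still holds numeric IDs only, i.e. names were never resolved."""
    return all(g.isdigit() for g in pairs.get("GIDS", "").split(",") if g)


if __name__ == "__main__":
    av = parse_av_pairs(SAMPLE_OUTPUT)
    for name in groups_with_whitespace(av):
        print(f"warning: group {name!r} contains whitespace; the parser would see only {name.split()[0]!r}")
```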