SQL backend for MAVIS external module


saskiat

Sep 26, 2010, 6:00:02 PM
to Event-Driven Servers
Hi all,
I would like to use a SQL backend for the MAVIS external module.
Do you have any experience with this?
Of course, an existing "mavis_tacplus_sql.pl" and "SQL schema" would
be best :)

Thanks,
saskiat

Marc Huber

Sep 27, 2010, 10:46:16 AM
to Event-Driven Servers
Hi Saskiat,

writing a SQL backend would be trivial. We're talking Perl after all.
However, neither schema nor support scripts exist, and while the
backend script would be easy, I'd imagine that a SQL backend would
require a lot more. E.g., a frontend to create new users, to change
users, ...

A SQL backend might prove useful if there's a pre-existing database
that's already populated with user objects (or table entries,
whatever). However, for new setups I don't see any advantage over
using LDAP -- unless accounting logs are to be stored in the database,
too.

Cheers,

Marc

saskia s.

Sep 27, 2010, 11:24:42 AM
to event-driv...@googlegroups.com

Hi Marc,
Thank you for your quick reply :)
You're totally right! I'm working on a TACACS management system
with a PHP frontend and a SQL backend, but I'm not
familiar with Perl, so that's why I asked
about the support script.

In our system we have a master LDAP server
used only for authentication of the users.
The management system is primarily based on SQL.
So the final idea is (and this is also a question to you)
whether it is possible to set up tac_plus in this configuration:
to authenticate users via mavis external with an LDAP backend, and
to do authorization (group assignment, permit/deny commands, tacacsprofile)
via mavis external with a SQL backend.

Thanks,

saskiat





Marc Huber

Sep 27, 2010, 1:46:45 PM
to Event-Driven Servers
Hi Saskiat,

using SQL for authorization and LDAP for authentication shouldn't be
too hard. You'd need two "mavis" modules which will be called in
sequence:


mavis module = external {
    exec = /usr/local/lib/mavis/mavis_tacplus_sql.pl
}
mavis module = external {
    exec = /usr/local/lib/mavis/mavis_ldap_authonly.pl
}

The tricky part is obviously the mavis_tacplus_sql.pl script. I'll
attach some code below that might give you a start.

Cheers,

Marc

--- 8< ---
#!/usr/bin/perl -w

use strict;

use lib '/usr/local/lib/mavis';
use Mavis;
use DBI;

$| = 1;                 # unbuffered stdout: tac_plus waits for each reply

my ($in);

$/ = "\n=\n";           # a MAVIS request record ends with a line consisting of "="

# Look up the tac_plus profile of a user. The username is passed as a bind
# parameter: concatenating it into the query string would break on any name
# containing a quote and would let a remote user inject SQL.
sub lookup_profile_in_sql_db($) {
    my ($user) = @_;
    my $res = undef;
    my $dbi = DBI->connect ("DBI:mysql:mydb", "user", "pass",
                            { RaiseError => 1 }) or die $DBI::errstr;
    my $q = $dbi->prepare("select profile from usertable where user = ?");
    $q->execute($user);
    my @arr = $q->fetchrow_array;
    $res = $arr[0] if $#arr > -1;
    $q->finish;
    $dbi->disconnect;
    $res;
}

while ($in = <>) {
    my ($line, @V, $result, $profile);

    @V = ();
    $result = MAVIS_DEFERRED;

    chomp $in;

    # Each request line is "<attribute number> <value>".
    foreach $line (split (/\n/, $in)) {
        next unless $line =~ /^(\d+) (.*)$/;
        $V[$1] = $2;
    }

    # Only TACACS+ requests are ours; anything else goes to the next module.
    if (defined $V[AV_A_TYPE] && $V[AV_A_TYPE] ne AV_V_TYPE_TACPLUS) {
        $result = MAVIS_DOWN;
        goto bye;
    }
    $profile = lookup_profile_in_sql_db($V[AV_A_USER]);

    if (defined $profile) {
        $V[AV_A_TACPROFILE] = $profile;
        $V[AV_A_RESULT] = AV_V_RESULT_OK;
        if (defined $V[AV_A_TACTYPE] && $V[AV_A_TACTYPE] eq AV_V_TACTYPE_INFO) {
            # Authorization-only query: the profile is all that is needed.
            $result = MAVIS_FINAL;
        } else {
            # Authentication: hand down to the LDAP module for the password check.
            $result = MAVIS_DOWN;
        }
    } else {
        # Unknown user: reject here; the LDAP module is not consulted.
        $V[AV_A_RESULT] = AV_V_RESULT_FAIL;
        $result = MAVIS_FINAL;
    }
bye:
    # Reply: every defined attribute/value pair, then "=<result>".
    my ($out) = "";
    for (my $i = 0; $i <= $#V; $i++) {
        $out .= sprintf ("%d %s\n", $i, $V[$i]) if defined $V[$i];
    }
    $out .= sprintf ("=%d\n", $result);
    print $out;
}
--- 8< ---
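
The chaining Marc describes (SQL answers the authorization lookup, the LDAP module is only consulted for the password) is the interesting part of the script, and the lookup is also where a backend of this kind is most easily broken: the username arrives from the network and ends up in a query. The block below is an added example, not Marc's code and not part of the tac_plus distribution. It re-implements the same external-module dispatch in Python against an in-memory SQLite table, with the username bound as a query parameter, and includes the stdin/stdout loop a tac_plus `exec =` module runs. The MAVIS attribute and result numbers are assumed placeholders for the constants Mavis.pm exports; the logic does not depend on their values. The table content and the request records are constructed for the demonstration.

```python
"""Added example: a MAVIS external-module backend in Python with a parameterised
SQL profile lookup.  The external protocol is plain text: a request is a run of
"<attribute-number> <value>" lines terminated by a line "=", the reply is the
(possibly modified) attribute lines followed by "=<result-code>"."""
import sqlite3
import sys

# ASSUMED numeric values standing in for the real constants from Mavis.pm/mavis.h.
AV_A_TYPE, AV_A_USER, AV_A_RESULT, AV_A_TACTYPE, AV_A_TACPROFILE = 0, 2, 6, 20, 21
AV_V_TYPE_TACPLUS = "TACPLUS"
AV_V_TACTYPE_INFO = "INFO"
AV_V_RESULT_OK, AV_V_RESULT_FAIL = "ACK", "NAK"
MAVIS_FINAL, MAVIS_DOWN = 0, 16


def parse_request(record):
    """One request record -> {attribute_number: value}.
    Lines not shaped "<digits> <value>" are ignored, as in the Perl script."""
    avs = {}
    for line in record.split("\n"):
        num, sep, value = line.partition(" ")
        if sep and num.isdigit():
            avs[int(num)] = value
    return avs


def serialize_response(avs, result):
    """Attribute lines in ascending order, then the "=<result>" terminator."""
    lines = ["%d %s" % (k, avs[k]) for k in sorted(avs)]
    lines.append("=%d" % result)
    return "\n".join(lines) + "\n"


def lookup_profile(conn, user):
    """Bind the username; it is data to the database, never part of the SQL text."""
    row = conn.execute(
        "SELECT profile FROM usertable WHERE user = ?", (user,)
    ).fetchone()
    return row[0] if row else None


def handle_request(conn, record):
    """Same dispatch as the Perl script: SQL supplies the authorization profile,
    authentication is handed on to the next module in the chain (MAVIS_DOWN)."""
    avs = parse_request(record)
    if avs.get(AV_A_TYPE) not in (None, AV_V_TYPE_TACPLUS):
        return avs, MAVIS_DOWN          # not a TACACS+ request: not ours
    profile = lookup_profile(conn, avs.get(AV_A_USER, ""))
    if profile is None:
        avs[AV_A_RESULT] = AV_V_RESULT_FAIL
        return avs, MAVIS_FINAL         # unknown user: reject right here
    avs[AV_A_TACPROFILE] = profile
    avs[AV_A_RESULT] = AV_V_RESULT_OK
    if avs.get(AV_A_TACTYPE) == AV_V_TACTYPE_INFO:
        return avs, MAVIS_FINAL         # authorization-only query: done
    return avs, MAVIS_DOWN              # authentication: LDAP module checks password


def demo_db():
    """Constructed in-memory table standing in for the real usertable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (user TEXT PRIMARY KEY, profile TEXT)")
    conn.execute("INSERT INTO usertable VALUES ('alice', '{ default service = permit }')")
    return conn


def serve(conn, stream_in=sys.stdin, stream_out=sys.stdout):
    """Loop a tac_plus 'exec' module runs: records are delimited by a line "=" ."""
    buf = ""
    for line in stream_in:
        buf += line
        if buf.endswith("\n=\n") or buf == "=\n":
            avs, result = handle_request(conn, buf[:-2])
            stream_out.write(serialize_response(avs, result))
            stream_out.flush()
            buf = ""


if __name__ == "__main__":
    serve(demo_db())
```

Feeding a username such as `alice' OR '1'='1` through `handle_request` yields a FAIL reply with no profile attached, because the bind parameter keeps the quote inside the value; with the original string concatenation the same input would have reached the SQL parser.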

saskia s.

Oct 12, 2010, 12:02:53 PM
to event-driv...@googlegroups.com

Hi,

Thank you Marc for the attached code; after some tests, it looks
like it works :)

Cheers,

saskiat



