Hi All,
I've set up tac_plus with AD authentication and everything seems to be working fine. I just wanted to know whether it's possible to add a second authentication method (Google authentication or WiKID). My config is given below. Another problem I'm facing is that LDAPS doesn't seem to work for me, perhaps because of the self-signed AD certificate. Is there a way to skip certificate validation, or is it some other problem? When I run `openssl s_client -connect 192.168.1.10:636` I get: "SSL handshake has read 4431 bytes and written 370 bytes. Verification error: unable to verify the first certificate. read:errno=104."
#!/usr/local/sbin/tac_plus
# spawnd section: the listener / worker-process supervisor for tac_plus.
id = spawnd {
# Accept TACACS+ on TCP/49 (the standard port). No bind address is given,
# so only the port is constrained here.
listen = { port = 49 }
# Worker pool bounds: keep at least one instance, grow to at most ten.
spawn = {
instances min = 1
instances max = 10
}
# Detach from the terminal after start-up.
background = yes
}
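# tac_plus section: the daemon itself.
# Every secret in this section (LDAP bind password, enable password,
# TACACS+ shared key, local user password) is stored in clear text, so the
# file's read permissions are the only thing protecting them.
id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
# External MAVIS backend: user lookup/authentication against Active
# Directory through the bundled LDAP helper script; its settings are passed
# as environment variables.
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
# Both AD hosts are addressed on plain LDAP (389); the bind credentials
# below travel over that connection unless the helper negotiates TLS.
# The LDAPS (636) attempt described in the post fails certificate
# verification, so nothing here uses it yet.
# (Rejoined onto one line; the posted config had the value split.)
setenv LDAP_HOSTS = "172.17.5.1:389 172.17.5.2:389"
setenv LDAP_BASE = "OU=Test,DC=example,DC=com"
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
# Bind account for the directory search. Value as posted (the address was
# redacted by the mailing list and the line was split; rejoined here).
setenv LDAP_USER = "lda...@example.com"
# Clear-text bind password for the account above.
setenv LDAP_PASSWD = "Abcd98798798"
# Presumably the AD group-name prefix the helper maps onto tac_plus groups
# -- verify against the helper's documentation.
setenv AD_GROUP_PREFIX = "Network Management Team"
# Left disabled in the posted config. NOTE(review): with this unset the
# helper presumably does not require a prefixed AD group for a user to be
# accepted -- confirm this matches the intended access policy.
#setenv REQUIRE_TACACS_GROUP_PREFIX = 1
# Rejoined onto one line (was split across two lines in the post).
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
# All three backends go through the MAVIS module above.
login backend = mavis
user backend = mavis
pap backend = mavis
# Single host entry matching every client address, so the one shared key
# below is used by every device that can reach the listener.
host = world {
address = ::/0
prompt = "TACACS+ Authentication Server"
# Clear-text enable password for privilege level 15, common to all clients.
enable 15 = clear abcd123456
# TACACS+ shared secret, in clear text and common to all clients.
key = cisco
}
# Full-access group: shell at priv-lvl 15, everything permitted by default.
group = admin {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
# Restricted group: shell at priv-lvl 1, enable explicitly denied.
group = guest {
default service = permit
enable = deny
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 1
}
}
# Local account with a clear-text password and admin membership at
# priv-lvl 15. NOTE(review): presumably this password is checked locally
# rather than via the AD backend -- confirm, since it is a fallback login.
user = cisco {
password = clear cisco
member = admin
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
# Directory-backed users mapped onto the admin group.
user = example.user {
member = admin
}
user = another.user {
member = admin
}
user = another.user1 {
member = admin
}
# No group membership and no services are defined here -- confirm this is
# intentional, as nothing in this entry grants the user shell access.
user = another.user2 {
}
}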