Realms and subrealms explanation


Martin

May 27, 2025, 2:33:59 PM
to Event-Driven Servers
Hi all,

I am trying to implement tac_plus-ng with multiple realms, but it seems that only the default realm is working for me.
Can someone explain if it is possible to create subrealms under the default realm? To make it clearer, I am adding my example configuration.

I believe tenant1-router should match subrealm tenant1. But it does not work; tenant2-router has the same problem.

#!../../../sbin/tac_plus-ng

# spawnd: single port for all realms
id = spawnd {
    listen { port = 49 }
}

# tac_plus-ng server
id = tac_plus-ng {

    # MAVIS: system users and groups
    mavis module = groups {
        resolve gids = yes
        resolve gids attribute = TACMEMBER
        groups filter = /^(aaa-login|admin|helpdesk)$/
    }
    mavis module = external {
        exec = /usr/local/sbin/pammavis "pammavis" "-s" "sshd"
    }
    user backend = mavis
    login backend = mavis chpass
    pap backend = mavis

    # Logging
    log mainlog {
        destination = "/var/log/tac_plus/tac_plus-%Y-%m-%d.log"
    }
    log acctlog {
        destination = "/var/log/tac_plus/tac_plus_acct-%Y-%m-%d.log"
    }
    authentication log = mainlog
    authorization log = mainlog
    accounting log = acctlog

    # Groups (must be declared for rule matching)
    group aaa-login
    group admin
    group helpdesk

    # Realm: TENANT 1
    realm tenant1 {
        profile priv {
            script {
                if (service == shell) {
                    if (cmd == "") { set priv-lvl = 15; permit }
                }
                permit
            }
        }

        ruleset {
            rule group-map {
                enabled = yes
                script {
                    if (group == aaa-login) { profile = priv permit }
                    deny
                }
            }
        }
    }

    # Realm: TENANT 2
    realm tenant2 {
        profile priv10 {
            script {
                if (service == shell) {
                    if (cmd == "") { set priv-lvl = 10; permit }
                }
                permit
            }
        }

        ruleset {
            rule group-map {
                enabled = yes
                script {
                    if (group == aaa-login) { profile = priv10 permit }
                    deny
                }
            }
        }
    }

    # Realm: MIGRATION
    realm migration {
        profile readonly {
            script {
                if (service == shell) {
                    if (cmd == "") { set priv-lvl = 1; permit }
                }
                permit
            }
        }

        ruleset {
            rule group-map {
                enabled = yes
                script {
                    if (group == aaa-login) { profile = readonly permit }
                    deny
                }
            }
        }
    }
   
    # Device mapping at top-level with target-realm routing
    device tenant1-router {
        key = "key2025"
        address = 172.19.96.41/32
        target-realm = tenant1
    }

    device tenant2-router {
        key = "demo"
        address = 10.202.6.18/32
        target-realm = tenant2
    }

    device migration-router {
        key = "MigrationKey"
        address = 10.0.2.1/32
        target-realm = migration
    }
}
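The usual failure mode with a layout like the one above is a cross-reference that does not resolve (a device whose target-realm names a realm that was never declared, a ruleset that assigns a profile declared in another realm) or two devices that claim the same client address, so that which key and realm apply depends on match order. The following lint is an added example, not part of this thread and not tac_plus-ng's own parser: it parses a condensed form of the posted configuration (constructed sample) and checks those three things. It only understands the brace-structured subset the posted config uses, with statements ending at a newline or ";", and it assumes that a subrealm may use profiles declared in an enclosing realm; both are assumptions, not documented tac_plus-ng semantics.

```python
# Added lint for a tac_plus-ng style realm/device config. Not tac_plus-ng's own
# parser: it covers the brace-structured subset of the posted config only.
import ipaddress
import re

# Constructed sample: a condensed form of the config posted above.
SAMPLE = '''#!../../../sbin/tac_plus-ng
id = tac_plus-ng {
    realm tenant1 {
        profile priv { script { if (cmd == "") { set priv-lvl = 15; permit } permit } }
        ruleset { rule group-map { script { if (group == aaa-login) { profile = priv permit } deny } } }
    }
    realm tenant2 {
        profile priv10 { script { if (cmd == "") { set priv-lvl = 10; permit } permit } }
        ruleset { rule group-map { script { if (group == aaa-login) { profile = priv10 permit } deny } } }
    }
    device tenant1-router {
        key = "key2025"
        address = 172.19.96.41/32
        target-realm = tenant1
    }
    device tenant2-router {
        key = "demo"
        address = 10.202.6.18/32
        target-realm = tenant2
    }
}
'''

def parse(text, pos=0):
    """Return (nodes, pos); a node is (header, children) for 'header { ... }'."""
    nodes, buf = [], ''
    while pos < len(text):
        ch = text[pos]
        if ch == '"':                      # keep quoted strings intact
            end = text.index('"', pos + 1)
            buf, pos = buf + text[pos:end + 1], end + 1
        elif ch == '{':                    # header opens a nested block
            kids, pos = parse(text, pos + 1)
            nodes.append((buf.strip(), kids))
            buf = ''
        elif ch in '}\n;':                 # end of statement (or of the block)
            if buf.strip():
                nodes.append((buf.strip(), []))
            if ch == '}':
                return nodes, pos + 1
            buf, pos = '', pos + 1
        else:
            buf, pos = buf + ch, pos + 1
    return nodes, pos

def children_named(nodes, keyword):        # (name, children) for '<keyword> <name>' headers
    for header, kids in nodes:
        parts = header.split()
        if len(parts) == 2 and parts[0] == keyword:
            yield parts[1], kids

def setting(nodes, key):                   # value of 'key = value' (quotes stripped) or None
    for header, _ in nodes:
        m = re.fullmatch(re.escape(key) + r'\s*=\s*"?([^"]*?)"?', header)
        if m:
            return m.group(1)
    return None

def profile_refs(nodes):                   # every 'profile = NAME' reference below nodes
    refs = []
    for header, kids in nodes:
        m = re.search(r'\bprofile\s*=\s*(\S+)', header)
        refs += ([m.group(1)] if m else []) + profile_refs(kids)
    return refs

def lint_realm(nodes, realm, inherited, known, findings):
    # Assumption: a subrealm may use profiles declared in an enclosing realm.
    profiles = inherited | {n for n, _ in children_named(nodes, 'profile')}
    for header, kids in nodes:
        if header == 'ruleset':
            for ref in profile_refs(kids):
                if ref not in profiles:
                    findings.append(f'realm {realm}: ruleset references undeclared profile {ref}')
    nets = []                              # (device, network) pairs seen in this scope
    for dev, kids in children_named(nodes, 'device'):
        target = setting(kids, 'target-realm')
        if target is not None and target not in known:
            findings.append(f'device {dev}: target-realm {target} is not declared anywhere')
        if setting(kids, 'address'):
            net = ipaddress.ip_network(setting(kids, 'address'), strict=False)
            # Overlapping device addresses make key/realm selection order-dependent.
            findings += [f'device {dev}: address {net} overlaps device {o} ({n})'
                         for o, n in nets if net.overlaps(n)]
            nets.append((dev, net))
    for sub, kids in children_named(nodes, 'realm'):
        lint_realm(kids, sub, profiles, known, findings)

def lint(text):
    """Return a list of findings; an empty list means every reference resolves."""
    text = re.sub(r'(?m)^[ \t]*#.*$', '', text)      # drop shebang and comment lines
    known = set(re.findall(r'(?m)^\s*realm\s+(\S+)\s*\{', text))
    findings = []
    for header, kids in parse(text)[0]:
        if header == 'id = tac_plus-ng':                # top-level block is the default realm
            lint_realm(kids, 'default', set(), known, findings)
    return findings
```

Running lint(SAMPLE) on the sample returns an empty list, so the posted layout is internally consistent and the problem Martin saw was not a dangling reference; misspelling a target-realm, pointing a ruleset at a profile from the other realm, or widening one device's address to cover the other's each produce one finding.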

Marc Huber

May 27, 2025, 2:37:37 PM
to event-driv...@googlegroups.com
Hi,

commit f56cc9d8c66bdee440d8b351da74f6f5b74390aa should resolve the
issues you're seeing.

https://github.com/MarcJHuber/event-driven-servers/discussions/164

Cheers,

Marc


On 27.05.2025 09:50, Martin wrote:
> Hi all,
>
> I am trying to implement tac_plus-ng with multiple realms, but it seems
> that only the default realm is working for me.
> Can someone explain if it is possible to create subrealms under the
> default realm? To make it clearer, I am adding my example configuration.
>
> I believe tenant1-router should match subrealm tenant1. But it does
> not work; tenant2-router has the same problem.

<snip>

