Tac_Plus-ng & LDAP integration


sujith chadalawada

Jun 17, 2025, 1:58:56 PM
to Event-Driven Servers
Hi Marc,

We are working on introducing tac_plus-ng into our system to perform AAA with OpenLDAP as AD.

Existing Scenario:

We currently use tac_plus for Authorization only, where we use a customized pl script which creates a session file with the list of commands that a user can execute on the NAS. So, when a user tries to run a command, tac_plus verifies it against the session file and allows or denies the user.
The session file is created based on the data from LDAP.


New Requirement:
We are trying to perform Authentication as well, along with Authorization, against LDAP, mainly for Juniper, as it supports either TACACS or RADIUS but not both. As part of this requirement we moved from tac_plus to tac_plus-ng. Upon installing the service, the local account is working fine, but problems occur with LDAP users.

We are able to do the Authentication successfully but the authorization is what I think is failing. I'm attaching our current configuration.

Can you please let us know if authorization can be done using our existing scenario (creating a session file and ignoring the ACLs)?

Any feasibility of using two pl scripts in the MAVIS module?

Appreciate your time & response.

Thank you in advance,
Sujith

Attachment: Tac_plus-ng.cfg

Marc Huber

Jun 17, 2025, 2:44:38 PM
to Event-Driven Servers
Hi Sujith,

On 17.06.2025 19:54, sujith chadalawada wrote:

> Can you please let us know if authorization can be done by using our
> existing scenario (creating a session file and by ignoring the acls).?

no, this won't work. Or, more precisely, you'd have to write a
specialized MAVIS compatible script for that.

> Any feasibility of using two pl scripts in mavis module?
No. While MAVIS modules are stackable your current script won't be
compatible.

Regarding your configuration: most of the LDAP_* environment variables
you're using aren't recognized by mavis_tacplus-ng_ldap.pl. I'd
recommend having a closer look at the "Environment variables" section of
the script to see what's actually supported.

As a next step, you can run mavis_tacplus-ng_ldap.pl from the command
line for testing, with the suitable environment variables set:

printf "0 TACPLUS\n4 $USER\n8 $PASS\n49 AUTH\n=\n" | env \
    LDAP_HOSTS="..." LDAP_BASE="..." \
    /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl

or

printf "0 TACPLUS\n4 $USER\n49 INFO\n=\n" | env \
    LDAP_HOSTS="..." LDAP_BASE="..." \
    /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl

This will show you the resulting attribute-value pairs (47/TACMEMBER is
likely of most interest here).

Cheers,

Marc
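The command-line test Marc describes feeds the MAVIS backend a short text request (one "number value" line per attribute, terminated by "=") and reads back the attribute-value pairs the module returns. The following is an added example, not code from the thread or from tac_plus-ng, that builds that request, runs the module and decodes its reply. It uses only the attribute numbers visible in the thread (0 TYPE, 4 USER, 8 PASSWORD, 49 TACTYPE, 47 TACMEMBER) plus one assumption, attribute 6 as the module's RESULT line; the sample reply is constructed and its 47 value format is made up for illustration. Unlike the printf one-liner, it passes the password on stdin rather than on a command line, so it does not land in shell history or the process list:

```python
"""Drive a MAVIS backend module from the command line and decode its reply.

Added example; not part of the mailing-list thread or of tac_plus-ng.
Attribute numbers 0, 4, 8, 47 and 49 are the ones shown in the thread.
Attribute 6 (RESULT) is an assumption about the MAVIS protocol, not
something the thread states.
"""
import os
import subprocess
from collections import defaultdict
from typing import Dict, List, Optional

ATTR_TYPE = 0        # "TACPLUS"
ATTR_USER = 4        # login name
ATTR_RESULT = 6      # assumed: ACK/NAK/... set by the module
ATTR_PASSWORD = 8    # only needed for TACTYPE AUTH
ATTR_TACMEMBER = 47  # group membership the LDAP module resolves
ATTR_TACTYPE = 49    # "AUTH" or "INFO"


def build_mavis_query(user: str, password: Optional[str] = None,
                      tactype: str = "AUTH") -> str:
    """Build the request exactly as the thread shows it, '=' terminated."""
    if tactype not in ("AUTH", "INFO"):
        raise ValueError("tactype must be AUTH or INFO")
    # A newline inside a value would inject extra attribute lines into the
    # request, so refuse it instead of letting it through.
    if "\n" in user or (password is not None and "\n" in password):
        raise ValueError("newline in attribute value")
    lines = [f"{ATTR_TYPE} TACPLUS", f"{ATTR_USER} {user}"]
    if password is not None:
        lines.append(f"{ATTR_PASSWORD} {password}")
    lines.append(f"{ATTR_TACTYPE} {tactype}")
    lines.append("=")
    return "\n".join(lines) + "\n"


def parse_mavis_response(text: str) -> Dict[int, List[str]]:
    """Decode 'number value' lines up to the '=' terminator into {attr: [values]}.

    Values are kept verbatim; the module decides their internal format."""
    attrs: Dict[int, List[str]] = defaultdict(list)
    for line in text.splitlines():
        if line == "=":
            break
        if not line.strip():
            continue
        num, _, value = line.partition(" ")
        attrs[int(num)].append(value)
    return dict(attrs)


def run_mavis_module(script_path: str, ldap_env: Dict[str, str], user: str,
                     password: Optional[str] = None, tactype: str = "AUTH",
                     timeout: int = 30) -> Dict[int, List[str]]:
    """Run e.g. /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl the way the
    thread suggests, but with the password on stdin and LDAP_* settings
    merged into the environment rather than typed on a command line."""
    query = build_mavis_query(user, password, tactype)
    env = {**os.environ, **ldap_env}
    proc = subprocess.run([script_path], input=query, env=env,
                          capture_output=True, text=True, timeout=timeout)
    return parse_mavis_response(proc.stdout)


# Constructed sample reply for offline use; the quoting of the 47 value is
# invented here, check what the real module prints.
SAMPLE_RESPONSE = (
    "0 TACPLUS\n"
    "4 alice\n"
    "6 ACK\n"
    '47 "netadmins","juniper-ro"\n'
    "49 AUTH\n"
    "=\n"
)

if __name__ == "__main__":
    print(build_mavis_query("alice", "s3cret"), end="")
    print(parse_mavis_response(SAMPLE_RESPONSE))
```

Call `run_mavis_module("/usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl", {"LDAP_HOSTS": "...", "LDAP_BASE": "..."}, "alice", "s3cret")` for an AUTH round trip, or the same with `tactype="INFO"` and no password to see only the group lookup; inspect key 47 of the returned dict to confirm TACMEMBER comes back with the groups your tac_plus-ng ACLs expect.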

