tac_plus with LDAP auth


Javo Mora

Jan 5, 2026, 12:33:17 PM
to Event-Driven Servers
Hi. 

I'm having some issues authenticating users with LDAP.

The user is a member of the AD group tacacsNetworkAdmin.
The config file:
#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = {
        port = 49
    }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}

id = tac_plus {
    #log authzlog { destination = /var/log/tac_plus/access_%Y-%m-%d.log }
    #log authclog { destination = /var/log/tac_plus/auth_%Y-%m-%d.log }
    #log acctlog  { destination = /var/log/tac_plus/acct_%Y-%m-%d.log }
    #accounting log = acctlog
    #authentication log = authclog
    #authorization log = authzlog
    accounting log = /var/log/tac_plus/acct.log
    #accounting log = syslog;
    authentication log = /var/log/tac_plus/auth.log
    #authentication log = syslog;
    authorization log = /var/log/tac_plus/access.log
    #authorization log = syslog;
    retire limit = 1000
    debug = ALL

    #group = Admins {
    #    default service = permit
    #    service = fortigate {
    #        #default command = permit
    #        default attribute = permit
    #        set priv-lvl = 15
    #        set vdom = "root"
    #        set admin_prof = "super_admin"
    #    }
    #}
    #user = fortildap {
    #    login = clear "welcome@1"
    #    pap = clear "welcome@1"
    #    member = Admins
    #}

    mavis module = external {
        # Optionally:
        # script out = {
        #     if (undef($TACMEMBER) && $RESULT == ACK) set RESULT = NAK
        # }

        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldap://x.x.x.x:389"   # hidden on purpose
        setenv LDAP_BASE = "dc=xxxx,dc=com"         # hidden on purpose
        setenv LDAP_USER = ******                   # hidden on purpose
        setenv LDAP_PASSWD = "*****"                # hidden on purpose
        setenv REQUIRE_AD_GROUP_PREFIX = 0          # I have tried it with this enabled and get the same results.
        setenv FLAG_CHPW = 1
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        setenv FLAG_USE_MEMBEROF = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    user backend = mavis    # query backend for users
    login backend = mavis   # authenticate login via backend
    pap backend = mavis     # authenticate PAP via backend

    host = world {
        address = ::/0
        prompt = "Welcome\n"
        key = cisco
    }

    host = FortiGates {
        address = 10.227.0.0/20
        key = "******"   # hidden on purpose
    }

    host = helpdesklab {
        address = 192.168.34.16/28
    }

    # A user will be in the "admin" group if he's member of the
    # corresponding "tacacsadmin" ADS group. See $tacacsGroupPrefix
    # and $require_tacacsGroupPrefix in the code.
    group = NetworkAdmins {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
            set vdom = "root"
            set admin_prof = "super_admin"
        }
    }
    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    # A user will be in the "helpdesk" group if he's member of the
    # corresponding "tacacshelpdesk" ADS group:
    group = helpdesk {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 1
        }
        enable = deny
        member = admin@helpdesklab
    }
}

Script test result
Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-12408-1767630432-0
USER                 username
PASSWORD            P0l1ciaNPPR
TACTYPE             AUTH
Output attribute-value-pairs:
MEMBEROF            "CN=tacacsNetworkAdmins,OU=Grupos,DC=xxxxx,DC=com" 
TIMESTAMP           mavistest-12408-1767630432-0
USER                 username
DN                  CN= username,OU=Grupos,DC=xxxxx,DC=com
RESULT              ACK
PASSWORD            xxxxxxxx
SERIAL              MNbUIZB77D7B3N/8MOnf7w=
IDENTITY_SOURCE     0
TACMEMBER           "NetworkAdmins"
TACTYPE             AUTH

TACACS DEBUG
12451: 16:36:07.872 0/00000000: - cidr match level 1 = FortiGates
12451: 16:36:07.872 0/00000000: - cidr match level 0 = world
12451: 16:36:07.872 0/00000000: - connection request from 10.227.8.142
12451: 16:36:07.872 0/841450cc: 10.227.8.142 New session
12451: 16:36:07.872 0/841450cc: 10.227.8.142 ---<start packet>---
12451: 16:36:07.872 0/841450cc: 10.227.8.142 key used: *******
12451: 16:36:07.872 0/841450cc: 10.227.8.142 version: 193, type: 1, seq no: 1, flags: unencrypted
12451: 16:36:07.872 0/841450cc: 10.227.8.142 session id: cc501484, data length: 42
12451: 16:36:07.872 0/841450cc: 10.227.8.142 packet body [partially masked] (len: 42): \001\000\002\001\t\000\016\vusername67.206.240.190***********
12451: 16:36:07.872 0/841450cc: 10.227.8.142 0000 01 00 02 01 09 00 0e 0b  66 6f 72 74 69 6c 64 61  ........ fortilda
12451: 16:36:07.872 0/841450cc: 10.227.8.142 0010 70 36 37 2e 32 30 36 2e  32 34 30 2e 31 39 30 2a  p67.206. 240.190*
12451: 16:36:07.872 0/841450cc: 10.227.8.142 0020 2a 2a 2a 2a 2a 2a 2a 2a  2a 2a                    ******** **
12451: 16:36:07.872 0/841450cc: 10.227.8.142 AUTHEN/START, priv_lvl=0
12451: 16:36:07.872 0/841450cc: 10.227.8.142 action=login (1)
12451: 16:36:07.872 0/841450cc: 10.227.8.142 authen_type=pap (2)
12451: 16:36:07.872 0/841450cc: 10.227.8.142 service=login (1)
12451: 16:36:07.872 0/841450cc: 10.227.8.142 user_len=9 port_len=0 rem_addr_len=14
12451: 16:36:07.872 0/841450cc: 10.227.8.142 data_len=11
12451: 16:36:07.872 0/841450cc: 10.227.8.142 user (len: 9):  username
12451: 16:36:07.872 0/841450cc: 10.227.8.142 port (len: 0):
12451: 16:36:07.872 0/841450cc: 10.227.8.142 rem_addr (len: 14): 67.206.240.190
12451: 16:36:07.872 0/841450cc: 10.227.8.142 ---<end packet>---
12451: 16:36:07.872 0/841450cc: 10.227.8.142 authen: hdr->seq_no: 1
12451: 16:36:07.872 0/841450cc: 10.227.8.142 looking for user  username  realm default
12451: 16:36:07.872 0/841450cc: 10.227.8.142 user lookup failed
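
One detail in the debug output above deserves a look independent of the LDAP problem: tac_plus prints "flags: unencrypted" for the START packet from 10.227.8.142, meaning the FortiGate set TAC_PLUS_UNENCRYPTED_FLAG, so the body of that packet, including the PAP password that tac_plus masks with asterisks in the dump, crossed the network without the RFC 8907 body obfuscation. The Python below is an added example, not tac_plus code and not from the thread: it rebuilds the packet from the posted lines (the 12-byte header from the printed values version 193, type 1, seq 1, unencrypted flag, session id cc501484, length 42; the 42-byte body from the hex dump), decodes the header and the authentication START body, flags the cleartext case, and shows what the same packet looks like once the flag is cleared and the body is obfuscated with the RFC 8907 MD5 pseudo-pad. The shared secret "cisco" is an assumption taken from the catch-all "world" host; the real FortiGates key is masked on the page.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # RFC 8907 section 4.1
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}
AUTHEN_TYPES = {1: "ascii", 2: "pap", 3: "chap", 5: "mschap", 6: "mschapv2"}

# Constructed from the posted debug lines: header rebuilt from the printed
# values (version 193, type 1, seq 1, flags 1, session cc501484, length 42),
# body copied from the hex dump.
HEADER = bytes.fromhex("c1010101" "cc501484" "0000002a")
BODY = bytes.fromhex(
    "0100020109000e0b"                   # action, priv_lvl, authen_type, service, 4 length bytes
    "666f7274696c646170"                 # user "fortildap"
    "36372e3230362e3234302e313930"       # rem_addr "67.206.240.190"
    + "2a" * 11                          # data = the PAP password, masked by tac_plus
)
PACKET = HEADER + BODY


def parse_header(pkt: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return {
        "version": version, "major": version >> 4, "minor": version & 0x0F,
        "type": PACKET_TYPES.get(ptype, ptype), "seq_no": seq_no,
        "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "session_id": session_id, "length": length,
    }


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 blocks over session_id|key|version|seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(hdr: dict, body: bytes, key: bytes) -> bytes:
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def parse_authen_start(body: bytes) -> dict:
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    fields, off = {}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    if off != len(body):
        raise ValueError("START body does not match its length fields (wrong key?)")
    return {
        "action": action, "priv_lvl": priv_lvl, "service": service,
        "authen_type": AUTHEN_TYPES.get(authen_type, authen_type),
        "user": fields["user"].decode(), "port": fields["port"].decode(),
        "rem_addr": fields["rem_addr"].decode(), "data_len": dlen,
    }


def audit(pkt: bytes, key: bytes) -> dict:
    """Decode one packet and say whether a PAP password crossed the wire in clear."""
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr["length"]]
    if not hdr["unencrypted"]:
        body = obfuscate(hdr, body, key)
    start = parse_authen_start(body) if hdr["type"] == "AUTHEN" and hdr["seq_no"] == 1 else {}
    cleartext = hdr["unencrypted"] and start.get("authen_type") == "pap"
    return {**hdr, **start, "cleartext_password_on_wire": cleartext}


def protect(pkt: bytes, key: bytes) -> bytes:
    """What the same packet looks like when the NAS obfuscates it properly."""
    hdr = parse_header(pkt)
    if not hdr["unencrypted"]:
        return pkt
    body = obfuscate(hdr, pkt[12:12 + hdr["length"]], key)
    return pkt[:3] + bytes([pkt[3] & ~TAC_PLUS_UNENCRYPTED_FLAG]) + pkt[4:12] + body


if __name__ == "__main__":
    for k, v in audit(PACKET, b"cisco").items():
        print(f"{k:28} {v}")
```

For the posted packet, audit() reports cleartext_password_on_wire True; for protect(PACKET, key) it reports False and still decodes the same user and rem_addr, because the pad depends only on header fields the peer already has plus the shared key. The pseudo-pad is obfuscation, not encryption, so the real fix is a TACACS+ client that does not set the flag, plus a key that is neither well known nor shared with a catch-all host: the posted config answers ::/0 with key = cisco and defines helpdesklab without any key at all.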

Marc Huber

Jan 6, 2026, 4:49:05 AM
to event-driv...@googlegroups.com

Hi,

that debug output is incomplete. The initial user lookup will always fail for non-local or uncached users, and the omitted lines after the ones you've posted might give more insight. Also, you can reconfigure with "--debug" to see more verbose MAVIS debug output.

Please keep in mind that tac_plus is deprecated.

Cheers,

Marc

On 05.01.2026 17:38, Javo Mora wrote:
<snip>
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/a8fdffeb-9110-4593-93f4-ff11b03338d8n%40googlegroups.com.
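
Marc's point is that "user lookup failed" is the normal first step for a MAVIS-backed user, so the lines worth reading are the ones after it. Until that verbose output is available, the mavistest result already posted can be cross-checked against the config. The Python below is an added example, not part of the thread and not tac_plus or MAVIS code: it parses the attribute-value pairs mavistest printed, applies the rule from the config's commented-out "script out" block (an ACK with no TACMEMBER becomes a NAK), derives the expected tac_plus group from MEMBEROF by stripping the AD group prefix the config comments describe (tacacsadmin -> admin), and checks that every TACMEMBER value is a group actually defined in tac_plus.cfg. The prefix value "tacacs" and the case-insensitive match are assumptions, not read from mavis_tacplus_ldap.pl; the sample input is the posted output block and the group names from the posted config.

```python
import re
import shlex

GROUP_PREFIX = "tacacs"      # assumed value of $tacacsGroupPrefix

# Constructed from the posted "Output attribute-value-pairs" block.
MAVIS_OUTPUT = """\
MEMBEROF            "CN=tacacsNetworkAdmins,OU=Grupos,DC=xxxxx,DC=com"
TIMESTAMP           mavistest-12408-1767630432-0
USER                 username
DN                  CN= username,OU=Grupos,DC=xxxxx,DC=com
RESULT              ACK
PASSWORD            xxxxxxxx
SERIAL              MNbUIZB77D7B3N/8MOnf7w=
IDENTITY_SOURCE     0
TACMEMBER           "NetworkAdmins"
TACTYPE             AUTH
"""

# Constructed: only the group definitions from the posted tac_plus.cfg matter here.
TAC_PLUS_CFG = """
    group = NetworkAdmins{ default service = permit }
    group = admin { default service = permit }
    group = helpdesk { default service = permit }
"""


def parse_av_pairs(text: str) -> dict:
    """One KEY<spaces>VALUE pair per line; quoted values may list several entries."""
    avs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        avs[key] = shlex.split(value) if value.startswith('"') else [value]
    return avs


def configured_groups(cfg: str) -> set:
    """Names of every 'group = NAME {' block in the config."""
    return set(re.findall(r"^\s*group\s*=\s*([^\s{]+)", cfg, re.MULTILINE))


def groups_from_memberof(dns: list) -> set:
    """Map AD group DNs to tac_plus group names by stripping the prefix from the CN."""
    names = set()
    for dn in dns:
        m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
        if m and m.group(1).lower().startswith(GROUP_PREFIX):
            names.add(m.group(1)[len(GROUP_PREFIX):])
    return names


def check(mavis_text: str, cfg: str) -> dict:
    avs = parse_av_pairs(mavis_text)
    result = avs.get("RESULT", ["NAK"])[0]
    tacmember = set(avs.get("TACMEMBER", []))
    problems = []
    # The "script out" rule from the config: an ACK without group membership is a NAK.
    if result == "ACK" and not tacmember:
        result = "NAK"
        problems.append("RESULT ACK but no TACMEMBER: no tacacs* group, rewriting to NAK")
    expected = groups_from_memberof(avs.get("MEMBEROF", []))
    if tacmember != expected:
        problems.append(f"TACMEMBER {sorted(tacmember)} does not match MEMBEROF-derived {sorted(expected)}")
    unknown = tacmember - configured_groups(cfg)
    if unknown:
        problems.append(f"TACMEMBER group(s) not defined in tac_plus.cfg: {sorted(unknown)}")
    return {"result": result, "tacmember": sorted(tacmember), "problems": problems}


if __name__ == "__main__":
    print(check(MAVIS_OUTPUT, TAC_PLUS_CFG))
```

For the posted data the check comes back clean: RESULT ACK, TACMEMBER NetworkAdmins, and a matching group = NetworkAdmins in the config. That rules out the group mapping as the cause and points back at what happens inside the daemon between the MAVIS backend and the session, which is exactly the part of the debug log that was cut off.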

Javo Mora

Jan 6, 2026, 11:02:52 AM
to Event-Driven Servers
Hi Marc,

Thanks for your response. We were able to authenticate LDAP users using tac_plus-ng.