LDAP issues


Eveline

May 14, 2025, 8:46:21 AM5/14/25
to Event-Driven Servers
Hi Marc! I managed to install and configure basic tac_plus-ng, local accounts work and it's great, but now I have to connect LDAP and use a single account. Here is the configuration for LDAP
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}

id = tac_plus-ng {
 access log = /var/log/tac_plus-ng/access/%Y%m%d.log
 accounting log = /var/log/tac_plus-ng/acct/%Y%m%d.log

# mavis module = groups {
# groups filter = /^(admins|guest|readonly)$/ # these are defined below
# memberof filter = /^CN=tacacs_/ # enforce prefix
# }


mavis module = external {
setenv LDAP_HOSTS = "10.1.50.110:389"
setenv LDAP_BASE = "ou=RTDC,dc=rt-dc,dc=local"
setenv LDAP_USER = "EFROSDO-test"
setenv LDAP_PASSWD = "password"
                setenv AD_GROUP_PREFIX = "ALL_GG_KSPD_"
#
# Filtering the memberOf results is highly recommended, e.g.:
# setenv LDAP_MEMBEROF_REGEX = "^cn=tacacs_([^,]+),.*"
#
# Also, recursive memberOf lookups can be limited. Example:
# setenv LDAP_NESTED_GROUP_DEPTH = 3
#
# See the comments at the start of
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
# for further environment variables.
#
}

login backend = mavis
user backend = mavis
pap backend = mavis

device any {
address = 10.0.0.0/8
welcome banner = "Welcome\n"
enable 15 = clear secret
key = key
}

profile admins {
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 15
permit
}
}
}

profile guest {
enable = deny
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 1
permit
}
}
}

group admins
group guest

user test {
password login = clear test
member = admins
}

user = readonly {
password login = clear readonly
member = guest
}
ruleset {
rule {
script {
if (memberof =~ /^CN=ALL_GG_KSPD_Network_Group,/) { profile = admins permit }
if (member == admins ) { profile = admins permit }
}
}
rule {
script {
if (member == guest) { profile = guest permit }
}
}
}
}

When I run a check with /usr/local/lib/mavis/mavis_tacplus_ldap.pl < /dev/null
I get an error that LDAP hosts are not defined.
Then when I run /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus-ng.cfg tac_plus-ng TACPLUS someusername, everything is fine, it sends ACK. It sees all groups, etc. Then I try to connect to the equipment with an AD account, and I see the following in journalctl:
authen: hdr->seq_no:1
user lookup failed (local user i guess)
authen: hdr->seq_no:3
looking for user user realm default
user lookup failed
looking for user user in MAVIS backend
result for user user is ACK
looking for user user realm default
user lookup succeded
shell login for user from 10.0.0.10 on shh0 denied by ACL

What am I doing wrong?
And one more question, how to run tactrace correctly? 

Javo Mora

Jan 5, 2026, 12:33:17 PM
to Event-Driven Servers
Hi Eveline.
I'm having some issues with the pl script as well.
Were you able to fix it?

Eveline

9:50 AM
to Event-Driven Servers
Hi!
Yes, I did.
mavis module = external {
                exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldap://10.1.50.110:389 ldap://10.1.50.111:389 "
                setenv LDAP_BASE = "ou=yourOU,dc=YourDC,dc=local"
                setenv LDAP_SCOPE = sub
                setenv LDAP_USER = test@-local
                setenv LDAP_PASSWD = xxXxxxXXXxxxxxx
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv EXPAND_AD_GROUP_MEMBERSHIP = 3
}

I use this config, it works fine

On Monday, January 5, 2026 at 20:33:17 UTC+3, Javo Mora wrote:
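Both configurations in this thread turn on nested group expansion (LDAP_NESTED_GROUP_DEPTH / EXPAND_AD_GROUP_MEMBERSHIP = 3) and a group prefix filter (AD_GROUP_PREFIX = "ALL_GG_KSPD_"). The following is an added illustration, not code from tac_plus-ng or the mavis scripts: it walks a small constructed memberOf tree with a depth limit, applies the prefix regex from the first post, and checks the first post's rule pattern against the result, which shows why a group reached only through nesting is invisible to the ruleset when the depth is too small. The directory contents and DNs are constructed for the example.

```python
import re
from collections import deque

# Constructed toy directory: DN -> list of DNs it is a member of (its memberOf).
# Names follow the thread's AD naming; this is not an export from a real directory.
CONSTRUCTED_MEMBEROF = {
    "CN=EFROSDO-test,OU=RTDC,DC=rt-dc,DC=local": [
        "CN=ALL_GG_KSPD_Helpdesk,OU=Groups,DC=rt-dc,DC=local",
        "CN=Domain Users,CN=Users,DC=rt-dc,DC=local",
    ],
    "CN=ALL_GG_KSPD_Helpdesk,OU=Groups,DC=rt-dc,DC=local": [
        "CN=ALL_GG_KSPD_Network_Group,OU=Groups,DC=rt-dc,DC=local",
    ],
    "CN=ALL_GG_KSPD_Network_Group,OU=Groups,DC=rt-dc,DC=local": [
        "CN=ALL_GG_KSPD_Infra,OU=Groups,DC=rt-dc,DC=local",
    ],
    "CN=ALL_GG_KSPD_Infra,OU=Groups,DC=rt-dc,DC=local": [
        "CN=ALL_GG_KSPD_Everything,OU=Groups,DC=rt-dc,DC=local",
    ],
}

USER_DN = "CN=EFROSDO-test,OU=RTDC,DC=rt-dc,DC=local"
# The rule from the first post's ruleset, used as written (case-sensitive).
RULE_PATTERN = r"^CN=ALL_GG_KSPD_Network_Group,"


def expand_memberof(user_dn, directory, max_depth):
    """Breadth-first walk of memberOf; depth 1 = direct groups, 2 = their parents, ..."""
    seen = []
    queue = deque((group, 1) for group in directory.get(user_dn, []))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen or depth > max_depth:  # depth limit also stops group cycles
            continue
        seen.append(dn)
        for parent in directory.get(dn, []):
            queue.append((parent, depth + 1))
    return seen


def filter_groups(dns, prefix):
    """Keep only groups named <prefix>..., return the part after the prefix.
    Same shape as the page's LDAP_MEMBEROF_REGEX; case-insensitive here by assumption."""
    pattern = re.compile(r"^cn=" + re.escape(prefix) + r"([^,]+),", re.IGNORECASE)
    return [m.group(1) for dn in dns if (m := pattern.match(dn))]


def rule_matches(dns, pattern=RULE_PATTERN):
    """True if any expanded group DN matches the ruleset's memberof regex."""
    return any(re.match(pattern, dn) for dn in dns)
```

With depth 1 only the direct groups are returned and the rule never matches, which is the same outcome as a denial by the ruleset; with depth 3 the Network_Group DN is reached and the prefix filter leaves only the ALL_GG_KSPD_ groups.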