Unexpected EOF while trying mavis and openLDAP Backend


whis...@googlemail.com

Jun 3, 2014, 4:23:33 PM
to event-driv...@googlegroups.com
Hi Marc,

I tried to implement tac_plus in a test environment together with openLDAP. Thank you for this project and the well written documentation.

I always get the message "Unexpected EOF", but the TACACS server never asks the LDAP server (a Wireshark capture shows no communication between them).

2014-06-02 21:08:26 +0200    192.168.11.10: shell login for 'fred' from async on tty0 failed (Unexpected EOF)

My config file must have a mistake:

#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}


id = tac_plus {
    access log = /tmp/tac_plus/access.log
    accounting log = /tmp/log/tac_plus/account.log
    authentication log = /tmp/tac_plus/authentication.log
    authorization log = /tmp/tac_plus/authorization.log

    mavis module = external {
#        setenv LDAP_SERVER_TYPE = "tacacs_schema"
        setenv LDAP_SERVER_TYPE = "generic"
        setenv LDAP_HOSTS = "192.168.11.202:636"
        setenv LDAP_BASE = "dc=example,dc=com"
#        setenv LDAP_USER = "ad...@example.com"
#        setenv LDAP_PASSWD = "admin"
#        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = world {
        address = ::/0
        prompt = "Welcome\n"
        enable 15 = clear cisco
        key = key
    }

    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    group = guest {
        default service = permit
        enable = deny
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 1
        }
    }

    user = cisco {
        password = clear cisco
        member = admin
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }

    user = readonly {
        password = clear readonly
        member = guest
    }
}



mavis test:

mavistest -d 1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS admin admin

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2891-1401739415-0
USER                admin
PASSWORD            admin
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-2891-1401739415-0
USER                admin
RESULT              ERR
PASSWORD            admin
SERIAL              p6azAaIIo022Oo0ZGY1+sQ=
USER_RESPONSE       Unexpected EOF
TACTYPE             AUTH

Ping and ldapsearch work very well. Local TACACS authentication also works. But I am not able to use the openLDAP backend.

Thanks for any suggestions!
Regards
Chris

Marc Huber

Jun 4, 2014, 5:01:02 AM
to event-driv...@googlegroups.com
Hi Chris,

On 03.06.14 22:23, whis...@googlemail.com wrote:
> I always get the message "Unexpected EOF", but the TACACS server never
> asks the LDAP server (a Wireshark capture shows no communication
> between them).
please try calling the Perl script manually. Chances are that some Perl
dependencies are missing.

env LDAP_SERVER_TYPE="generic" LDAP_HOSTS="192.168.11.202:636" LDAP_BASE="dc=example,dc=com" printf "0 TACPLUS\n4 admin\n8 admin\n49 AUTH\n=\n" | /usr/local/lib/mavis/mavis_tacplus_ldap.pl

Cheers,

Marc
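Marc's suggestion above is a manual pipe into the backend. As an added example (not part of this thread, and not tac_plus or MAVIS code), here is a small Python harness that does the same thing the way tac_plus does it: it sets the LDAP_* variables, feeds the "N value" request on stdin, and tells the EOF case (the backend exited before sending the "=" terminator, as a Perl script dying on a missing module would) apart from a real answer, showing the exit status and stderr in the first case. The attribute numbers 0, 4, 8 and 49 are the ones in Marc's printf; the two stand-in backends are constructed so the script runs offline, and the environment values are copied from Marc's command.

```python
"""Drive a MAVIS external backend the way tac_plus (or mavistest) does and
diagnose an 'Unexpected EOF' answer. Constructed example; not tac_plus code."""
import os
import subprocess
import sys
from dataclasses import dataclass, field

# Attribute numbers taken from the printf in the thread: 0 TYPE, 4 USER,
# 8 PASSWORD, 49 TACTYPE. No other MAVIS attribute numbers are assumed here.
AV_TYPE, AV_USER, AV_PASSWORD, AV_TACTYPE = 0, 4, 8, 49


def build_request(user: str, password: str, tactype: str = "AUTH") -> str:
    """Serialize a request as 'N value' lines closed by a lone '=' line."""
    pairs = [(AV_TYPE, "TACPLUS"), (AV_USER, user),
             (AV_PASSWORD, password), (AV_TACTYPE, tactype)]
    return "".join(f"{num} {val}\n" for num, val in pairs) + "=\n"


def parse_response(text: str):
    """Parse 'N value' lines; return (pairs, saw_terminator).
    A missing '=' is the condition tac_plus reports as Unexpected EOF."""
    pairs = {}
    for line in text.splitlines():
        if line == "=":
            return pairs, True
        num, _, val = line.partition(" ")
        if num.isdigit():
            pairs[int(num)] = val
    return pairs, False


@dataclass
class BackendResult:
    pairs: dict = field(default_factory=dict)
    terminated: bool = False
    exit_code: int = 0
    stderr: str = ""

    @property
    def diagnosis(self) -> str:
        if self.terminated:
            return "ok: backend answered and sent the '=' terminator"
        msg = f"Unexpected EOF: backend exited {self.exit_code} before sending '='"
        if self.stderr.strip():
            msg += f"; stderr: {self.stderr.strip()}"
        return msg


def run_backend(argv, env_overrides, user, password, timeout=10) -> BackendResult:
    """Run the backend with the LDAP_* variables set, feed the request on
    stdin, and collect stdout, stderr and exit status for diagnosis."""
    env = dict(os.environ, **env_overrides)
    proc = subprocess.run(argv, input=build_request(user, password),
                          capture_output=True, text=True, env=env, timeout=timeout)
    pairs, terminated = parse_response(proc.stdout)
    return BackendResult(pairs, terminated, proc.returncode, proc.stderr)


# Environment copied from Marc's manual test command.
LDAP_ENV = {
    "LDAP_SERVER_TYPE": "generic",
    "LDAP_HOSTS": "192.168.11.202:636",
    "LDAP_BASE": "dc=example,dc=com",
}

# Constructed stand-in backends so this runs offline. The first mimics a Perl
# script dying at compile time on a missing module: nothing on stdout, a
# message on stderr, non-zero exit.
DYING_BACKEND = 'import sys; sys.exit("Can\'t locate IO/Socket/SSL.pm in @INC")'
# The second reads the request up to '=' and echoes it back, then terminates
# the answer properly with its own '=' line.
ECHO_BACKEND = (
    "import sys\n"
    "for line in sys.stdin:\n"
    "    sys.stdout.write(line)\n"
    "    if line.rstrip('\\n') == '=':\n"
    "        break\n"
)


def demo():
    """Run both stand-ins; returns (dying_result, echo_result)."""
    dying = run_backend([sys.executable, "-c", DYING_BACKEND], LDAP_ENV, "admin", "admin")
    echo = run_backend([sys.executable, "-c", ECHO_BACKEND], LDAP_ENV, "admin", "admin")
    return dying, echo


if __name__ == "__main__":
    for name, result in zip(("dying backend", "echo backend"), demo()):
        print(f"{name}: {result.diagnosis}")
        for num, val in sorted(result.pairs.items()):
            print(f"  {num:<4}{val}")
```

Against the real backend, replace the stand-in argv with `["/usr/local/lib/mavis/mavis_tacplus_ldap.pl"]`; when the script dies before printing anything, the harness shows the interpreter's error text, which is what mavistest's single "Unexpected EOF" line hides.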

whis...@googlemail.com

Jun 11, 2014, 2:48:01 PM
to event-driv...@googlegroups.com
Hi Marc,

Sorry for the overlapping posts.
My troubleshooting was not that well documented to give a clear answer...

openssl s_client -host server -port 636 --> no error

IO::Socket::SSL Perl module is installed? -> perl -e "use IO::Socket::SSL" -> no answer

change from 192.168.11.202:636 to ldaps://192.168.11.202:636 --> it works!


Now I am struggling with granting privileges via groups. I will open a new topic for that.


Thank you!
Chris

