MAVIS issues after installing to custom directory


brandon.s...@spoken.com

Jul 22, 2016, 2:33:16 PM
to Event-Driven Servers
Hi,

I previously installed tac_plus to the default directory and was able to get it up and running with no real issues. I have a second installation on a different server that I installed to /var/tac_plus/ instead of the default /usr/local/ and am running into MAVIS issues while authenticating against Active Directory.

mavistest returns no output, which I thought was strange:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-16762-1469121474-0
USER                <user>
PASSWORD            <password>
TACTYPE             AUTH

However, manually querying the AD server via ldapquery returns the expected results, so I know the two servers can at least talk to each other and all the data is there.

Manually feeding the variables into /var/tac_plus/lib/mavis/mavis_tacplus_ldap.pl returns normal-looking results as well:

0 TACPLUS
4 <user>
6 ACK
8 <pass>
36 <pass>
47 "admin"
49 AUTH
=0

It appears to successfully authenticate my username against AD, but when I run tac_plus I don't get anything. tac_plus debugs show that it cannot find the username in the default realm, which, if I remember correctly, shows that it's not even attempting to look at AD:

16833: 17:44:25.145 1/41ecd4f8: 10.15.240.212 looking for user <user> realm default
16833: 17:44:25.145 1/41ecd4f8: 10.15.240.212 user lookup failed

tac_plus.cfg:

#!/var/tac_plus/sbin/tac_plus
debug = ALL
id = spawnd {
        listen = { port = 4949 }
        spawn = {
                instances min = 1
                instances max = 1
        }
        background = no
}
id = tac_plus {
        debug = PACKET AUTHEN AUTHOR

        access log = /var/log/tac_plus/access.log
        accounting log = /var/log/tac_plus/acct.log
        authorization log = /var/log/tac_plus/auth.log
        mavis path = /var/tac_plus/lib64/mavis
        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldap://<ip>:3268"
                setenv LDAP_BASE = "<base>"
                setenv LDAP_USER = "<user>"
                setenv LDAP_PASSWD = "<pass>"
                setenv AD_GROUP_PREFIX = "tacacs-"
                #setenv REQUIRE_AD_GROUP_PREFIX = "1"
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = "1"
                setenv FLAG_USE_MEMBEROF = "1"
                exec = /var/tac_plus/lib/mavis/mavis_tacplus_ldap.pl
        }
        login backend = mavis
        user backend = mavis
        pap backend = mavis
        skip missing groups = yes
        host = global {
                address = 0.0.0.0/0
                prompt = "hi"
                key = <key>
        }
        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        group = readonly {
                service = shell {
                        default command = deny
                        set priv-lvl = 15
                        cmd = show {
                                permit .*
                        }
                        cmd = ping {
                                permit .*
                        }
                        cmd = traceroute {
                                permit .*
                        }
                }
        }
}


My only thought at this point is that the mavis path might be wrong, but /var/tac_plus/lib64/mavis contains libmavis_external.so, and if I change the path to /var/tac_plus/lib64 (where libmavis.so lives) I get an error on startup: 16953: /var/tac_plus/etc/tac_plus.cfg:23: FATAL: module 'external' not found.

Any input would be appreciated; I have about reached the limit of my knowledge trying to troubleshoot this.




brandon.s...@spoken.com

Jul 25, 2016, 10:02:10 AM
to Event-Driven Servers
I've found the issue and would like to document it here for posterity:

The script mavis_tacplus_ldap.pl uses a hard-coded path on line 197:
use lib '/usr/local/lib/mavis/';

This must be changed to point to the install directory, in my case:
use lib '/var/tac_plus/lib/mavis';

After this change mavistest returns the expected output and I am able to authenticate users against the AD backend.

Thanks,
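The following is an added example, not code from this thread or from the tac_plus project. It turns the two findings above into a repeatable check for a tac_plus install under a non-default prefix: it lists every 'use lib' line in the MAVIS Perl scripts that still points somewhere other than the install's own lib/mavis directory (the cause of the empty mavistest output in the second post), can rewrite those lines in place while keeping a .orig copy, and confirms that the directory named by "mavis path" in tac_plus.cfg actually contains libmavis_external.so, since pointing it at the directory holding libmavis.so instead is what produced the "module 'external' not found" error in the first post. The prefix, script names and config path it takes are assumptions for illustration; the script reads nothing until you point it at an install, and only rewrites files when given --fix.

```shell
#!/bin/sh
# Added example (not from the thread or the tac_plus project): check a tac_plus
# install under a custom PREFIX (e.g. /var/tac_plus instead of /usr/local) for
# MAVIS scripts whose 'use lib' line still names another directory, and for a
# "mavis path" that does not hold libmavis_external.so.
# Assumed layout: PREFIX/lib/mavis/*.pl for the Perl scripts, one "mavis path"
# line in the config; $want must not contain '|' or '&' (used by sed below).

# find_hardcoded_lib PREFIX
#   Prints "file:line:text" for every 'use lib' line in PREFIX/lib/mavis/*.pl
#   whose quoted path (trailing slash ignored) is not PREFIX/lib/mavis.
#   Returns 0 when nothing needs fixing, 1 when at least one line does.
find_hardcoded_lib() {
    prefix="$1"
    want="$prefix/lib/mavis"
    rc=0
    for f in "$prefix"/lib/mavis/*.pl; do
        [ -f "$f" ] || continue
        hits=$(awk -v want="$want" -v file="$f" -v q="'" '
            BEGIN { re = "^[ \t]*use[ \t]+lib[ \t]+[" q "\"]" }
            $0 ~ re {
                path = $0
                sub(re, "", path)                 # drop text up to the opening quote
                sub("[" q "\"].*$", "", path)     # drop the closing quote and the rest
                sub("/+$", "", path)              # a trailing slash is not a difference
                if (path != want) print file ":" NR ":" $0
            }' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            rc=1
        fi
    done
    return $rc
}

# fix_hardcoded_lib PREFIX
#   Rewrites the quoted path on every 'use lib' line in PREFIX/lib/mavis/*.pl
#   to PREFIX/lib/mavis, keeping a .orig copy of each script. Writing through
#   the existing file keeps its mode bits, so the script stays executable.
fix_hardcoded_lib() {
    prefix="$1"
    want="$prefix/lib/mavis"
    for f in "$prefix"/lib/mavis/*.pl; do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.orig"
        # '|' is the sed delimiter so the slashes in $want need no escaping
        sed -E "s|^([[:space:]]*use[[:space:]]+lib[[:space:]]+)['\"][^'\"]+['\"]|\1'$want'|" "$f.orig" > "$f"
    done
}

# check_mavis_path CONFIG
#   Prints the directory named by "mavis path = ..." in CONFIG and returns 0
#   only if libmavis_external.so is there, which is what "mavis module =
#   external" loads; the directory holding libmavis.so is not enough.
check_mavis_path() {
    cfg="$1"
    dir=$(sed -n -E 's/^[[:space:]]*mavis[[:space:]]+path[[:space:]]*=[[:space:]]*"?([^"[:space:]]+)"?.*$/\1/p' "$cfg" | head -n 1)
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
    [ -f "$dir/libmavis_external.so" ]
}

# Usage: sh mavis_prefix_check.sh PREFIX CONFIG [--fix]
# e.g.   sh mavis_prefix_check.sh /var/tac_plus /var/tac_plus/etc/tac_plus.cfg
if [ $# -ge 2 ]; then
    prefix="$1"
    cfg="$2"
    if ! check_mavis_path "$cfg"; then
        echo "mavis path in $cfg does not contain libmavis_external.so" >&2
    fi
    if ! find_hardcoded_lib "$prefix"; then
        if [ "$3" = "--fix" ]; then
            fix_hardcoded_lib "$prefix" && echo "rewrote 'use lib' lines to $prefix/lib/mavis"
        else
            echo "re-run with --fix to rewrite the lines above" >&2
        fi
    fi
fi
```

Run it without --fix first and read the lines it prints; the .orig copies let you diff the change afterwards, and re-running the check after --fix should print nothing and exit 0 before you re-test with mavistest.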