Active Directory tac_plus configuration

I seem to have a problem with the free tac_plus configuration. My switch is sending me the following log message:

May 4 20:58:52 sv5-c1-r104-ae02 Aaa: %Aaa-4-EXEC_AUTHZ_FAILED: User jdambly failed authorization to start a shell

If I look at the tac_plus log, it shows that my group mapping configuration is incorrect; here is the log:
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: Start authorization request
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: cfg_get: checking user/group jdambly, tag (NULL)
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: cfg_get: checking user/group jdambly, tag (NULL)
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: user 'jdambly' found
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: cfg_get: checking user/group jdambly, tag (NULL)
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: jdambly@192.168.0.19: not found: svcname=shell@world protocol=
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: jdambly@192.168.0.19: not found: svcname=shell protocol=
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: jdambly@192.168.0.19: svcname=shell protocol= not found, default is <unknown>
May 4 14:04:22 neteng tac_plus[14476]: 1/9a920270: Writing AUTHOR/FAIL size=18
I am trying to map the AD group devops to the group in the config, but I think that is what is failing, and I don't understand why. After a long time I got this working with the following config:
#!../../../sbin/tac_plus
id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}
id = tac_plus {
    debug = PACKET AUTHEN AUTHOR MAVIS
    access log = /var/log/tac_plus/access.log
    accounting log = /var/log/tac_plus/acct.log
    authorization log = /var/log/tac_plus/auth.log
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        #setenv LDAP_HOSTS = "ldaps://xxxxxxxxx:3268"
        setenv LDAP_HOSTS = "xxxxxxxxx:3268"
        #setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "cn=Users,dc=nskope,dc=net"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_USER = "xxxxxxxx"
        setenv LDAP_PASSWD = "xxxxxxxx"
        #setenv FLAG_FALLTHROUGH=1
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = "1"
        #setenv EXPAND_AD_GROUP_MEMBERSHIP=1
        #setenv FLAG_USE_MEMBEROF = 1
        setenv AD_GROUP_PREFIX = ""
        # setenv REQUIRE_AD_GROUP_PREFIX = 1
        # setenv USE_TLS = 0
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    user backend = mavis
    login backend = mavis
    pap backend = mavis
    skip missing groups = yes
    host = world {
        # match every client; the original had the typo 0.0.0/0
        address = 0.0.0.0/0
        #prompt = "Welcome\n"
        key = cisco
    }
    group = devops {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
}
What really made it work was adding
setenv UNLIMIT_AD_GROUP_MEMBERSHIP = "1"
setenv AD_GROUP_PREFIX = ""
With these settings it does not look for a prefix on all the AD groups. This config allows AD groups to map directly to the groups configured in this file, which in my example is called devops. Also note that I had to put quotes around the 1. Without them it does not set the variable UNLIMIT_AD_GROUP_MEMBERSHIP to 1, so be aware of that. Hope this helps someone else so they don't have to go through all the pain I went through ;)
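To make the effect of those two settings visible, here is an added example (not from the post, and not the code of tac_plus or mavis_tacplus_ldap.pl) that models how a user's AD memberOf list becomes tac_plus group names under AD_GROUP_PREFIX, REQUIRE_AD_GROUP_PREFIX, UNLIMIT_AD_GROUP_MEMBERSHIP and "skip missing groups". The prefix and "first group only" semantics are my reading of the MAVIS LDAP backend, not copied from it; the memberOf values are constructed, using the base DN from the post.

```python
# Added example: a model of AD group -> tac_plus group mapping (assumed semantics,
# not the MAVIS script itself). It shows why a user who is in the configured
# "devops" group can still end up with no matching shell service (AUTHOR/FAIL).

# Constructed memberOf values for jdambly; the base DN is the one from the post.
MEMBER_OF = [
    "CN=Domain Users,CN=Users,DC=nskope,DC=net",
    "CN=devops,CN=Users,DC=nskope,DC=net",
]
# Groups that exist in the posted tac_plus config.
CONFIGURED_GROUPS = {"devops"}


def group_cn(dn):
    """Return the CN of a group DN's first RDN ('CN=devops,...' -> 'devops')."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"unexpected group DN: {dn}")
    return value.strip()


def mavis_groups(member_of, prefix="tacacs", require_prefix=False, unlimit=False):
    """Model of the group list MAVIS hands back to tac_plus.

    - A CN starting with `prefix` has the prefix stripped; an empty prefix
      (AD_GROUP_PREFIX = "") therefore matches every group unchanged.
    - With REQUIRE_AD_GROUP_PREFIX, groups lacking the prefix are dropped.
    - Without UNLIMIT_AD_GROUP_MEMBERSHIP only the first candidate survives,
      and AD returns memberOf in no guaranteed order.
    """
    names = []
    for dn in member_of:
        cn = group_cn(dn)
        if cn.startswith(prefix):
            names.append(cn[len(prefix):])
        elif not require_prefix:
            names.append(cn)
    return names if unlimit else names[:1]


def tac_plus_groups(tacmember, configured, skip_missing=True):
    """Groups tac_plus will use; names not defined in the config are skipped
    (skip missing groups = yes) or rejected outright."""
    missing = [g for g in tacmember if g not in configured]
    if missing and not skip_missing:
        raise LookupError(f"groups not defined in config: {missing}")
    return [g for g in tacmember if g in configured]


if __name__ == "__main__":
    print("defaults:", tac_plus_groups(mavis_groups(MEMBER_OF), CONFIGURED_GROUPS))
    fixed = mavis_groups(MEMBER_OF, prefix="", unlimit=True)
    print("prefix '' + unlimit:", tac_plus_groups(fixed, CONFIGURED_GROUPS))
```

With the defaults the only group returned is "Domain Users", which the config does not define, so the user has no shell service; with the two settings from the post "devops" comes through.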