kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0

using the PAM_tacplus without local users defined ? #117

Open prsouren opened 6 years ago

prsouren commented 6 years ago

Hi, would it be possible to have a Linux server running without any local users defined and still have the clients trying to connect authenticated by the Cisco ACS (AAA) server?

I now have the 1.5.0 setup running, but I do need to create a local user (in disabled state) in order to get access via authentication by ACS. As we have too many users from different groups, I wish not to create all those local accounts.

Is this possible ?

daveolson53 commented 6 years ago

prsouren notifications@github.com wrote:

Hi, would it be possible to have a Linux server running without any local users defined and still have the clients trying to connect authenticated by the Cisco ACS (AAA) server?

I now have the setup running, but I do need to create a local user (in disabled state) in order to get access via authentication by ACS. As we have too many users from different groups, I wish not to create all those local accounts.

Is this possible ?

Yes, it's possible. You have to either fake out the accounts as being local via NSS (there are several NSS plugins for this), or map the remote users to one or more local users.

I took the latter approach for Cumulus Linux. See the repos at https://github.com/daveolson53 In particular, my modified libpam-tacplus (which is out of date with the current master), libnss-tacplus, and libtacplus-map; those 3 are the minimum you would need.

Dave Olson olson@cumulusnetworks.com
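The second approach Dave describes (map remote users onto one or more local template accounts) hinges on the fact that PAM only decides whether a login is allowed; sshd, login and friends still call getpwnam() and refuse a user that NSS does not know about. The NSS module therefore has to answer that lookup with a synthesized passwd entry whose name is the remote user but whose uid/gid/home/shell come from a local template. The following is an added example written for this thread, not code from pam_tacplus nor from Dave's libnss-tacplus or libtacplus-map repos: it shows the core of such a mapping, following the getpwnam_r buffer contract that glibc expects from an NSS backend. The template account names, uids, paths, the privilege bands and the tacplus_map_user() function are all assumptions for illustration; the privilege level is passed in by the caller because the example deliberately does not talk to a TACACS+ server.

```c
/* Added example, not part of pam_tacplus or the libnss-tacplus repos
 * referenced above. Template accounts, uids, paths and the
 * tacplus_map_user() API are illustrative assumptions. */
#include <pwd.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
#include <stddef.h>
#if defined(__GLIBC__)
#include <nss.h>   /* enum nss_status, what real NSS modules return */
#else
enum nss_status { NSS_STATUS_TRYAGAIN = -2, NSS_STATUS_UNAVAIL,
                  NSS_STATUS_NOTFOUND, NSS_STATUS_SUCCESS };
#endif

/* Assumed local template accounts, one per TACACS+ privilege band. Their
 * uid/gid should be reserved on the box (e.g. as locked entries in
 * /etc/passwd) so nothing else is ever created with the same ids. */
struct tac_template {
    int min_priv;       /* lowest priv-lvl mapped to this template */
    uid_t uid;
    gid_t gid;
    const char *home;
    const char *shell;
};

static const struct tac_template templates[] = {
    { 15, 1015, 1015, "/home/tacacs15", "/bin/bash"  }, /* priv 15: admin */
    {  1, 1001, 1001, "/home/tacacs1",  "/bin/rbash" }, /* priv 1..14: operator */
};

/* Only vouch for names a sane AAA server would hand back. This keeps a
 * remote principal from being mapped under a name like "../x" or one
 * carrying shell metacharacters that later ends up in a home path. */
static int valid_remote_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 32 || !isalnum((unsigned char)name[0]))
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Highest-privilege template the user qualifies for; priv 0 maps to none. */
static const struct tac_template *template_for(int priv)
{
    for (size_t i = 0; i < sizeof templates / sizeof templates[0]; i++)
        if (priv >= templates[i].min_priv)
            return &templates[i];
    return NULL;
}

/* Append a NUL-terminated string into the caller's buffer; NULL on overflow. */
static char *bufcpy(char *buf, size_t buflen, size_t *off, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > buflen - *off)
        return NULL;
    char *dst = memcpy(buf + *off, src, n);
    *off += n;
    return dst;
}

/* Synthesize the passwd entry for remote user `name` at privilege `priv`
 * (already established by the caller from TACACS+ authorization). Mirrors
 * the _nss_*_getpwnam_r contract: every string lives in buf, and a buffer
 * that is too small yields ERANGE / NSS_STATUS_TRYAGAIN so libc retries
 * with a larger one. */
enum nss_status tacplus_map_user(const char *name, int priv,
                                 struct passwd *pwd, char *buf,
                                 size_t buflen, int *errnop)
{
    if (!valid_remote_name(name)) { *errnop = ENOENT; return NSS_STATUS_NOTFOUND; }
    const struct tac_template *t = template_for(priv);
    if (!t) { *errnop = ENOENT; return NSS_STATUS_NOTFOUND; }

    size_t off = 0;
    char *pw_name   = bufcpy(buf, buflen, &off, name);
    char *pw_passwd = bufcpy(buf, buflen, &off, "x");  /* auth is PAM's job */
    char *pw_gecos  = bufcpy(buf, buflen, &off, "TACACS+ mapped user");
    char *pw_dir    = bufcpy(buf, buflen, &off, t->home);
    char *pw_shell  = bufcpy(buf, buflen, &off, t->shell);
    if (!pw_name || !pw_passwd || !pw_gecos || !pw_dir || !pw_shell) {
        *errnop = ERANGE;
        return NSS_STATUS_TRYAGAIN;
    }
    pwd->pw_name = pw_name;   pwd->pw_passwd = pw_passwd;
    pwd->pw_uid = t->uid;     pwd->pw_gid = t->gid;
    pwd->pw_gecos = pw_gecos; pwd->pw_dir = pw_dir; pwd->pw_shell = pw_shell;
    return NSS_STATUS_SUCCESS;
}

int main(void)
{
    struct passwd pw; char buf[256]; int err = 0;
    const char *users[] = { "alice", "bob", "carol", "../evil" };
    int privs[] = { 15, 7, 0, 15 };
    for (int i = 0; i < 4; i++) {
        if (tacplus_map_user(users[i], privs[i], &pw, buf, sizeof buf, &err) == NSS_STATUS_SUCCESS)
            printf("%s -> uid %u gid %u %s %s\n", pw.pw_name, (unsigned)pw.pw_uid,
                   (unsigned)pw.pw_gid, pw.pw_dir, pw.pw_shell);
        else
            printf("%s -> not mapped (errno %d)\n", users[i], err);
    }
    return 0;
}
```

Two points about wiring this in that the code cannot show. First, with `passwd: files tacplus` in nsswitch.conf the `files` source is consulted first and wins, so a remote name that collides with a real local account (root, service users) can never be shadowed by the mapping. Second, getpwnam() is called for any name, by sshd before authentication has even started, so a module that blindly maps every syntactically valid name effectively tells the system that every user exists; a production module needs some signal that the name is genuinely a TACACS+ principal (an authorization lookup, or state recorded by the PAM module), which is the `priv` decision this example leaves to its caller.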