Add support for mgmt vrf

When management vrf is enabled and vrf is present in the tacacs config,
if we are unable to reach any configured tacacs server, try setting
vrf context on the socket.

Previously libnss-tacplus worked only with ssh@mgmt, now works with normal
ssh in mgmt vrf

Setting via the socket (rather than vrf context) is required so we don't
set the VRF context for arbitrary processes that do uid or username
lookups.

3 files changed, 12 insertions, 5 deletions

diff --git a/debian/changelog b/debian/changelog
index ad8a1e1..fefa524 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,8 +9,9 @@ libnss-tacplus (1.0.2) unstable; urgency=low
     libraries can connect to a TACACS+ server without being tacacs aware.
   * Improved debugging messages.
   * Minor corrections to Copyright and licensing
+  * Added vrf config variable, so NSS lookups work correctly$
 
- -- Dave Olson <olson@cumulusnetworks.com>  Tue, 29 Nov 2016 16:55:16 -0800
+ -- Dave Olson <olson@cumulusnetworks.com>  Tue, 07 Mar 2017 12:58:03 -0800
 
 libnss-tacplus (1.0.2-1) unstable; urgency=low
 
diff --git a/debian/control b/debian/control
index 3d95156..ea65d0b 100644
--- a/debian/control
+++ b/debian/control
@@ -1,14 +1,17 @@
 Source: libnss-tacplus
 Priority: optional
 Maintainer: Dave Olson <olson@cumulusnetworks.com>
-Build-Depends: debhelper (>= 9), autotools-dev, libtac-dev, libtacplus-map-dev, libaudit-dev, autoconf, libpam-tacplus-dev, dpkg-dev (>= 1.16.1)
+Build-Depends: debhelper (>= 9), autotools-dev, libtac-dev (>= 1.4.1~),
+    libtacplus-map-dev, libaudit-dev, autoconf, libpam-tacplus-dev,
+    dpkg-dev (>= 1.16.1), git
 Section: libs
 Standards-Version: 3.9.6
 Homepage: http://www.cumulusnetworks.com
 
 Package: libnss-tacplus
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libtac2, libtacplus-map1, libaudit1
+Depends: ${shlibs:Depends}, ${misc:Depends}, libtac2 (>= 1.4.1~),
+    libtacplus-map1, libaudit1
 Description: NSS module for TACACS+ authentication without local passwd entry
 	Performs getpwname and getpwuid lookups via NSS for users logged in via
 	tacacs authentication, and mapping done with libtacplus_map
diff --git a/nss_tacplus.c b/nss_tacplus.c
index 75cbdb7..635327a 100644
--- a/nss_tacplus.c
+++ b/nss_tacplus.c
@@ -67,6 +67,7 @@ static tacplus_server_t tac_srv[TAC_PLUS_MAXSERVERS];
 static int tac_srv_no, tac_key_no;
 static char tac_service[] = "shell";
 static char tac_protocol[] = "ssh";
+static char vrfname[64];
 static char *exclude_users;
 static uid_t min_uid = ~0U; /*  largest possible */
 static int debug;
@@ -157,6 +158,8 @@ static int nss_tacplus_config(int *errnop, const char *cfile, int top)
             if (valid > (lbuf+8))
                 min_uid = (uid_t)uid;
         }
+        else if(!strncmp(lbuf, "vrf=", 4))
+            strncpy(vrfname, lbuf + 4, sizeof(vrfname));
         else if(!strncmp(lbuf, "server=", 7)) {
             if(tac_srv_no < TAC_PLUS_MAXSERVERS) {
                 struct addrinfo hints, *servers, *server;
@@ -454,7 +457,8 @@ connect_tacacs(struct tac_attrib **attr, int srvr)
     if(!*tac_service) /* reported at config file processing */
         return -1;
 
-    fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL);
+    fd = tac_connect_single(tac_srv[srvr].addr, tac_srv[srvr].key, NULL,
+        vrfname[0]?vrfname:NULL);
     if(fd >= 0) {
         *attr = NULL; /* so tac_add_attr() allocates memory */
         tac_add_attrib(attr, "service", tac_service);
@@ -505,7 +509,6 @@ lookup_tacacs_user(struct pwbuf *pb)
                 return 2;
         }
     }
-
     for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
         arep.msg = NULL;
         arep.attr = NULL;