Diffstat (limited to 'tacplus_nss.conf.5')
-rw-r--r-- tacplus_nss.conf.5 | 114
1 files changed, 114 insertions, 0 deletions
diff --git a/tacplus_nss.conf.5 b/tacplus_nss.conf.5
new file mode 100644
index 0000000..f8fcac2
--- /dev/null
+++ b/tacplus_nss.conf.5
@@ -0,0 +1,114 @@
+.TH tacplus_nss.conf 5
+.\" Copyright 2018, 2019 Cumulus Networks, Inc. All rights reserved.
+.SH NAME
+/etc/tacplus_nss.conf \- TACACS+ client configuration file
+.SH SYNOPSIS
+.B /etc/tacplus_nss.conf
+is the primary configuration file for the NSS tacplus client plugin.
+.SH DESCRIPTION
+All NSS passwd and group lookups for the tacplus client use this configuration file.
+This plugin
+does lookups on TACACS+ user information, and for group lookups, substitutes the
+login name of tacacs users for the mapping names
+.IR tacacs0 ... tacacs15 .
+These accounts must be listed in the
+.B /etc/passwd
+and
+.B /etc/group
+files for the client-side mapping based on privilege level to work successful.
+.PP
+The
+.I tacplus_nss.conf
+file is minimal, because it uses the
+.I include
+directive to read the
+.I /etc/tacplus_servers
+file for most of the configuration items.
+.P
+However, non-root accounts will not be able to read the
+.I /etc/tacplus_servers
+contents due to required security file permissions. This normally is not an issue,
+due to the use of the tacplus client mapping database.
+.P
+Configuration variables set prior to the
+.I include
+directive may be modified or extended by the common configuration file.
+Those that follow the
+.I include
+directive will override those in the common configuration file.
+.PP
+Most commonly, the
+.I timeout
+and
+.I debug
+variables are set in this configuration file, so they can use different
+values than the PAM libraries, etc.
+.PP
+Programs using the NSS tacplus plugin may not be able to read this
+file when running as a non-root user (because
+.I tacplus_servers
+has permissions that do not allow world-access, because it contains the
+shared secret key.
+Typically the
+.B secret
+keyword should not be used in this NSS configuration files, for that reason.
+.PP
+.I debug=Number
+Output debugging information via syslog(3).
+Debugging is heavy, including passwords. Do not leave debugging enabled on a production switch once you have completed troubleshooting. Currently most components only check to see if it is non-zero. Some components will print additional debug if set to
+.BR 2 .
+.TP
+.I timeout=SECONDS
+Sets the per-connection timeout for reaching the TACACS+ server(s). For the NSS plugin,
+there is typically only one connection per lookup.
+The libnss functionality typically sets a smaller timeout in it's
+own configuration file than the value set in
+.IR /etc/tacplus_servers ,
+because NSS lookups are more frequent and less important than logins.
+.TP
+.I include=/file/name
+Open the listed file, and continue to read configuration from that file,
+if the open is successful. This avoids duplication of configuration information.
+A maximum of 8 configuration files may be used.
+.TP
+.I min_uid=value
+This is the minimum uid the NSS plugin will lookup. Setting this to 0
+means uid 0 (root) is never looked up, good for robustness and performance
+Cumulus Linux ships with it set to 1001, to ignore system users and the
+.I cumulus
+user, which typically has the uid 1000. Should not be greater
+than the local
+.IR tacacs0 ... tacacs15
+usernames, or they will not be looked up.
+.TP
+.I exclude_users=user1,user2,*,...
+This is a comma separated list of usernames that are never looked up
+by this NSS plugin, instead they cause an early not found return.
+.B *
+(asterisk) is not a wild card in this list. While it's not a legal username,
+bash may lookup this as a user name during pathname completion, so
+it is included in this list as a username string.
+.PP
+For all the other configuration variables, see the
+.I /etc/tacplus_servers
+file and it's man page.
+.SH "SEE ALSO"
+.BR tacplus_servers (5),
+.IR getpwnam (3),
+.IR getpwnam_r (3),
+.IR getpwuid (3),
+.IR getpwuid_r (3).
+.IR getgrnam (3),
+.IR getpgram_r (3),
+and
+.IR getpgrent (3).
+.SH FILES
+.I /etc/tacplus_nss.conf
+- configuration file for TACACS+ NSS lookups
+.br
+.I /etc/tacplus_servers -
+default top-level TACSCS+ client configuration, that is included by
+.I /etc/tacplus_nss.conf
+to avoid duplicating configuration information.
+.SH AUTHOR
+Dave Olson <olson@cumulusnetworks.com>
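Review bot: the SEE ALSO list at the end of the hunk names getpgram_r(3) and getpgrent(3), which do not exist; the group-lookup counterparts of the passwd calls already listed are getgrnam_r(3) and getgrent(3), and the `.IR getpwuid_r (3).` line ends with a period where the rest of the list uses a comma, so the cross-reference list breaks into two sentences. Earlier in the hunk, the `.I debug=Number` entry follows `.PP` while every other option (`timeout`, `include`, `min_uid`, `exclude_users`) is introduced with `.TP`, so debug renders as plain paragraph text instead of a tagged option; the sentence beginning `Programs using the NSS tacplus plugin` opens a parenthesis at `(because` that is never closed; `it's` should be `its` in the timeout paragraph and in `file and it's man page`; and `TACSCS+` in the FILES section should be `TACACS+`. Given that the debug text itself warns the syslog output includes passwords, it would also help readers to state the value that disables it (the text only says components check for non-zero) rather than leaving that implicit.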