authorChristian Breunig <christian@breunig.cc>2024-12-15 09:33:28 +0100
committerChristian Breunig <christian@breunig.cc>2024-12-15 11:03:26 +0100
commita1332024816b66174a96559b0be94dc9452a5ad8 (patch)
treeb71ba89f0bc5708daffdd5d1f884491481c7dccc /data
parenteecf5daea2c24505f1b9112580577211e383cb89 (diff)
downloadvyos-1x-a1332024816b66174a96559b0be94dc9452a5ad8.tar.gz
vyos-1x-a1332024816b66174a96559b0be94dc9452a5ad8.zip
tacacs: T6613: dynamically build exclude_users list to avoid TACACS traffic
There is no need to send lookups for local base OS accounts like root or daemon to the TACACS+ server; doing so only makes the CLI experience sluggish. Build a dynamic list of user accounts to exclude from the TACACS+ lookup instead of hard-coding it in the template.
Diffstat (limited to 'data')
-rw-r--r--data/templates/login/tacplus_nss.conf.j25
1 files changed, 2 insertions, 3 deletions
diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2
index 2a30b1710..1c5402233 100644
--- a/data/templates/login/tacplus_nss.conf.j2
+++ b/data/templates/login/tacplus_nss.conf.j2
@@ -21,7 +21,7 @@
# Cumulus Linux ships with it set to 1001, so we never lookup our standard
# local users, including the cumulus uid of 1000. Should not be greater
# than the local tacacs{0..15} uids
-min_uid=900
+min_uid={{ tacacs_min_uid }}
# This is a comma separated list of usernames that are never sent to
# a tacacs server, they cause an early not found return.
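Review bot: `min_uid={{ tacacs_min_uid }}` is rendered without the `is vyos_defined` guard that the rest of this template uses, so a render context that lacks `tacacs_min_uid` produces a bare `min_uid=` line instead of the previous fixed `900`. How libnss-tacplus parses an empty value is not visible here, but if it falls back to 0 the local-uid short-circuit is lost and every uid lookup, root included, goes to the TACACS+ server, which is the slow path this commit is trying to avoid. Keeping the old value as a fallback preserves the previous behaviour: `min_uid={{ tacacs_min_uid if tacacs_min_uid is vyos_defined else 900 }}`. The surrounding comment still describes the Cumulus Linux fixed value; since the number is now computed, I would add `# Computed from the local account database; must stay below the uid of every locally created tacacs{0..15} mapping user` so the next maintainer knows the constraint the generator has to honour.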
@@ -30,7 +30,7 @@ min_uid=900
# that during pathname completion, bash can do an NSS lookup on "*"
# To avoid server round trip delays, or worse, unreachable server delays
# on filename completion, we include "*" in the exclusion list.
-exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }}
+exclude_users=*{{ ',' + exclude_users | join(',') if exclude_users is vyos_defined }}
# The include keyword allows centralizing the tacacs+ server information
# including the IP address and shared secret
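Review bot: The new `exclude_users=*{{ ',' + exclude_users | join(',') if exclude_users is vyos_defined }}` line makes the exclusion of root, sshd and the other previously hard-coded accounts depend entirely on what the caller puts into `exclude_users`; if that variable is missing the line renders as `exclude_users=*` and lookups for every local system account are forwarded to the TACACS+ server. If `vyos_defined` accepts an empty list (I cannot tell from this hunk), the line renders as `exclude_users=*,` with a trailing empty username whose handling by libnss-tacplus is undocumented here; guarding on emptiness as well avoids both cases: `exclude_users=*{{ ',' + exclude_users | join(',') if exclude_users is vyos_defined and exclude_users }}`. The comment block above the line still reads as if the list were static; I would add `# exclude_users is generated by the config script from the local account database and should at least cover root and the locally created tacacs{0..15} mapping users` so the contract with the generator is visible in the template.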
@@ -71,4 +71,3 @@ source_ip={{ tacacs.source_address }}
# as in tacplus_servers, since tacplus_servers should not be readable
# by users other than root.
timeout={{ tacacs.timeout }}
-