From a1332024816b66174a96559b0be94dc9452a5ad8 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 15 Dec 2024 09:33:28 +0100 Subject: tacacs: T6613: dynamically build exclude_users list to avoid TACACS traffic There is no need to send local base OS accounts like root or daemon to the tacacs server. This will only make the CLI experience sluggish. Build up a dynamic list of user accounts to exclude from TACACS lookup. --- data/templates/login/tacplus_nss.conf.j2 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'data') diff --git a/data/templates/login/tacplus_nss.conf.j2 b/data/templates/login/tacplus_nss.conf.j2 index 2a30b1710..1c5402233 100644 --- a/data/templates/login/tacplus_nss.conf.j2 +++ b/data/templates/login/tacplus_nss.conf.j2 @@ -21,7 +21,7 @@ # Cumulus Linux ships with it set to 1001, so we never lookup our standard # local users, including the cumulus uid of 1000. Should not be greater # than the local tacacs{0..15} uids -min_uid=900 +min_uid={{ tacacs_min_uid }} # This is a comma separated list of usernames that are never sent to # a tacacs server, they cause an early not found return. @@ -30,7 +30,7 @@ min_uid=900 # that during pathname completion, bash can do an NSS lookup on "*" # To avoid server round trip delays, or worse, unreachable server delays # on filename completion, we include "*" in the exclusion list. -exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }} +exclude_users=*{{ ',' + exclude_users | join(',') if exclude_users is vyos_defined }} # The include keyword allows centralizing the tacacs+ server information # including the IP address and shared secret @@ -71,4 +71,3 @@ source_ip={{ tacacs.source_address }} # as in tacplus_servers, since tacplus_servers should not be readable # by users other than root. timeout={{ tacacs.timeout }} - -- cgit v1.2.3