#%NSS_TACPLUS-1.0 # Install this file as /etc/tacplus_nss.conf # Edit /etc/nsswitch.conf to add tacplus to the passwd lookup, similar to this # where tacplus precede compat (or files), and depending on local policy can # follow or precede ldap, nis, etc. # passwd: tacplus compat # # Servers are tried in the order listed, and once a server # replies, no other servers are attempted in a given process instantiation # # This configuration is similar to the libpam_tacplus configuration, but # is maintained as a configuration file, since nsswitch.conf doesn't # support passing parameters. Parameters must start in the first # column, and parsing stops at the first whitespace # if set, errors and other issues are logged with syslog #debug=1 # min_uid is the minimum uid to lookup via tacacs. Setting this to 0 # means uid 0 (root) is never looked up, good for robustness and performance # Cumulus Linux ships with it set to 1001, so we never lookup our standard # local users, including the cumulus uid of 1000. Should not be greater # than the local tacacs{0..15} uids min_uid=900 # This is a comma separated list of usernames that are never sent to # a tacacs server, they cause an early not found return. # # "*" is not a wild card. While it's not a legal username, it turns out # that during pathname completion, bash can do an NSS lookup on "*" # To avoid server round trip delays, or worse, unreachable server delays # on filename completion, we include "*" in the exclusion list. exclude_users=root,telegraf,radvd,strongswan,tftp,conservr,frr,ocserv,pdns,_chrony,_lldpd,sshd,openvpn,radius_user,radius_priv_user,*{{ ',' + user | join(',') if user is vyos_defined }} # The include keyword allows centralizing the tacacs+ server information # including the IP address and shared secret # include=/etc/tacplus_servers # The server IP address can be optionally followed by a ':' and a port # number (server=1.1.1.1:49). It is strongly recommended that you NOT # add secret keys to this file, because it is world readable. {% if tacacs.server is vyos_defined %} {% for server, server_config in tacacs.server.items() %} secret={{ server_config.key }} server={{ server }}:{{ server_config.port }} {% endfor %} {% endif %} {% if tacacs.vrf is vyos_defined %} # If the management network is in a vrf, set this variable to the vrf name. # This would usually be "mgmt". When this variable is set, the connection to the # TACACS+ accounting servers will be made through the named vrf. vrf={{ tacacs.vrf }} {% endif %} {% if tacacs.source_address is vyos_defined %} # Sets the IPv4 address used as the source IP address when communicating with # the TACACS+ server. IPv6 addresses are not supported, nor are hostnames. # The address must work when passsed to the bind() system call, that is, it must # be valid for the interface being used. source_ip={{ tacacs.source_address }} {% endif %} # The connection timeout for an NSS library should be short, since it is # invoked for many programs and daemons, and a failure is usually not # catastrophic. Not set or set to a negative value disables use of poll(). # This follows the include of tacplus_servers, so it can override any # timeout value set in that file. # It's important to have this set in this file, even if the same value # as in tacplus_servers, since tacplus_servers should not be readable # by users other than root. timeout={{ tacacs.timeout }}