Install Tacacs+ Server integrated with LDAP System

Posted On 31 August 2009

Filed under Linux


Continuing from the simple Tacacs+ server install, we now install a Tacacs+ server integrated with an LDAP system. Here are the steps.

Install OpenLDAP
#apt-get install slapd ldap-utils libldap2-dev
#dpkg-reconfigure slapd
(Enter the new configuration: domain name, admin password, and whether LDAP v2 should be supported.) My LDAP domain is tacacs.

#/etc/init.d/slapd stop

Edit file /etc/ldap/ldap.conf
#vi /etc/ldap/ldap.conf

BASE    dc=tacacs
URI     ldap://202.47.74.253
SIZELIMIT       12
TIMELIMIT      15

Create an LDIF file to load into LDAP.
#vi /home/rahman/test.ldif

dn: ou=people,dc=tacacs
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=tacacs
objectClass: organizationalUnit
ou: groups

dn: uid=rahman,ou=people,dc=tacacs
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: rahman
sn: rahman
givenName: Rahman
cn: rahman
displayName: Mohamad Surahman
uidNumber: 1000
gidNumber: 10000
userPassword: rahman123
gecos: Mohamad Surahman
loginShell: /bin/bash
homeDirectory: /home/rahman
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: rahman@tacacs
postalCode: 31000
l: Toulouse
o: tacacs
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: ms

#slapadd -l /home/rahman/test.ldif

Start LDAP again
#/etc/init.d/slapd start

Test that the LDAP database now contains the entries we added from test.ldif
# ldapsearch -xLLL -b "dc=tacacs" dn

dn: dc=tacacs
dn: cn=admin,dc=tacacs
dn: ou=people,dc=tacacs
dn: ou=groups,dc=tacacs
dn: uid=rahman,ou=people,dc=tacacs

#slapcat -b 'dc=tacacs'

dn: dc=tacacs
objectClass: top
objectClass: dcObject
objectClass: organization
o: tacacs
dc: tacacs
structuralObjectClass: organization
entryUUID: a7d39be6-2a45-102e-90fd-cf073a966bba
creatorsName:
createTimestamp: 20090831064546Z
entryCSN: 20090831064546.046187Z#000000#000#000000
modifiersName:
modifyTimestamp: 20090831064546Z

dn: cn=admin,dc=tacacs
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fXpIeTExTUE4MUF1MVU=
structuralObjectClass: organizationalRole
entryUUID: a7df5ba2-2a45-102e-90fe-cf073a966bba
creatorsName:
createTimestamp: 20090831064546Z
entryCSN: 20090831064546.123307Z#000000#000#000000
modifiersName:
modifyTimestamp: 20090831064546Z

dn: ou=people,dc=tacacs
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit
entryUUID: 6ca7ba28-2a47-102e-8ab3-65100f7ceeb4
creatorsName:
createTimestamp: 20090831065825Z
entryCSN: 20090831065825.766495Z#000000#000#000000
modifiersName:
modifyTimestamp: 20090831065825Z

dn: ou=groups,dc=tacacs
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 6ca81842-2a47-102e-8ab4-65100f7ceeb4
creatorsName:
createTimestamp: 20090831065825Z
entryCSN: 20090831065825.769019Z#000000#000#000000
modifiersName:
modifyTimestamp: 20090831065825Z

dn: uid=rahman,ou=people,dc=tacacs
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: rahman
sn: rahman
givenName: Rahman
cn: rahman
displayName: Mohamad Surahman
uidNumber: 1000
gidNumber: 10000
userPassword:: cmFobWFuMTIz
gecos: Mohamad Surahman
loginShell: /bin/bash
homeDirectory: /home/rahman
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: rahman@tacacs
postalCode: 31000
l: Toulouse
o: tacacs
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: ms
structuralObjectClass: inetOrgPerson
entryUUID: 6ca83e26-2a47-102e-8ab5-65100f7ceeb4
creatorsName:
createTimestamp: 20090831065825Z
entryCSN: 20090831080519.808390Z#000000#000#000000
modifiersName: cn=admin,dc=tacacs
modifyTimestamp: 20090831080519Z
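The userPassword:: values in the slapcat dump above are only base64-encoded for LDIF transport: cmFobWFuMTIz decodes straight back to the cleartext password typed into test.ldif, while the admin entry's value decodes to a {crypt} hash that dpkg-reconfigure generated. As an added example, not from the post, a small Python helper that audits which entries store cleartext and produces an OpenLDAP {SSHA} value to write into the LDIF instead; function names and the sample LDIF are mine, the sample is copied from the dump above.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def decode_ldif_value(line: str):
    """Split one LDIF line into (attribute, raw bytes); 'attr::' means the value is base64."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip())
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip().encode()

def audit_userpasswords(ldif_text: str) -> dict:
    """Map each DN carrying a userPassword to 'hashed' ({scheme}...) or 'cleartext'."""
    report, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = decode_ldif_value(line)[1].decode()
        elif line.startswith("userPassword:") and dn is not None:
            value = decode_ldif_value(line)[1]
            report[dn] = "hashed" if value.startswith(b"{") else "cleartext"
    return report

def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} format: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against an {SSHA} value the way slapd does (salt is the trailing bytes)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

# Constructed sample: the two userPassword lines from the slapcat output in the post.
SAMPLE_LDIF = """dn: cn=admin,dc=tacacs
userPassword:: e2NyeXB0fXpIeTExTUE4MUF1MVU=

dn: uid=rahman,ou=people,dc=tacacs
userPassword:: cmFobWFuMTIz
"""

if __name__ == "__main__":
    print(audit_userpasswords(SAMPLE_LDIF))
    print("LDIF line to use instead:", "userPassword: " + make_ssha("rahman123"))
```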

Download the latest tac_plus package and the LDAP patch
#cd /home/rahman/linux
#wget http://www.gazi.edu.tr/tacacs/get.php?src=tac_plus_v9a.tar.gz
#wget http://www.gazi.edu.tr/tacacs/patches/edmar_borges_ldap.c

Extract the Tacacs+ package and drop the LDAP patch in as ldap.c
#tar -zxvf tac_plus_v9a.tar.gz
#cd /home/rahman/linux/tac_plus_v9a
#cp ../edmar_borges_ldap.c ldap.c

Install the compiler needed to build the Tacacs+ package
#apt-get install g++

Configure and compile Tacacs+ with LDAP support
#./configure --with-ldap
#make tac_plus

We'll get an error (static declaration of nopasswd_str follows non-static declaration). We have to edit the file config.c and remove the static modifier from nopasswd_str.

Before

static char *authen_default = NULL; /* top level authentication default */
static int authen_default_method = 0; /*For method check */
static char *nopasswd_str = "nopasswd";

After

static char *authen_default = NULL; /* top level authentication default */
static int authen_default_method = 0; /*For method check */
char *nopasswd_str = "nopasswd";

#make tac_plus
#make install

Next, we create the directory and file for the tacacs configuration.

#mkdir /etc/tac-plus
#vim /etc/tac-plus/tacacs.conf

# Comment the accounting line out while debugging.
# Set up accounting if it is enabled on the NAS
accounting file = /var/log/tac-plus/account.txt

# NAS key below (must match the tacacs-server key on the router)
key = chayank123

# Authenticate every user against LDAP: search base dc=tacacs, match the login name on uid
default authentication = ldap "ldap://202.47.74.253:389/base=dc=tacacs/attribute=uid"
user = DEFAULT {
    service = ppp protocol = ip {
    }
}

# Enable password setup for everyone:
user = $enable$ {
    global = cleartext "login"
}
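What the shared key in that configuration actually does on the wire, as an added example that is not from the post: TACACS+ does not encrypt with the key in the usual sense, it XORs each packet body with a pseudo-pad of chained MD5 digests over session_id, key, version and seq_no (RFC 8907). A key mismatch between server and router therefore does not produce a clear error; each side just decodes garbage, which is what a failed login with a wrong "key 7" line looks like. Function names and the sample body are mine; the key is the post's chayank123.

```python
import hashlib
import struct

# Header field values from RFC 8907 (TACACS+).
TAC_PLUS_MAJOR_VER = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 pad: MD5(session_id|key|version|seq_no[|previous digest]) until long enough."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; the same call reverses it, so this both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1,
                 ptype: int = TAC_PLUS_AUTHEN, flags: int = 0) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    version = TAC_PLUS_MAJOR_VER
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the body; a wrong key does not fail here, it silently yields garbage bytes."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)

if __name__ == "__main__":
    # Constructed sample: an arbitrary body and session id, with the post's NAS key.
    body = b"constructed authentication START body"
    pkt = build_packet(body, 0x1234ABCD, b"chayank123")
    print("same key round-trips:", parse_packet(pkt, b"chayank123") == body)
    print("wrong key yields garbage:", parse_packet(pkt, b"wrong-key") != body)
```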

Then create an init script to run the tacacs service.
#vim /etc/init.d/tac-plus

#!/bin/sh
#
### BEGIN INIT INFO
# Provides: tac-plus
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: Start tac-plus server.
# Description: Run the tac-plus server listening for
# AAA (authentication, authorization and accounting requests)
# from routers or RAS (remote access servers) via the
# tacacs+ protocol
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/tac_plus
NAME=tac_plus
DESC="Tacacs+ server"
OTHER_OPTS="-d 248"
CONFIG_FILE="/etc/tac-plus/tacacs.conf"

test -f $DAEMON || exit 0

if [ -r /etc/default/tac-plus ] ; then
    . /etc/default/tac-plus
fi

DAEMON_OPTS="-C $CONFIG_FILE $OTHER_OPTS"
#set -e

case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid \
        --exec $DAEMON
    echo "$NAME."
    ;;
  #reload)
  #
  # The daemon AFAIK has problems reloading its
  # config files on the fly. When sent the signal
  # it dies trying to bind again to the socket.
  # So it has been disabled.
  #  echo "Reloading $DESC configuration files."
  #  start-stop-daemon --stop --signal FIXME --quiet --pidfile \
  #      /var/run/$NAME.pid --exec $DAEMON
  #;;
  restart|force-reload)
    #
    echo -n "Restarting $DESC: "
    start-stop-daemon --stop --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet --pidfile \
        /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  *)
    N=/etc/init.d/$NAME
    # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

#chmod u+x /etc/init.d/tac-plus

Make the Tacacs+ service start at boot
#update-rc.d tac-plus start 30 2 3 4 5 . stop 70 0 1 6 .

Set up the tacacs+ accounting log
#mkdir /var/log/tac-plus
#touch /var/log/tac-plus/account.txt

Start tacacs+
#/etc/init.d/tac-plus start

Check that the tacacs and LDAP services are listening
#netstat -pln | grep tac
tcp 0 0 0.0.0.0:49 0.0.0.0:* LISTEN 9497/tac_plus

#netstat -pln | grep slapd
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      26368/slapd    
tcp6       0      0 :::389                  :::*                    LISTEN      26368/slapd    

Alright! We'll test this tacacs authentication server against a real router. My tacacs+ IP is 202.47.70.253/248 and the router IP is 202.47.66.253/248.

Let’s figure it out…

TACACS+ Conf
==========
Key for NAS : chayank123

LDAP uid=rahman,ou=people,dc=tacacs
Username : rahman
Password : rahman123
enable pass : login

Router Conf
==========
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
——————————
interface FastEthernet0/0
ip address 202.47.66.253 255.255.255.248
duplex auto
speed auto
——————————
tacacs-server host 202.47.74.253
tacacs-server directed-request
tacacs-server key 7 070C294D5708170E464058              > chayank123

I'll try to log into router 202.47.66.253.

ts@ts04-surahman:~$ telnet 202.47.66.253
Trying 202.47.66.253…
Connected to 202.47.66.253.
Escape character is '^]'.

User Access Verification

Username: rahman > my username
Password:               > rahman123

Router>ena
Password:               > login
Router#

Yes! Tacacs+ authentication backed by LDAP now works. We can log into the router through this server.

~ Thanks for stopping by ~
