README.LDAP
LDAP Authentication with Tacacs+
--------------------------------
Author : Harpes Patrick ([email protected])
         Jahnen Andreas ([email protected])
Date   : 16.03.2001
License:
--------
tac_ldap is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2,
or (at your option) any later version.
This document aims to describe how to perform LDAP authentication for tacacs+.
Requirements:
-------------
1) tac_plus.F5.0.0.alpha.tar.gz
   This package includes the original CISCO tacacs+ package from http://www.gazi.edu.tr/tacacs/
2) openldap package
   This package has been developed using the OpenLDAP libraries version 2.0.7.
   OpenLDAP is available from www.openldap.org
3) GCC and other GNU development tools (make...)
4) A running LDAP server (tests have been made using the Lotus Domino LDAP server version 5.0.x and
   OpenLDAP)
Overview:
---------
----------------           ------------          ----------------
- CISCO Dialup -           - Server   -          - Notes DOMINO -
- Router       -__tacacs+__- running  -___LDAP___- LDAP Server  -
----------------           - tacacs+  -          - or other     -
                           ------------          - LDAP Server  -
                                                 ----------------

The CISCO router sends tacacs+ requests to the tacacs+ server, which in turn uses the LDAP
server to authenticate the user (by attempting an LDAP bind with the user's credentials).
HowTo configure the CISCO router?
---------------------------------
There is good documentation available on how to set up the CISCO router to use
tacacs+. These documents can be found on the tacacs+ homepage http://www.gazi.edu.tr/tacacs/
HowTo install the tacacs+ package with LDAP support?
----------------------------------------------------
To enable the LDAP support in the tacacs+ package, you have to perform the following steps:

1. Install the OpenLDAP package (version 2.0.7) (www.openldap.org)
   Refer to its INSTALL document to build this package.

2. Unpack the tacacs+ package in /usr/local/src
   # tar -zxvf tac_plus.F5.0.0.alpha.tar.gz

3. Use the configure script to create the Makefiles
   # cd /usr/local/src/tac_plus.F5.0.0.alpha/
   # ./configure --with-ldap
   You can use ./configure --help to get more options.

4. Compile the package
   # make tac_plus

5. Set your LD_LIBRARY_PATH to include the LDAP libraries
   # LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
HowTo configure tacacs+ for using the LDAP support
--------------------------------------------------
To use the LDAP authentication, use the following simple tacacs+ configuration file:

    key = "your tacacs key"
    accounting file = /var/log/tac-plus/tac_plus.log
    default authentification = ldap "ldap://<Hostname of your LDAP server>"

    user=DEFAULT {
        service = ppp protocol = ip {
        }
    }
For more information on the configuration file please use the complete tacacs+ documentation.
How to start the tacacs+ daemon
-------------------------------
Make sure your LD_LIBRARY_PATH includes the LDAP libraries.
As root, start the tacacs daemon:

    # /usr/local/src/tac_plus.F5.0.0.alpha/tac_plus -C tac_plus.cfg
How to configure the LDAP server
--------------------------------
a) Notes Domino LDAP server
---------------------------
You have to enable the Domino server task "LDAP" with the Administration Tool. You
can do this with the command "load ldap" at the server console or with the help of
the Tools menu of the Server tab (Tools -> Task -> Start "LDAP Server").

You can define which attributes of your Domino Directory are accessible to
anonymous users, and whether writing to your Domino Directory over LDAP is allowed, in
a Configuration document. You have to select "Use these settings as the default
settings for all servers" in the Basics tab of the Configuration document to display
the LDAP options tab. There you are able to adjust the settings for your LDAP server.

For additional information see the IBM Redbook "Getting the most from your Domino
Directory" (11/2000), which you can download from http://www.redbooks.ibm.com.
b) OpenLDAP
-----------
It is also possible to use OpenLDAP for this kind of authentication. Please look at
the documentation at http://www.openldap.org for details on how to install the server.
Security
---------
The tacacs+ queries described here do not query any of the fields stored in your LDAP
server. We only try to log in (an LDAP bind with the user's DN and password), and this
is the whole "test" we perform here.

Please note that the passwords are not sent encrypted. You have to make sure that it is
not possible to sniff them. In general there is no support in tacacs+ for encrypted
passwords.

It may be possible to use OpenLDAP with TLS support to encrypt the passwords and use a
secure LDAP server. This is supported by both Domino and OpenLDAP, but it is not implemented here.
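The following is an added example, not part of tac_ldap: it performs the same "just try to log in" check described in the Overview and Security sections as a raw LDAPv3 simple bind (BER encoded by hand, no LDAP library), so the wire format is visible and the cleartext-password problem can be checked directly on the PDU. The host, DN and password values are constructed placeholders; the result codes are the standard LDAP ones (success = 0, invalidCredentials = 49).

```python
# Added example (not tac_ldap code): LDAPv3 simple bind as an authentication test.
# Sample DN/password/host values below are constructed placeholders.
import socket

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49   # standard LDAP result codes

def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    msg_id is kept below 128 so the INTEGER fits in one octet."""
    bind = _tlv(0x60, _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode())
                + _tlv(0x80, password.encode()))   # [0] simple authentication
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def parse_bind_response(data):
    """Return (messageID, resultCode) from a BindResponse PDU."""
    tag, msg, _ = _read_tlv(data, 0)               # LDAPMessage SEQUENCE
    t_id, mid, pos = _read_tlv(msg, 0)             # messageID INTEGER
    t_body, body, _ = _read_tlv(msg, pos)          # BindResponse [APPLICATION 1]
    if tag != 0x30 or t_id != 0x02 or t_body != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(body, 0)                # resultCode ENUMERATED
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")

def password_on_wire(pdu, password):
    """True if the password appears verbatim in the PDU (what a sniffer would see without TLS)."""
    return password.encode() in pdu

def ldap_simple_bind(host, dn, password, port=389, timeout=5):
    """The tac_ldap-style test: a successful bind means the user authenticated."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        _, code = parse_bind_response(s.recv(4096))   # bind responses are small
    return code == LDAP_SUCCESS
```

ldap_simple_bind needs a reachable server; the encoder, decoder and password_on_wire run offline and show why the Security section insists the link must not be sniffable.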
Good luck,
Harpes Patrick ([email protected]) and Jahnen Andreas ([email protected])