This repository has been archived by the owner on Oct 13, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 13
/
tacplus_nss.conf
53 lines (47 loc) · 2.39 KB
/
tacplus_nss.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#%NSS_TACPLUS-1.0
# Install this file as /etc/tacplus_nss.conf
# Edit /etc/nsswitch.conf to add tacplus to the passwd lookup, similar to this
# where tacplus precede compat (or files), and depending on local policy can
# follow or precede ldap, nis, etc.
# passwd: tacplus compat
#
# Servers are tried in the order listed, and once a server
# replies, no other servers are attempted in a given process instantiation
#
# This configuration is similar to the libpam_tacplus configuration, but
# is maintained as a configuration file, since nsswitch.conf doesn't
# support passing parameters. Parameters must start in the first
# column, and parsing stops at the first whitespace
# if set, errors and other issues are logged with syslog
# debug=1
# min_uid is the minimum uid to lookup via tacacs. Setting this to 0
# means uid 0 (root) is never looked up, good for robustness and performance
# Cumulus Linux ships with it set to 1001, so we never lookup our standard
# local users, including the cumulus uid of 1000. Should not be greater
# than the local tacacs{0..15} uids
min_uid=1001
# This is a comma separated list of usernames that are never sent to
# a tacacs server, they cause an early not found return.
#
# "*" is not a wild card. While it's not a legal username, it turns out
# that during pathname completion, bash can do an NSS lookup on "*"
# To avoid server round trip delays, or worse, unreachable server delays
# on filename completion, we include "*" in the exclusion list.
exclude_users=root,cumulus,quagga,sshd,ntp,*
# The include keyword allows centralizing the tacacs+ server information
# including the IP address and shared secret
include=/etc/tacplus_servers
# The server IP address can be optionally followed by a ':' and a port
# number (server=1.1.1.1:49). It is strongly recommended that you NOT
# add secret keys to this file, because it is world readable.
#secret=SECRET1
#server=1.1.1.1
# The connection timeout for an NSS library should be short, since it is
# invoked for many programs and daemons, and a failure is usually not
# catastrophic. Not set or set to a negative value disables use of poll().
# This follows the include of tacplus_servers, so it can override any
# timeout value set in that file.
# It's important to have this set in this file, even if the same value
# as in tacplus_servers, since tacplus_servers should not be readable
# by users other than root.
timeout=5