forked from daveolson53/libnss-tacplus
tacplus_nss.conf.5
114 lines (114 loc) · 3.96 KB
.TH tacplus_nss.conf 5
.\" Copyright 2018, 2019 Cumulus Networks, Inc. All rights reserved.
.SH NAME
/etc/tacplus_nss.conf \- TACACS+ client configuration file
.SH SYNOPSIS
.B /etc/tacplus_nss.conf
is the primary configuration file for the NSS tacplus client plugin.
.SH DESCRIPTION
All NSS passwd and group lookups for the tacplus client use this configuration file.
This plugin
does lookups on TACACS+ user information, and for group lookups, substitutes the
login name of tacacs users for the mapping names
.IR tacacs0 ... tacacs15 .
These accounts must be listed in the
.B /etc/passwd
and
.B /etc/group
files for the client-side mapping based on privilege level to work successfully.
.PP
The
.I tacplus_nss.conf
file is minimal, because it uses the
.I include
directive to read the
.I /etc/tacplus_servers
file for most of the configuration items.
.P
However, non-root accounts will not be able to read the
.I /etc/tacplus_servers
contents due to required security file permissions. This normally is not an issue,
due to the use of the tacplus client mapping database.
.P
Configuration variables set prior to the
.I include
directive may be modified or extended by the common configuration file.
Those that follow the
.I include
directive will override those in the common configuration file.
.PP
Most commonly, the
.I timeout
and
.I debug
variables are set in this configuration file, so they can use different
values than the PAM libraries, etc.
.PP
Programs using the NSS tacplus plugin may not be able to read this
file when running as a non-root user, because
.I tacplus_servers
has permissions that do not allow world access, since it contains the
shared secret key.
For that reason the
.B secret
keyword should typically not be used in this NSS configuration file.
.TP
.I debug=Number
Output debugging information via syslog(3).
Debugging is heavy, including passwords. Do not leave debugging enabled on a production switch once you have completed troubleshooting. Currently most components only check to see if it is non-zero. Some components will print additional debug if set to
.BR 2 .
.TP
.I timeout=SECONDS
Sets the per-connection timeout for reaching the TACACS+ server(s). For the NSS plugin,
there is typically only one connection per lookup.
The libnss functionality typically sets a smaller timeout in its
own configuration file than the value set in
.IR /etc/tacplus_servers ,
because NSS lookups are more frequent and less important than logins.
.TP
.I include=/file/name
Open the listed file, and continue to read configuration from that file,
if the open is successful. This avoids duplication of configuration information.
A maximum of 8 configuration files may be used.
.TP
.I min_uid=value
This is the minimum uid the NSS plugin will look up. Setting this to 0
means uid 0 (root) is never looked up, which is good for robustness and performance.
Cumulus Linux ships with it set to 1001, to ignore system users and the
.I cumulus
user, which typically has uid 1000. It should not be greater
than the uids of the local
.IR tacacs0 ... tacacs15
accounts, or they will not be looked up.
.TP
.I exclude_users=user1,user2,*,...
This is a comma-separated list of usernames that are never looked up
by this NSS plugin; instead they cause an early "not found" return.
.B *
(asterisk) is not a wildcard in this list. While it is not a legal username,
bash may look it up as a user name during pathname completion, so
it is included in this list as a literal username string.
.PP
For all the other configuration variables, see the
.I /etc/tacplus_servers
file and its man page.
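The following is an added example, not code from libnss-tacplus: a small Python model of the precedence rule for the include directive and of the min_uid and exclude_users lookup gates described above. The file contents are constructed in memory, the secret is a placeholder, and treating lines beginning with # as comments is an assumption; the root special case of min_uid=0 is not modelled.

```python
# Added example: models the config precedence and lookup gating described in
# tacplus_nss.conf(5). Not the plugin's own C code; files are an in-memory dict.
MAX_CONFIG_FILES = 8  # the page allows at most 8 configuration files


def parse_config(files, path, cfg=None, count=None):
    """Read key=value lines from files[path], following include directives.

    A later assignment always wins, which gives the documented behaviour:
    values set before include may be changed by the included file, values
    set after it override the included file. An include that cannot be
    opened is skipped, and the 8-file limit is enforced."""
    cfg = {} if cfg is None else cfg
    count = [0] if count is None else count
    if path not in files or count[0] >= MAX_CONFIG_FILES:
        return cfg
    count[0] += 1
    for line in files[path].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # comment syntax: assumption
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "include":
            parse_config(files, value, cfg, count)
        else:
            cfg[key] = value
    return cfg


def lookup_allowed(cfg, name=None, uid=None):
    """True if the plugin would contact a TACACS+ server for this lookup.
    Names listed in exclude_users (a literal list; '*' is not a wildcard)
    and uids below min_uid return 'not found' without a server query."""
    excluded = {u.strip() for u in cfg.get("exclude_users", "").split(",") if u.strip()}
    if name is not None and name in excluded:
        return False
    if uid is not None and uid < int(cfg.get("min_uid", 0)):
        return False
    return True


# Constructed sample files; the secret value is a placeholder.
FILES = {
    "/etc/tacplus_nss.conf": "debug=0\ninclude=/etc/tacplus_servers\n"
    "timeout=3\nmin_uid=1001\nexclude_users=root,daemon,*\n",
    "/etc/tacplus_servers": "secret=EXAMPLE_SECRET_PLACEHOLDER\ntimeout=10\n"
    "debug=1\ninclude=/etc/does_not_exist\n",
}
CFG = parse_config(FILES, "/etc/tacplus_nss.conf")  # debug=1, timeout=3
```

Because debug is set before the include, the common file's debug=1 wins; because timeout is set after it, the NSS file's shorter timeout=3 wins.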
.SH "SEE ALSO"
.BR tacplus_servers (5),
.IR getpwnam (3),
.IR getpwnam_r (3),
.IR getpwuid (3),
.IR getpwuid_r (3),
.IR getgrnam (3),
.IR getgrnam_r (3),
and
.IR getgrent (3).
.SH FILES
.I /etc/tacplus_nss.conf
- configuration file for TACACS+ NSS lookups
.br
.I /etc/tacplus_servers
- default top-level TACACS+ client configuration, which is included by
.I /etc/tacplus_nss.conf
to avoid duplicating configuration information.
.SH AUTHOR
Dave Olson <[email protected]>