On 2019/05/23 20:09, Jan Vlach wrote:
> Hi Gleydson, Stuart, ports,
>
> I'm running tac_plus with 200+ boxes with IOS, IOS-XE and IOS-XR.
>
> please see attached tgz for updated port.
>
> - I've taken Gleydson's latest work from openbsd-wip (I don't see the
> unexec and/or doc/shared implemented in PLIST) *
> - provided a simplified tac_plus.conf.sample of stuff I have tested -
> logging in as full admins with level 15 and limited show users that I
> use for scripting/metrics. I can't really vouch for the functionality of
> dialup users etc. The full-blown config file example is still in the
> manpage
> - fixed typo in manpage for accounting to syslog - using `accounting
> syslog;` (including semicolon) does not work, but parser does not
> complain. If I remove the semicolon, accounting info gets logged to
> syslog as daemon.info (this was nasty :) )
> - fixed paths for tac.acct, tac.log and tac.who - all of them go to
> /var/log/tac_plus directory that's owned by _tacacs:_tacacs
> - ^ This fixes the case where you don't want to log into the accounting file
> and want syslog accounting only (disabling the accounting file directive
> leads to tacacs complaining of permission denied with the default path
> of /var/log/tac.acct) Changing the default path to
> /var/log/tac_plus/tac.acct and removing `accounting file = ...'
> directive properly disables logging to this file. Go figure :)
> - Updated paths in manpage (tac_plus.conf.5.in) as one is automatically
> substituted from configure variables, while the other is hardcoded.
> - Added a README file to remind the administrator to rotate his/her files.
>
> * I've tried to add the @extraunexec rm -rf /var/log/tac_plus/*, but I'm
> not sure it works:
>
> On package deletion pkg_delete complains that directory is not empty:
> [20:07][root@samsara:/var/log]# pkg_delete tacacs+
> tacacs+-4.0.4.28v0: ok
> Read shared items: ok
> --- -tacacs+-4.0.4.28v0 -------------------
> You should also remove /etc/tac_plus.conf (which was modified)
> You should also run rm -f /var/log/tac_plus/*
> Error deleting directory /var/log/tac_plus: Directory not empty
> You should also run /usr/sbin/userdel _tacacs
> You should also run /usr/sbin/groupdel _tacacs
>
> I'm sorry, I've wrestled, but I don't understand how the doc/examples directories work -
> what needs to be done in pkg configure phase and what is done in PLIST?
>
> Cluestick please?
>
> I've tested the accounting part with py-tacacs_plus on -current, don't have a real
> network box around at this time. (Gonna dogfood this tomorrow or next
> week)
>
> Could you please have a look if this is okay?
>
> jvl
>
> On Thu, May 23, 2019 at 11:34:23AM -0300, Gleydson Soares wrote:
> > > Can you use the standard locations for doc/examples please rather
> > > than /usr/local/share/tacacs?
> >
> > Yep.
> >
> > > Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.
> >
> > Done.
> > Thanks for the feedback, i'm pushing it to openbsd-wip.
> >
> > PS.: I'm running it and it works just fine. It has a dozen Cisco Nexus switches already connected.
> > privdrop (_tacacs) fine.
> >
> > I will add some changes to the example files provided by Jan Vlach, pointing out how to use tac_plus on the fly on OpenBSD (like features available with and without privdrop, etc.).
> >
> > It would also be nice to send the patches upstream. Jan Vlach, what do you think?
> >
> > Cheers,
> >
Slightly tweaked version attached, this one's ok with me:
- https homepage
- PERMIT_*_CDROM is not used for new ports
- whitespace nit in Makefile
- tweak comment in patch
- place @extraunexec above the @sample line, that way pkg_delete -c doesn't
complain about a missing dir. (pkg_delete without -c will complain about
not being able to remove the dir, that is no problem).
- regen plist to include pkg-readme
- adjust pkg-readme to set uid/gid on the files
- change group ownership of log dir to wheel, easier for admins
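For readers who want to see the two roles Jan describes (full admins at privilege level 15, read-only accounts limited to show commands) together with the syslog-only accounting setup discussed in the thread, here is a minimal tac_plus.conf. This is an added example written for this page, not the port's tac_plus.conf.sample and not code from any of the posters; the shared key, user names and password strings are placeholders, and the directive syntax is that documented in Shrubbery tac_plus's tac_plus.conf(5).

```conf
# Added example, not the port's tac_plus.conf.sample.
# Key, user names and password strings are placeholders.

# Shared secret with the network devices (placeholder).
key = "replace-me"

# Accounting to syslog only (daemon.info). No trailing semicolon:
# as reported above, "accounting syslog;" is accepted by the parser
# but logs nothing. With the file directive commented out, nothing is
# written under /var/log/tac_plus and no permission error is raised.
accounting syslog
# accounting file = /var/log/tac_plus/tac.acct

# Full administrators: exec shell at privilege level 15, everything permitted.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only accounts for scripting/metrics: only "show ..." is authorized
# when the device asks for command authorization.
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}

# Placeholder users; replace the strings with real crypt(3) hashes.
user = admin1 {
    member = admins
    login = des "XXXXXXXXXXXXX"
}

user = metrics {
    member = readonly
    login = des "XXXXXXXXXXXXX"
}
```

If you do keep the `accounting file = ...` directive, the target must be writable by the unprivileged _tacacs user after the privdrop, which is the reason the port moves the default files under /var/log/tac_plus rather than directly under /var/log.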