On 2019/05/23 20:09, Jan Vlach wrote:
> Hi Gleydson, Stuart, ports,
>
> I'm running tac_plus with 200+ boxes with IOS, IOS-XE and IOS-XR.
>
> please see attached tgz for updated port.
>
> - I've taken Gleydson's latest work from openbsd-wip (I don't see the
>   unexec and/or doc/shared implemented in PLIST) *
> - provided simplified tac_plus.conf.sample of stuff I have tested -
>   logging in as full admins with level 15 and limited show users that I
>   use for scripting/metrics. I can't really vouch for the functionality of
>   dialup users etc. The full-blown config file example is still in the
>   manpage
> - fixed typo in manpage for accounting to syslog - using `accounting
>   syslog;` (including semicolon) does not work, but parser does not
>   complain. If I remove the semicolon, accounting info gets logged to
>   syslog as daemon.info (this was nasty :) )
> - fixed paths for tac.acct, tac.log and tac.who - all of them go to
>   /var/log/tac_plus directory that's owned by _tacacs:_tacacs
> - ^ This fixes the case where you don't want to log into accounting file
>   and want syslog accounting only (disabling accounting file directive
>   leads to tacacs complaining of permission denied with default path
>   of /var/log/tac.acct). Changing the default path to
>   /var/log/tac_plus/tac.acct and removing `accounting file = ...'
>   directive properly disables logging to this file. Go figure :)
> - Updated paths in manpage (tac_plus.conf.5.in) as one is automatically
>   substituted from configure variables, while the other is hardcoded.
> - Added README file to remind administrator to rotate his/her files.
>
> * I've tried to add the @extraunexec rm -rf /var/log/tac_plus/*, but I'm
> not sure it works:
>
> On package deletion pkg_delete complains that directory is not empty:
> [20:07][root@samsara:/var/log]# pkg_delete tacacs+
> tacacs+-4.0.4.28v0: ok
> Read shared items: ok
> --- -tacacs+-4.0.4.28v0 -------------------
> You should also remove /etc/tac_plus.conf (which was modified)
> You should also run rm -f /var/log/tac_plus/*
> Error deleting directory /var/log/tac_plus: Directory not empty
> You should also run /usr/sbin/userdel _tacacs
> You should also run /usr/sbin/groupdel _tacacs
>
> I'm sorry, I've wrestled, but I don't understand how the doc/examples
> directories work - what needs to be done in pkg configure phase and what
> is done in PLIST?
>
> Cluestick please?
>
> I've tested the accounting part with py-tacacs_plus on -current, don't
> have a real network box around at this time. (Gonna dogfood this tomorrow
> or next week)
>
> Could you please have a look if this is okay?
>
> jvl
>
> On Thu, May 23, 2019 at 11:34:23AM -0300, Gleydson Soares wrote:
> > > Can you use the standard locations for doc/examples please rather
> > > than /usr/local/share/tacacs?
> >
> > Yep.
> >
> > > Needs @extraunexec rm -f /var/log/tac_plus/* for pkg_delete -c.
> >
> > Done.
> > Thanks for the feedback, I'm pushing it to openbsd-wip.
> >
> > PS.: I'm running it and it works just fine. It has a dozen Cisco Nexus
> > switches already connected.
> > privdrop (_tacacs) fine.
> >
> > I will add some changes to example files provided by Jan Vlach, for
> > pointing out how to use tac_plus on the fly on OpenBSD (like features
> > available with and without privdrop / etc).
> >
> > It would also be nice to send patches upstream. Jan Vlach, what do you
> > think about it?
> >
> > Cheers,
Slightly tweaked version attached, this one's ok with me:

- https homepage
- PERMIT_*_CDROM is not used for new ports
- whitespace nit in Makefile
- tweak comment in patch
- place @extraunexec above the @sample line, that way pkg_delete -c doesn't
  complain about a missing dir. (pkg_delete without -c will complain about
  not being able to remove the dir, that is no problem).
- regen plist to include pkg-readme
- adjust pkg-readme to set uid/gid on the files
- change group ownership of log dir to wheel, easier for admins
tacacs+,3.tgz
Description: application/tar-gz
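For readers following the accounting discussion above, here is an added tac_plus.conf sketch that puts together the points raised in the thread (syslog accounting without the trailing semicolon, the /var/log/tac_plus log path, a level-15 admin group and a show-only group). It is constructed for this page and is not the port's tac_plus.conf.sample; the shared key, user names, group names and password hashes are placeholders.

```conf
# Added example, not the port's tac_plus.conf.sample. Key, users and
# hashes are placeholders; paths follow the /var/log/tac_plus layout
# discussed in the thread.

# Shared secret between tac_plus and the network devices (placeholder).
key = "CHANGE-ME-shared-secret"

# Accounting to syslog (daemon.info). No trailing semicolon: the parser
# accepts "accounting syslog;" but then nothing is logged to syslog.
accounting syslog

# Optional file accounting. The directory is created by the package, so
# this works under the _tacacs privdrop; remove the line for syslog-only.
accounting file = /var/log/tac_plus/tac.acct

# Full administrators: everything permitted, exec session at level 15.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only accounts for scripting/metrics: only "show" commands are
# authorised, every other command is denied by default; exec at level 1.
group = readonly {
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}

user = alice {
    member = admins
    login = des "PLACEHOLDER-des-hash"
}

user = metrics {
    member = readonly
    login = des "PLACEHOLDER-des-hash"
}
```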