|Main index||Section 3||日本語||한국인||Options|
Before issuing any TACACS+ requests, the library must be made aware of the servers it can contact. The easiest way to configure the library is to call tac_config(). tac_config() causes the library to read a configuration file whose format is described in tacplus.conf(5). The pathname of the configuration file is passed as the file argument to tac_config(). This argument may also be given as NULL, in which case the standard configuration file /etc/tacplus.conf is used. tac_config() returns 0 on success, or -1 if an error occurs.
The library can also be configured programmatically by calls to tac_add_server(). The host parameter specifies the server host, either as a fully qualified domain name or as a dotted-quad IP address in text form. The port parameter specifies the TCP port to contact on the server. If port is given as 0, the library uses port 49, the standard TACACS+ port. The shared secret for the server host is passed to the secret parameter. It may be any null-terminated string of bytes. The timeout for receiving replies from the server is passed to the timeout parameter, in units of seconds. The flags parameter is a bit mask of flags to specify various characteristics of the server. It may contain:
|Causes the library to attempt to negotiate single connection mode when communicating with the server. In single connection mode, the original TCP connection is held open for multiple TACACS+ sessions. Older servers do not support this mode, and some of them become confused if the client attempts to negotiate it.|
tac_add_server() returns 0 on success, or -1 if an error occurs.
tac_add_server() may be called multiple times, and it may be used together with tac_config(). At most 10 servers may be specified. When multiple servers are given, they are tried in round-robin fashion until a working, accessible server is found. Once the library finds such a server, it continues to use it as long as it works.
tac_set_av() only applies to the context of an authorization request. The format for an attribute value pair is defined in the TACACS+ protocol specification. The index specified can be any value between 0 and 255 inclusive and indicates the position in the list to place the attribute value pair. Calling tac_set_av() with same index twice effectively replaces the value at that position. Use tac_clear_avs() to clear all attribute value pairs that may have been set.
The only flag is the no-echo flag, which can be tested using the macro TAC_AUTHEN_NOECHO().
In the case of tac_get_data(), the len argument points to a location into which the library will store the actual length of the received data, not including the null terminator. This argument may be given as NULL if the caller is not interested in the length.
When it receives the CONTINUE packet, the server may again request more information by returning TAC_AUTHEN_STATUS_GETDATA, TAC_AUTHEN_STATUS_GETUSER, or TAC_AUTHEN_STATUS_GETPASS. The application should send further CONTINUEs until some other status is received from the server.
The number of AV pairs received is obtained using TAC_AUTHEN_AV_COUNT().
An authorization response packet from the server may also contain attribute value (AV) pairs. To extract these, use tac_get_av() or tac_get_av_value(). tac_get_av() takes the index of the AV pair as it is positioned in the list. The indexes start at 0 (use TAC_AUTHEN_AV_COUNT() on the return value of tac_send_author() to get the total number of items in this list). Alternatively, tac_get_av_value() can be used. tac_get_av_value() takes the attribute name and returns the corresponding value only, not the AV pair. These functions return dynamically-allocated copies of the information from the packet. The caller is responsible for freeing the copies when it no longer needs them. The data returned from these functions is guaranteed to be terminated by a null byte.
The following functions return a non- NULL pointer on success. If they are unable to allocate sufficient virtual memory, they return NULL and record an error message which can be retrieved using tac_strerror().
The following functions return a non- NULL pointer on success. If they are unable to allocate sufficient virtual memory, they return NULL, without recording an error message.
draft-grant-tacacs-02.txt (Internet Draft), The TACACS+ Protocol, Version 1.78,, ,
|LIBTACPLUS (3)||December 11, 2009|
|Main index||Section 3||日本語||한국인||Options|
|“||Not only is UNIX dead, it's starting to smell really bad.||”|
|— Rob Pike|