Manual Pages  — NSS_TACPLUS

NAME

nss_tacplus – TACACS+ nsswitch module

SYNOPSIS

passwd: files tacplus

DESCRIPTION

The nss_tacplus module is a loadable NSS module which provides a minimal identity service using a TACACS+ backend.

Due to the limitations of the TACACS+ protocol, the functionality provided by the nss_tacplus module is very limited: it can look up a user by name, but not by uid, and it cannot enumerate users.

To look up a user, the nss_tacplus module submits an authorization request with authentication method TAC_PLUS_AUTHEN_METH_NOT_SET, authentication type TAC_PLUS_AUTHEN_TYPE_NOT_SET, and authentication service TAC_PLUS_AUTHEN_SVC_LOGIN, for the "shell" service. If the response status is either TAC_PLUS_AUTHOR_STATUS_PASS_ADD or TAC_PLUS_AUTHOR_STATUS_PASS_REPL, the user is considered to exist and the nss_tacplus module fills out a struct passwd for it.

The following attributes, if included in the response from the TACACS+ server, are used to construct the response:
UID
  Numeric user ID. Must be between 0 and UID_MAX. Defaults to 65534.
GID
  Numeric primary group ID. Must be between 0 and GID_MAX. Defaults to 65534.
CLASS
  Login class. Left blank if not provided.
GECOS
  Display name. If not provided, the user name is used instead.
HOME
  Home directory. Defaults to /.
SHELL
  Shell. Defaults to /bin/sh.

Case is ignored when matching attribute names. If an attribute is included multiple times, the last value takes effect.
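The attribute handling described above, sketched in C as an added example (not the module's own source). The `ex_` names, the `EX_ID_MAX` stand-in for UID_MAX/GID_MAX, and the choice to fail the lookup on an invalid UID or GID are assumptions; pairs use the TACACS+ `=` or `*` separator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define EX_ID_MAX UINT32_MAX /* assumed stand-in for UID_MAX and GID_MAX */
struct ex_user { uint32_t uid, gid; const char *cls, *gecos, *home, *shell; };

/* Strict decimal parse into [0, EX_ID_MAX]; rejects "", "-1", "+5", " 7", "0x10". */
static int ex_parse_id(const char *s, uint32_t *out)
{
    char *end;
    if (*s < '0' || *s > '9') return -1;
    unsigned long long v = strtoull(s, &end, 10); /* overflow saturates, caught below */
    if (*end != '\0' || v > EX_ID_MAX) return -1;
    *out = (uint32_t)v;
    return 0;
}

static int ex_key_is(const char *s, size_t len, const char *key)
{
    return strlen(key) == len && strncasecmp(s, key, len) == 0; /* case ignored */
}

/* Fill *u from n AV pairs ("NAME=value" or "NAME*value"); -1 on a bad UID/GID. */
int ex_fill_user(const char *name, const char *const *av, size_t n, struct ex_user *u)
{
    *u = (struct ex_user){ 65534, 65534, "", name, "/", "/bin/sh" }; /* page defaults */
    for (size_t i = 0; i < n; i++) { /* later pairs overwrite earlier ones */
        size_t k = strcspn(av[i], "=*");
        if (av[i][k] == '\0') continue; /* no separator: not an AV pair */
        const char *val = av[i] + k + 1;
        if (ex_key_is(av[i], k, "UID")) { if (ex_parse_id(val, &u->uid)) return -1; }
        else if (ex_key_is(av[i], k, "GID")) { if (ex_parse_id(val, &u->gid)) return -1; }
        else if (ex_key_is(av[i], k, "CLASS")) u->cls = val;
        else if (ex_key_is(av[i], k, "GECOS")) u->gecos = val;
        else if (ex_key_is(av[i], k, "HOME")) u->home = val;
        else if (ex_key_is(av[i], k, "SHELL")) u->shell = val;
    }
    return 0;
}

int main(void)
{
    const char *av[] = { "uid=1001", "GID=20", "UID=1002" }; /* constructed sample */
    struct ex_user u;
    if (ex_fill_user("alice", av, 3, &u) != 0) return 1;
    printf("%u:%u:%s:%s:%s\n", (unsigned)u.uid, (unsigned)u.gid, u.gecos, u.home, u.shell);
}
```

UID 0 lies inside the accepted range, so which accounts map to root is decided entirely by the attributes the TACACS+ server returns.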

SEE ALSO

libtacplus(3), tacplus.conf(5), pam_tacplus(8)

HISTORY

The nss_tacplus module and this manual page were written by Dag-Erling Smørgrav <des@FreeBSD.org> for Klara Systems.

NSS_TACPLUS (8) June 13, 2023