Due to the limitations of the TACACS+ protocol, the functionality provided by the nss_tacplus module is very limited: it can look up a user by name, but not by uid, and it cannot enumerate users.
To look up a user, the nss_tacplus module submits an authorization request with authentication method TAC_PLUS_AUTHEN_METH_NOT_SET, authentication type TAC_PLUS_AUTHEN_TYPE_NOT_SET, and authentication service TAC_PLUS_AUTHEN_SVC_LOGIN, for the "shell" service. If the response status is either TAC_PLUS_AUTHOR_STATUS_PASS_ADD or TAC_PLUS_AUTHOR_STATUS_PASS_REPL, the user is considered to exist and the nss_tacplus module fills out a struct passwd for it.
The following attributes, if included in the response from the TACACS+ server, are used to construct the response:
| Attribute | Description |
| --- | --- |
| UID | Numeric user ID. Must be between 0 and UID_MAX. Defaults to 65534. |
| GID | Numeric primary group ID. Must be between 0 and GID_MAX. Defaults to 65534. |
| CLASS | Login class. Left blank if not provided. |
| GECOS | Display name. If not provided, the user name is used instead. |
| HOME | Home directory. Defaults to /. |
| SHELL | Shell. Defaults to /bin/sh. |
Case is ignored when matching attribute names. If an attribute is included multiple times, the last value takes effect.
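As an added example (not the module's own code), the following C applies the defaults and override rules described above to a list of attribute-value pairs. The names ex_user, ex_fill_user and EX_ID_MAX are hypothetical, the "=" and "*" separators follow the TACACS+ argument format, and keeping the default when an ID is malformed or out of range is an assumption, since the page does not say how the module handles that case.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define EX_ID_MAX UINT_MAX /* assumed stand-in for UID_MAX / GID_MAX */

struct ex_user { /* hypothetical holder for the struct passwd fields */
    unsigned long uid, gid;
    char class_[64], gecos[64], home[128], shell[128];
};

/* Accept only plain decimal digits in range; otherwise keep the old value
 * (assumed policy). Overflow yields ULLONG_MAX, which fails the range test. */
static void ex_set_id(unsigned long *out, const char *val) {
    char *end;
    unsigned long long v = strtoull(val, &end, 10);
    if (*val >= '0' && *val <= '9' && *end == '\0' && v <= EX_ID_MAX)
        *out = (unsigned long)v;
}

/* Copy only values that fit, so a path is never silently truncated. */
static void ex_set_str(char *dst, size_t cap, const char *val) {
    if (strlen(val) < cap)
        strcpy(dst, val);
}

/* Case-insensitive match of the first len bytes of av against name. */
static int ex_is(const char *av, size_t len, const char *name) {
    return strlen(name) == len && strncasecmp(av, name, len) == 0;
}

/* Apply the documented defaults, then let each pair override them in order,
 * so the last occurrence of an attribute wins. */
void ex_fill_user(struct ex_user *u, const char *name,
                  const char *const *av, size_t n) {
    memset(u, 0, sizeof *u);          /* CLASS stays blank unless provided */
    u->uid = u->gid = 65534;
    ex_set_str(u->gecos, sizeof u->gecos, name);
    ex_set_str(u->home, sizeof u->home, "/");
    ex_set_str(u->shell, sizeof u->shell, "/bin/sh");
    for (size_t i = 0; i < n; i++) {
        size_t k = strcspn(av[i], "=*"); /* name ends at the separator */
        if (av[i][k] == '\0') continue;  /* no separator: not a pair */
        const char *v = av[i] + k + 1;
        if (ex_is(av[i], k, "UID")) ex_set_id(&u->uid, v);
        else if (ex_is(av[i], k, "GID")) ex_set_id(&u->gid, v);
        else if (ex_is(av[i], k, "CLASS")) ex_set_str(u->class_, sizeof u->class_, v);
        else if (ex_is(av[i], k, "GECOS")) ex_set_str(u->gecos, sizeof u->gecos, v);
        else if (ex_is(av[i], k, "HOME")) ex_set_str(u->home, sizeof u->home, v);
        else if (ex_is(av[i], k, "SHELL")) ex_set_str(u->shell, sizeof u->shell, v);
    }
}
```

Because 0 is a valid UID and the last value wins, a response that carries UID=0 anywhere after an earlier UID maps the user to root on the client. The attributes the TACACS+ server returns for the "shell" service therefore deserve the same review as local passwd entries.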
| NSS_TACPLUS (8) | June 13, 2023 |
