3

How do you configure a TACACS+ tac_plus server on Ubuntu 16.04 that authenticates against Microsoft Active Directory?

I ran all the tac_plus commands as per above but I cant seem to get answers for the following errors:

/usr/local/etc/tac_plus.cfg:49: Expected 'service', but got 'servive'
19500: /usr/local/etc/tac_plus.cfg:49: Expected 'service', but got 'servive'
19500: Detected fatal configuration error. Exiting.

Below is my config:

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        listen = { port = 4949 }
        listen = { address = 0.0.0.0 port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
        accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
        authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                #If you are using Microsoft Global Catalog with secure LDAP (SSL)
                #setenv LDAP_HOSTS = "ldaps://192.168.0.97:3269"
                #If you are using Microsoft Global Catalog with regular LDAP (non-SSL)
                setenv LDAP_HOSTS = "192.168.0.54:3268"
                setenv LDAP_BASE = "DC=xxxxxxx,DC=xxx"
                setenv LDAP_SCOPE = sub
                setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
                setenv LDAP_USER = "tacacs@xxxxx.xxx"
                setenv LDAP_PASSWD = "xxxxxxxx"
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
                setenv AD_GROUP_PREFIX = ""
                setenv REQUIRE_TACACS_GROUP_PREFIX = 0
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                #Allow any IPv4 device
                address = 0.0.0.0/0
                #address = ::/0
                prompt = "Enter Windows Crendetails.\n"
                key = "xxxxxxxxxx"
                }

                group = ops {

                            default servive = permit
                            login = PAM
                            service = shell {
                            default command = permit
                            default attribute = permit
                            set priv-lvl = 15
                        }
                }

                group = noc {
                        default service = deny
                                login = PAM
                                service = exec {
                                priv-lvl = 15
                                }
                                cmd = show {
                                permit .*
                                }
                                cmd = exit {
                                permit .*
                                }
                                cmd = quit {
                                permit .*
                                }
                                cmd = ping {
                                permit .*
                                }
                                cmd = traceroute {
                                permit .*
                                }
                                cmd = end {
                                permit .*
                        }
        }

                ### USER DEFINITION ###
                user = khensani.baloyi {
                member = ops
                }

    }
Mike Pennington
  • 30,049
  • 12
  • 82
  • 153
Khensani Baloyi
  • 31
  • 1

1 Answers1

5

You misspelled the word service:

default servive = permit

YLearn
  • 27,511
  • 5
  • 62
  • 130
Ricky
  • 32,810
  • 2
  • 45
  • 85