You need something like this:
http://www.padl.com/OSS/nss_ldap.html
But for TACACS. The problem is, TACACS is an authentication protocol, not a directory lookup protocol.
Basically, the user information needs to be able to be looked up at any time, separate from user authentication.
Think: when I do "ls -l", what translates the UID on the files into an account name?
This is why, even for Microsoft ADS, they have Kerberos for authentication and LDAP for user accounts and pretty much everything else.
Even for Kerberos, you can authenticate, but all other account information needs to be available to the machine. So, for Kerberos installs, you don't need the /etc/shadow file, but you still need the /etc/passwd file. Unless you locate the /etc/passwd information somewhere else, where it is readily available, i.e. NIS or LDAP.
On 8/4/06, Gary Schlachter <[EMAIL PROTECTED]> wrote:
Asif,
Thank you for your offer. However, I fear you just answered my question. Your comment:
"Also make sure you do have a local user account and it is not locked. You must need a local account even though the authentication is done thru tacacs server."
is exactly what I was trying to avoid. I was wanting to NOT have a local account on the server. I am trying to have sshd use the local account as defined on the TACACS server. I was hoping there was a way to configure OpenSSH to not look for a local account. I am able to authenticate perfectly if the local account is created on the server.
Gary
--
And, did Guloka think the Ulus were too ugly to save?
-Centauri
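The split the reply describes, between authenticating a user (PAM, and behind it a TACACS+ server) and looking a user up (NSS, which is what "ls -l" and sshd use), can be seen directly in the C library calls involved. The following is an added example, not code from anyone on this thread: it resolves a UID to a name through getpwuid_r() and checks a login name through getpwnam_r(), both of which consult only the sources listed in /etc/nsswitch.conf. A user that exists only on a TACACS+ server is not in any of those sources, so the UID stays numeric and the name check fails, which is exactly why OpenSSH still needs a local (or NIS/LDAP) account entry. The unknown UID and the unknown user name are constructed test values.

```c
/* Added example: what "ls -l" and sshd do when they need account
 * information. Both go through NSS (getpwuid/getpwnam), never through
 * PAM, so a TACACS+-only user cannot be resolved here. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Resolve a UID to an account name via NSS (/etc/passwd, NIS, LDAP, ...).
 * Returns 1 if some NSS passwd source knows the UID (name written to buf),
 * 0 if none does; buf then holds the decimal UID, which is what "ls -l"
 * prints when it cannot translate an owner. */
int uid_to_name(uid_t uid, char *buf, size_t buflen)
{
    struct passwd pw;
    struct passwd *res = NULL;
    char tmp[4096];          /* scratch space for the string fields of pw */

    errno = 0;
    if (getpwuid_r(uid, &pw, tmp, sizeof tmp, &res) == 0 && res != NULL) {
        snprintf(buf, buflen, "%s", pw.pw_name);
        return 1;
    }
    snprintf(buf, buflen, "%lu", (unsigned long)uid);
    return 0;
}

/* The other direction: is this login name known to any NSS passwd source?
 * sshd asks this question (getpwnam) before any PAM/TACACS+ exchange
 * starts, so an account that exists only on the TACACS+ server is
 * rejected before its password is ever checked. */
int name_is_known(const char *name)
{
    struct passwd pw;
    struct passwd *res = NULL;
    char tmp[4096];

    return getpwnam_r(name, &pw, tmp, sizeof tmp, &res) == 0 && res != NULL;
}

int main(void)
{
    char name[256];

    /* uid 0 is in /etc/passwd on any Unix system, so NSS resolves it */
    uid_to_name(0, name, sizeof name);
    printf("uid 0          -> %s\n", name);

    /* constructed UID that no passwd source knows: stays numeric */
    uid_to_name((uid_t)999999999, name, sizeof name);
    printf("uid 999999999  -> %s\n", name);

    /* constructed user name standing in for a TACACS+-only account */
    printf("root known: %d\n", name_is_known("root"));
    printf("tacacs_only_user known: %d\n", name_is_known("tacacs_only_user"));
    return 0;
}
```

Adding a line such as `passwd: files ldap` to /etc/nsswitch.conf changes where getpwuid_r() and getpwnam_r() look; nothing in TACACS+ can be plugged in there, which is the point the reply makes with nss_ldap.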