NSS_TACPLUS(8) FreeBSD System Manager's Manual NSS_TACPLUS(8)
NAME
nss_tacplus - TACACS+ nsswitch module
SYNOPSIS
passwd: files tacplus
DESCRIPTION
The nss_tacplus module is a loadable NSS module which provides a minimal
identity service using a TACACS+ backend.
Due to the limitations of the TACACS+ protocol, the functionality
provided by the nss_tacplus module is very limited: it can look up a user
by name, but not by uid, and it cannot enumerate users.
To look up a user, the nss_tacplus module submits an authorization
request with authentication method TAC_PLUS_AUTHEN_METH_NOT_SET,
authentication type TAC_PLUS_AUTHEN_TYPE_NOT_SET, and authentication
service TAC_PLUS_AUTHEN_SVC_LOGIN, for the "shell" service. If the
response status is either TAC_PLUS_AUTHOR_STATUS_PASS_ADD or
TAC_PLUS_AUTHOR_STATUS_PASS_REPL, the user is considered to exist and the
nss_tacplus module fills out a struct passwd for it.
The following attributes, if included in the response from the TACACS+
server, are used to construct the response:
UID     Numeric user ID. Must be between 0 and UID_MAX. Defaults to 65534.
GID     Numeric primary group ID. Must be between 0 and GID_MAX. Defaults to 65534.
CLASS   Login class. Left blank if not provided.
GECOS   Display name. If not provided, the user name is used instead.
HOME    Home directory. Defaults to /.
SHELL   Shell. Defaults to /bin/sh.
Case is ignored when matching attribute names. If an attribute is
included multiple times, the last value takes effect.
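The attribute rules above (defaults, case-insensitive names, last value wins, range-checked IDs) can be sketched as follows. This is an added example, not the nss_tacplus source: the names tac_pw, tac_fill, parse_id and ID_MAX are hypothetical, attributes are assumed to arrive as "NAME=value" or "NAME*value" strings, and failing the whole lookup on an invalid UID or GID is an assumed policy.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define ID_MAX     UINT32_MAX  /* assumption: stands in for UID_MAX / GID_MAX */
#define ID_DEFAULT 65534u      /* default UID and GID given in the manual page */

struct tac_pw { uint32_t uid, gid; const char *cls, *gecos, *home, *shell; };

/* Strict decimal parse: rejects empty, signed, trailing-garbage and out-of-range input. */
static int parse_id(const char *s, uint32_t *out) {
    char *end;
    if (*s < '0' || *s > '9') return -1;   /* strtoull alone would accept "-1" and " 7" */
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > ID_MAX) return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Fill *pw from n attribute strings; returns 0, or -1 on a bad UID/GID (assumed policy). */
#define IS(name) (k == sizeof(name) - 1 && strncasecmp(av[i], name, k) == 0)
int tac_fill(const char *user, const char *const av[], size_t n, struct tac_pw *pw) {
    *pw = (struct tac_pw){ ID_DEFAULT, ID_DEFAULT, "", user, "/", "/bin/sh" };
    for (size_t i = 0; i < n; i++) {        /* later entries overwrite earlier ones */
        size_t k = strcspn(av[i], "=*");    /* '=' mandatory, '*' optional AV pair */
        if (av[i][k] == '\0') continue;     /* no separator: not an attribute */
        const char *val = av[i] + k + 1;
        if (IS("UID")) { if (parse_id(val, &pw->uid)) return -1; }
        else if (IS("GID")) { if (parse_id(val, &pw->gid)) return -1; }
        else if (IS("CLASS")) pw->cls = val;
        else if (IS("GECOS")) pw->gecos = val;
        else if (IS("HOME")) pw->home = val;
        else if (IS("SHELL")) pw->shell = val;
    }
    return 0;
}

int main(void) {
    /* Constructed sample response attributes, not captured from a real server. */
    const char *const av[] = { "uid=1001", "Home=/home/alice", "UID=2002", "shell=/bin/csh" };
    struct tac_pw pw;
    if (tac_fill("alice", av, 4, &pw) != 0) return 1;
    printf("alice:%u:%u:%s:%s:%s:%s\n", (unsigned)pw.uid, (unsigned)pw.gid, pw.cls, pw.gecos, pw.home, pw.shell);
    return 0;
}
```

Note that a UID of 0 is inside the accepted range, so the TACACS+ server is trusted to decide which users map to root on the host.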
SEE ALSO
libtacplus(3), tacplus.conf(5), pam_tacplus(8)
HISTORY
The nss_tacplus module and this manual page were written by Dag-Erling
Smørgrav <des@FreeBSD.org> for Klara Systems.
FreeBSD 14.0-RELEASE-p11 June 13, 2023 FreeBSD 14.0-RELEASE-p11