require override for insecure JWT key verification
I've done a few things with this commit: 1. Added more documentation to the pod. 2. Made a new flag, OAUTH_JWT_INSECURE, which is required if the client doesn't want to verify JWT tokens. 3. Added a sample config. I wanted to add the INSECURE flag so that we would no longer fall through to ignoring the signature. It should be someone's decision to do this only when needed.
Showing
4 changed files
with
97 additions
and
5 deletions.
@@ -10,4 +10,5 @@ bin/mavis_tacplus_aad.pl | |
dist.ini | ||
t/Mavis.pm | ||
t/everything.t | ||
tac_plus.cfg.sample | ||
xt/author/pod-syntax.t |
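--- /dev/null
+++ b/tac_plus.cfg.sample
@@ -0,0 +1,70 @@
+id = spawnd {
+listen = {
+port = 49
+}
+spawn = {
+instances min = 1
+instances max = 10
+}
+background = no
+}
+
+id = tac_plus {
+access log = /var/log/tacacs/%Y/%m/%d/access.log
+accounting log = /var/log/tacacs/%Y/%m/%d/acct.log
+
+mavis module = external {
+setenv OAUTH_ENDPOINT = "https://login.microsoftonline.com/06ab1719-d1f8-4cae-87fa-824768230090/oauth2/v2.0/token"
+setenv OAUTH_CLIENT_ID = "c45aecee-71fa-4c6e-96c5-7397df677112"
+setenv OAUTH_CLIENT_SECRET = "secretkey"
+setenv OAUTH_DOMAIN = "example.com"
+setenv FLAG_USE_MEMBEROF = 1
+setenv REQUIRE_TACACS_GROUP_PREFIX = 1
+setenv AD_GROUP_PREFIX = "tacacs"
+setenv OAUTH_OPENID_CONFIG_URL = https://login.microsoftonline.com/common/.well-known/openid-configuration
+exec = /usr/local/lib/mavis/mavis_tacplus_aad.pl
+}
+
+user backend = mavis # query backend for users
+login backend = mavis # authenticate login via backend
+pap backend = mavis # authenticate PAP via backend
+
+host = world {
+address = ::/0
+prompt = "Welcome\n"
+key = cisco
+}
+
+host = helpdesklab {
+address = 192.168.34.16/28
+}
+
+# A user will be in the "admin" group if he's member of the
+# corresponding "tacacsadmin" AD group. See $tacacsGroupPrefix
+# and $require_tacacsGroupPrefix in the code.
+
+group = admin {
+default service = permit
+service = shell {
+default command = permit
+default attribute = permit
+set priv-lvl = 15
+}
+}
+
+# A user will be in the "helpdesk" group if he's member of the
+# corresponding "tacacshelpdesk" AD group:
+
+group = helpdesk {
+default service = permit
+service = shell {
+default command = permit
+default attribute = permit
+set priv-lvl = 1
+}
+enable = deny
+member = admin@helpdesklab
+}
+}
+
+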
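Review bot: The sample never mentions the OAUTH_JWT_INSECURE flag this commit introduces, so a reader copying it has no hint that JWT signature verification is now the default and that skipping it is an explicit opt-in; a comment in the `mavis module = external` block such as `# JWT signatures are verified by default; only set OAUTH_JWT_INSECURE if you deliberately accept unverified tokens` would carry the intent stated in the commit message into the file people actually copy. The `host = world` block pairs `address = ::/0` with `key = cisco`, and the OAUTH_ENDPOINT and OAUTH_CLIENT_ID values read as real tenant/client identifiers rather than placeholders, whereas OAUTH_CLIENT_SECRET uses an obvious dummy; marking the key and those identifiers as placeholders (for example `key = <replace-me>` with a `# change before deployment` comment) would stop them being deployed verbatim. As a point of style, `setenv OAUTH_OPENID_CONFIG_URL` is the only setenv value left unquoted; quoting it like the others keeps the block consistent.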