[TACACS] Stop authorization after user being rejected by server. (#14249)

Stop authorization after user being rejected by server. #### Why I did it Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server. ##### Work item tracking - Microsoft ADO :15276692 #### How I did it Check authorization result, stop authorization after user being rejected by server. #### How to verify it Pass all E2E test. Create new UT: https://github.com/sonic-net/sonic-mgmt/pull/8345 #### Description for the changelog Stop authorization after user being rejected by server. #### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
2023-05-30 14:54:11 -07:00 · 2023-05-30 14:54:11 -07:00 · b444817e17
commit b444817e17
parent 02b17839c3
1 changed files with 18 additions and 6 deletions
--- a/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
+++ b/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
@ -10,6 +10,7 @@ Subject: [PATCH] Modify user map profile
 * Added "many_to_one" mode, create one local user for many TACACS+ users which
  has the same privilege.
 * Modified configuration parse and file to adapt to the new user map profile.
 * Stop authorization after user being rejected by server.
 ---
 Makefile.am                   |    4 +-
 Makefile.in                   |    2 +-
@ -17,9 +18,9 @@ Subject: [PATCH] Modify user map profile
 debian/changelog              |   11 +
 debian/control                |   11 +-
 debian/libnss-tacplus.symbols |    1 -
- nss_tacplus.c                 | 1004 +++++++++++++++++++----------------------
+ nss_tacplus.c                 | 1018 +++++++++++++++------------------
- tacplus_nss.conf              |   91 ++--
+ tacplus_nss.conf              |   91 ++-
- 8 files changed, 518 insertions(+), 608 deletions(-)
+ 8 files changed, 527 insertions(+), 613 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
 index 293951e..b33c455 100644
@ -1153,7 +1154,18 @@ index 79e62b9..ecfa0b0 100644
             done = 1; /* break out of loop after arep cleanup */
         }
         else {
-@@ -692,30 +724,12 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
                     " invalid (%d)", nssname,
                     tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
                     arep.status);
 +
 +                    if (arep.status == TAC_PLUS_AUTHOR_STATUS_FAIL) {
 +                        done = 1; /* break out of loop after server reject user */
 +                    }
         }
         if(arep.msg)
             free(arep.msg);
@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
             tac_free_attrib(&arep.attr);
     }
@ -1186,7 +1198,7 @@ index 79e62b9..ecfa0b0 100644
  *
  * We try the lookup to the tacacs server first.  If we can't make a
  * connection to the server for some reason, we also try looking up
-@@ -730,20 +744,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
     int result;
     struct pwbuf pbuf;
@ -1221,7 +1233,7 @@ index 79e62b9..ecfa0b0 100644
         /* marshal the args for the lower level functions */
         pbuf.name = (char *)name;
         pbuf.pw = pw;
-@@ -751,126 +770,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
         pbuf.buflen = buflen;
         pbuf.errnop = errnop;