In place editing (sed -i) seems having some issues with filesystem
interaction. It could leave 0 size file or corrupted file behind.
It would be safer to sed the file contents into a new file and switch
new file with the old file.
Signed-off-by: Ying Xie <ying.xie@microsoft.com>
Present: Servers are listed in the same order as in redis-db
Fix: Save the sort o/p, hence use sorted list to write into pam.d's conf.
As well convert priority to integer for use by sort.
* Switch the nss look up order as "compat" followed by "tacplus".
This helps use the legacy passwd file for user info and go to tacacs only if not found.
This means, we never contact tacacs for local users like "admin".
This isolates local users from any issues with tacacs servers.
W/o this fix, the sudo commands by local users could take <count of servers> * <tacacs timeout> seconds, if the tacacs servers are unreachable.
* Skip tacacs server access for local non-tacacs users.
Revert the order of 'compat tacplus' to original 'tacplus compat' as tacplus
access is required for all tacacs users, who also get created locally.
* Add a log message for each notification of add/del TACACS server.
Signed-off-by: Renuka Manavalan <remanava@microsoft.com>
* Moved another syslog message from DEBUG to INFO to be able to see those notifications.
All these changes are to help with a one-time-seen-bug, that hostcfgd did not act upon changes to redis for TACACS servers. We could not repro the bug.
Signed-off-by: Renuka Manavalan <remanava@microsoft.com>
- Move all minigraph-related action from rc.local to updategraph
- updategraph service is now after database. All feature services are now after and depending on updategraph
* [TACACS+]: Add configDB enforcer for TACACS+
* hostcfgd - configDB enforcer for TACACS+, listen configDB to
modify the pam configuration for Authentication in host
* Add a service script for hostcfgd
Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
* [TACACS+]: Generate conf file by template file
* Generate common-auth-sonic and tacplus_nss.conf by jinja2 template
Signed-off-by: Chenchen Qi <chenchen.qcc@alibaba-inc.com>
