[TACACS+]: Add support to specify source address for TACACS+ #4610
… in kernel Signed-off-by: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com>
src/tacacs/nss/0007-Add-support-for-TACACS-source-address.patch
Is there a PR for unit test for this change?
When we enforce src-IP, should we not enforce the route too? If the right route is not available, the default route might get used. If the default route is not the right one, each TACACS server would take 5 seconds to time out. Say there are 3 servers, each login attempt would take 15 seconds before it falls back to local.
No, I don't see any UT in the original PR (#1238). Maybe I'll try to add a few test cases; can you share some reference tests to add the UT for the source_ip changes?
No, the scope of this PR is to change the source IP of the TACACS+ packet; the actual routing to reach the TACACS+ server is expected to happen based on the route table lookup in the kernel.
Are we changing code to resolve the comments?
Yes Renuka, will change the code.
From a build failure log:
# The first commit's message is: [TACACS+]: Add support to specify source address for TACACS+ Signed-off-by: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com> # This is the 2nd commit message: [TACACS+]: Add support to specify source address for TACACS+ Signed-off-by: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com> # This is the 3rd commit message: Reverted the changes not applicable for this pull request Signed-off-by: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com> # This is the 4th commit message: Addressed the comment Signed-off-by: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com> # This is the 5th commit message: Initialised the source address to NULL after free. Signed-off-by: Venkatesan Mahalingam <venkatesan_mahalinga@dell.com>
Sorry, this issue has been fixed.
Hi Venkat,
Yes Renuka, we have tested it and it works fine. We'll have to test again with the new changes and post the UT logs; please let me know once you are done with the review.
I am done with review. Please add the test result, then this PR would be good to get in.
Thanks, will do it soon.
retest baseimage please
This pull request was cherry picked from "#1238" to resolve the conflicts.
- Why I did it
Add support to specify source address for TACACS+
- How I did it
Add patches for libpam-tacplus and libnss-tacplus. The patches parse the new option 'src_ip' and store the converted addrinfo. Then the addrinfo is used for TACACS+ connection.
Add an attribute 'src_ip' for table "TACPLUS|global" in configDB
Add some code to adapt to the attribute 'src_ip'.
- How to verify it
Config command for source address PR in sonic-utilities
config tacacs src_ip <ip_address>
- Description for the changelog
Add patches to specify source address for the TACACS+ outgoing packets.
- A picture of a cute animal (not mandatory but encouraged)
**UT logs:**
UT_tacacs_source_intf.txt
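
The approach the description outlines (parse `src_ip` into an addrinfo, then use it for the TACACS+ connection) looks roughly like the sketch below. This is an added example, not the code from the libpam-tacplus or libnss-tacplus patches; the function names `parse_src_ip` and `open_bound_socket` are hypothetical and the addresses are constructed values from the documentation ranges.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a numeric src_ip value into an addrinfo (hypothetical helper).
 * AI_NUMERICHOST rejects hostnames, so the login path never does a DNS
 * lookup on a configuration value. Returns 0 on success, -1 otherwise. */
int parse_src_ip(const char *text, struct addrinfo **out)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* accept IPv4 or IPv6 literals */
    hints.ai_socktype = SOCK_STREAM;  /* TACACS+ runs over TCP */
    hints.ai_flags = AI_NUMERICHOST;
    *out = NULL;
    if (text == NULL || *text == '\0')
        return -1;
    if (getaddrinfo(text, NULL, &hints, out) != 0) {
        *out = NULL;
        return -1;
    }
    return 0;
}

/* Create a TCP socket for `server`, bound to `src` when one is configured.
 * Returns the fd, -1 on socket/bind failure, -2 on address family mismatch.
 * The caller then connect()s; the route is still chosen by the kernel. */
int open_bound_socket(const struct addrinfo *server, const struct addrinfo *src)
{
    if (src != NULL && src->ai_family != server->ai_family)
        return -2;                    /* e.g. IPv6 source, IPv4 server */
    int fd = socket(server->ai_family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    /* Port 0 in src lets the kernel pick an ephemeral source port. */
    if (src != NULL && bind(fd, src->ai_addr, src->ai_addrlen) != 0) {
        close(fd);                    /* address is not local to this host */
        return -1;
    }
    return fd;
}
```

Binding only fixes the source address of the outgoing packets; as noted in the review discussion, reaching the server still depends on the kernel's route lookup.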