Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
LIBTACPLUS(3)	       FreeBSD Library Functions Manual		 LIBTACPLUS(3)

NAME
     libtacplus	-- TACACS+ client library

SYNOPSIS
     #include <taclib.h>

     int
     tac_add_server(struct tac_handle *h, const	char *host, int	port,
	 const char *secret, int timeout, int flags);

     void
     tac_clear_avs(struct tac_handle *h);

     void
     tac_close(struct tac_handle *h);

     int
     tac_config(struct tac_handle *h, const char *path);

     int
     tac_create_authen(struct tac_handle *h, int action, int type,
	 int service);

     int
     tac_create_author(struct tac_handle *h, int method, int type,
	 int service);

     int
     tac_create_acct(struct tac_handle *h, int acct, int action, int type,
	 int service);

     char *
     tac_get_av(struct tac_handle *h, u_int index);

     char *
     tac_get_av_value(struct tac_handle	*h, const char *attribute);

     void *
     tac_get_data(struct tac_handle *h,	size_t *len);

     char *
     tac_get_msg(struct	tac_handle *h);

     struct tac_handle *
     tac_open(void);

     int
     tac_send_authen(struct tac_handle *h);

     int
     tac_send_author(struct tac_handle *h);

     int
     tac_send_acct(struct tac_handle *h);

     int
     tac_set_av(struct tac_handle *h, u_int index, const char *av_pair);

     int
     tac_set_data(struct tac_handle *h,	const void *data, size_t data_len);

     int
     tac_set_msg(struct	tac_handle *h, const char *msg);

     int
     tac_set_port(struct tac_handle *h,	const char *port);

     int
     tac_set_priv(struct tac_handle *h,	int priv);

     int
     tac_set_rem_addr(struct tac_handle	*h, const char *addr);

     int
     tac_set_user(struct tac_handle *h,	const char *user);

     const char	*
     tac_strerror(struct tac_handle *h);

DESCRIPTION
     The libtacplus library implements the client side of the TACACS+ network
     access control protocol.  TACACS+ allows clients to perform authentica-
     tion, authorization, and accounting by means of network requests to
     remote servers.  This library currently supports only the authentication
     and authorization portion of the protocol.

INITIALIZATION
     To	use the	library, an application	must first call	tac_open() to obtain a
     struct tac_handle *, which	provides context for subsequent	operations.
     Calls to tac_open() always	succeed	unless insufficient virtual memory is
     available.	 If the	necessary memory cannot	be allocated, tac_open()
     returns NULL.

     Before issuing any	TACACS+	requests, the library must be made aware of
     the servers it can	contact.  The easiest way to configure the library is
     to	call tac_config().  tac_config() causes	the library to read a configu-
     ration file whose format is described in tacplus.conf(5).	The pathname
     of	the configuration file is passed as the	file argument to tac_config().
     This argument may also be given as	NULL, in which case the	standard con-
     figuration	file /etc/tacplus.conf is used.	 tac_config() returns 0	on
     success, or -1 if an error	occurs.

     The library can also be configured	programmatically by calls to
     tac_add_server().	The host parameter specifies the server	host, either
     as	a fully	qualified domain name or as a dotted-quad IP address in	text
     form.  The	port parameter specifies the TCP port to contact on the
     server.  If port is given as 0, the library uses port 49, the standard
     TACACS+ port.  The	shared secret for the server host is passed to the
     secret parameter.	It may be any null-terminated string of	bytes.	The
     timeout for receiving replies from	the server is passed to	the timeout
     parameter,	in units of seconds.  The flags	parameter is a bit mask	of
     flags to specify various characteristics of the server.  It may contain:

     TAC_SRVR_SINGLE_CONNECT
		 Causes	the library to attempt to negotiate single connection
		 mode when communicating with the server.  In single connec-
		 tion mode, the	original TCP connection	is held	open for mul-
		 tiple TACACS+ sessions.  Older	servers	do not support this
		 mode, and some	of them	become confused	if the client attempts
		 to negotiate it.

     tac_add_server() returns 0	on success, or -1 if an	error occurs.

     tac_add_server() may be called multiple times, and	it may be used
     together with tac_config().  At most 10 servers may be specified.	When
     multiple servers are given, they are tried	in round-robin fashion until a
     working, accessible server	is found.  Once	the library finds such a
     server, it	continues to use it as long as it works.

CREATING A TACACS+ AUTHENTICATION REQUEST
     To	begin constructing a new authentication	request, call
     tac_create_authen().  The action, type, and service arguments must	be set
     to	appropriate values as defined in the TACACS+ protocol specification.
     The <taclib.h> header file	contains symbolic constants for	these values.

CREATING A TACACS+ AUTHORIZATION REQUEST
     To	begin constructing a new authorization request,	call
     tac_create_author().  The method, type, and service arguments must	be set
     to	appropriate values as defined in the TACACS+ protocol specification.
     The <taclib.h> header file	contains symbolic constants for	these values.

CREATING A TACACS+ ACCOUNTING REQUEST
     To	begin constructing a new accounting request, call tac_create_acct().
     The acct, action, type, and service arguments must	be set to appropriate
     values as defined in the TACACS+ protocol specification.  The <taclib.h>
     header file contains symbolic constants for these values.

SETTING	OPTIONAL PARAMETERS ON A REQUEST
     After creating a request, various optional	parameters may be attached to
     it	through	calls to tac_set_av(), tac_set_data(), tac_set_port(),
     tac_set_priv(), tac_set_rem_addr(), and tac_set_user().  The library cre-
     ates its own copies of any	strings	provided to these functions, so	that
     it	is not necessary for the caller	to preserve them.  By default, each of
     these parameters is empty except for the privilege	level, which defaults
     to	`USER' privilege.

     tac_set_av() only applies to the context of an authorization request.
     The format	for an attribute value pair is defined in the TACACS+ protocol
     specification.  The index specified can be	any value between 0 and	255
     inclusive and indicates the position in the list to place the attribute
     value pair.  Calling tac_set_av() with same index twice effectively
     replaces the value	at that	position.  Use tac_clear_avs() to clear	all
     attribute value pairs that	may have been set.

SENDING	THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE
     After the TACACS+ authentication request has been constructed, it is sent
     by	means of tac_send_authen().  This function connects to a server	if not
     already connected,	sends the request, and waits for a reply.  On failure,
     tac_send_authen() returns -1.  Otherwise, it returns the TACACS+ status
     code and flags, packed into an integer value.  The	status can be
     extracted using the macro TAC_AUTHEN_STATUS().  Possible status codes,
     defined in	<taclib.h>, include:

	   TAC_AUTHEN_STATUS_PASS
	   TAC_AUTHEN_STATUS_FAIL
	   TAC_AUTHEN_STATUS_GETDATA
	   TAC_AUTHEN_STATUS_GETUSER
	   TAC_AUTHEN_STATUS_GETPASS
	   TAC_AUTHEN_STATUS_RESTART
	   TAC_AUTHEN_STATUS_ERROR
	   TAC_AUTHEN_STATUS_FOLLOW

     The only flag is the no-echo flag,	which can be tested using the macro
     TAC_AUTHEN_NOECHO().

EXTRACTING INFORMATION FROM THE	SERVER'S AUTHENTICATION	RESPONSE
     An	authentication response	packet from the	server may contain a server
     message, a	data string, or	both.  After a successful call to
     tac_send_authen(),	this information may be	retrieved from the response by
     calling tac_get_msg() and tac_get_data().	These functions	return dynami-
     cally-allocated copies of the information from the	packet.	 The caller is
     responsible for freeing the copies	when it	no longer needs	them.  The
     data returned from	these functions	is guaranteed to be terminated by a
     null byte.

     In	the case of tac_get_data(), the	len argument points to a location into
     which the library will store the actual length of the received data, not
     including the null	terminator.  This argument may be given	as NULL	if the
     caller is not interested in the length.

SENDING	AUTHENTICATION CONTINUE	PACKETS
     If	tac_send_authen() returns a value containing one of the	status codes
     TAC_AUTHEN_STATUS_GETDATA,	TAC_AUTHEN_STATUS_GETUSER, or
     TAC_AUTHEN_STATUS_GETPASS,	then the client	must provide additional	infor-
     mation to the server by means of a	TACACS+	CONTINUE packet.  To do	so,
     the application must first	set the	packet's user message and/or data
     fields using tac_set_msg()	and tac_set_data().  The client	then sends the
     CONTINUE packet with tac_send_authen().  N.B., tac_create_authen()	should
     not be called to construct	a CONTINUE packet; it is used only for the
     initial authentication request.

     When it receives the CONTINUE packet, the server may again	request	more
     information by returning TAC_AUTHEN_STATUS_GETDATA,
     TAC_AUTHEN_STATUS_GETUSER,	or TAC_AUTHEN_STATUS_GETPASS.  The application
     should send further CONTINUEs until some other status is received from
     the server.

SENDING	THE AUTHORIZATION REQUEST AND RECEIVING	THE RESPONSE
     After the TACACS+ authorization request has been constructed, it is sent
     by	means of tac_send_author().  This function connects to a server	if not
     already connected,	sends the request, and waits for a reply.  On failure,
     tac_send_author() returns -1.  Otherwise, it returns the TACACS+ status
     code and number of	attribute value	(AV) pairs received packed into	an
     integer value.  The status	can be extracted using the macro
     TAC_AUTHOR_STATUS().  Possible status codes, defined in <taclib.h>,
     include:

	   TAC_AUTHOR_STATUS_PASS_ADD
	   TAC_AUTHOR_STATUS_PASS_REPL
	   TAC_AUTHOR_STATUS_FAIL
	   TAC_AUTHOR_STATUS_ERROR

     The number	of AV pairs received is	obtained using TAC_AUTHEN_AV_COUNT().

SENDING	THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE
     After the TACACS+ authorization request has been constructed, it is sent
     by	means of tac_send_acct().  This	function connects to a server if not
     already connected,	sends the request, and waits for a reply.  On failure,
     tac_send_acct() returns -1.  Otherwise, it	returns	the TACACS+ status
     code.  Possible status codes, defined in <taclib.h>, include:

	   TAC_ACCT_STATUS_SUCCESS
	   TAC_ACCT_STATUS_ERROR
	   TAC_ACCT_STATUS_FOLLOW

EXTRACTING INFORMATION FROM THE	SERVER'S AUTHORIZATION RESPONSE
     Like an authentication response packet, an	authorization response packet
     from the server may contain a server message, a data string, or both.
     Refer to EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE
     for instruction on	extraction of those values.

     An	authorization response packet from the server may also contain
     attribute value (AV) pairs.  To extract these, use	tac_get_av() or
     tac_get_av_value().  tac_get_av() takes the index of the AV pair as it is
     positioned	in the list.  The indexes start	at 0 (use
     TAC_AUTHEN_AV_COUNT() on the return value of tac_send_author() to get the
     total number of items in this list).  Alternatively, tac_get_av_value()
     can be used.  tac_get_av_value() takes the	attribute name and returns the
     corresponding value only, not the AV pair.	 These functions return	dynam-
     ically-allocated copies of	the information	from the packet.  The caller
     is	responsible for	freeing	the copies when	it no longer needs them.  The
     data returned from	these functions	is guaranteed to be terminated by a
     null byte.

OBTAINING ERROR	MESSAGES
     Those functions which accept a struct tac_handle *	argument record	an
     error message if they fail.  The error message can	be retrieved by	call-
     ing tac_strerror().  The message text is overwritten on each new error
     for the given struct tac_handle *.	 Thus the message must be copied if it
     is	to be preserved	through	subsequent library calls using the same	han-
     dle.

CLEANUP
     To	free the resources used	by the TACACS+ library,	call tac_close().

RETURN VALUES
     The following functions return a non-negative value on success.  If they
     detect an error, they return -1 and record	an error message which can be
     retrieved using tac_strerror().

	   tac_add_server()
	   tac_config()
	   tac_create_authen()
	   tac_create_author()
	   tac_create_acct()
	   tac_send_authen()
	   tac_send_author()
	   tac_send_acct()
	   tac_set_av()
	   tac_set_data()
	   tac_set_msg()
	   tac_set_port()
	   tac_set_priv()
	   tac_set_rem_addr()
	   tac_set_user()

     The following functions return a non-NULL pointer on success.  If they
     are unable	to allocate sufficient virtual memory, they return NULL	and
     record an error message which can be retrieved using tac_strerror().

	   tac_get_av()
	   tac_get_av_value()
	   tac_get_data()
	   tac_get_msg()

     The following functions return a non-NULL pointer on success.  If they
     are unable	to allocate sufficient virtual memory, they return NULL, with-
     out recording an error message.

	   tac_open()

FILES
     /etc/tacplus.conf

SEE ALSO
     tacplus.conf(5)

     D.	Carrel and Lol Grant, The TACACS+ Protocol, Version 1.78, draft-grant-
     tacacs-02.txt (Internet Draft).

AUTHORS
     This software was written by John Polstra and Paul	Fraley,	and donated to
     the FreeBSD project by Juniper Networks, Inc.

FreeBSD	10.1		       December	11, 2009		  FreeBSD 10.1

NAME | SYNOPSIS | DESCRIPTION | INITIALIZATION | CREATING A TACACS+ AUTHENTICATION REQUEST | CREATING A TACACS+ AUTHORIZATION REQUEST | CREATING A TACACS+ ACCOUNTING REQUEST | SETTING OPTIONAL PARAMETERS ON A REQUEST | SENDING THE AUTHENTICATION REQUEST AND RECEIVING THE RESPONSE | EXTRACTING INFORMATION FROM THE SERVER'S AUTHENTICATION RESPONSE | SENDING AUTHENTICATION CONTINUE PACKETS | SENDING THE AUTHORIZATION REQUEST AND RECEIVING THE RESPONSE | SENDING THE ACCOUNTING REQUEST AND RECEIVING THE RESPONSE | EXTRACTING INFORMATION FROM THE SERVER'S AUTHORIZATION RESPONSE | OBTAINING ERROR MESSAGES | CLEANUP | RETURN VALUES | FILES | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<http://www.freebsd.org/cgi/man.cgi?query=libtacplus&manpath=FreeBSD+10.0-RELEASE>

home | help