.\"-
.\" Copyright (c) 2023 Klara, Inc.
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.Dd May 17, 2023
.Dt NSS_TACPLUS 8
.Os
.Sh NAME
.Nm nss_tacplus
.Nd TACACS+ nsswitch module
.Sh SYNOPSIS
.Ic passwd : files tacplus
.Sh DESCRIPTION
The
.Nm
module is a loadable NSS module which provides a minimal identity
service using a TACACS+ backend.
.Pp
Due to the limitations of the TACACS+ protocol, the functionality
provided by the
.Nm
module is very limited: it can look up a user by name, but not by uid,
and it cannot enumerate users.
.Pp
To look up a user, the
.Nm
module submits an authorization request with authentication method
.Dv TAC_PLUS_AUTHEN_METH_NOT_SET ,
authentication type
.Dv TAC_PLUS_AUTHEN_TYPE_NOT_SET ,
and authentication service
.Dv TAC_PLUS_AUTHEN_SVC_LOGIN ,
for the
.Dq shell
service.
If the response status is either
.Dv TAC_PLUS_AUTHOR_STATUS_PASS_ADD
or
.Dv TAC_PLUS_AUTHOR_STATUS_PASS_REPL ,
the user is considered to exist and the
.Nm
module fills out a
.Vt struct passwd
for it.
.Pp
The following attributes, if included in the response from the TACACS+
server, are used to construct the response:
.Bl -tag -width GECOS
.It Va UID
Numeric user ID.
Must be between 0 and
.Dv UID_MAX .
Defaults to 65534.
.It Va GID
Numeric primary group ID.
Must be between 0 and
.Dv GID_MAX .
Defaults to 65534.
.It Va GECOS
Display name.
If not provided, the user name is used instead.
.It Va HOME
Home directory.
Defaults to
.Pa / .
.It Va SHELL
Shell.
Defaults to
.Pa /bin/sh .
.El
.Pp
Case is ignored when matching attribute names.
If an attribute is included multiple times, the last value takes
effect.
.Sh SEE ALSO
.Xr libtacplus 3 ,
.Xr tacplus.conf 5 ,
.Xr pam_tacplus 8
.Sh HISTORY
.An -nosplit
The
.Nm
module and this manual page were written by
.An Dag-Erling Smørgrav Aq Mt des@FreeBSD.org
for Klara Systems.
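
The attribute handling described above (defaults, case-insensitive names, last value wins, range-checked IDs), sketched as an added example that is not the module's own source. The helper names, the "attr=value" input form, the "*" password placeholder and the choice to ignore a malformed or out-of-range ID (so it can never collapse to uid 0) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L  /* for strncasecmp() */
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#define ID_MAX 4294967295ULL  /* stand-in for UID_MAX/GID_MAX; assumes 32-bit IDs */

/* Strict decimal parse into [0, ID_MAX]; returns 0 on success, -1 otherwise. */
static int parse_id(const char *s, unsigned long long *out)
{
    char *end;
    if (*s < '0' || *s > '9')  /* rejects "", "-1", "+1", leading blanks */
        return -1;
    errno = 0;
    *out = strtoull(s, &end, 10);
    return (errno != 0 || *end != '\0' || *out > ID_MAX) ? -1 : 0;
}

/* Case-insensitive match of the len-byte attribute name at s against key. */
static int is_attr(const char *s, size_t len, const char *key)
{
    return strlen(key) == len && strncasecmp(s, key, len) == 0;
}

/* Fill *pw for user `name` from n "attr=value" strings (hypothetical helper).
 * String fields point into name and av[], which must outlive *pw. */
void fill_passwd(struct passwd *pw, char *name, char **av, size_t n)
{
    unsigned long long id;
    memset(pw, 0, sizeof(*pw));
    pw->pw_name = pw->pw_gecos = name;      /* GECOS falls back to the user name */
    pw->pw_passwd = "*";                    /* assumption: no usable hash */
    pw->pw_uid = pw->pw_gid = 65534;        /* documented default */
    pw->pw_dir = "/";
    pw->pw_shell = "/bin/sh";
    for (size_t i = 0; i < n; i++) {        /* later duplicates overwrite earlier */
        size_t len = strcspn(av[i], "=*");  /* '=' or '*' separates name and value */
        char *val = av[i] + len + 1;
        if (av[i][len] == '\0')
            continue;                       /* no separator: not a pair */
        if (is_attr(av[i], len, "UID")) {   /* assumption: a bad ID is ignored */
            if (parse_id(val, &id) == 0) pw->pw_uid = (uid_t)id;
        } else if (is_attr(av[i], len, "GID")) {
            if (parse_id(val, &id) == 0) pw->pw_gid = (gid_t)id;
        } else if (is_attr(av[i], len, "GECOS")) pw->pw_gecos = val;
        else if (is_attr(av[i], len, "HOME")) pw->pw_dir = val;
        else if (is_attr(av[i], len, "SHELL")) pw->pw_shell = val;
    }
}
```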