#!/usr/local/sbin/tac_plus-ng
# tac_plus-ng configuration: TACACS+ service on TCP/49 that hands user
# lookup and password checks to an LDAP directory via the external MAVIS
# backend, and grants privilege level 15 to members of "tacacsadmin".

# spawnd section: the listener that accepts connections.
id = spawnd {
    listen = { port = 49 }
    background = yes
}

# tac_plus-ng section: the TACACS+ daemon itself.
id = tac_plus-ng {
    # External MAVIS module: runs the LDAP helper script named in "exec";
    # the setenv lines are passed to that script as its configuration.
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "generic"
        # ldaps:// scheme, i.e. LDAP over TLS.
        # NOTE(review): confirm the helper validates the server certificate.
        setenv LDAP_HOSTS = "ldaps://duo1:12346"
        setenv LDAP_BASE = "cn=users,cn=accounts,dc=company,dc=net"
        setenv LDAP_BASE_GROUP = "cn=groups,cn=accounts,dc=company,dc=net"
        # Bind DN and password for directory lookups. The password is stored
        # in clear text, so this file must be readable only by the daemon's
        # account, and the bind account should have read-only directory access.
        setenv LDAP_USER = "uid=tacacsuser,cn=users,cn=accounts,dc=company,dc=net"
        setenv LDAP_PASSWD = "bind_password"
        # The capture group matches only group CNs that begin with "tacacs".
        # Presumably the captured CN becomes the group name that the ruleset
        # below tests; verify against the helper script.
        setenv LDAP_MEMBEROF_REGEX = "^cn=(tacacs[^,]+),.*"
        setenv LDAP_NESTED_GROUP_DEPTH = 0
        exec = /tacacs/lib/mavis/mavis_tacplus-ng_ldap.pl
    }

    # Send login, PAP and user-lookup requests to the MAVIS backend above.
    login backend = mavis
    user backend = mavis
    pap backend = mavis
    # NOTE(review): appears to disable caching of authentication results, so
    # each login is checked against the backend again; confirm in the docs.
    mavis noauthcache
    # NOTE(review): looks like this lets authentication fall back to another
    # source when the MAVIS backend fails. No local users are defined in this
    # file; confirm what the fallback would accept.
    authentication fallback = yes

    # Client (NAS) definition. 0.0.0.0/0 matches every IPv4 source address, so
    # any host that presents the shared key is treated as a valid device.
    # Restrict "address" to the management subnets of the real devices and
    # replace the sample key with a long random secret.
    host IPv4_switches {
        address = 0.0.0.0/0
        key = "theKey"
        password max-attempts = 5
    }

    # Profile "netadmin": for the shell service with an empty cmd, set
    # privilege level 15 and permit. No branch here handles a non-empty cmd or
    # any other service.
    profile netadmin {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl = 15
                    permit
                }
            }
        }
    }

    # Group name referenced by the ruleset below.
    group tacacsadmin

    # Ruleset: members of "tacacsadmin" get the netadmin profile and are
    # permitted. This file has no rule for any other group.
    ruleset {
        rule {
            script {
                if (group == tacacsadmin) {
                    profile = netadmin
                    permit
                }
            }
        }
    }
}