[TACACS] Stop authorization after user being rejected by server. (#14249)

Stop authorization after user being rejected by server.

#### Why I did it
Fix nss_tacplus bug: after a user is rejected by one TACACS+ server, nss_tacplus will try the next TACACS+ server.

##### Work item tracking
- Microsoft ADO: 15276692

#### How I did it
Check the authorization result and stop authorization after the user is rejected by a server.

#### How to verify it
Pass all E2E tests.
Create new UT: sonic-net/sonic-mgmt#8345

#### Description for the changelog
Stop authorization after user being rejected by server.

#### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
liuh-80 authored May 30, 2023
1 parent 02b1783 commit b444817
Showing 1 changed file with 18 additions and 6 deletions.
24 changes: 18 additions & 6 deletions src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
@@ -10,16 +10,17 @@ Subject: [PATCH] Modify user map profile
* Added "many_to_one" mode, create one local user for many TACACS+ users which
has the same privilege.
* Modified configuration parse and file to adapt to the new user map profile.
* Stop authorization after user being rejected by server.
---
Makefile.am | 4 +-
Makefile.in | 2 +-
configure.ac | 2 +-
debian/changelog | 11 +
debian/control | 11 +-
debian/libnss-tacplus.symbols | 1 -
nss_tacplus.c | 1004 +++++++++++++++++++----------------------
tacplus_nss.conf | 91 ++--
8 files changed, 518 insertions(+), 608 deletions(-)
nss_tacplus.c | 1018 +++++++++++++++------------------
tacplus_nss.conf | 91 ++-
8 files changed, 527 insertions(+), 613 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 293951e..b33c455 100644
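Review bot: the updated diffstat keeps "debian/changelog | 11 +" unchanged, so this revision of the patch documents the new stop-on-reject behaviour only in the patch description bullet ("* Stop authorization after user being rejected by server.") and not in the package changelog; consider adding a changelog entry in the same patch so the packaged behaviour change is recorded where operators look for it. The nss_tacplus.c line in the stat grows from 1004 to 1018 while only four added lines are visible in this view, so please confirm the whole patch file was regenerated rather than hand-edited.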
@@ -1153,7 +1154,18 @@ index 79e62b9..ecfa0b0 100644
done = 1; /* break out of loop after arep cleanup */
}
else {
@@ -692,30 +724,12 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
" invalid (%d)", nssname,
tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
arep.status);
+
+ if (arep.status == TAC_PLUS_AUTHOR_STATUS_FAIL) {
+ done = 1; /* break out of loop after server reject user */
+ }
}
if(arep.msg)
free(arep.msg);
@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_free_attrib(&arep.attr);
}

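Review bot: the new check stops the server loop only for an explicit TAC_PLUS_AUTHOR_STATUS_FAIL; any other non-PASS status that the surrounding syslog call reports as " invalid (%d)" still falls through to the next configured server. If that failover is intentional (so that a server-side error does not lock the user out of the remaining servers), say so in the comment, otherwise the condition should cover the other reject statuses too. Minor: "break out of loop after server reject user" reads better as "break out of loop after server rejects user", matching the earlier "break out of loop after arep cleanup" comment; the nested header renumbering from "@@ -692,30 +724,12 @@" to "@@ -692,30 +728,12 @@" matches the four lines added above it.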
@@ -1186,7 +1198,7 @@ index 79e62b9..ecfa0b0 100644
*
* We try the lookup to the tacacs server first. If we can't make a
* connection to the server for some reason, we also try looking up
@@ -730,20 +744,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
int result;
struct pwbuf pbuf;

@@ -1221,7 +1233,7 @@ index 79e62b9..ecfa0b0 100644
/* marshal the args for the lower level functions */
pbuf.name = (char *)name;
pbuf.pw = pw;
@@ -751,126 +770,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
pbuf.buflen = buflen;
pbuf.errnop = errnop;

