Mini-HowTo: Integrating TACACS+ with ActiveDirectory

This page will give you a starting point. However, to use any of the advanced tac_plus features you'll really have to read the documentation.

Having said that, the steps to get you up and running are:

  1. Download the distribution. It's available from

    (or, same file with version timestamp, here).

  2. Unpack the distribution:

    bzip2 -dc DEVEL.tar.bz2 | tar xvfp -
    This will create a directory named PROJECTS.
  3. Enter the PROJECTS directory and compile the code:

  4. Install the distribution. You'll probably have to do so as the root user, so either

    sudo make install

    or, as root,

    make install

    will be required to make this work.

At this point, installation is complete, but this was indeed just the generic (and easy) part of these instructions. What's still missing is the configuration file, plus a couple of assorted ActiveDirectory entries:

  1. ActiveDirectory

  2. Copy the sample configuration file from your local /usr/local/lib/mavis/extra/ directory to /usr/local/etc/tac_plus.cfg. Again, you'll obviously need root privileges for that, but I'll silently ignore this requirement for now:

    cp /usr/local/lib/mavis/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
  3. Edit /usr/local/etc/tac_plus.cfg with your favorite editor. As a minimum, you'll have to modify the setenv variables starting with LDAP_ to match your local environment. Feel free to modify other stuff, too.

  4. The authentication backend requires a couple of Perl modules which may or may not be already installed on your system. Run

    /usr/local/lib/mavis/ < /dev/null
    If there's an error message saying Can't locate Net/ in @INC, you'll first have to install the Net::LDAP Perl module. If there's any other error message, you should abort right here, as that would be plainly out of the scope of this document.
  5. Check whether there are any syntax errors in the configuration file:

    /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
    If there are any errors, well, fix them.
  6. Check whether communication with the AD server is functional:

    /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS someusername
    (replace someusername with one from any of the tacacs groups)
  7. That's it. Almost. If you want the daemon to start at boot time, you should probably

    cp /usr/local/lib/mavis/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
    and add the assorted links from a couple of init directories. Some other launch mechanisms are supported, too, just dig through /usr/local/lib/mavis/extra/, there are samples for launchd and systemd.

    If you've performed that last step (the etc_init.d copying thing), then

    /etc/init.d/tac_plus start

    should start the daemon. Or just call

    /usr/local/sbin/tac_plus /usr/local/etc/tac_plus.cfg
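    To show what the edited configuration from steps 2 and 3 ends up looking like, here is a minimal tac_plus.cfg of the shape these steps describe. It is an added example, not the shipped tac_plus.cfg-ads sample and not part of this page; the host names, base DN, bind account, shared key, management subnet and group names are constructed placeholders, and the setenv variable names are assumed to match those in the shipped sample, so verify them against /usr/local/lib/mavis/extra/tac_plus.cfg-ads before use.

```conf
# Added example, not the shipped sample. All values are placeholders.
id = spawnd {
    listen = { port = 49 }
    spawn = { instances min = 1 instances max = 10 }
    background = yes
}

id = tac_plus {
    # Log authentication and authorization decisions; review these regularly.
    access log = /var/log/tac_plus/access/%Y%m%d.log
    accounting log = /var/log/tac_plus/acct/%Y%m%d.log

    mavis module = external {
        # The LDAP_ variables are what step 3 tells you to adapt (names assumed
        # to match the sample; check tac_plus.cfg-ads). Use the Global Catalog
        # port (3268) and a read-only bind account with no other privileges.
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "dc1.example.test:3268 dc2.example.test:3268"
        setenv LDAP_BASE = "dc=example,dc=test"
        setenv LDAP_USER = "svc-tacacs-ro@example.test"
        setenv LDAP_PASSWD = "REPLACE_WITH_BIND_PASSWORD"
        # Only users in AD groups starting with "tacacs" are accepted;
        # "tacacsadmin" in AD maps to the tac_plus group "admin" below.
        setenv AD_GROUP_PREFIX = tacacs
        setenv REQUIRE_AD_GROUP_PREFIX = 1
        # Backend script path is elided on this page; placeholder, see step 4.
        exec = /usr/local/lib/mavis/MAVIS_AD_BACKEND_SCRIPT.pl
    }

    login backend = mavis
    user backend = mavis
    pap backend = mavis

    # Restrict clients to the management network instead of 0.0.0.0/0;
    # the shared key must differ from the vendor default.
    host = mgmt {
        address = 10.10.0.0/24
        key = "REPLACE_WITH_LONG_RANDOM_KEY"
    }

    group = admin {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
    }
}
```

    After editing, run the syntax check from step 5 and the mavistest call from step 6 with a member of the tacacsadmin group to confirm the mapping before enabling the init script.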

Again, reading the documentation for spawnd, mavis and tac_plus is highly recommended.
