Mini-HowTo: Integrating TACACS+ with ActiveDirectory

If you're starting from scratch: Please consider using tac_plus-ng and have a look at The tac_plus-ng AD Integration HowTo first. tac_plus-ng supports multi-group membership and direct evaluation of memberOf attributes.

This page will give you a starting point. However, to use any of the advanced tac_plus features you'll really have to read the documentation.

Having said that, the steps to get you up and running are:

  1. Download the distribution. It's available from GitHub:

    git clone https://github.com/MarcJHuber/event-driven-servers.git
  2. Compile the code:

    cd event-driven-servers
    ./configure
    make
    
  3. Install the distribution. You'll probably have to do so as the root user, so either

    sudo make install
    
    or
    su
    make install
    exit
    
    will be required to make this work.

At this point, installation is complete, but this was indeed just the generic (and easy) part of these instructions. What's still missing is the configuration file, plus a couple of assorted ActiveDirectory entries:

  1. ActiveDirectory

  2. Copy the sample configuration file from your local /usr/local/lib/mavis/extra/ directory to /usr/local/etc/tac_plus.cfg. Again, you'll obviously need root privileges for that, but I'll silently ignore this requirement for now:

    cp /usr/local/lib/mavis/extra/tac_plus.cfg-ads /usr/local/etc/tac_plus.cfg
    
  3. Edit /usr/local/etc/tac_plus.cfg with your favorite editor. As a minimum, you'll have to modify the setenv variables starting with LDAP_ to match your local environment (LDAP server URLs, search base and the bind account). Since those variables include the bind password in clear text, keep the file readable by root only. Feel free to modify other stuff, too.

  4. The authentication backend requires a couple of Perl modules which may or may not be already installed on your system. Run

    /usr/local/lib/mavis/mavis_tacplus_ads.pl < /dev/null
    
    If there's some error message saying Can't locate Net/LDAP.pm in @INC you'll first have to install the Net::LDAP Perl module. If there's any other error message you should abort right here as this would be plainly out of the scope of this document.
  5. Check whether there are any syntax errors in the configuration file:

    /usr/local/sbin/tac_plus -P /usr/local/etc/tac_plus.cfg
    
    If there are any errors, well, fix them.
  6. Check whether communication with the AD server is functional:

    /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TAC_PLUS someusername
    
    (replace someusername with one from any of the tacacs groups)
  7. That's it. Almost. If you want the daemon to start at boot time, you should probably

    cp /usr/local/lib/mavis/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
    
    and add the usual symlinks in the rc directories for your distribution. Some other launch mechanisms are supported, too, just dig through /usr/local/lib/mavis/extra/, there are samples for launchd and systemd.

    If you've performed that last step (the etc_init.d copying thing), then

    /etc/init.d/tac_plus start
    
    should start the daemon. Or just call
    /usr/local/sbin/tac_plus /usr/local/etc/tac_plus.cfg
    
    directly.
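The checks in steps 3 to 6 lend themselves to a small pre-flight script that stops at the first failure instead of leaving you to eyeball each command's output. The script below is an added example and is not part of the tac_plus distribution. The paths and command lines are the ones from the steps above; the list of LDAP_ variables checked, the "RESULT=" line expected in mavistest output, the Perl error text and the "run" argument convention are assumptions made for this example.

```shell
#!/bin/sh
# Added pre-flight script for the installation steps above (not part of the
# tac_plus distribution). Assumptions: the four LDAP_ setenv names, the
# "KEY=VALUE" output format of mavistest, and the Perl error text.

PREFIX=${PREFIX:-/usr/local}
CFG=${CFG:-$PREFIX/etc/tac_plus.cfg}
TESTUSER=${TESTUSER:-someusername}   # a member of one of the tacacs AD groups

# Step 4: classify the stderr of "mavis_tacplus_ads.pl < /dev/null".
# Prints one of: ok | missing-net-ldap | other-error
classify_perl_error() {
    case "$1" in
        "")                            echo ok ;;
        *"Can't locate Net/LDAP.pm"*) echo missing-net-ldap ;;
        *)                             echo other-error ;;
    esac
}

# Step 6: pull the RESULT attribute out of mavistest output read from stdin.
# Assumes one "KEY=VALUE" pair per line; prints "none" when no RESULT line exists.
mavis_result() {
    r=$(sed -n 's/^RESULT=//p' | head -n 1)
    echo "${r:-none}"
}

# Step 3: print the setenv variables that are not defined in the config file.
# The variable list is an assumption based on the sample configuration.
cfg_missing_vars() {
    for v in LDAP_HOSTS LDAP_BASE LDAP_USER LDAP_PASSWD; do
        grep -Eq "setenv[[:space:]]+$v[[:space:]]*=" "$1" || echo "$v"
    done
}

# Return 0 when the file is unreadable by group and others. The config carries
# the LDAP bind password in clear text, so anything more open than 0600 leaks it.
cfg_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD stat
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

preflight() {
    [ -f "$CFG" ] || { echo "step 2: no config at $CFG"; return 1; }

    missing=$(cfg_missing_vars "$CFG")
    [ -z "$missing" ] || { echo "step 3: define these setenv variables:" $missing; return 1; }
    cfg_is_private "$CFG" || echo "warning: $CFG holds LDAP_PASSWD but is group/world readable"

    perl_err=$("$PREFIX/lib/mavis/mavis_tacplus_ads.pl" </dev/null 2>&1 >/dev/null) || true
    case $(classify_perl_error "$perl_err") in
        ok) ;;
        missing-net-ldap) echo "step 4: install the Net::LDAP Perl module first"; return 1 ;;
        *) printf '%s\n' "$perl_err"; echo "step 4: backend script failed to load, stop here"; return 1 ;;
    esac

    "$PREFIX/sbin/tac_plus" -P "$CFG" || { echo "step 5: fix the syntax errors reported above"; return 1; }

    out=$("$PREFIX/bin/mavistest" -d -1 "$CFG" tac_plus TAC_PLUS "$TESTUSER" 2>&1) || true
    case $(printf '%s\n' "$out" | mavis_result) in
        ACK) echo "step 6: AD lookup for $TESTUSER succeeded" ;;
        *)   printf '%s\n' "$out"; echo "step 6: AD lookup for $TESTUSER failed"; return 1 ;;
    esac
}

# Only run the checks when invoked as "sh preflight.sh run"; otherwise the
# functions can be sourced and used individually.
if [ "${1:-}" = run ]; then
    preflight
fi
```

Run it as root (it needs to read the config and reach the AD servers) with `TESTUSER=<someone in a tacacs group> sh preflight.sh run`. The permission warning is deliberately non-fatal: the daemon will still work with a world-readable file, but the bind password would then be exposed to every local account.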

Again, reading the documentation for spawnd, mavis and tac_plus is highly recommended.