Mini-HowTo: Integrating TACACS+ (NG) with ActiveDirectory

This page will give you a starting point. However, to use any of the advanced tac_plus features you'll really have to read the documentation.

Having said that, the steps to get you up and running are:

  1. Download the distribution. It's available from GitHub:

    git clone
  2. Compile the code:

    cd event-driven-servers
  3. Install the distribution. You'll probably have to do so as the root user, so either

    sudo make install
    or, from a root shell,
    make install
    will be required to make this work.

At this point, installation is complete, but this was indeed just the generic (and easy) part of these instructions. What's still missing is the configuration file, plus a couple of assorted ActiveDirectory entries:

  1. ActiveDirectory

  2. Copy the sample configuration file from your local /usr/local/lib/mavis/extra/ directory to /usr/local/etc/tac_plus-ng.cfg. Again, you'll obviously need root privileges for that, but I'll silently ignore this requirement for now:

    cp /usr/local/lib/mavis/extra/tac_plus-ng.cfg-ads /usr/local/etc/tac_plus-ng.cfg
  3. Edit /usr/local/etc/tac_plus-ng.cfg with your favorite editor. As a minimum, you'll have to modify the setenv variables starting with LDAP_ to match your local environment (your AD servers, the search base, and the service account the backend binds with). Feel free to modify other stuff, too. Since the file now holds that service account's password in clear text, make sure it is readable by root only (chmod 600).

  4. The authentication backend requires a couple of Perl modules which may or may not be already installed on your system. Run

    /usr/local/lib/mavis/ < /dev/null
    If there's an error message saying Can't locate Net/ in @INC, you'll first have to install the Net::LDAP Perl module. If there's any other error message, you should abort right here, as that would be plainly out of the scope of this document.
  5. Check whether there are any syntax errors in the configuration file:

    /usr/local/sbin/tac_plus-ng -P /usr/local/etc/tac_plus-ng.cfg
    If there are any errors, well, fix them.
  6. Check whether communication with the AD server is functional:

    /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus-ng.cfg tac_plus-ng TAC_PLUS someusername
    (replace someusername with one from any of the tacacs groups)
  7. That's it. Almost. If you want the daemon to start at boot time, you should probably

    cp /usr/local/lib/mavis/extra/etc_init.d_tac_plus-ng /etc/init.d/tac_plus-ng
    and create the usual symlinks in the rc directories for your runlevels. Other launch mechanisms are supported too; dig through /usr/local/lib/mavis/extra/, where there are samples for launchd and systemd.

    If you've performed that last step (the etc_init.d copying thing), then

    /etc/init.d/tac_plus-ng start
    should start the daemon. Or just call
    /usr/local/sbin/tac_plus-ng /usr/local/etc/tac_plus-ng.cfg
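
To tie steps 3 to 6 of the configuration part together, here is a small POSIX shell pre-flight script. It is an added example and not part of the event-driven-servers distribution. The tac_plus-ng -P and mavistest invocations are the ones from the steps above; the perl -MNet::LDAP check is the usual Perl idiom for "is this module installed" and stands in for running the backend script by hand. The script assumes that the sample config sets its variables as lines of the form "setenv LDAP_NAME = value" and that the backend needs LDAP_HOSTS, LDAP_BASE, LDAP_USER and LDAP_PASSWD; adjust REQUIRED_LDAP_VARS to whatever your copy of tac_plus-ng.cfg-ads actually sets. Paths default to the ones used in this HowTo and can be overridden through the environment.

```shell
#!/bin/sh
# Added pre-flight script for a tac_plus-ng + ActiveDirectory install.
# Not part of the event-driven-servers distribution. Paths default to
# the ones used in the HowTo and can be overridden via the environment.

CFG="${CFG:-/usr/local/etc/tac_plus-ng.cfg}"
TACPLUS="${TACPLUS:-/usr/local/sbin/tac_plus-ng}"
MAVISTEST="${MAVISTEST:-/usr/local/bin/mavistest}"
# Assumed variable names; compare with your copy of tac_plus-ng.cfg-ads.
REQUIRED_LDAP_VARS="${REQUIRED_LDAP_VARS:-LDAP_HOSTS LDAP_BASE LDAP_USER LDAP_PASSWD}"

# The config holds the AD bind password (setenv LDAP_PASSWD ...), so the
# group and other permission bits must all be clear. Returns 0 for an
# owner-only mode such as 0600, 1 otherwise.
check_cfg_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other part of the mode string
    [ "$perms" = "------" ]
}

# Print, one per line, every LDAP_* variable the config sets through a
# line of the form "setenv LDAP_NAME = value".
list_ldap_vars() {
    sed -n 's/^[[:space:]]*setenv[[:space:]]\{1,\}\(LDAP_[A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1"
}

# Print the names from the argument list that the config does not set.
# Usage: missing_ldap_vars FILE NAME...
missing_ldap_vars() {
    f=$1; shift
    have=$(list_ldap_vars "$f")
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qx "$name" || echo "$name"
    done
}

# Steps 3 to 6 of the HowTo, stopping at the first hard failure.
preflight() {
    user=$1; rc=0
    if check_cfg_perms "$CFG"; then
        echo "ok: $CFG is readable by its owner only"
    else
        echo "WARN: $CFG is group/world readable but contains the AD bind password"
        rc=1
    fi
    missing=$(missing_ldap_vars "$CFG" $REQUIRED_LDAP_VARS)
    if [ -n "$missing" ]; then
        echo "WARN: not set in $CFG:" $missing
        rc=1
    fi
    # Step 4: the AD backend needs the Net::LDAP Perl module.
    perl -MNet::LDAP -e 1 2>/dev/null || { echo "FAIL: Net::LDAP is not installed"; return 1; }
    # Step 5: configuration syntax check.
    "$TACPLUS" -P "$CFG" || { echo "FAIL: syntax errors in $CFG"; return 1; }
    # Step 6: authenticate one AD user through the MAVIS backend.
    "$MAVISTEST" -d -1 "$CFG" tac_plus-ng TAC_PLUS "$user" || rc=1
    return $rc
}

# Run the whole sequence when given a user name: ./preflight.sh someusername
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

The permission check is there because the sample config, once filled in, carries the service account's password and the TACACS+ keys for your devices; a world-readable copy hands both to every local user. The LDAP_ variable check only reports names that are missing, not values that are still the sample defaults, so review those by eye before running mavistest.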

Again, reading the documentation for spawnd, mavis and tac_plus-ng is highly recommended.