A minor post – mostly for my own notes..
I was setting up an instance of Trac and I wanted Active Directory authentication going. I’ve had this before, but I recently learned of Centrify which provides a VERY easy means to setup system authentication with AD. This meant I needed to find a Centrify-specific way to get AD authentication going in Trac.
I was close to an obvious simple solution for a fair while, but I kept running in to error messages like:
[error] [client jay] GROUP: mrjay not in required group(s)., referer: http://trac/
Here’s the steps I followed that not only get this far, but got past through to working just fine…
Step 1. Set up Centrify
I used something like this to guide me.
Step 2. Perform basic install of Trac and configure Apache for logins in trac, in my case:
Â Â Â <Location /login> Â Â Â Â Â Â Â AuthType Basic Â Â Â Â Â Â Â AuthName "Please login with your network account" Â Â Â Â Â Â Â AuthBasicProvider external Â Â Â Â Â Â Â AuthExternal pwauth Â Â Â Â Â Â Â AuthzUnixgroup on Â Â Â Â Â Â Â Require valid-user Â Â Â Â Â Â Â Require group ActiveDirectoryUsers </Location>
Step 3: Add ActiveDirectoryUsers group to system
You could use another group name, or skip this step and use something pre-existing, like “users”Â – just make sure your “Require group” setting in your Apache Virtual Host’s config corresponds to whatever you pick.
Step 4: Edit your Centrify Config:
cp /etc/centrifydc/group.ovr.sample /etc/centrifydc/group.ovr
and edit to look something like:
-email@example.com +Domain Admins:root::0: +local.domain/Users/Domain Users:ActiveDirectoryUsers::114: +::::
Be sure to set that gid (‘114’ above) to whatever the gid of the group you made in Step 3 was (see it in /etc/group)
Step 5: Run “adflush”, restart Apache and try to login
That should be it – hopefully I haven’t missed anything I did. Leave a comment if need be.