Trac Authenticating Through Active Directory

A minor post – mostly for my own notes.

I was setting up an instance of Trac and I wanted Active Directory authentication going. I’ve had this before, but I recently learned of Centrify, which provides a VERY easy means to set up system authentication with AD. This meant I needed to find a Centrify-specific way to get AD authentication going in Trac.

I was close to an obvious simple solution for a fair while, but I kept running into error messages like:

    [error] [client jay] GROUP: mrjay not in required group(s)., referer: http://trac/

Here are the steps I followed, which not only got this far but got through to working just fine…

Step 1. Set up Centrify

I used something like this to guide me.

Step 2. Perform basic install of Trac and configure Apache for logins in Trac, in my case:

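    <Location /login>
        # HTTP Basic auth, with passwords checked by the external "pwauth" helper
        AuthType Basic
        AuthName "Please login with your network account"
        AuthBasicProvider external
        AuthExternal pwauth
        # Resolve "Require group" against system (Unix) groups
        AuthzUnixgroup on
        Require valid-user
        Require group ActiveDirectoryUsers
    </Location>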

Step 3: Add ActiveDirectoryUsers group to system

You could use another group name, or skip this step and use something pre-existing, like “users” – just make sure your “Require group” setting in your Apache Virtual Host’s config corresponds to whatever you pick.

Step 4: Edit your Centrify Config:

    cp /etc/centrifydc/group.ovr.sample /etc/centrifydc/group.ovr

and edit to look something like:

    -webusers@local.domain
    +Domain Admins:root::0:
    +local.domain/Users/Domain Users:ActiveDirectoryUsers::114:
    +::::

Be sure to set that gid (‘114’ above) to whatever the gid of the group you made in Step 3 was (see it in /etc/group).

Step 5: Run “adflush”, restart Apache and try to log in
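An added example, not part of the original post: a shell check that the gid in group.ovr agrees with the gid of the local group named in “Require group”, as Step 4 asks. It assumes the group.ovr field layout shown in the sample above; the function name check_group_ovr is hypothetical.

```shell
#!/bin/sh
# Added example: cross-check the gid written in Centrify's group.ovr against
# the gid of the local group that Apache's "Require group" names.
# Assumed group.ovr layout (taken from the sample in Step 4):
#   +<AD group>:<unix name>:<password>:<gid>:
# Usage: check_group_ovr <group.ovr> <group file> <required group>
# Returns 0 on match, 1 on gid mismatch, 2 if the group is missing somewhere.
check_group_ovr() {
    ovr_file=$1
    group_file=$2
    required=$3

    # gid of the local group (Step 3), read from an /etc/group-format file
    local_gid=$(awk -F: -v g="$required" \
        '$1 == g { print $3; exit }' "$group_file")
    if [ -z "$local_gid" ]; then
        echo "MISSING: no local group '$required' in $group_file"
        return 2
    fi

    # gid on the "+" override line whose unix name is the required group
    ovr_gid=$(awk -F: -v g="$required" \
        'substr($0, 1, 1) == "+" && $2 == g { print $4; exit }' "$ovr_file")
    if [ -z "$ovr_gid" ]; then
        echo "MISSING: no '+' override maps a group to '$required' in $ovr_file"
        return 2
    fi

    if [ "$ovr_gid" != "$local_gid" ]; then
        echo "MISMATCH: $ovr_file says gid $ovr_gid, $group_file says $local_gid"
        return 1
    fi
    echo "OK: '$required' has gid $local_gid in both files"
}

# Run directly when given the three arguments, e.g.
#   sh check.sh /etc/centrifydc/group.ovr /etc/group ActiveDirectoryUsers
if [ "$#" -eq 3 ]; then
    check_group_ovr "$@"
fi
```

Run it before “adflush” in Step 5; a non-zero exit status means the override and /etc/group disagree or the group is missing from one of them.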

That should be it – hopefully I haven’t missed anything I did. Leave a comment if need be.

Have fun!