Wednesday, March 7, 2012

Apache Active Directory Login for Nagios Access

http://telinit0.blogspot.com/2009/09/apache-active-directory-login-for.html
I initially asked for a new AD group with the Nagios users' login names as members, but it turned out to be unusable. So what I did instead was browse the
IT department level of the directory, pull out the login names, and require the specific users that need to access the Nagios site.

I did some trial and error for the required fields. The ldapsearch utility (part of the openldap-clients package) came in very handy.

One command I used to test the filtering is this:

ldapsearch -x -h ldap_server -D 'CN=srv_nagios,OU=Service Accounts,OU=Operations,DC=asia,DC=org' -W -b 'OU=Departments,OU=Users,OU=domain,DC=asia,DC=org' '(objectClass=*)' sAMAccountName

(ldap_server is the AD domain controller, the same placeholder as in the Apache config below; -W makes it ask for the srv_nagios password, and the trailing sAMAccountName limits the output to the login names)

srv_nagios is an unprivileged AD account that Apache uses to bind to Active Directory (AD does not allow anonymous browsing). Without that account, one error I got was:

auth_ldap authenticate: user user01 authentication failed; URI /nagios/ [ldap_search_ext_s() for user failed][Operations error]

Also, from ldapsearch, while I still did not have the correct parameters, I mostly got this message:

# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

In the Nagios web config file:

/etc/httpd/conf.d/nagios.conf

the following is what worked for me (your requirements will vary, so work with your AD admin on the correct fields to use).

ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi"
<Directory "/usr/lib64/nagios/cgi">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   # authenticate against AD through mod_authnz_ldap (Apache 2.2)
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative  off
   # ldap://host:port/base-dn?attribute-to-match?scope?filter
   AuthLDAPURL "ldap://ldap_server:389/OU=Departments,OU=Users,OU=domain,DC=asia,DC=org?sAMAccountName?sub?(objectClass=*)"
   # unprivileged service account used for the bind, since AD disallows anonymous searches
   AuthLDAPBindDN "CN=srv_nagios,OU=Service Accounts,OU=Operations,DC=asia,DC=org"
   AuthLDAPBindPassword "secretpassword"
   AuthLDAPGroupAttribute  memberOf
   AuthLDAPGroupAttributeIsDN off
   AuthName "Nagios Access"
   AuthType Basic
   # only these sAMAccountNames may log in (multiple Require lines are ORed)
   Require ldap-user user1 user2 user3
   Require ldap-user user4 user5
</Directory>

Alias /nagios "/usr/share/nagios"

<Directory "/usr/share/nagios">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   # same LDAP settings as the CGI directory above
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative  off
   AuthLDAPURL "ldap://ldap_server:389/OU=Departments,OU=Users,OU=domain,DC=asia,DC=org?sAMAccountName?sub?(objectClass=*)"
   AuthLDAPBindDN "CN=srv_nagios,OU=Service Accounts,OU=Operations,DC=asia,DC=org"
   AuthLDAPBindPassword "secretpassword"
   AuthLDAPGroupAttribute  memberOf
   AuthLDAPGroupAttributeIsDN off
   AuthName "Nagios Access"
   AuthType Basic
   Require ldap-user user1 user2 user3
   Require ldap-user user4 user5
</Directory>
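To see what the AuthLDAPURL above actually makes mod_authnz_ldap do, here is an added example (not code from the original post) that splits the URL into host, base DN, attribute, scope and filter the way the module reads it, builds the filter the module sends when a user logs in, and prints the ldapsearch command that reproduces that same query by hand. The host, bind DN and user name are the post's own placeholders; the default values for a missing attribute, scope or filter follow the mod_authnz_ldap documentation.

```python
# Added example, not part of the original post: decode an AuthLDAPURL and
# reproduce the login search with ldapsearch.  ldap_server / srv_nagios are
# the placeholders from the post.
from urllib.parse import urlsplit, unquote
import shlex

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into a dict.
    Missing parts get the mod_authnz_ldap defaults uid / sub / (objectclass=*)."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORT:
        raise ValueError("AuthLDAPURL scheme must be ldap or ldaps: %r" % url)
    fields = u.query.split("?") if u.query else []
    fields += [""] * (3 - len(fields))
    return {
        "scheme": u.scheme,
        "host": u.hostname,
        "port": u.port or DEFAULT_PORT[u.scheme],
        "base_dn": unquote(u.path.lstrip("/")),
        "attribute": unquote(fields[0]) or "uid",
        "scope": unquote(fields[1]) or "sub",
        "filter": unquote(fields[2]) or "(objectclass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping, so a typed user name cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def login_filter(url, username):
    """The filter the module issues for a login: (&(url filter)(attribute=user))."""
    p = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (p["filter"], p["attribute"], escape_filter_value(username))


def ldapsearch_command(url, bind_dn, username):
    """Equivalent of the manual ldapsearch test (-W prompts for the bind password)."""
    p = parse_auth_ldap_url(url)
    uri = "%s://%s:%d" % (p["scheme"], p["host"], p["port"])
    argv = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W", "-b", p["base_dn"],
            "-s", p["scope"], login_filter(url, username), p["attribute"]]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    URL = "ldap://ldap_server:389/OU=Departments,OU=Users,OU=domain,DC=asia,DC=org?sAMAccountName?sub?(objectClass=*)"
    print(ldapsearch_command(URL, "CN=srv_nagios,OU=Service Accounts,OU=Operations,DC=asia,DC=org", "user01"))
```

Because this URL uses plain ldap:// on 389, the srv_nagios bind password and every Basic-auth password sent by a Nagios user cross the network in the clear; ldaps:// (or LDAPTrustedMode TLS in mod_ldap) together with SSLRequireSSL on the Nagios directories closes that, and the file holding AuthLDAPBindPassword should be readable by root only.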

Watch for errors in /var/log/httpd/error_log; if there is a problem, the log entries are a very big help.

NOTE: this works with Apache 2.2.x. I was trying with a 2.0.x version, but the mod_authnz_ldap module is not built in to it.

Once it was working, I re-defined the contacts (one for each Nagios user) and then assigned them to contact groups. These groups are then used in templates and by service definitions.

----
I use a setup similar to this that recently broke for no apparent reason - turns out you can use port 3268 for Global Catalog searches. Changing from 389 -> 3268 got my config working again.

===========
RADIUS authentication (via mod_auth_xradius)

ScriptAlias /nagios/cgi-bin "/usr/lib/nagios/cgi"
<Directory "/usr/lib/nagios/cgi">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Allow from 127.0.0.1
###############
#   AuthName "Nagios Access"
#   AuthType Basic
#   AuthUserFile /etc/nagios/htpasswd.users
#   Require valid-user
###############
   AuthName "Login with SecurID"
   AuthType Basic
   AuthBasicProvider xradius
   AuthXRadiusAddServer "radius-server:1645" "radius-secret"
   AuthXRadiusTimeout 5
   AuthXRadiusRetries 1
   AuthXRadiusRejectBlank on
   Require valid-user
###############
</Directory>
Alias /nagios "/usr/share/nagios"
<Directory "/usr/share/nagios">
#  SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
###############
#   AuthName "Nagios Access"
#   AuthType Basic
#   AuthUserFile /etc/nagios/htpasswd.users
#   Require valid-user
###############
   AuthName "Login with SecurID"
   AuthType Basic
   AuthBasicProvider xradius
   AuthXRadiusAddServer "radius-server:1645" "radius-secret"
   AuthXRadiusTimeout 5
   AuthXRadiusRetries 1
   AuthXRadiusRejectBlank on
   Require valid-user
</Directory>
