Null mailer - no notifications for contacts that want to view CGIs only (maybe notif to an ML)
Bruce Elrick
bruce at elrick.ca
Tue Jun 22 00:37:27 CEST 2004
Jeremy Russell wrote:
> Ok, I've has a few people wanting to know how I authenticated to our
> Active Directory here.
>
> Well, I simply used the mod_ntlm module for apache.
>
> You can find it here http://modntlm.sourceforge.net
>
> It is very useful.
>
Here is another way of doing it (your AD server needs to accept authenticated access via LDAP):
In your main httpd.conf:
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so
(these are "experimental" Apache 2.0 modules)
In the nagios <Directory> or <Location> stanza:
AuthType Basic
AuthName "Active Directory Realm"
AuthLDAPUrl ldap://myadserver.mycompany.com/ou=Personnel,dc=mycompany,dc=com?sAMAccountName?sub
AuthLDAPBindDN cn=ApacheLDAPUser,ou=ServiceAccounts,ou=_Admin,dc=mycompany,dc=com
AuthLDAPBindPassword aSecr3t
Require valid-user
Where:
- AuthName is arbitrary and is what the browser typically presents to the user when prompting for the user ID and password.
- in the AuthLDAPUrl:
- myadserver.mycompany.com is purely a resolvable (DNS) address for your AD server
- ou=Personnel,dc=mycompany,dc=com is the DN for the portion of the AD tree underwhich all your users live. In this example,
the AD domain is mycompany.com; a lot of companies use a fictitious non-DNS style domain (like mycompany). Also, the OU might be
anything; ask your AD guy?
- the ?sAMAccountName?sub tells mod_ldap what attribute to do lookups against. In this case sAMAccountName is the "NT short
name" that people usually use as their user ID (as opposed to their Full Name which Windows allows).
- AuthLDAPBindDN is the DN of the server user that you are going connect to AD using; I'm not sure what priviledges that user
needs (presumably you'd want that service user to have the minimal privs to accomplish the authentication)
- AuthLDAPBindPassword is the password of that user
One thing mod_ldap & mod_auth_ldap *doesn't* appear to support is listing multiple points in the tree to search. This may be a
problem if you have users in disparate portions of the AD tree such that the common branch in the tree is very high up and you are
doing searches across a large portion of the AD tree.
Cheers....
Bruce
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list