Nagios Authentication with Active Directory (Slightly Off-Topic)
Shawn Iverson
shawn at nccsc.k12.in.us
Wed Jan 5 01:46:08 CET 2005
Yes, this can be done, and I am doing it right now. It rocks! You have
to edit numerous files within your system, though, making it a bit hairy
for the faint of heart. The good news is that if you are successful,
you can authenticate against AD with any PAM-enabled program in Linux!
This method uses winbind for directory user/group UID/GID
mappings/lookups and kerberos V5 for authentication.
The following are instructions for Fedora Core 3 in a typical Active
Directory environment, but they should be adaptable to other distros.
You will need the following packages and their dependencies (preferably
most recent):
krb5-workstation
pam_krb5
mod_auth_pam (http://pam.sourceforge.net/mod_auth_pam)
Optional, but highly recommended:
nscd (to cache authentication requests)
The instructions that follow assume that you are using Apache v2.x with
module support and SSL, and that you are wanting to authenticate against
a Windows 2003 Server DC.
Make sure that the following services are enabled in your init scripts
for your runlevel (chkconfig):
winbind
nscd (if being used--highly recommended so that your DC is not pounded
with numerous requests)
Add the following to your /etc/krb5.conf. Automatic kdc and
realm lookup will save you a lot of headaches (may be less secure since
it informs kerberos to locate the nearest kdc, a.k.a. domain controller.
Read the docs if you want to hard wire it to a specific kdc). Note that
your realms must be ALL CAPS:
[libdefaults]
default_realm = YOUR.FULLY.QUALIFIED.DOMAIN
dns_lookup_realm = true
dns_lookup_kdc = true
Edit /etc/samba/smb.conf for winbind. Note that I have set the shell to
/sbin/nologin to guard against console logins since I have my pam_krb5
configuration in /etc/pam.d/system_auth. Also, I had trouble with DNS
for some reason on the password server line, so I had to use an IP
address.
workgroup = yourdomain
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
winbind use default domain = yes
password server = your_domain_controller
realm = YOUR.FULLY.QUALIFIED.DOMAIN
client use spnego = yes
Add this to /etc/httpd/conf/httpd.conf. I highly recommend that you use
SSL to protect your domain passwords from being sent across the network
in plain text (Note that statuswrl.cgi will not load in Internet
Explorer when using SSL, a small price to pay. You should also set up a
certificate, which I will not delve into here.):
LoadModule auth_pam_module modules/mod_auth_pam.so
SSLProtocol -all +SSLv2
SSLVerifyClient none
Also, add a nagios.conf to your /etc/httpd/conf.d/ to configure
authentication and disregard the instructions that come with nagios for
configuring web authorization (they are somewhat outdated):
ScriptAlias /nagios/cgi-bin/ /usr/local/nagios/sbin/
<Directory "/usr/local/nagios/sbin/">
Options ExecCGI
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
# your subnet(s)
Allow from x.x.x.x/x
AuthType Basic
AuthName "Nagios Web Access"
# or use 'Require group', read the docs
Require user your_domain_users
AuthPAM_Enabled on
AuthPAM_FallThrough off
SSLCipherSuite -all:SSLv2:+HIGH
</Directory>
Alias /nagios /usr/local/nagios/share/
<Directory "/usr/local/nagios/share/">
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1
# your subnet(s)
Allow from x.x.x.x/x
AuthType Basic
AuthName "Nagios Web Access"
Require user your_domain_users
AuthPAM_Enabled on
AuthPAM_FallThrough off
SSLCipherSuite -all:SSLv2:+HIGH
</Directory>
Edit /etc/pam.d/httpd to enable kerberos authentication with pam.
Something similar to this will work:
#%PAM-1.0
auth sufficient /lib/security/pam_krb5.so
auth required /lib/security/pam_unix.so
account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_unix.so
Edit /etc/nsswitch.conf and modify the following lines:
passwd: files winbind
shadow: files winbind
group: files winbind
Now you must join your Linux box to your directory and test your
configuration. See chapter 6 of the Official Samba-3 HOWTO for more
information
(http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member).
You will also probably want to set up ntp so that your time stays
synchronized.
In a nutshell, do the following:
service winbind restart
service nscd restart
killall -HUP httpd
getent passwd
# you will see domain accounts scrolling off of the screen if this works
getent group
net ads join -U your_domain_administrator_account
kinit your_dom_admin@YOUR.REALM
net ads join "your_organizational_unit"
Check to make sure you now have a computer account in your OU and that
you now have a kerberos ticket:
klist
Finally, test your authentication into nagios with your web browser
(https://yourserver/nagios). If it fails, pay close attention to
/var/log/messages and the httpd server logs for clues on what is going
wrong.
If you encounter errors during the process, double check everything and
keep trying. Good luck!
Shawn Iverson
Technology Associate
MCP W2K3S and W2KP, Linux+, Network+, A+
New Castle Community School Corporation
shawn at nccsc.k12.in.us
On Tuesday, January 04, 2005 1:43 PM, Chris Waters wrote:
> I want to use my company's AD to authenticate users against for access
> to Nagios.
> While I know this is not really a Nagios question, I was wondering if
> anyone in the community is doing this already. If so, what issues did
> you encounter? Any drawbacks? What apache modules were used etc.? Any
> information would be great.
> Sorry if this has already been covered.
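Added example (not code from Shawn's post and not part of Linux-PAM): a small simulator of how PAM walks the /etc/pam.d/httpd stack quoted in the post, to make visible what "auth sufficient pam_krb5" followed by "auth required pam_unix" actually admits. The stack text is the one from the post; the per-module pass/fail outcomes fed to it are constructed inputs (no Kerberos KDC or /etc/shadow is consulted), and KRB5_ONLY_PAM_HTTPD is an assumed tighter variant, not something the post recommends.

```python
"""Simulate how Linux-PAM walks the /etc/pam.d/httpd stack from the post.
Added example: not code from the post or from Linux-PAM. The stack text is the
one the post gives; the per-module pass/fail outcomes are constructed inputs
(no Kerberos or /etc/shadow is consulted) and KRB5_ONLY is an assumed variant.
"""
SUCCESS, FAIL = "success", "fail"

# Control flags as pam.conf(5) describes them:
#   required   failure is remembered, the rest of the stack still runs
#   requisite  failure ends the stack at once
#   sufficient success ends the stack with success unless a required module
#              already failed; its own failure is ignored
#   optional   only counts when every module in the stack is optional

POST_PAM_HTTPD = """\
#%PAM-1.0
auth    sufficient /lib/security/pam_krb5.so
auth    required   /lib/security/pam_unix.so
account sufficient /lib/security/pam_krb5.so
account required   /lib/security/pam_unix.so
"""

# Assumed tighter variant (not from the post): only Kerberos may satisfy the
# login, so a password in the local /etc/shadow never opens the Nagios CGIs.
KRB5_ONLY_PAM_HTTPD = """\
auth    required /lib/security/pam_krb5.so
account required /lib/security/pam_krb5.so
"""


def parse_pam_stacks(text):
    """Return {type: [(control, module_basename), ...]} from pam.d-style text."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module = line.split()[:3]
        stacks.setdefault(mtype, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks


def evaluate_stack(stack, outcomes):
    """Walk one stack; outcomes maps module basename -> True (pass) / False."""
    required_failed = any_success = False
    only_optional = all(control == "optional" for control, _ in stack)
    for control, module in stack:
        ok = outcomes.get(module, False)     # unknown module: treat as failing
        if control == "required":
            required_failed |= not ok
            any_success |= ok
        elif control == "requisite":
            if not ok:
                return FAIL
            any_success = True
        elif control == "sufficient":
            if ok and not required_failed:
                return SUCCESS
        elif control == "optional":
            any_success |= ok and only_optional
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return SUCCESS if any_success and not required_failed else FAIL


def login_result(pam_text, krb5_ok, unix_ok):
    """Outcome of the auth stack followed by the account stack."""
    stacks = parse_pam_stacks(pam_text)
    outcomes = {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok}
    for phase in ("auth", "account"):
        if evaluate_stack(stacks.get(phase, []), outcomes) != SUCCESS:
            return FAIL
    return SUCCESS


if __name__ == "__main__":
    cases = [("AD user, right password", True, False),
             ("AD user, wrong password", False, False),
             ("local-only account with a /etc/shadow password", False, True)]
    for label, krb5_ok, unix_ok in cases:
        print(f"{label}: post stack={login_result(POST_PAM_HTTPD, krb5_ok, unix_ok)}, "
              f"krb5-only stack={login_result(KRB5_ONLY_PAM_HTTPD, krb5_ok, unix_ok)}")
```

With the post's stack the login succeeds when either module accepts the password, so the stack is an OR of Kerberos and the local password database: a local-only account whose password pam_unix can verify also reaches the Nagios CGIs. Whether pam_unix can verify one under the unprivileged httpd user is a property of the box, not of the stack; the krb5-only variant removes the question entirely.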
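Added example (not from the post, Apache or mod_ssl): a minimal linter over an Apache 2.x fragment that flags the SSLv2-only "SSLProtocol -all +SSLv2" and "SSLCipherSuite -all:SSLv2:+HIGH" settings from the post, plus any AuthType Basic section without SSLRequireSSL, and then checks an assumed hardened replacement. SSLv2 had known protocol weaknesses long before 2005 and a "-all" list that re-adds only SSLv2 leaves nothing else enabled, so the password protection the post is after is not what that line delivers. The hardened protocol list assumes a mod_ssl built on an OpenSSL that offers TLS 1.2/1.3; the parser understands only top-level directives and <Directory> blocks.

```python
"""Lint mod_ssl and Basic-auth settings in an Apache 2.x config fragment.
Added example for the post above: not code from the post, Apache or mod_ssl.
WEAK_CONFIG reproduces the post's directives; HARDENED_CONFIG is an assumed
replacement. Only top-level directives and <Directory> blocks are parsed."""
import re

PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
DEPRECATED = {"SSLv2", "SSLv3"}  # both broken; SSLv2 is what the post enables

WEAK_CONFIG = """\
SSLProtocol -all +SSLv2
<Directory "/usr/local/nagios/sbin/">
    AuthType Basic
    AuthName "Nagios Web Access"
    Require user your_domain_users
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    SSLCipherSuite -all:SSLv2:+HIGH
</Directory>
"""
# Assumed replacement (not from the post): TLS 1.2+ only (needs a mod_ssl built
# on an OpenSSL that has them), no SSLv2 cipher keyword, and SSLRequireSSL so
# the PAM password can never be accepted over plain http.
HARDENED_CONFIG = """\
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5
<Directory "/usr/local/nagios/sbin/">
    SSLRequireSSL
    AuthType Basic
    AuthName "Nagios Web Access"
    Require user your_domain_users
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
</Directory>
"""


def parse_sections(text):
    """[(label, [(directive, [args]), ...]), ...]; top level is "(global)"."""
    sections = [("(global)", [])]
    current = sections[0][1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):           # block closed: back to global scope
            current = sections[0][1]
            continue
        block = re.match(r"<(\w+)\s+(.*)>$", line)
        if block:                           # e.g. <Directory "/path/">
            sections.append((f"<{block.group(1)} {block.group(2)}>", []))
            current = sections[-1][1]
            continue
        name, *args = line.split()
        current.append((name, args))
    return sections


def enabled_protocols(args):
    """Apply SSLProtocol's ordered [+|-]keyword list ('all' = every keyword here)."""
    enabled = set()
    for tok in args:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def audit(text):
    """Return findings for the fragment; an empty list means it is clean."""
    findings = []
    for label, directives in parse_sections(text):
        basic_auth = require_ssl = False
        for name, args in directives:
            key = name.lower()
            if key == "sslprotocol":
                bad = enabled_protocols(args) & DEPRECATED
                if bad:
                    findings.append(f"{label}: SSLProtocol enables {sorted(bad)}")
            elif key == "sslciphersuite":
                # OpenSSL list syntax: a token without a !/-/+ prefix adds ciphers
                added = {t for t in args[0].split(":") if t and t[0] not in "!-+"}
                if "SSLv2" in added:
                    findings.append(f"{label}: SSLCipherSuite adds SSLv2 ciphers")
            elif key == "authtype" and args and args[0].lower() == "basic":
                basic_auth = True
            elif key == "sslrequiressl":
                require_ssl = True
        if basic_auth and not require_ssl:
            findings.append(f"{label}: AuthType Basic without SSLRequireSSL; "
                            "the PAM password goes in clear text over plain http")
    return findings


if __name__ == "__main__":
    for title, cfg in (("post's fragment", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{title}:", audit(cfg) or "clean")
```

Run against the post's fragment this reports three findings (SSLv2 as the only protocol, SSLv2 ciphers added in the Directory block, and Basic auth with no SSLRequireSSL guard); the hardened fragment comes back clean. SSLRequireSSL matters because the post relies on the user typing https: without it, the same <Directory> answers a plain-http request and mod_auth_pam still prompts for the domain password.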