Nagios Authentication with Active Directory (Slightly Off-Topic)
nagios at mm.quex.org
Wed Jan 5 08:01:25 CET 2005
On Tue, Jan 04, 2005 at 10:43:24AM -0800, CWaters at jeld-wen.com wrote:
> I want to use my company's AD to authenticate users against for access
> to Nagios. While I know this is not really a Nagios question, I was
> wondering if anyone in the community is doing this already. If so,
> what issues did you encounter? Any drawbacks? What apache modules
> were used etc.? Any information would be great. Sorry if this has
> already been covered.
In addition to the PAM method in someone else's response, if you only
need to authenticate against AD for Nagios access (i.e. via Apache)
there's an LDAP authentication module or two available which you can
use.
I'm using this with Apache 2 on a Debian (testing) system with
mod_auth_ldap v2.12, compiled with OpenLDAP TLS.
<http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html>
You might also want to look at the newer version.
In the Directory configuration block for Apache:
<Directory /foo>
    AuthName "Network monitoring"
    AuthType Basic
    LDAP_Debug off
    LDAP_Server dc.myco.internal
    LDAP_Port 389
    LDAP_Persistent off
    LDAP_Protocol_Version 3
    Bind_DN "CN=LDAP_User,OU=Service Accounts,DC=myco,DC=internal"
    Bind_Pass "xxxxxxxxxxxx"
    Base_DN "OU=Staff,DC=myco,DC=internal"
    LDAP_StartTLS on
    AuthOnBind off
    Bind_Tries 1
    UID_Attr userPrincipalName
    UID_Attr_Alt sAMAccountName
    require valid-user
</Directory>
I've got LDAP_Persistent off, as I think it caused me problems when
it was enabled.
The Bind_DN gives the distinguished name of an account it can use
to do the initial searching; I think it's possible to set up your
domain to allow anonymous searches but you might not want to do
that. Bind_Pass gives the password for this account, so you'll
want to make sure only authorised people get to read this config
file, and the Base_DN sets where the search takes place in the
Active Directory tree.
The UID_Attr gives the property that is used to find a match when
a user goes to log in, i.e. what they type in the Username field.
The UID_Attr_Alt is exported into the environment as LDAP_USER_ALT,
which might be useful if you want to hack the CGIs to use this
instead of whatever you're using for the UID_Attr.
Hope some of this is helpful.
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
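
Added example (not part of the original message or of mod_auth_ldap): a small Python check for the three points the reply raises about this block, namely who can read the file holding Bind_Pass, whether LDAP_StartTLS is on, and whether a Bind_DN is set rather than relying on anonymous searches. The sample fragment is constructed, and treating a missing LDAP_StartTLS line as off is an assumption.

```python
import os
import stat
import sys

# Constructed sample modelled on the block in the post (placeholder values),
# with StartTLS switched off so that the audit has something to report.
SAMPLE = """<Directory /foo>
AuthType Basic
LDAP_Server dc.myco.internal
LDAP_Port 389
Bind_DN "CN=LDAP_User,OU=Service Accounts,DC=myco,DC=internal"
Bind_Pass "xxxxxxxxxxxx"
LDAP_StartTLS off
require valid-user
</Directory>
"""

def parse_directives(text):
    """Map each directive name (lowercased) to its unquoted value."""
    found = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        # Skip blank lines, comments and the <Directory> container tags.
        if not parts or parts[0].startswith(("#", "<")):
            continue
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        found[parts[0].lower()] = value
    return found

def audit(path):
    """Return a list of findings for the config fragment stored at path."""
    with open(path) as fh:
        d = parse_directives(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if d.get("bind_pass") and mode & stat.S_IROTH:
        findings.append("Bind_Pass is in a world-readable file (mode %o)" % mode)
    # Assumption: a missing LDAP_StartTLS directive is treated as off.
    if d.get("ldap_starttls", "off").lower() != "on":
        findings.append("LDAP_StartTLS is not on: binds cross the network in cleartext")
    if not d.get("bind_dn"):
        findings.append("no Bind_DN: the initial search relies on anonymous access")
    return findings

if __name__ == "__main__":
    # Usage: python audit_ldap_conf.py /path/to/fragment.conf
    for finding in audit(sys.argv[1]):
        print("WARN:", finding)
```
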