Nagios Authentication with Active Directory (Slightly Off-Topic)
Shawn Iverson
shawn at nccsc.k12.in.us
Wed Jan 5 20:00:30 CET 2005
Something else I probably should mention is that if you are strictly
using web authentication on your linux server, you won't need to have
winbind running at all. That part of the configuration can be skipped.
Below is an annotated set of instructions. You may also be able to use
pam_ccred if you wish to cache authorization in pam.
Shawn Iverson
Technology Associate
MCP W2K3S and W2KP, Linux+, Network+, A+
New Castle Community School Corporation
shawn at nccsc.k12.in.us
>The following are instructions for Fedora Core 3 in a typical Active
>Directory environment, but they should be adaptable to other distros.
>
>You will need the following packages and their dependencies (preferably
>most recent):
>
>krb5-workstation
>pam_krb5
>mod_auth_pam (http://pam.sourceforge.net/mod_auth_pam)
>
>Optional, but highly recommended:
>nscd (to cache authentication requests)
>
>The instructions that follow assume that you are using Apache v2.x with
>module support and SSL, and that you are wanting to
>authenticate against
>a Windows 2003 Server DC.
>
>Make sure that the following services are enabled in your init scripts
>for your runlevel (chkconfig):
>
>winbind
>nscd (if being used--highly recommended so that your DC is not pounded
>with numerous requests)
>
>Add the following to your /etc/krb5.conf as follows. Automatic kdc and
>realm lookup will save you a lot of headaches (may be less secure since
>it informs kerberos to locate the nearest kdc, a.k.a. domain
>controller.
>Read the docs if you want to hard wire it to a specific kdc). Note that
>your realms must be ALL CAPS:
>
>[libdefaults]
>default_realm = YOUR.FULLY.QUALIFIED.DOMAIN
>dns_lookup_realm = true
>dns_lookup_kdc = true
>
>Add this to /etc/httpd/conf/httpd.conf. I highly recommend
>that you use
>SSL to protect your domain passwords from being sent across the network
>in plain text (Note that statuswrl.cgi will not load in Internet
>Explorer when using SSL, a small price to pay. You should also set up a
>certificate, which I will not delve into here.):
>
>LoadModule auth_pam_module modules/mod_auth_pam.so
>SSLProtocol -all +SSLv2
>SSLVerifyClient none
>
>Also, add a nagios.conf to your /etc/httpd/conf.d/ to configure
>authentication and disregard the instructions that come with nagios for
>configuring web authorization (they are somewhat outdated):
>
>ScriptAlias /nagios/cgi-bin/ /usr/local/nagios/sbin/
><Directory "/usr/local/nagios/sbin/">
> Options ExecCGI
> AllowOverride None
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1
> # your subnet(s); Apache only accepts comments on their own line
> Allow from x.x.x.x/x
> AuthType Basic
> AuthName "Nagios Web Access"
> # or use 'Require group', read the docs
> Require user your_domain_users
> AuthPAM_Enabled on
> AuthPAM_FallThrough off
> SSLCipherSuite -all:SSLv2:+HIGH
></Directory>
>
>Alias /nagios /usr/local/nagios/share/
><Directory "/usr/local/nagios/share/">
> Options None
> AllowOverride None
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1
> # your subnet(s)
> Allow from x.x.x.x/x
> AuthType Basic
> AuthName "Nagios Web Access"
> Require user your_domain_users
> AuthPAM_Enabled on
> AuthPAM_FallThrough off
> SSLCipherSuite -all:SSLv2:+HIGH
></Directory>
>
>Edit /etc/pam.d/httpd to enable kerberos authentication with pam.
>Something similar to this will work:
>
>#%PAM-1.0
>auth sufficient /lib/security/pam_krb5.so
>auth required /lib/security/pam_unix.so
>account sufficient /lib/security/pam_krb5.so
>account required /lib/security/pam_unix.so
>
>Now you must join your linux box to your directory and test your
>configuration. See chapter 6 of the Official Samba-3 HOWTO for more
>information
>(http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member).
>You will also probably want to set up ntp so that
>your time stays synchronized.
>
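Added example, not part of Shawn's post: a small Python simulator of the classic Linux-PAM control-flag rules (required, requisite, sufficient, optional), run over the /etc/pam.d/httpd stack quoted above. It shows why the order matters: a good domain password makes pam_krb5 (sufficient) short-circuit the stack, a bad one falls through to the local pam_unix password, and putting "required pam_unix" first would lock out domain-only users who have no local shadow entry. Module results are constructed; nothing contacts a KDC or reads /etc/shadow, and the PAM semantics are the simplified textbook ones.

```python
"""Simplified Linux-PAM control-flag simulator for the /etc/pam.d/httpd stack
in the post. Example code, not from the post; module results are constructed."""
from typing import Dict, List, Tuple

# The PAM file exactly as shown in the post, embedded as a constructed string.
HTTPD_PAM = """#%PAM-1.0
auth sufficient /lib/security/pam_krb5.so
auth required /lib/security/pam_unix.so
account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_unix.so
"""

def parse_stack(text: str, group: str) -> List[Tuple[str, str]]:
    """Return (control, module) pairs for one management group (auth/account)."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments / #%PAM-1.0
        if not line:
            continue
        mtype, control, module = line.split()[:3]
        if mtype == group:
            stack.append((control, module.rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack under the classic flags; return (decision, modules run)."""
    consulted, succeeded, required_failed = [], False, False
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted                    # abort immediately
        if control == "sufficient" and ok and not required_failed:
            return True, consulted                     # short-circuit success
        if control == "required" and not ok:
            required_failed = True                     # remember, keep walking
        elif control in ("required", "requisite") and ok:
            succeeded = True
        elif control == "optional" and len(stack) == 1:
            succeeded = ok                             # only counts when alone
    return succeeded and not required_failed, consulted

def httpd_decision(krb5_ok: bool, unix_ok: bool, group: str = "auth"):
    """Decision of the post's stack for given (constructed) module outcomes."""
    stack = parse_stack(HTTPD_PAM, group)
    return evaluate(stack, {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok})

def reversed_order_decision(krb5_ok: bool, unix_ok: bool):
    """Same modules with 'required pam_unix' first: a domain-only user with no
    local shadow entry is rejected even though Kerberos would succeed."""
    stack = [("required", "pam_unix.so"), ("sufficient", "pam_krb5.so")]
    return evaluate(stack, {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok})
```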
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users