[naemon-users] [NAEMON] : Authentication on Naemon - Nagvis - Nagvis - Pnp4nagios

Aurélien CLAVIER aurelien.clavier at pentasonic.net
Fri Jun 19 16:44:26 CEST 2015



Hi Magnus,

Thanks for your help. I enabled authentication with LDAP and an htpasswd file at the same time.

This is the configuration you need:

    AuthName "Naemon Monitoring"
    AuthType Basic
    AuthBasicProvider file ldap
    AuthUserFile /etc/naemon/htpasswd
    AuthLDAPURL "ldap://IPOFYOURDC/DC=DOMAIN,DC=local?sAMAccountName?sub"
    AuthLDAPBindDN ACCOUNT@DOMAIN
    AuthLDAPBindPassword "PASSWORD"
    Require valid-user

Thanks a lot Magnus for your help. :)

Now I need to customize the installation path of Naemon in order to install it in /opt/. I posted a new question about it yesterday.

Bye

Aurélien

From: Naemon-users [mailto:naemon-users-bounces+aurelien.clavier=pentasonic.net at monitoring-lists.org] On behalf of Magnus
Sent: Tuesday, 16 June 2015 21:48
To: naemon-users at monitoring-lists.org
Subject: Re: [naemon-users] [NAEMON] : Authentication on Naemon - Nagvis - Nagvis - Pnp4nagios

Hello,

I have this LDAP configuration. You also have to enable the authnz_ldap and perhaps the ldap module of Apache with a2enmod.

I wouldn't call this SSO, since that would be using your Windows workstation or Linux workstation credentials, but you will only need to log in one time for all naemon/pnp4nagios pages, as you have already experienced.

I am going on holiday for a week so if you have any follow up questions it will take a while before I reply. :)

  <Location /thruk>
    Options ExecCGI
        AuthName "Nagios Access"
        AuthType Basic
        AuthBasicProvider ldap

        AuthLDAPURL "ldap://<IPOFDC1> <IPOFDC2>/DC=<XXXX>,DC=local?sAMAccountName?sub"
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPBindDN <ad-account>@<domain>
        AuthLDAPBindPassword <PASSWORD>
        #AuthLDAPSubGroupDepth 3
        require ldap-group CN=Grp.Users.Nagios,OU=_Groups,DC=XXXX,DC=local
        #require valid-user

  </Location>

Regards
Magnus

On 2015-06-16 10:04, Aurélien CLAVIER wrote:


Hello,

Thank you Magnus ;) I solved my problem! I'm also interested to know how you enabled Active Directory auth and basic auth at the same time. Can you explain how?

Below is the solution to enable SSO with basic auth on Naemon 1.0.3 (on an httpd server):

In fact, when you install Naemon, Thruk creates an Apache configuration file, thruk_cookie_auth_vhost.conf, with these settings:

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# thruk_cookie_auth_vhost.conf
#


RewriteEngine On
<IfModule !mod_authz_core.c>
  RewriteLock "/var/cache/naemon/thruk/apache_rewrite.lock"
</IfModule>

<VirtualHost *:80>
  # extend default virtual host. put/include these rewrite rules in https or
  # any other virtual host if you want to enable cookie authentication
  Include /usr/share/naemon/thruk_cookie_auth.include
</VirtualHost>

When I renamed this file to thruk_cookie_auth_vhost.conf.OLD and then restarted my HTTPD server, I was prompted only ONE TIME for all components (Naemon, Thruk, Nagvis and PNP4Nagios). So this solved my problem.

For more details, these are my Apache configuration files:

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# thruk.conf
#


<IfModule mod_fcgid.c>
  AddHandler fcgid-script .sh
  IPCCommTimeout 120

  <Directory /usr/share/naemon>
    Options FollowSymLinks
    AllowOverride All
    order allow,deny
    allow from all
    # required for apache 2.4
    <IfModule mod_authz_core.c>
      Require all granted
    </IfModule>
  </Directory>
  <Directory /etc/naemon/themes>
    Options FollowSymLinks
    allow from all
    # required for apache 2.4
    <IfModule mod_authz_core.c>
      Require all granted
    </IfModule>
  </Directory>
  <Directory /etc/naemon/plugins>
    Options FollowSymLinks
    allow from all
    # required for apache 2.4
    <IfModule mod_authz_core.c>
      Require all granted
    </IfModule>
  </Directory>

  Alias /naemon/documentation.html /usr/share/naemon/root/thruk/documentation.html
  Alias /naemon/startup.html /usr/share/naemon/root/thruk/startup.html
  AliasMatch ^/naemon/(.*\.cgi|.*\.html)  /usr/share/naemon/fcgid_env.sh/naemon/$1
  AliasMatch ^/naemon/plugins/(.*?)/(.*)$  /etc/naemon/plugins/plugins-enabled/$1/root/$2
  Alias /naemon/themes/  /etc/naemon/themes/themes-enabled/
  Alias /naemon/ /usr/share/naemon/root/thruk/

  <Location /naemon/>
    Options ExecCGI FollowSymLinks
    AuthName "Naemon Monitoring"
    AuthType Basic
    AuthUserFile /etc/naemon/htpasswd
    Require valid-user
  </Location>
  <Location /naemon/cgi-bin/remote.cgi>
    Order Deny,Allow
    Allow from all
    Satisfy any
  </Location>
</IfModule>

# use compressed output if available
<IfModule mod_deflate.c>
  <Location /naemon/>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
  </Location>
</IfModule>

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# nagvis.conf
#
# NagVis Apache2 sample configuration file
#
# #############################################################################

Alias /nagvis "/etc/nagvis/share"

<Directory "/etc/nagvis/share">
  Options FollowSymLinks
  AllowOverride None
  Order allow,deny
  Allow from all

  # To enable Nagios basic auth on NagVis use the following options
  # Just uncomment it. Maybe you need to adjust the path to the
  # Auth user file.
  #
  # If you use the NagVis internal auth mechanism based on the web
  # form you won't need this.
  #
#  AuthName "Naemon Access"
#  AuthType Basic
#  AuthUserFile /etc/naemon/htpasswd
#  Require valid-user

    Options ExecCGI FollowSymLinks
    AuthName "Naemon Monitoring"
    AuthType Basic
    AuthUserFile /etc/naemon/htpasswd
    Require valid-user




  # With installed and enabled mod_rewrite there are several redirections
  # available to fix deprecated and/or wrong urls. None of those rules is
  # mandatory to get NagVis working.
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /nagvis

    # Use mod_rewrite for old url redirection even if there are php files which
    # redirect the queries itselfs. In some cases the mod_rewrite redirect
    # is better than the php redirect.
    #
    # Using the php redirect seems to be better in some cases where https/http servers
    # are mixed. For example in OMD setups where using apache own mode and https in the
    # frontend and http in the backend apache servers.
    #
    # Disabling this redirect by default in the hope that the php direct works better.
    #RewriteCond %{REQUEST_URI} ^/nagvis(/config\.php|/index\.php|/|)(\?.*|)$
    #RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/%1%2 [R=301,L]

    # Redirect old regular map links
    RewriteCond %{REQUEST_URI} ^/nagvis/frontend/(wui|nagvis-js)
    RewriteCond %{QUERY_STRING} map=(.*)
    RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/index.php?mod=Map&act=view&show=%1 [R=301,L]

    # Without map= param
    RewriteCond %{REQUEST_URI} ^/nagvis/frontend(/wui)?/?(index.php)?$
    RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/index.php [R=301,L]

    # Redirect old rotation calls
    RewriteCond %{REQUEST_URI} ^/nagvis/frontend/nagvis-js
    RewriteCond %{QUERY_STRING} !mod
    RewriteCond %{QUERY_STRING} rotation=(.*)
    RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/index.php?mod=Rotation&act=view&show=%1 [R=301,L]
  </IfModule>
</Directory>



# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# pnp4nagios.conf
#

Alias /pnp4nagios "/usr/local/pnp4nagios/share"

<Directory "/usr/local/pnp4nagios/share">
  AllowOverride None
  Order allow,deny
  Allow from all
  #
  # Use the same value as defined in nagios.conf
  #
  AuthName "Naemon Monitoring"
  AuthType Basic
  AuthUserFile /etc/naemon/htpasswd
  Require valid-user
  <IfModule mod_rewrite.c>
    # Turn on URL rewriting
    RewriteEngine On
    Options symLinksIfOwnerMatch
    # Installation directory
    RewriteBase /pnp4nagios/
    # Protect application and system files from being viewed
    RewriteRule "^(?:application|modules|system)/" - [F]
    # Allow any files or directories that exist to be displayed directly
    RewriteCond "%{REQUEST_FILENAME}" !-f
    RewriteCond "%{REQUEST_FILENAME}" !-d
    # Rewrite all other URLs to index.php/URL
    RewriteRule "^.*$" "index.php/$0" [PT]
  </IfModule>
</Directory>



Regards,

Aurélien CLAVIER
Pôle CSP
Direct : +33(0)2 40 89 89 35 Mobile : +33(0) 6 80 30 59 57
aurelien.clavier at pentasonic.net

Head office: 10 rue du Petit Châtelier 44300 NANTES
Paris office: Resadia, 35 rue victor Hugo 93500 PANTIN
Switchboard: +33 (0)2 40 89 89 30 Fax: +33 (0)2 40 89 89 39



From: Naemon-users [mailto:naemon-users-bounces+aurelien.clavier=pentasonic.net at monitoring-lists.org] On behalf of Magnus
Sent: Monday, 15 June 2015 22:25
To: naemon-users at monitoring-lists.org
Subject: Re: [naemon-users] [NAEMON] : Authentication on Naemon - Nagvis - Nagvis - Pnp4nagios

Hello,

If you have your users in a file (like this line in the Apache config: AuthUserFile /etc/nagios3/htpasswd.users) then just make sure the config files for pnp4nagios and so on use the same file.

Personally I connect them to an Active Directory LDAP tree, so then they are also the same.

If you use the same AuthName in all the Apache config files you won't be prompted for each either.

Regards
Magnus

On 2015-06-15 14:54, Aurélien CLAVIER wrote:


Hi all,

I installed Naemon 2 weeks ago on a fresh CentOS 7. I installed Nagvis and PNP4nagios, which run like a charm.
But I have a problem with basic authentication of Naemon, Thruk, PNP4nagios and Nagvis. In fact, I want PNP4nagios and Nagvis to use the same credentials that Naemon/Thruk is using.

How do I do this?

Thanks in advance

Aurélien
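
Added example, not part of the original thread and not code from the Naemon, Thruk, NagVis or PNP4Nagios projects: Magnus's advice that every Apache config should use the same AuthUserFile and the same AuthName can be checked with a small script. The file contents are constructed samples modelled on the three configs in the thread, and the names auth_blocks and mismatches are hypothetical.

```python
import re

# Directives that must agree everywhere for one Basic-auth login to be reused.
SHARED = {"authname": "AuthName", "authtype": "AuthType",
          "authuserfile": "AuthUserFile"}
OPEN = re.compile(r"<(?:Location|Directory)\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(?:Location|Directory)>", re.I)

def auth_blocks(conf_text):
    """Return {container: {directive: value}} for active auth directives."""
    blocks, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are not in effect
        opened = OPEN.match(line)
        if opened:
            stack.append(opened.group(1).strip().strip('"'))
        elif CLOSE.match(line) and stack:
            stack.pop()
        else:
            name, *rest = line.split(None, 1)
            key = SHARED.get(name.lower())
            if stack and key and rest:
                blocks.setdefault(stack[-1], {})[key] = rest[0].strip('"')
    return blocks

def mismatches(configs):
    """List (block, directive, value, reference) where a block differs from the first."""
    found = [(f"{fname}:{path}", d) for fname, text in configs.items()
             for path, d in auth_blocks(text).items()]
    ref = found[0][1] if found else {}
    return [(label, key, d.get(key), ref.get(key))
            for label, d in found[1:] for key in SHARED.values()
            if d.get(key) != ref.get(key)]

# Constructed sample input modelled on the three files in the thread.
BLOCK = ('<{tag} {path}>\n  AuthName "{realm}"\n  AuthType Basic\n'
         '  AuthUserFile {users}\n  Require valid-user\n</{tag}>\n')
SAMPLE = {
    "thruk.conf": BLOCK.format(tag="Location", path="/naemon/",
        realm="Naemon Monitoring", users="/etc/naemon/htpasswd"),
    "nagvis.conf": BLOCK.format(tag="Directory", path='"/etc/nagvis/share"',
        realm="Naemon Access", users="/etc/naemon/htpasswd"),
    "pnp4nagios.conf": BLOCK.format(tag="Directory",
        path='"/usr/local/pnp4nagios/share"', realm="Naemon Monitoring",
        users="/etc/nagios3/htpasswd.users"),
}
for label, key, got, want in mismatches(SAMPLE):
    print(f"{label}: {key} is {got!r}, first block has {want!r}")
```

An empty result from mismatches means every protected block names the same realm, auth type and user file as the first one.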


