[naemon-users] [NAEMON] : Authentication on Naemon - Nagvis - Nagvis - Pnp4nagios
Aurélien CLAVIER
aurelien.clavier at pentasonic.net
Fri Jun 19 16:44:26 CEST 2015
Hi Magnus,
Thanks for your help. I enabled authentication with LDAP and an htpasswd file at the same time.
This is the configuration you need:
AuthName "Naemon Monitoring"
AuthType Basic
AuthBasicProvider file ldap
AuthUserFile /etc/naemon/htpasswd
AuthLDAPURL "ldap://IPOFYOURDC/DC=DOMAIN,DC=local?sAMAccountName?sub"
AuthLDAPBindDN "ACCOUNT@DOMAIN"
AuthLDAPBindPassword "PASSWORD"
Require valid-user
Thanks a lot Magnus for your help. :)
Now, I need to customize the installation path of Naemon in order to install it in /opt/. I posted a new question about it yesterday.
Bye
Aurélien
From: Naemon-users [mailto:naemon-users-bounces+aurelien.clavier=pentasonic.net at monitoring-lists.org] On behalf of Magnus
Sent: Tuesday, 16 June 2015 21:48
To: naemon-users at monitoring-lists.org
Subject: Re: [naemon-users] [NAEMON] : Authentication on Naemon - Nagvis - Nagvis - Pnp4nagios
Hello,
I have this LDAP configuration. You have to enable the authnz_ldap and perhaps the ldap module of Apache with a2enmod also.
I wouldn't call this SSO since that would be using your Windows workstation or Linux workstation credentials, but you will only need to log in one time for all naemon/pnp4nagios pages, as you have already experienced.
I am going on holiday for a week so if you have any follow up questions it will take a while before I reply. :)
<Location /thruk>
Options ExecCGI
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://<IPOFDC1> <IPOFDC2>/DC=<XXXX>,DC=local?sAMAccountName?sub"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
AuthLDAPBindDN <ad-account>@<domain>
AuthLDAPBindPassword <PASSWORD>
#AuthLDAPSubGroupDepth 3
require ldap-group CN=Grp.Users.Nagios,OU=_Groups,DC=XXXX,DC=local
#require valid-user
</Location>
Regards
Magnus
On 2015-06-16 10:04, Aurélien CLAVIER wrote:
Hello,
Thank you Magnus ;) I solved my problem !!!!!! I'm also interested to know how you enabled Active Directory auth and basic auth at the same time. Can you explain how?
Below is the solution to enable SSO with basic auth on Naemon 1.0.3 (on an httpd server):
In fact, when you install Naemon, Thruk creates an Apache configuration file, thruk_cookie_auth_vhost.conf, with these settings:
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# thruk_cookie_auth_vhost.conf
#
RewriteEngine On
<IfModule !mod_authz_core.c>
RewriteLock "/var/cache/naemon/thruk/apache_rewrite.lock"
</IfModule>
<VirtualHost *:80>
# extend default virtual host. put/include these rewrite rules in https or
# any other virtual host if you want to enable cookie authentication
Include /usr/share/naemon/thruk_cookie_auth.include
</VirtualHost>
When I renamed this file to thruk_cookie_auth_vhost.conf.OLD and then restarted my HTTPD server, I was prompted only ONE TIME for all components (Naemon, Thruk, Nagvis and PNP4Nagios). So this solved my problem.
For more details, these are my Apache configuration files:
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# thruk.conf
#
<IfModule mod_fcgid.c>
AddHandler fcgid-script .sh
IPCCommTimeout 120
<Directory /usr/share/naemon>
Options FollowSymLinks
AllowOverride All
order allow,deny
allow from all
# required for apache 2.4
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>
<Directory /etc/naemon/themes>
Options FollowSymLinks
allow from all
# required for apache 2.4
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>
<Directory /etc/naemon/plugins>
Options FollowSymLinks
allow from all
# required for apache 2.4
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>
Alias /naemon/documentation.html /usr/share/naemon/root/thruk/documentation.html
Alias /naemon/startup.html /usr/share/naemon/root/thruk/startup.html
AliasMatch ^/naemon/(.*\.cgi|.*\.html) /usr/share/naemon/fcgid_env.sh/naemon/$1
AliasMatch ^/naemon/plugins/(.*?)/(.*)$ /etc/naemon/plugins/plugins-enabled/$1/root/$2
Alias /naemon/themes/ /etc/naemon/themes/themes-enabled/
Alias /naemon/ /usr/share/naemon/root/thruk/
<Location /naemon/>
Options ExecCGI FollowSymLinks
AuthName "Naemon Monitoring"
AuthType Basic
AuthUserFile /etc/naemon/htpasswd
Require valid-user
</Location>
<Location /naemon/cgi-bin/remote.cgi>
Order Deny,Allow
Allow from all
Satisfy any
</Location>
</IfModule>
# use compressed output if available
<IfModule mod_deflate.c>
<Location /naemon/>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
</Location>
</IfModule>
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# nagvis.conf
#
# NagVis Apache2 sample configuration file
#
# #############################################################################
Alias /nagvis "/etc/nagvis/share"
<Directory "/etc/nagvis/share">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
# To enable Nagios basic auth on NagVis use the following options
# Just uncomment it. Maybe you need to adjust the path to the
# Auth user file.
#
# If you use the NagVis internal auth mechanism based on the web
# form you won't need this.
#
# AuthName "Naemon Access"
# AuthType Basic
# AuthUserFile /etc/naemon/htpasswd
# Require valid-user
Options ExecCGI FollowSymLinks
AuthName "Naemon Monitoring"
AuthType Basic
AuthUserFile /etc/naemon/htpasswd
Require valid-user
# With installed and enabled mod_rewrite there are several redirections
# available to fix deprecated and/or wrong urls. None of those rules is
# mandatory to get NagVis working.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /nagvis
# Use mod_rewrite for old url redirection even if there are php files which
# redirect the queries itselfs. In some cases the mod_rewrite redirect
# is better than the php redirect.
#
# Using the php redirect seems to be better in some cases where https/http servers
# are mixed. For example in OMD setups where using apache own mode and https in the
# frontend and http in the backend apache servers.
#
# Disabling this redirect by default in the hope that the php direct works better.
#RewriteCond %{REQUEST_URI} ^/nagvis(/config\.php|/index\.php|/|)(\?.*|)$
#RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/%1%2 [R=301,L]
# Redirect old regular map links
RewriteCond %{REQUEST_URI} ^/nagvis/frontend/(wui|nagvis-js)
RewriteCond %{QUERY_STRING} map=(.*)
RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/index.php?mod=Map&act=view&show=%1 [R=301,L]
# Without map= param
RewriteCond %{REQUEST_URI} ^/nagvis/frontend(/wui)?/?(index.php)?$
RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/index.php [R=301,L]
# Redirect old rotation calls
RewriteCond %{REQUEST_URI} ^/nagvis/frontend/nagvis-js
RewriteCond %{QUERY_STRING} !mod
RewriteCond %{QUERY_STRING} rotation=(.*)
RewriteRule ^(.*)$ /nagvis/frontend/nagvis-js/index.php?mod=Rotation&act=view&show=%1 [R=301,L]
</IfModule>
</Directory>
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# pnp4nagios.conf
#
Alias /pnp4nagios "/usr/local/pnp4nagios/share"
<Directory "/usr/local/pnp4nagios/share">
AllowOverride None
Order allow,deny
Allow from all
#
# Use the same value as defined in nagios.conf
#
AuthName "Naemon Monitoring"
AuthType Basic
AuthUserFile /etc/naemon/htpasswd
Require valid-user
<IfModule mod_rewrite.c>
# Turn on URL rewriting
RewriteEngine On
Options symLinksIfOwnerMatch
# Installation directory
RewriteBase /pnp4nagios/
# Protect application and system files from being viewed
RewriteRule "^(?:application|modules|system)/" - [F]
# Allow any files or directories that exist to be displayed directly
RewriteCond "%{REQUEST_FILENAME}" !-f
RewriteCond "%{REQUEST_FILENAME}" !-d
# Rewrite all other URLs to index.php/URL
RewriteRule "^.*$" "index.php/$0" [PT]
</IfModule>
</Directory>
Regards,
Aurélien CLAVIER
Pôle CSP
Direct : +33(0)2 40 89 89 35 Mobile : +33(0) 6 80 30 59 57
aurelien.clavier at pentasonic.net
Head office: 10 rue du Petit Châtelier 44300 NANTES
Paris office: Resadia, 35 rue victor Hugo 93500 PANTIN
Switchboard: +33 (0)2 40 89 89 30 Fax: +33 (0)2 40 89 89 39
From: Naemon-users [mailto:naemon-users-bounces+aurelien.clavier=pentasonic.net at monitoring-lists.org] On behalf of Magnus
Sent: Monday, 15 June 2015 22:25
To: naemon-users at monitoring-lists.org
Subject: Re: [naemon-users] [NAEMON] : Authentication on Naemon - Nagvis - Nagvis - Pnp4nagios
Hello,
If you have your users in a file (like this line in Apache config: AuthUserFile /etc/nagios3/htpasswd.users) then just make sure the config files for pnp4nagios and so on use the same file.
Personally I connect them to an Active Directory LDAP tree, so then they are also the same.
If you use the same AuthName in all the Apache config files you won't be prompted for each either.
Regards
Magnus
On 2015-06-15 14:54, Aurélien CLAVIER wrote:
Hi all,
I installed Naemon 2 weeks ago on a fresh CentOS 7. I installed Nagvis and PNP4nagios, which run like a charm.
But I have a problem with basic authentication of Naemon, Thruk, PNP4nagios and Nagvis. In fact, I want PNP4nagios and Nagvis to use the same credentials that Naemon/Thruk is using.
How do I do this?
Thanks in advance
Aurélien
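
Added example (not part of the original thread, and not Naemon, Thruk, NagVis or PNP4Nagios code): a small Python check for the advice given above that every Apache config should share one AuthName and one AuthUserFile. It goes slightly further and also flags an AuthLDAPURL that uses ldap:// with no TLS mode argument, where the bind and user passwords cross the network unencrypted. The sample configs, the host name and the function names are constructed for illustration.

```python
import shlex

# Constructed sample modelled on the three per-application configs in this
# thread; the pnp4nagios realm is changed on purpose to show a mismatch.
SAMPLE = {
    "thruk.conf": '''<Location /naemon/>
AuthName "Naemon Monitoring"
AuthBasicProvider file ldap
AuthUserFile /etc/naemon/htpasswd
AuthLDAPURL "ldap://dc.example.invalid/DC=example,DC=local?sAMAccountName?sub"
</Location>''',
    "nagvis.conf": '''<Directory "/etc/nagvis/share">
# AuthName "Naemon Access"
AuthName "Naemon Monitoring"
AuthUserFile /etc/naemon/htpasswd
</Directory>''',
    "pnp4nagios.conf": '''<Directory "/usr/local/pnp4nagios/share">
AuthName "Nagios Access"
AuthUserFile /etc/naemon/htpasswd
</Directory>''',
}

def directives(text):
    """Yield (lowercased name, args) for each active, non-section directive."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)
            yield name.lower(), args

def audit(configs):
    """Flag differing realms/user files and LDAP URLs without a TLS mode."""
    seen = {"authname": {}, "authuserfile": {}}
    findings = []
    for fname, text in configs.items():
        for name, args in directives(text):
            if name in seen and args:
                seen[name].setdefault(args[0], []).append(fname)
            elif name == "authldapurl" and args:
                # Optional second argument of AuthLDAPURL: NONE|SSL|TLS|STARTTLS
                mode = args[1].upper() if len(args) > 1 else "NONE"
                if args[0].lower().startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
                    findings.append(f"{fname}: AuthLDAPURL is ldap:// with no TLS mode")
    for name, values in seen.items():
        if len(values) > 1:
            findings.append(f"{name} differs between files: {values}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```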