Null mailer - no notifications for contacts that want to view CGIs only (maybe notif to an ML)

Bruce Elrick bruce at elrick.ca
Tue Jun 22 00:37:27 CEST 2004


Jeremy Russell wrote:

> Ok, I've had a few people wanting to know how I authenticated to our
> Active Directory here.
>  
> Well, I simply used the mod_ntlm module for apache.
>  
> You can find it here http://modntlm.sourceforge.net
>  
> It is very useful.
> 

Here is another way of doing it (your AD server needs to accept authenticated access via LDAP):

In your main httpd.conf:
LoadModule ldap_module        modules/mod_ldap.so
LoadModule auth_ldap_module   modules/mod_auth_ldap.so

(these are "experimental" Apache 2.0 modules)

In the nagios <Directory> or <Location> stanza:
    AuthType Basic
    AuthName "Active Directory Realm"
    AuthLDAPUrl ldap://myadserver.mycompany.com/ou=Personnel,dc=mycompany,dc=com?sAMAccountName?sub
    AuthLDAPBindDN cn=ApacheLDAPUser,ou=ServiceAccounts,ou=_Admin,dc=mycompany,dc=com
    AuthLDAPBindPassword aSecr3t
    Require valid-user

Where:
  - AuthName is arbitrary and is what the browser typically presents to the user when prompting for the user ID and password.
  - in the AuthLDAPUrl:
    - myadserver.mycompany.com is purely a resolvable (DNS) address for your AD server
    - ou=Personnel,dc=mycompany,dc=com is the DN for the portion of the AD tree under which all your users live.  In this example, the AD domain is mycompany.com; a lot of companies use a fictitious non-DNS style domain (like mycompany).  Also, the OU might be anything; ask your AD guy?
    - the ?sAMAccountName?sub tells mod_ldap what attribute to do lookups against.  In this case sAMAccountName is the "NT short name" that people usually use as their user ID (as opposed to their Full Name which Windows allows).
  - AuthLDAPBindDN is the DN of the server user that you are going to connect to AD using; I'm not sure what privileges that user needs (presumably you'd want that service user to have the minimal privs to accomplish the authentication)
  - AuthLDAPBindPassword is the password of that user

One thing mod_ldap & mod_auth_ldap *don't* appear to support is listing multiple points in the tree to search.  This may be a problem if you have users in disparate portions of the AD tree such that the common branch in the tree is very high up and you are doing searches across a large portion of the AD tree.

Cheers....
Bruce
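
The following is an added example, not part of the original message and not mod_auth_ldap's own code: it splits the AuthLDAPUrl from the post into its fields and builds the search filter used to look up a typed user ID, with RFC 4515 escaping of that ID. The function names and the user ID "belrick" are hypothetical; the defaults for omitted fields (uid, sub, (objectClass=*)) and the (&(filter)(attribute=username)) shape are the ones given in Apache's mod_auth_ldap documentation.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the AuthLDAPUrl value from the message above.
SAMPLE_URL = "ldap://myadserver.mycompany.com/ou=Personnel,dc=mycompany,dc=com?sAMAccountName?sub"

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into fields."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    fields = parts.query.split("?") + ["", "", ""]   # pad omitted fields
    attribute, scope, flt = (unquote(f) for f in fields[:3])
    return {
        # With plain ldap:// the bind password and user passwords are sent unencrypted.
        "tls": parts.scheme == "ldaps",
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute.split(",")[0] or "uid",  # only the first attribute is used
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping so a typed user ID cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search(url, username):
    """Return the parsed fields plus the filter for the user-lookup search."""
    cfg = parse_auth_ldap_url(url)
    cfg["search_filter"] = "(&%s(%s=%s))" % (
        cfg["filter"], cfg["attribute"], escape_filter_value(username))
    return cfg

if __name__ == "__main__":
    for key, value in build_search(SAMPLE_URL, "belrick").items():
        print("%-14s %s" % (key, value))
```

The search runs as the AuthLDAPBindDN account; the DN it returns is then used for a second bind with the password the browser supplied.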


