using LDAP-based user authentication

Steve Shipway s.shipway at auckland.ac.nz
Thu Dec 8 23:17:39 CET 2005


> Purdue has implemented a new security policy that says that 
> all passwords, whatever they are for, must be changed every 
> 30 days.  

Ouch.  Sounds like a knee-jerk response.  Be prepared for less security as
people find they have to write down these constantly changing passwords...
but anyway, back to the real issue.

> (2) Failing that, has anyone had any experience using nagios 
> with mod_auth_ldap?  I used mod_authz_ldap (a third-party 
> product) only because it came with Red Hat EL, but I don't 
> want to bother compiling the official apache module if it 
> does exactly the same thing.

We are running Nagios with LDAP here fine.  We use mod_auth_ldap (in
Apache2), which is much better (I have no experience with authz_ldap, but I
tried the Muquit one before and it works OK).  This returns the username as
whatever we define the uid parameter to be.  We only need to put this:

AuthLDAPUrl "ldap://ldap.auckland.ac.nz:389/ou=People,o=The University of Auckland,c=NZ?uid"

into our Apache httpd.conf and it will latch onto the correct server, use
ssl, and return the uid which we can then use within Nagios.

To make the Muquit mod_auth_ldap work, you need more configuration, like:

LDAP_Server ldap.auckland.ac.nz
LDAP_Port 389
Base_DN "ou=People,o=The University of Auckland,c=NZ"

since it will default to using the 'uid' parameter.

For authz_ldap, I had to use this:

AuthzLDAPServer ldap.auckland.ac.nz:389
AuthzLDAPUserBase "ou=People,o=The University of Auckland,c=NZ"
AuthzLDAPUserKey uid
AuthzLDAPUserScope base
AuthzLDAPGroupBase "ou=Groups,o=The University of Auckland,c=NZ"
AuthzLDAPGroupKey cn
AuthzLDAPGroupScope base

but it didn't work too well - and besides, we have standardised on the
mod_auth_ldap now.

In all these cases, Apache reported just the uid attribute as the username,
so we only had to define users with that in Nagios.  No need for all the
LDAP ou= stuff.

Hope this helps,

Steve
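A fuller version of the httpd.conf fragment above, added here as an example and not taken from Steve's post or the Nagios project: it uses the mod_authnz_ldap directive names of Apache 2.2 and later rather than the Apache 2.0 mod_auth_ldap ones quoted in the post, and the host name, base DNs, service account, group and uid values are all constructed placeholders. It shows the two points the post relies on, the attribute after the '?' being what Apache hands to Nagios as the username, and the cgi.cfg entries that then only need that bare uid.

```apache
# ---- httpd.conf (Apache 2.4 with mod_ldap and mod_authnz_ldap loaded) ----
# Constructed example: replace host, DNs, bind account and group with your own.

# Trust only our directory's CA and verify the server certificate, so the
# user's password is not sent to an impostor LDAP server over a spoofed path.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
LDAPVerifyServerCert On

# Apply the same block to /usr/local/nagios/share for the static pages.
<Directory "/usr/local/nagios/sbin">
    AuthType Basic
    AuthName "Nagios Access"
    AuthBasicProvider ldap

    # Form: ldaps://host:port/base-dn?attribute?scope?filter
    # The attribute ('uid') is what Apache reports as REMOTE_USER, so it is the
    # name Nagios compares against its contact names and cgi.cfg entries.
    AuthLDAPURL "ldaps://ldap.example.org:636/ou=People,dc=example,dc=org?uid?sub?(objectClass=inetOrgPerson)"

    # Read-only service account for the user search (placeholder credentials);
    # an anonymous bind only works if the directory permits it.
    AuthLDAPBindDN "cn=nagios-ro,ou=Services,dc=example,dc=org"
    AuthLDAPBindPassword "changeme-placeholder"

    # Limit access to one posixGroup rather than every valid account.
    # memberUid holds bare uids, not DNs, hence AttributeIsDN off.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-group cn=nagios-admins,ou=Groups,dc=example,dc=org
</Directory>

# ---- cgi.cfg ----
# Nagios sees only the uid Apache passed as REMOTE_USER, so rights are
# granted by that bare name; no ou=/o= components are needed here.
use_authentication=1
authorized_for_system_information=alice
authorized_for_configuration_information=alice
authorized_for_all_hosts=alice
authorized_for_all_services=alice
```

Users who authenticate but are not listed in cgi.cfg see only the hosts and services on which they are defined as a contact, which is the default Nagios behaviour.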




_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users