FW: Configuring Active Directory authentication - Nagios 3.0.2
Matt White
lists at matthewjwhite.co.uk
Sun Jun 8 20:54:58 CEST 2008
Hi
Thanks for the reply
I have made a few changes and after running through the config the
nagios.conf under /etc/apache2/conf.d is as follows:
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
# Last Modified: 11-26-2005
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access(LDAP)"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "cn=Matt White,ou=Users,ou=White Family,dc=home,dc=bisnet"
AuthLDAPBindPassword "###pass###"
AuthLDAPURL "ldap://HOME-DC:389/OU=Users,OU=White Family,DC=home,DC=bisnet?sAMAccountName?sub?(objectClass=*)"
require group "cn=NagiosAccess,OU=Security Groups,OU=White Family,DC=Home,DC=bisnet"
</Directory>
Alias /nagios "/usr/local/nagios/share"
<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access(LDAP2)"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "cn=Matt White,ou=Users,ou=White Family,dc=home,dc=bisnet"
AuthLDAPBindPassword "###pass###"
AuthLDAPURL "ldap://HOME-DC:389/OU=Users,OU=White Family,DC=home,DC=bisnet?sAMAccountName?sub?(objectClass=*)"
require valid-user
</Directory>
When I browse to http://192.168.1.13/nagios I get the Nagios
Access(LDAP2) prompt at which I have tried <domain>\<username> which
errors in /var/log/apache2/error.log but if I use just <username> I get
nothing listed at all but the login prompt just reappears.
If I use LDAPSearch I get the following results:
/usr/bin/ldapsearch -h HOME-DC.Home.bisnet -D "cn=Matt White,ou=Users,ou=White Family,dc=home,dc=bisnet" -b "OU=Users,OU=White Family,DC=home,DC=bisnet" -x -w ###pass### "(&(objectClass=user)(!(objectClass=computer)))" sAMAccountName
# extended LDIF
#
# LDAPv3
# base <OU=Users,OU=White Family,DC=home,DC=bisnet> with scope subtree
# filter: (&(objectClass=user)(!(objectClass=computer)))
# requesting: sAMAccountName
#
# nagios admin, Users, White Family, home.bisnet
dn: CN=nagios admin,OU=Users,OU=White Family,DC=home,DC=bisnet
sAMAccountName: nagiosadmin
# Matt White, Users, White Family, home.bisnet
dn: CN=Matt White,OU=Users,OU=White Family,DC=home,DC=bisnet
sAMAccountName: matt
# Simon White, Users, White Family, home.bisnet
dn: CN=Simon White,OU=Users,OU=White Family,DC=home,DC=bisnet
sAMAccountName: simon
# Liz White, Users, White Family, home.bisnet
dn: CN=Liz White,OU=Users,OU=White Family,DC=home,DC=bisnet
sAMAccountName: liz
# Tony White, Users, White Family, home.bisnet
dn: CN=Tony White,OU=Users,OU=White Family,DC=home,DC=bisnet
sAMAccountName: Tony White
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
As you can see this returns values but I am unsure as to why I am now
getting more error messages.
OS I am running is Ubuntu Server 7
If you need more pieces of config then let me know
Kind regards,
Regards,
Matt White
[ matt at matthewjwhite.co.uk ]
[ http://www.matthewjwhite.co.uk ]
-----Original Message-----
From: nagios-users-bounces at lists.sourceforge.net
[mailto:nagios-users-bounces at lists.sourceforge.net] On Behalf Of Arno
Lehmann
Sent: 06 June 2008 09:08
To: nagios-users at lists.sourceforge.net
Subject: Re: [Nagios-users] FW: Configuring Active Directory
authentication - Nagios 3.0.2
Hello,
06.06.2008 01:26, Lists wrote:
>
>
> Hi,
>
>
>
> I have spent the last week or two building a demo system and one of my
> requirements is that we can configure user access based on LDAP queries
> to our AD server.
That's merely a question of getting the web server to authenticate
against LDAP.
>
> I am currently running the test box on Ubuntu Server 7 and I am having
> problems in getting the LDAP queries setup as my Linux knowledge is
> nowhere near as strong as my Windows.
>
That happens - don't worry, we won't hold that against you.
>
> Has anyone configured this and maybe have the relevant snippets of code
> I need for my nagios config and also for apache as I don't think what I
> have in place is currently working for me!
>
I do something like this. Note that I'm not authenticating against an
AD LDAP, but the basic principle should work.
First step is to make sure you can, from your nagios box, access the
AD LDAP. This *might* need kerberos for authentication - I never tried
that, but the OpenLDAP programs do support kerberos as an
authentication scheme, so I'm pretty sure with a bit of manual reading
and experimenting you can do that. The problem is that, as far as I
know, LDAP support in apache does not include kerberos authentication.
A short google search for "apache auth against AD" seems to indicate
that you do not need kerberos, so further experiments are probably
useful...
Then make sure you know how to access the user data in the LDAP tree.
ldapsearch is a good tool for this.
You need to set up your Nagios contacts with user names that are
identifiable in AD LDAP first.
Then use an apache configuration similar to this one (this is a bit
streamlined):
<Directory "/usr/local/nagios3/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider ldap
require ldap-filter objectClass=deitsMonitoringContact
AuthLDAPURL ldap://localhost:389/ou=people,dc=xxxx,dc=de?uid?sub?(objectClass=deitsMonitoringContact)
</Directory>
The additional filter - in my case the deitsMonitoringContact - will
need to be changed or removed for you.
And, of course, you will probably need to adapt the AuthLDAPURL to
your site.
In my case I use the uid attribute to match the supplied username, but
I get the impression that with AD you would use sAMAccountName.
I wish you success!
Arno
>
> Any help is much appreciated as always.
>
>
>
> Regards,
>
>
>
> Matt White
>
> [ matt at matthewjwhite.co.uk ]
>
> [ http://www.matthewjwhite.co.uk ]
>
>
>
> WARNING: Computer viruses can be transmitted via email. The recipient
> should check this email and any attachments for the presence of viruses.
> Lists accepts no liability for any damage caused by any virus
> transmitted by this email. E-mail transmission cannot be guaranteed to
> be secure or error-free as information could be intercepted, corrupted,
> lost, destroyed, arrive late or incomplete, or contain viruses. Lists
> therefore does not accept liability for any errors or omissions in the
> contents of this message, which arise as a result of e-mail transmission.
>
> Warning: Although Lists has taken reasonable precautions to ensure no
> viruses are present in this email, Lists cannot accept responsibility
> for any loss or damage arising from the use of this email or attachments.
>
> ------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> ------------------------------------------------------------------------
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
--
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
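
The lookup that the two AuthLDAPURL values in this thread describe, as an added example that is not part of either message or of Apache's code: it splits the URL into its fields and builds the per-login search filter in the documented mod_authnz_ldap form, `(&(filter)(attribute=login))`. The function names, the RFC 4515 escaping of the login, the case-insensitive equality match and the sample entries (constructed from the ldapsearch output above) are assumptions of the example.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into its fields."""
    m = re.match(r"^(ldaps?)://([^/:?]+)(?::(\d+))?/([^?]*)\??(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, port, base, rest = m.groups()
    attr, scope, flt = (rest.split("?") + ["", "", ""])[:3]
    return {
        "scheme": scheme, "host": host, "base": base,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "attribute": attr or "uid",          # documented defaults when a field is empty
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
        "cleartext": scheme == "ldap",       # assumption: no StartTLS configured elsewhere
    }

def user_filter(cfg, login):
    """Search filter for one login: (&(<configured filter>)(<attribute>=<login>))."""
    flt = cfg["filter"]
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    value = "".join(_ESC.get(ch, ch) for ch in login)
    return "(&%s(%s=%s))" % (flt, cfg["attribute"], value)

def find_dn(cfg, login, entries):
    """Return the DN whose attribute equals the login (case-insensitive), else None."""
    for dn, attrs in entries.items():
        if attrs.get(cfg["attribute"], "").lower() == login.lower():
            return dn
    return None

# Constructed sample data: the AuthLDAPURL and three entries quoted in the message.
URL = ("ldap://HOME-DC:389/OU=Users,OU=White Family,DC=home,DC=bisnet"
       "?sAMAccountName?sub?(objectClass=*)")
BASE = ",OU=Users,OU=White Family,DC=home,DC=bisnet"
ENTRIES = {
    "CN=Matt White" + BASE: {"sAMAccountName": "matt"},
    "CN=nagios admin" + BASE: {"sAMAccountName": "nagiosadmin"},
    "CN=Tony White" + BASE: {"sAMAccountName": "Tony White"},
}

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(URL)
    for login in ("matt", "HOME\\matt", "Tony White"):
        print(user_filter(cfg, login), "->", find_dn(cfg, login, ENTRIES))
```

The filter string a login produces can be pasted into the ldapsearch command from the message to see which entry, if any, the web server's search would return.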