FW: Configuring Active Directory authentication - Nagios 3.0.2

Arno Lehmann al at its-lehmann.de
Mon Jun 9 12:25:01 CEST 2008


Hi Matt,

please, send replies to the list so the whole discussion is in the 
archives...

08.06.2008 16:27, Matt White wrote:
> Hi Arno,
> 
> I have just looked at the relevant part of my httpd.conf and I have two
> sections listed:
> Directory "/usr/local/nagios/sbin"
> And
> Directory "/usr/local/nagios/share"
> 
> Do I need to put the same config settings in for both Directory
> listings?

Yes. At least, I'd say that is the normal way because you want users 
to authenticate when accessing the dynamically created pages as well 
as the static ones.

Arno

> 
> Regards,
> 
> Matt White
> [ matt at matthewjwhite.co.uk ]
> [ http://www.matthewjwhite.co.uk ]
> 
> -----Original Message-----
> From: nagios-users-bounces at lists.sourceforge.net
> [mailto:nagios-users-bounces at lists.sourceforge.net] On Behalf Of Arno
> Lehmann
> Sent: 06 June 2008 09:08
> To: nagios-users at lists.sourceforge.net
> Subject: Re: [Nagios-users] FW: Configuring Active Directory
> authentication - Nagios 3.0.2
> 
> Hello,
> 
> 06.06.2008 01:26, Lists wrote:
>>
>> Hi,
>>
>>  
>>
>> I have spent the last week or two building a demo system and one of my
>> requirements is that we can configure user access based on LDAP queries
>> to our AD server.
> 
> That's merely a question of getting the web server to authenticate
> against LDAP.
> 
>> I am currently running the test box on Ubuntu Server 7 and I am having
>> problems in getting the LDAP queries set up as my Linux knowledge is
>> nowhere near as strong as my Windows.
>>
> 
> That happens - don't worry, we won't hold that against you.
> 
>> Has anyone configured this and maybe have the relevant snippets of code
>> I need for my nagios config and also for apache as I don't think what I
>> have in place is currently working for me!
>>
> 
> I do something like this. Note that I'm not authenticating against an 
> AD LDAP, but the basic principle should work.
> 
> First step is to make sure you can, from your nagios box, access the 
> AD LDAP. This *might* need kerberos for authentication - I never tried 
> that, but the OpenLDAP programs do support kerberos as an 
> authentication scheme, so I'm pretty sure with a bit of manual reading 
> and experimenting you can do that. The problem is that, as far as I 
> know, LDAP support in apache does not include kerberos authentication. 
> A short google search for "apache auth against AD" seems to indicate 
> that you do not need kerberos, so further experiments are probably 
> useful...
> 
> Then make sure you know how to access the user data in the LDAP tree. 
> ldapsearch is a good tool for this.
> 
> You need to set up your Nagios contacts with user names that are 
> identifiable in AD LDAP first.
> 
> Then use an apache configuration similar to this one (this is a bit 
> streamlined):
> 
> <Directory "/usr/local/nagios3/sbin">
>     Options ExecCGI
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     AuthName "Nagios Access"
>     AuthType Basic
>     AuthBasicProvider ldap
>     require ldap-filter objectClass=deitsMonitoringContact
>     AuthLDAPURL ldap://localhost:389/ou=people,dc=xxxx,dc=de?uid?sub?(objectClass=deitsMonitoringContact)
> </Directory>
> 
> The additional filter - in my case the deitsMonitoringContact - will 
> need to be changed or removed for you.
> And, of course, you will probably need to adapt the AuthLDAPURL to 
> your site.
> In my case I use the uid attribute to match the supplied username, but 
> I get the impression that with AD you would use sAMAccountName.
> 
> I wish you success!
> 
> Arno
> 
> 
>> Any help is much appreciated as always.
>>
>>  
>>
>> Regards,
>>
>>  
>>
>> Matt White
>>
>> [ matt at matthewjwhite.co.uk ]
>>
>> [ http://www.matthewjwhite.co.uk ]
>>
>>  
>>

-- 
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
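
Added example, not part of the original messages and not Arno's or Matt's configuration: the setup discussed in the thread applied to both Directory sections Matt lists, adapted for AD by matching on sAMAccountName as Arno suggests. The host dc01.example.com, the DNs under DC=example,DC=com, the svc-nagios account and the (objectClass=user) filter are placeholder assumptions to replace with site values.

```apache
# Apache 2.2 syntax, as used in the thread. All host names, DNs and the
# bind account below are placeholders, not values from the thread.

# CGI programs: the dynamically created pages
<Directory "/usr/local/nagios/sbin">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Nagios Access"
    AuthType Basic
    AuthBasicProvider ldap
    # Search the subtree and match the supplied login against sAMAccountName
    AuthLDAPURL "ldap://dc01.example.com:389/OU=Staff,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Account for the search step (assumption: AD refuses anonymous
    # searches by default). Keep this file readable by root only.
    AuthLDAPBindDN "CN=svc-nagios,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    Require ldap-filter objectClass=user
</Directory>

# Static pages: identical authentication settings, no ExecCGI
<Directory "/usr/local/nagios/share">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Nagios Access"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc01.example.com:389/OU=Staff,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-nagios,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    Require ldap-filter objectClass=user
</Directory>
```

Using the same AuthName in both sections lets the browser reuse one login for the static pages and the CGIs. The authenticated name is what the CGIs compare against Nagios contact names, so contacts must be named after the sAMAccountName values.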




