LDAP authentication and CGI authorization problem
Mattia Gandolfi
matgand at gmail.com
Wed May 26 14:13:51 CEST 2010
Self-replying: I've just discovered the root cause: can_submit_commands was
set to 0 in the contacts template definition.
Works as expected now.
Mattia
On Tue, May 25, 2010 at 3:08 PM, Mattia Gandolfi <matgand at gmail.com> wrote:
> Hi all,
>
> I'm facing problems while trying to enable LDAP authentication on a Nagios
> 3.2.1 install (using htpasswd.users everything works fine).
> This is how I've configured Apache:
>
> <Directory /usr/share/nagios/>
> AuthType Basic
> AuthName "Nagios - Ldap"
> AuthBasicProvider ldap
> AuthLDAPUrl ldaps://unixautmi-ese01.sky.local:636,unixautca-ese01.sky.local:636/ou=people,dc=sky,dc=local?uid
> AuthLDAPBindDN "cn=authuser,dc=sky,dc=local"
> AuthLDAPBindPassword oaj5Phum
> Require ldap-dn uid=gandolfim,ou=people,dc=sky,dc=local
> Require ldap-user gandolfim
> AuthLDAPGroupAttributeIsDN off
> Require ldap-group cn=systemadminmi,ou=groups,dc=sky,dc=local
> Require ldap-group cn=infosec,ou=groups,dc=sky,dc=local
> AuthLDAPGroupAttribute memberUid
> </Directory>
> <Directory "/usr/lib/nagios/cgi">
> AuthType Basic
> AuthName "Nagios - Ldap - CGI"
> AuthBasicProvider ldap
> AuthLDAPUrl ldaps://unixautmi-ese01.sky.local:636,unixautca-ese01.sky.local:636/ou=people,dc=sky,dc=local?uid
> AuthLDAPBindDN "cn=authuser,dc=sky,dc=local"
> AuthLDAPBindPassword oaj5Phum
> Require ldap-dn uid=gandolfim,ou=people,dc=sky,dc=local
> Require ldap-user gandolfim
> AuthLDAPGroupAttributeIsDN off
> Require ldap-group cn=systemadminmi,ou=groups,dc=sky,dc=local
> Require ldap-group cn=infosec,ou=groups,dc=sky,dc=local
> AuthLDAPGroupAttribute memberUid
> </Directory>
>
> I've defined my username as a contact
>
> define contact {
> use email-contact
> contact_name gandolfim
> alias Mattia Gandolfi
> email mattia.gandolfi at xxxxxxx.com
> pager none
> }
>
> and I've set the following options in cgi.cfg
>
> use_authentication=1
> use_ssl_authentication=0
> authorized_for_system_information=gandolfim
> authorized_for_configuration_information=gandolfim
> authorized_for_system_commands=gandolfim
> authorized_for_all_services=gandolfim
> authorized_for_all_hosts=gandolfim
> authorized_for_all_service_commands=gandolfim
>
> Authentication works fine, and I see "Logged in as gandolfim" on top of
> the Tactical Monitoring Overview page.
> However, as soon as I try to access the cgi, for example to disable
> notifications for a service, I get "Sorry, but you are not authorized to
> commit the specified command."
>
> What am I missing?
>
> Thanks
>
> Mattia
>
>
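The root cause reported in this thread was a value inherited from a contact template rather than anything set on the contact itself. As an added example (not part of the original messages), the following resolves the effective value of a directive for a contact by walking its `use` chain and reports which definition supplied it; the body of the `email-contact` template is constructed here, since the thread does not show it, and the function names are hypothetical.

```python
import re

# Constructed sample: the contact from the post plus a hypothetical
# "email-contact" template body (the thread does not show the real one).
SAMPLE = """
define contact {
    name                 email-contact
    can_submit_commands  0      ; the setting named as the root cause
    register             0
}
define contact {
    use           email-contact
    contact_name  gandolfim
    alias         Mattia Gandolfi
}
"""

def parse_contacts(text):
    """Return one {directive: value} dict per 'define contact' block."""
    contacts = []
    for body in re.findall(r"define\s+contact\s*\{(.*?)\}", text, re.S):
        directives = {}
        for line in body.splitlines():
            line = line.split(";", 1)[0].strip()      # strip ';' comments
            if line and not line.startswith("#"):
                parts = line.split(None, 1)           # spaces or tabs
                directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        contacts.append(directives)
    return contacts

def effective(contacts, contact_name, directive):
    """Resolve a directive for a contact; return (value, defined_in) or None.

    A value set on the object wins; otherwise the templates listed in
    'use' are searched left to right, recursively.
    """
    templates = {c["name"]: c for c in contacts if "name" in c}

    def lookup(obj, seen):
        if directive in obj:
            return obj[directive], obj.get("contact_name") or obj["name"]
        for parent in (p.strip() for p in obj.get("use", "").split(",")):
            if parent in templates and parent not in seen:   # skip loops
                found = lookup(templates[parent], seen | {parent})
                if found:
                    return found
        return None

    for contact in contacts:
        if contact.get("contact_name") == contact_name:
            return lookup(contact, frozenset())
    return None
```

Running `effective()` over every contact that appears in the `authorized_for_*` lists of cgi.cfg shows whether any of them inherits `can_submit_commands 0` from a template.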