Authentication using AD

Joe Beck JBeck at urbn.com
Fri Jan 28 19:57:50 CET 2011


The recent thread on this topic was timely.
After looking thru some of the details of these options, it's not clear to me which would be best & which I should try to implement first:
Mod_auth_ldap
Mod_cas
Mod_krb

We’re on suse 11, apache 2.2.10 (more details below)
The goal is to allow users to authenticate with their active directory credentials to the nagios web interface.
The #1 requirement is quick setup at this point—most of our users, esp. mgt are using windows & IE. We’re pretty far down the path of getting buy-in from mgt to use Nagios. If I can get them to click on our nagios email notification links (we’re using frank4dd’s send perl plugin) and get right to the page without having to enter their username/password, that would be great.
The mapping of AD groups to nagios contactgroups would be awesome down the road but right now I’m looking for quickest implementation of AD auth integration into nagios.

Some of my concerns:
When I first looked I saw the need of a user w/out a password but after looking again I see that it's just for a “principal” user tied to communications between apache & an AD user.
I have little kerberos experience, lots of ldap experience, and a decent amount of apache & php background.

Any observations or comments are appreciated.
Thanks,
Joe


(more details on env)
/usr/sbin/httpd2-prefork -V
Server version: Apache/2.2.10 (Linux/SUSE)
Server built:   Dec  3 2008 10:04:51
Server's Module Magic Number: 20051115:18
Server loaded:  APR 1.3.3, APR-Util 1.3.4
Compiled using: APR 1.3.3, APR-Util 1.3.4
Architecture:   32-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/srv/www"
 -D SUEXEC_BIN="/usr/sbin/suexec2"
 -D DEFAULT_PIDLOG="/var/run/httpd2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/accept.lock"
 -D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"




(Active Directory) to authenticate Nagios web interface users

On 1/27/11 5:18 AM, "Tevfik Karagulle" <tevfik.karagulle at gmail.com> wrote:


I ran an AD-query script periodically. The script could map Nagios contact groups to AD-groups, getting AD-users of those groups and create corresponding Nagios contacts.


On Thu, Jan 27, 2011 at 7:55 AM, Bryan Berry <bryan.berry at gmail.com> wrote:
thanks Jan and Tevfik. I will have to experiment w/ your solutions

How does Nagios application know about the individual accounts? Do you have to create them separately and then mod_cas or mod_krb passes thru the credentials to Active Directory for verification?


On Wed, Jan 26, 2011 at 10:43 AM, Tevfik Karagulle <tevfik.karagulle at gmail.com> wrote:
The link below can be helpful if you look for single sign-on integration with Active Directory:

http://www.itefix.no/i2/node/11683 (Nagios single sign-on authentication with Active Directory)

That recipe was successfully implemented on a Nagios implementation two years ago.

Tev

On Wed, Jan 26, 2011 at 10:17 AM, <jan.grant at bristol.ac.uk> wrote:
On Wed, 26 Jan 2011, Bryan Berry wrote:

> Anybody using CAS for SSO authentication (
> https://wiki.jasig.org/display/CASC/phpCAS) into Nagios? I would love to
> know if there is an existing solutions for this. haven't managed to find
> anything regarding this on google yet

We just slapped it behind mod_cas (or whatever it's called); seems to
work, although you'll need an alternative route if you want
unauthenticated access too, since there's no "opt-out" with that, unless
you construct a cunning config that lets the front page through
unauthenticated.


--
jan grant, ISYS, University of Bristol. http://www.bris.ac.uk/
Tel +44 (0)117 3317661   http://ioctl.org/jan/
They modified their trousers secretly.

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null





Joe
--

Joe Beck | IT-Open Systems Engineer | urban outfitters inc.
5000 South Broad Street | Phila., PA 19112 | 215.454.7737 | jbeck at urbn.com
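
The periodic AD-to-Nagios contact sync that Tevfik Karagulle describes in the quoted thread, as an added example (not code from anyone on this list). The group DNs, the sample entries and the `generic-contact` template name are assumptions; the input is assumed to be the attribute dicts an LDAP search against AD would return. The Nagios CGIs match the web-authenticated username against `contact_name`, so the generated name must be the same one Apache ends up with.

```python
import re

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled AD accounts
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
SAFE_MAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

# Hypothetical mapping: AD group DN (lower-cased) -> Nagios contactgroup.
GROUP_MAP = {
    "cn=nagios-admins,ou=groups,dc=example,dc=com": "admins",
    "cn=nagios-ops,ou=groups,dc=example,dc=com": "ops",
}
ADMINS = "CN=Nagios-Admins,OU=Groups,DC=example,DC=com"
OPS = "CN=Nagios-Ops,OU=Groups,DC=example,DC=com"

# Constructed sample entries (not real directory data).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com",
     "userAccountControl": 512, "memberOf": [OPS, ADMINS]},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com",
     "userAccountControl": 514, "memberOf": [OPS]},          # disabled
    {"sAMAccountName": "bad\n}name", "mail": "x@example.com",
     "userAccountControl": 512, "memberOf": [OPS]},          # would break the cfg
    {"sAMAccountName": "guest1", "mail": "guest1@example.com",
     "userAccountControl": 512,
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},  # unmapped group
]

def build_contacts(users, group_map=GROUP_MAP):
    """Return (nagios_cfg_text, skipped) with skipped as (name, reason) pairs."""
    blocks, skipped = [], []
    for u in users:
        name, mail = u.get("sAMAccountName", ""), u.get("mail", "")
        groups = sorted({group_map[g.lower()] for g in u.get("memberOf", [])
                         if g.lower() in group_map})
        if int(u.get("userAccountControl", 0)) & ACCOUNTDISABLE:
            skipped.append((name, "disabled"))       # never re-create leavers
        elif not groups:
            skipped.append((name, "no mapped group"))
        elif not SAFE_NAME.fullmatch(name) or not SAFE_MAIL.fullmatch(mail):
            skipped.append((name, "unsafe value"))   # no config injection from AD
        else:
            blocks.append("define contact {\n"
                          "    use            generic-contact\n"
                          f"    contact_name   {name}\n"
                          f"    email          {mail}\n"
                          f"    contactgroups  {','.join(groups)}\n"
                          "}\n")
    return "\n".join(blocks), skipped

if __name__ == "__main__":
    print(build_contacts(SAMPLE_USERS)[0])
```

Writing the result to a dedicated file that is regenerated in full on each run means a user removed from the AD group also loses the Nagios contact at the next sync.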