using LDAP-based user authentication

Andrew Grimberg tykeal at bardicgrove.org
Thu Dec 8 23:49:39 CET 2005


On Fri, 2005-12-09 at 11:17 +1300, Steve Shipway wrote:
> We are running Nagios with LDAP here fine.  We use mod_auth_ldap (in
> Apache2), which is much better (I have no experience with authz_ldap, but I
> tried the Muquit one before and it works OK).  This returns the username as
> whatever we define the uid parameter to be.  We only need to put this:
> 
> AuthLDAPUrl "ldap://ldap.auckland.ac.nz:389/ou=People,o=The University of Auckland,c=NZ?uid"
> 
> into our Apache httpd.conf and it will latch onto the correct server, use
> ssl, and return the uid which we can then use within Nagios.
> 
> To make the Muquit mod_auth_ldap work, you need more configuration, like:
> 
> LDAP_Server ldap.auckland.ac.nz
> LDAP_Port 389
> Base_DN "ou=People,o=The University of Auckland,c=NZ"
> 
> since it will default to using the 'uid' parameter.
> 
> For authz_ldap, I had to use this:
> 
> AuthzLDAPServer ldap.auckland.ac.nz:389
> AuthzLDAPUserBase "ou=People,o=The University of Auckland,c=NZ"
> AuthzLDAPUserKey uid
> AuthzLDAPUserScope base
> AuthzLDAPGroupBase "ou=Groups,o=The University of Auckland,c=NZ"
> AuthzLDAPGroupKey cn
> AuthzLDAPGroupScope base
> 
> but it didn't work too well - and besides, we have standardised on the
> mod_auth_ldap now.
> 
> In all these cases, Apache reported just the uid attribute as the username,
> so we only had to define users with that in Nagios.  No need for all the
> LDAP ou= stuff.

Sounds similar to what we're doing.  We went a step further in our
requirements.  Folks that are accessing Nagios must be part of a
particular group to authenticate as well as be defined in Nagios to see
anything.  Note, this is using mod_auth_ldap.

ScriptAlias /nagios/cgi-bin /usr/lib/nagios/cgi/
<Directory /usr/lib/nagios/cgi/>
   Options ExecCGI
   order deny,allow
   deny from all
   AuthType Basic
   AuthName "nagios"
   AuthLDAPUrl "ldap://ldap/ou=Users,ou=DoIT,o=Seattle?cn"
   AuthLDAPGroupAttributeIsDN on
   AuthLDAPGroupAttribute member
   require group cn=Nagios,ou=Users,ou=DoIT,o=Seattle
   satisfy any
</Directory>

-Andy-
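
The following Python is an added example, not part of either message and not Apache's own code. It splits an AuthLDAPUrl value of the kind quoted above into its fields and builds the user-search filter for a login name. The defaults (uid, sub, (objectClass=*)) follow the module's documentation; the function names and the sample login name in the usage are this example's own.

```python
import re

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
URL_RE = re.compile(r"(ldaps?)://([^/?]*)(?:/([^?]*))?(?:\?(.*))?", re.I)


def parse_auth_ldap_url(value):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into fields."""
    m = URL_RE.fullmatch(value.strip().strip('"'))
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % value)
    scheme, hostport, base_dn, query = m.groups()
    scheme = scheme.lower()
    host, _, port = hostport.partition(":")
    attrs, scope, flt = ((query or "").split("?") + ["", "", ""])[:3]
    scope = scope or "sub"
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'one' or 'sub', got %r" % scope)
    flt = flt or "(objectClass=*)"
    if not flt.startswith("("):
        flt = "(" + flt + ")"
    return {
        "host": host,
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "base_dn": base_dn or "",
        "attribute": attrs.split(",")[0] or "uid",  # first attribute names the user
        "scope": scope,
        "filter": flt,
        # ldap:// does not itself ask for TLS; encryption then depends on
        # other directives, so flag it for review.
        "tls_by_url": scheme == "ldaps",
    }


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_search(value, username):
    """Return (base_dn, scope, filter) for locating one user's entry."""
    u = parse_auth_ldap_url(value)
    flt = "(&%s(%s=%s))" % (u["filter"], u["attribute"], escape_filter_value(username))
    return u["base_dn"], u["scope"], flt
```

Calling `build_user_search("ldap://ldap/ou=Users,ou=DoIT,o=Seattle?cn", "j*smith(ops)")` returns the base DN, the scope `sub`, and a filter in which `*`, `(` and `)` from the login name appear as `\2a`, `\28` and `\29`.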

