Nagios Authentication with Active Directory (Slightly Off-Topic)

Jeremy Russell Jeremy.Russell at chickasaw.net
Wed Jan 5 15:58:45 CET 2005


I use modntlm with our Nagios implementation.

This provides pass through authentication with IE (we try to run a
single sign on/single source authentication environment).  It seems to be
working very well, however it is still NTLM for now.  The ultimate
method would be to use Kerberos.

http://modntlm.sourceforge.net/

I would recommend it for internal usage for sure.


-----Original Message-----
From: nagios at mm.quex.org [mailto:nagios at mm.quex.org] 
Sent: Wednesday, January 05, 2005 1:01 AM
To: nagios-users at lists.sourceforge.net
Subject: Re: [Nagios-users] Nagios Authentication with Active Directory
(Slightly Off-Topic)

On Tue, Jan 04, 2005 at 10:43:24AM -0800, CWaters at jeld-wen.com wrote:

> I want to use my company's AD to authenticate users against for access
> to Nagios.  While I know this is not really a Nagios question, I was
> wondering if anyone in the community is doing this already.  If so,
> what issues did you encounter?  Any drawbacks?  What apache modules
> were used etc.?  Any information would be great.  Sorry if this has
> already been covered.

In addition to the PAM method in someone else's response, if you only
need to authenticate against AD for Nagios access (i.e. via Apache)
there's an LDAP authentication module or two available which you can
use.

I'm using this with Apache 2 on a Debian (testing) system with
mod_auth_ldap v2.12, compiled with OpenLDAP TLS.

<http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html>

You might also want to look at the newer version.

In the Directory configuration block for Apache:

  <Directory /foo>

    AuthName "Network monitoring"
    AuthType Basic

    LDAP_Debug off
    LDAP_Server dc.myco.internal
    LDAP_Port 389
    LDAP_Persistent off
    LDAP_Protocol_Version 3

    Bind_DN "CN=LDAP_User,OU=Service Accounts,DC=myco,DC=internal"
    Bind_Pass "xxxxxxxxxxxx"
    Base_DN "OU=Staff,DC=myco,DC=internal"

    LDAP_StartTLS on
    AuthOnBind off
    Bind_Tries 1

    UID_Attr userPrincipalName
    UID_Attr_Alt sAMAccountName

    require valid-user

  </Directory>

I've got LDAP_Persistent off, as I think it caused me problems when
it was enabled.

The Bind_DN gives the distinguished name of an account it can use
to do the initial searching; I think it's possible to set up your
domain to allow anonymous searches but you might not want to do
that.  Bind_Pass gives the password for this account, so you'll
want to make sure only authorised people get to read this config
file, and the Base_DN sets where the search takes place in the
Active Directory tree.

The UID_Attr gives the property that is used to find a match when
a user goes to log in, i.e. what they type in the Username field.
The UID_Attr_Alt is exported into the environment as LDAP_USER_ALT,
which might be useful if you want to hack the CGIs to use this
instead of whatever you're using for the UID_Attr.

Hope some of this is helpful.


-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when
reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
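
An added example, not part of either message above: a small Python check for the three points the quoted reply raises about its Directory block (who can read the file holding Bind_Pass, whether LDAP_StartTLS is on, and whether searches would be anonymous). The directive names are the ones in that block; the function names, finding texts and sample file are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_directives(text):
    """Map directive name (lowercased) to value; skips <tags>, comments, blanks."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        found[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return found

def audit(path):
    """Return findings for one Apache config file using mod_auth_ldap directives."""
    with open(path, encoding="utf-8") as fh:
        d = parse_directives(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    # The bind password sits in the file in clear text, so "other" needs no access.
    if "bind_pass" in d and mode & stat.S_IRWXO:
        findings.append("Bind_Pass in a file accessible to other users (%s)" % oct(mode))
    # Without StartTLS on port 389 the bind and user passwords cross the wire in clear.
    if d.get("ldap_starttls", "off").lower() != "on":
        findings.append("LDAP_StartTLS is not on")
    # No Bind_DN means the initial search would be an anonymous one.
    if not d.get("bind_dn"):
        findings.append("no Bind_DN: search would be anonymous")
    return findings

# Constructed sample mirroring the block in the message; the password is a placeholder.
SAMPLE = """<Directory /foo>
    AuthType Basic
    LDAP_Server dc.myco.internal
    LDAP_Port 389
    Bind_DN "CN=LDAP_User,OU=Service Accounts,DC=myco,DC=internal"
    Bind_Pass "PLACEHOLDER"
    LDAP_StartTLS on
    require valid-user
</Directory>
"""

def write_sample(text, mode):
    """Write text to a temporary .conf file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for m in (0o644, 0o640):
        print(oct(m), audit(write_sample(SAMPLE, m)))
```

Mode 0640 with the file group-owned by the Apache user keeps the password readable to the server only; the check deliberately does not flag group read for that reason.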







