FW: Configuring Active Directory authentication - Nagios 3.0.2

Arno Lehmann al at its-lehmann.de
Fri Jun 6 10:08:10 CEST 2008


Hello,

06.06.2008 01:26, Lists wrote:
> Hi,
> 
> I have spent the last week or two building a demo system and one of my 
> requirements is that we can configure user access based on LDAP queries 
> to our AD server.

That's merely a question of getting the web server to authenticate 
against LDAP.

> 
> I am currently running the test box on Ubuntu Server 7 and I am having 
> problems in getting the LDAP queries setup as my Linux knowledge is 
> nowhere near as strong as my Windows.
> 

That happens - don't worry, we won't hold that against you.

> 
> Has anyone configured this and maybe have the relevant snippets of code 
> I need for my nagios config and also for apache as I don’t think what I 
> have in place is currently working for me!
> 

I do something like this. Note that I'm not authenticating against an 
AD LDAP, but the basic principle should work.

First step is to make sure you can, from your nagios box, access the 
AD LDAP. This *might* need kerberos for authentication - I never tried 
that, but the OpenLDAP programs do support kerberos as an 
authentication scheme, so I'm pretty sure with a bit of manual reading 
and experimenting you can do that. The problem is that, as far as I 
know, LDAP support in apache does not include kerberos authentication. 
A short google search for "apache auth against AD" seems to indicate 
that you do not need kerberos, so further experiments are probably 
useful...

Then make sure you know how to access the user data in the LDAP tree. 
ldapsearch is a good tool for this.

You need to set up your Nagios contacts with user names that are 
identifiable in AD LDAP first.

Then use an apache configuration similar to this one (this is a bit 
streamlined):

<Directory "/usr/local/nagios3/sbin">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Nagios Access"
    AuthType Basic
    AuthBasicProvider ldap
    require ldap-filter objectClass=deitsMonitoringContact
    AuthLDAPURL ldap://localhost:389/ou=people,dc=xxxx,dc=de?uid?sub?(objectClass=deitsMonitoringContact)
</Directory>

The additional filter - in my case the deitsMonitoringContact - will 
need to be changed or removed for you.
And, of course, you will probably need to adapt the AuthLDAPURL to 
your site.
In my case I use the uid attribute to match the supplied username, but 
I get the impression that with AD you would use sAMAccountName.

I wish you success!

Arno


> 
> Any help is much appreciated as always.
> 
> Regards,
> 
> Matt White
> 
> [ matt at matthewjwhite.co.uk ]
> 
> [ http://www.matthewjwhite.co.uk ]
> 
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
> ::: Messages without supporting info will risk being sent to /dev/null

-- 
Arno Lehmann
IT-Service Lehmann
www.its-lehmann.de
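
An added example, not part of the message above and not code from the Nagios or Apache projects: a small Python helper that takes an AuthLDAPURL like the one in the configuration above and builds the matching ldapsearch command, so the lookup Apache will perform can be checked by hand first. The filter composition `(&(filter)(attribute=username))` and the defaults follow the mod_authnz_ldap documentation; the AD host name, base DN, bind DN and user name are constructed placeholders.

```python
import shlex

# RFC 4515 escapes for characters that have meaning inside a search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into a dict."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, tail = rest.partition("/")
    basedn, attribute, scope, ldap_filter = (tail.split("?", 3) + [""] * 3)[:4]
    if ldap_filter and not ldap_filter.startswith("("):
        ldap_filter = "(" + ldap_filter + ")"
    return {  # defaults as documented for mod_authnz_ldap
        "server": scheme + "://" + hostport,
        "basedn": basedn,
        "attribute": attribute.split(",")[0] or "uid",
        "scope": "one" if scope == "one" else "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }


def user_filter(cfg, username):
    """Combine the URL's filter with attribute=<escaped username>."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))


def ldapsearch_command(url, username, bind_dn=None):
    """Return the ldapsearch command line that repeats Apache's user lookup."""
    cfg = parse_auth_ldap_url(url)
    argv = ["ldapsearch", "-x", "-H", cfg["server"], "-b", cfg["basedn"], "-s", cfg["scope"]]
    argv += ["-D", bind_dn, "-W"] if bind_dn else []  # -W prompts for the password
    argv += [user_filter(cfg, username), "1.1"]  # "1.1" = return DNs only
    return " ".join(shlex.quote(arg) for arg in argv)


# URL from the configuration above, and a constructed AD-style variant.
PAGE_URL = "ldap://localhost:389/ou=people,dc=xxxx,dc=de?uid?sub?(objectClass=deitsMonitoringContact)"
AD_URL = "ldaps://dc1.example.com/dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"

if __name__ == "__main__":
    print(ldapsearch_command(PAGE_URL, "jdoe"))
    print(ldapsearch_command(AD_URL, "jdoe", "CN=nagios-bind,DC=example,DC=com"))
```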
