Using both NTLM and htpasswd file authentication for NAGIOS web interface

Kevin Keane subscription at kkeane.com
Sat May 23 22:50:18 CEST 2009


This is really more of an Apache question than a Nagios question. You 
can set up Apache to use two separate authentication sources. Basically, 
you set it up to authenticate using htaccess, and if that fails, it 
"falls through" to AD authentication - or vice versa. How to configure 
this fall-through should be documented with the Apache modules you are 
using for authentication. Most, if not all, modules support it in some 
form or other.

Another option, if your admins are also AD users, might be to have 
everybody, including admins, log on using Windows AD, and distinguish 
permissions within Nagios.

Ayotunde Itayemi wrote:
>
> Hi,
>
> Thanks for the response. Each authentication method works OK alone, 
> but I need to allow regular Windows AD users “read-only” access to the 
> Nagios web interface while allowing admin users (from the htpasswd) 
> access to the same interface. Actually, I wouldn’t need to do this if 
> I could get Nagios to allow designated Windows AD users to submit 
> commands via the web interface.
>
> Thanks.
>
> "This mail is from a Gimper"
>
> *From:* Alex Dehaini [mailto:alexdehaini at gmail.com]
> *Sent:* Saturday, May 23, 2009 2:00 PM
> *To:* Ayotunde Itayemi
> *Cc:* nagios-users at lists.sourceforge.net
> *Subject:* Re: [Nagios-users] Using both NTLM and htpasswd file 
> authentication for NAGIOS web interface
>
> Hi Tunde,
>
> I have never tried this before but I will suggest you try your auth 
> systems one at a time to know they are working before implementing them.
>
> Nagios uses apache http authentication by default so you should not 
> have any issues with this. Or maybe I am missing something, please 
> correct if I am.
>
> Never tried NTLM authentication with nagios so I can't help in that 
> area but you can look at this link
>
> http://www.itefix.no/i2/node/11683
>
> I am sure there are pam or kerberos modules that can talk to a dbase 
> like ldap or AD.
>
> Regards,
> Alex
>
>
>
> On Sat, May 23, 2009 at 12:34 PM, Ayotunde Itayemi 
> <Ayotunde.Itayemi at zain.com <mailto:Ayotunde.Itayemi at zain.com>> wrote:
>
> Hi All,
>
> I would like to use both NTLM authentication and htpasswd 
> authentication to grant access to the NAGIOS web interface. If 
> possible, authenticate against Windows AD first, and if not 
> successful, authenticate against the apache htpasswd file (possibly 
> use the htpasswd file like a fall-back/default authentication mechanism).
>
> My /etc/httpd/conf.d/nagios.conf file’s content is listed below. I 
> suspect I need to incorporate “AuthType Basic” in there somehow, but I 
> have tried various options (specifying the htpasswd file too, but I 
> usually end up with the authentication not functioning at all).
>
> The first access dialog box has the text “Enter username and password 
> for http://mynagios” and if I enter a valid Windows AD credential, I 
> get logged in. If instead, I select cancel on this dialog box, I get a 
> second access dialog box with the text “A username and password are 
> being requested by http://znlnagios. The site says: "NAGIOS"”. If I 
> supply a valid Windows AD credential, I get logged in also.
>
> This also brings me to a related issue, I cannot use the “Downtime” 
> module – and any other module by which I can submit a command. I get 
> the message that I am not authorized to submit the command to Nagios. 
> Yet, I have added the user (MYDOMAIN\username and also username) to 
> the relevant sections of the cgi.cgi file.
>
> Thanks.
>
> The content of /etc/httpd/conf.d/nagios.conf
>
> # cat /etc/httpd/conf.d/nagios.conf
> NTLMAuth on
> NTLMAuthoritative on
> NTLMBasicAuth on
> NTLMBasicRealm NAGIOS
> AuthUserFile /usr/local/nagios/etc/htpasswd.users
> NTLMDomain MY-WINDOWS-DOMAIN
> NTLMLockfile /tmp/_my.lck
> NTLMServer my-winaddc1
> NTLMBackup my-winaddc2
> Require valid-user
> # Satisfy all
> </Directory>
>
> Alias /nagios "/usr/local/nagios/share"
> <Directory "/usr/local/nagios/share">
> AuthName NTAuth
> AuthType NTLM
> NTLMAuth on
> NTLMAuthoritative on
> NTLMBasicAuth on
> NTLMBasicRealm NAGIOS
> AuthUserFile /usr/local/nagios/etc/htpasswd.users
> NTLMDomain MY-WINDOWS-DOMAIN
> NTLMLockfile /tmp/_my.lck
> NTLMServer my-winaddc1
> NTLMBackup my-winaddc2
> Require valid-user
> Satisfy all
> </Directory>
>

-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com
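
Added example, not part of the original message or of any project's shipped configuration: one documented form of the fall-through described in the reply, written for Apache 2.4, chaining the htpasswd file and AD through mod_auth_basic providers, with mod_authnz_ldap swapped in for the mod_ntlm module used in the thread. The host name, DNs, bind account and password are placeholders.

```apache
# Assumes Apache 2.4 with mod_auth_basic, mod_authn_file,
# mod_authnz_ldap and mod_ssl loaded.
# The same block is needed on the Nagios CGI directory.
<Directory "/usr/local/nagios/share">
    # Basic auth sends the password with every request, so refuse plain HTTP.
    SSLRequireSSL

    AuthType Basic
    AuthName "NAGIOS"

    # Providers are tried in order: htpasswd file first, then AD over LDAP.
    # A user missing from the first provider falls through to the next;
    # a user found there with a wrong password is rejected without fall-through.
    AuthBasicProvider file ldap

    AuthUserFile /usr/local/nagios/etc/htpasswd.users

    # Placeholder AD values: replace host, base DN and bind account.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-nagios,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"

    Require valid-user
</Directory>
```

With this setup Nagios receives the authenticated name as the user typed it (the sAMAccountName, with no domain prefix), and per-user rights are then assigned with the authorized_for_* entries in the Nagios CGI configuration.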
