LDAP authentication and CGI authorization problem

Mattia Gandolfi matgand at gmail.com
Wed May 26 14:13:51 CEST 2010


Self-replying: I've just discovered the root cause: can_submit_commands was
set to 0 in the contacts template definition.
Works as expected now.

Mattia

On Tue, May 25, 2010 at 3:08 PM, Mattia Gandolfi <matgand at gmail.com> wrote:

> Hi all,
>
> I'm facing problems while trying to enable LDAP authentication on a Nagios
> 3.2.1 install (using htpasswd.users everything works fine).
> This is how I've configured Apache:
>
> <Directory /usr/share/nagios/>
>     AuthType Basic
>     AuthName "Nagios - Ldap"
>     AuthBasicProvider ldap
>     AuthLDAPUrl ldaps://unixautmi-ese01.sky.local:636,unixautca-ese01.sky.local:636/ou=people,dc=sky,dc=local?uid
>     AuthLDAPBindDN "cn=authuser,dc=sky,dc=local"
>     AuthLDAPBindPassword oaj5Phum
>     Require ldap-dn uid=gandolfim,ou=people,dc=sky,dc=local
>     Require ldap-user gandolfim
>     AuthLDAPGroupAttributeIsDN off
>     Require ldap-group cn=systemadminmi,ou=groups,dc=sky,dc=local
>     Require ldap-group cn=infosec,ou=groups,dc=sky,dc=local
>     AuthLDAPGroupAttribute memberUid
> </Directory>
> <Directory "/usr/lib/nagios/cgi">
>     AuthType Basic
>     AuthName "Nagios - Ldap - CGI"
>     AuthBasicProvider ldap
>     AuthLDAPUrl ldaps://unixautmi-ese01.sky.local:636,unixautca-ese01.sky.local:636/ou=people,dc=sky,dc=local?uid
>     AuthLDAPBindDN "cn=authuser,dc=sky,dc=local"
>     AuthLDAPBindPassword oaj5Phum
>     Require ldap-dn uid=gandolfim,ou=people,dc=sky,dc=local
>     Require ldap-user gandolfim
>     AuthLDAPGroupAttributeIsDN off
>     Require ldap-group cn=systemadminmi,ou=groups,dc=sky,dc=local
>     Require ldap-group cn=infosec,ou=groups,dc=sky,dc=local
>     AuthLDAPGroupAttribute memberUid
> </Directory>
>
> I've defined my username as a contact
>
> define contact {
>         use             email-contact
>         contact_name    gandolfim
>         alias           Mattia Gandolfi
>         email           mattia.gandolfi at xxxxxxx.com
>         pager           none
> }
>
> and I've set the following options in cgi.cfg
>
> use_authentication=1
> use_ssl_authentication=0
> authorized_for_system_information=gandolfim
> authorized_for_configuration_information=gandolfim
> authorized_for_system_commands=gandolfim
> authorized_for_all_services=gandolfim
> authorized_for_all_hosts=gandolfim
> authorized_for_all_service_commands=gandolfim
>
> Authentication works fine, and I see "Logged in as gandolfim" on top of
> the Tactical Monitoring Overview page.
> However, as soon as I try to access the cgi, for example to disable
> notifications for a service, I get "Sorry, but you are not authorized to
> commit the specified command."
>
> What am I missing?
>
> Thanks
>
> Mattia
>
>
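
The thread shows two separate gates: the authorized_for_* lists in cgi.cfg, and the contact's own can_submit_commands value, which can be inherited from a template through `use`. The following audit helper is an added example, not part of the original post and not Nagios code; the template body, the sample data and the function names are assumptions, and the parser handles only the simple definition layout shown here.

```python
import re

# Constructed sample: the template body is assumed, the thread only names it.
OBJECTS = """
define contact {
        name                    email-contact   ; template
        can_submit_commands     0
        register                0
}
define contact {
        use             email-contact
        contact_name    gandolfim
}
"""
CGI_CFG = "use_authentication=1\nauthorized_for_all_service_commands=gandolfim\n"

def parse_contacts(text):
    """Return (contacts keyed by contact_name, templates keyed by name)."""
    contacts, templates = {}, {}
    for body in re.findall(r"define\s+contact\s*\{(.*?)\}", text, re.S):
        d = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # strip ';' comments
            if len(parts) == 2 and not parts[0].startswith("#"):
                d[parts[0]] = parts[1].strip()
        if "contact_name" in d:
            contacts[d["contact_name"]] = d
        if "name" in d:
            templates[d["name"]] = d
    return contacts, templates

def resolve(obj, label, templates, key, seen=()):
    """Find key on obj or along its `use` chain; return (value, where set)."""
    if key in obj:
        return obj[key], label
    for parent in (p.strip() for p in obj.get("use", "").split(",")):
        if parent in templates and parent not in seen:
            found = resolve(templates[parent], parent, templates, key, seen + (parent,))
            if found[0] is not None:
                return found
    return None, None

def audit(user, objects_text, cgi_text, directive="authorized_for_all_service_commands"):
    """Report the cgi.cfg listing and the contact's effective command flag."""
    m = re.search(rf"^\s*{re.escape(directive)}\s*=(.*)$", cgi_text, re.M)
    listed = {u.strip() for u in m.group(1).split(",")} if m else set()
    contacts, templates = parse_contacts(objects_text)
    value, origin = resolve(contacts.get(user, {}), user, templates, "can_submit_commands")
    return {"cgi_listed": user in listed or "*" in listed, "can_submit_commands": value, "set_in": origin}
```

A result with `cgi_listed` true and `can_submit_commands` equal to "0" matches the situation in this thread, and `set_in` names the object or template that has to be edited.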