<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <meta name=Generator content="Microsoft Word 12 (filtered medium)"> <style>  </style>  </head> <body lang=EN-US link=blue vlink=purple> <div class=Section1> I don’t mind the users authenticating from one source, but the submit commands don’t appear to work when authenticating against Windows AD (see my mail below). The reason I am using the NTLM auth module is to get “single sign-on” so that users are not prompted for their username/passwords once they are already logged into the Windows domain (which works).<o:p></o:p> If I go with the apache password text file, then I will have another credential database to maintain (user account maintenance) and it means my users will have to learn another set of passwords. I also don’t want to go the way of setting up a full SAMBA installation just to proxy the authentication to the domain controller.<o:p></o:p> Thanks.<o:p></o:p> "This mail is from a Gimper"<o:p></o:p> <o:p> </o:p> <div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'> From: Alex Dehaini [mailto:alexdehaini@gmail.com] Sent: Saturday, May 23, 2009 2:32 PM To: Ayotunde Itayemi Cc: nagios-users@lists.sourceforge.net Subject: Re: [Nagios-users] Using both NTLM and htpasswd file authentication for NAGIOS web interface<o:p></o:p> </div> <o:p> </o:p> You want to send this to the nagios developer mailing list. Seems you are spoiling your users - why can't they all authenticate from one source - apache? Regards, Alex<o:p></o:p> <div> On Sat, May 23, 2009 at 1:11 PM, Ayotunde Itayemi <<a href="mailto:Ayotunde.Itayemi@zain.com">Ayotunde.Itayemi@zain.com</a>> wrote:<o:p></o:p> <div> <div> Hi,<o:p></o:p> Thanks for the response. Each authentication method works OK alone, but I need to allow regular Windows AD users “read-only” access to the Nagios web interface while allowing admin users (from the htpasswd) access to the same interface. Actually, I wouldn’t need to do this if I could get Nagios to allow designated Windows AD users submit commands via the web interface.<o:p></o:p> Thanks.<o:p></o:p> "This mail is from a Gimper"<o:p></o:p> <o:p></o:p> <div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in; border-color:-moz-use-text-color -moz-use-text-color'> From: Alex Dehaini [mailto:<a href="mailto:alexdehaini@gmail.com" target="_blank">alexdehaini@gmail.com</a>] Sent: Saturday, May 23, 2009 2:00 PM To: Ayotunde Itayemi Cc: <a href="mailto:nagios-users@lists.sourceforge.net" target="_blank">nagios-users@lists.sourceforge.net</a> Subject: Re: [Nagios-users] Using both NTLM and htpasswd file authentication for NAGIOS web interface<o:p></o:p> </div> <div> <div> <o:p></o:p> Hi Tunde, I have never tried this before but I will suggest you try your auth systems one at a time to know they are working before implementing them. Nagios uses apache http authentication by default so you should not have any issues with this. Or maybe I am missing something, please correct if I am. Never tried NTLM authentication with nagios so I can't help in that area but you can look at this link <a href="http://www.itefix.no/i2/node/11683" target="_blank">http://www.itefix.no/i2/node/11683</a> I am sure there are pam or kerberos modules that can talk to a dbase like ldap or AD. Regards, Alex <o:p></o:p> <div> On Sat, May 23, 2009 at 12:34 PM, Ayotunde Itayemi <<a href="mailto:Ayotunde.Itayemi@zain.com" target="_blank">Ayotunde.Itayemi@zain.com</a>> wrote:<o:p></o:p> <div> <div> Hi All,<o:p></o:p> I would like to use both NTLM authentication and htpasswd authentication to grant access to the NAGIOS web interface. If possible, authenticate against Windows AD first, and if not successful, authenticate against the apache htpasswd file (possibly use the htpasswd file like a fall-back/default authentication mechanism).<o:p></o:p> <o:p></o:p> My /etc/httpd/conf.d/nagios.conf file’s content is listed below. I suspect I need to incorporate “AuthType Basic” in there somehow, but I have tried various option (specifying the htppasswd file too, but I usually end up with the authentication not functioning at all)<o:p></o:p> <o:p></o:p> The first access dialog box has the text “Enter username and password for <a href="http://mynagios" target="_blank">http://mynagios</a>” and if I enter a valid Windows AD credential, I get logged in. If instead, I select cancel on this dialog box, I get a second access dialog box with the text “A username and password are being requested by <a href="http://znlnagios" target="_blank">http://znlnagios</a>. The site says: "NAGIOS". If I supply a valid Windows AD credential, I get logged in also.<o:p></o:p> <o:p></o:p> This also brings me to a related issue, I cannot use the “Downtime” module – and any other module by which I can submit a command. I get the message that I am not authorized to submit the command to Nagios. Yet, I have added the user (MYDOMAIN\username and also username) to the relevant sections of the cgi.cgi file.<o:p></o:p> Thanks.<o:p></o:p> <o:p></o:p> The content of /etc/httpd/conf.d/nagios.conf<o:p></o:p> # cat /etc/httpd/conf.d/nagios.conf<o:p></o:p> NTLMAuth on<o:p></o:p> NTLMAuthoritative on<o:p></o:p> NTLMBasicAuth on<o:p></o:p> NTLMBasicRealm NAGIOS<o:p></o:p> AuthUserFile /usr/local/nagios/etc/htpasswd.users<o:p></o:p> NTLMDomain MY-WINDOWS-DOMAIN<o:p></o:p> NTLMLockfile /tmp/_my.lck<o:p></o:p> NTLMServer my-winaddc1<o:p></o:p> NTLMBackup my-winaddc2<o:p></o:p> Require valid-user<o:p></o:p> # Satisfy all<o:p></o:p> </Directory><o:p></o:p> <o:p></o:p> Alias /nagios "/usr/local/nagios/share"<o:p></o:p> <o:p></o:p> <Directory "/usr/local/nagios/share"><o:p></o:p> AuthName NTAuth<o:p></o:p> AuthType NTLM<o:p></o:p> NTLMAuth on<o:p></o:p> NTLMAuthoritative on<o:p></o:p> NTLMBasicAuth on<o:p></o:p> NTLMBasicRealm NAGIOS<o:p></o:p> AuthUserFile /usr/local/nagios/etc/htpasswd.users<o:p></o:p> NTLMDomain MY-WINDOWS-DOMAIN<o:p></o:p> NTLMLockfile /tmp/_my.lck<o:p></o:p> NTLMServer my-winaddc1<o:p></o:p> NTLMBackup my-winaddc2<o:p></o:p> Require valid-user<o:p></o:p> Satisfy all<o:p></o:p> </Directory><o:p></o:p> <o:p></o:p> </div> </div> ------------------------------------------------------------------------------ Register Now for Creativity and Technology (CaT), June 3rd, NYC. CaT is a gathering of tech-side developers & brand creativity professionals. Meet the minds behind Google Creative Lab, Visual Complexity, Processing, & iPhoneDevCamp asthey present alongside digital heavyweights like Barbarian Group, R/GA, & Big Spaceship. <a href="http://www.creativitycat.com" target="_blank">http://www.creativitycat.com</a> _______________________________________________ Nagios-users mailing list <a href="mailto:Nagios-users@lists.sourceforge.net" target="_blank">Nagios-users@lists.sourceforge.net</a> <a href="https://lists.sourceforge.net/lists/listinfo/nagios-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/nagios-users</a> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null<o:p></o:p> </div> -- Alex Dehaini Developer Site - <a href="http://www.alexdehaini.com" target="_blank">www.alexdehaini.com</a> Email - <a href="mailto:alexdehaini@gmail.com" target="_blank">alexdehaini@gmail.com</a><o:p></o:p> </div> </div> </div> </div> </div> -- Alex Dehaini Developer Site - <a href="http://www.alexdehaini.com">www.alexdehaini.com</a> Email - <a href="mailto:alexdehaini@gmail.com">alexdehaini@gmail.com</a><o:p></o:p> </div> </body> </html>