<html><head> <meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"><title>Re: [Nagios-users] Authentication using AD</title> </head> <body> Thanks for the heads up. Over the last few days I’ve had other priorities/fires but hope to get back on this by early next week. It would be good to share our experiences. Nagios-XI, at least I think, is a commercial/supported implementation of nagios. I saw this & figured it only applied to their tweaked version of nagios? Joe On 2/2/11 4:49 AM, "Bryan Berry" <<a href="bryan.berry@gmail.com">bryan.berry@gmail.com</a>> wrote: <blockquote>Joe I am in the same boat as you except I have much less experience w/ cas, krb, ldap, etc. I am going to try out this plugin today <a href="http://exchange.nagios.org/directory/Addons/Components/Active-Directory-Integration-for-Nagios-XI/details">http://exchange.nagios.org/directory/Addons/Components/Active-Directory-Integration-for-Nagios-XI/details</a> and will let you know how it goes for me <<a href="http://exchange.nagios.org/directory/Addons/Components/Active-Directory-Integration-for-Nagios-XI/details">http://exchange.nagios.org/directory/Addons/Components/Active-Directory-Integration-for-Nagios-XI/details</a>> On Fri, Jan 28, 2011 at 7:57 PM, Joe Beck <<a href="JBeck@urbn.com">JBeck@urbn.com</a>> wrote: <blockquote>The recent thread on this topic was timely. After looking thru some of the details of these options, its not clear to me which would be best & which I should try to implement first: Mod_auth_ldap Mod_cas Mod_krb We’re on suse 11, apache 2.2.10 (more details below) The goal is to allow users to authenticate with their active directory credentials to the nagios web interface. The #1 requirement is quick setup at this point—most of our users, esp. mgt are using windows & IE. We’re pretty far down the path of getting buy-in from mgt to use Nagios. If I can get them to click on our nagios email notification links (we’re using frank4dd’s send perl plugin) and get right to the page without having to enter their username/password, that would be great. The mapping of AD groups to nagios contactgroups would be awesome down the road but right now I’m looking for quickest implementation of AD auth integration into nagios. Some of my concerns: when I first looked I saw the need of a user w/out a password but after looking again I see that its just for a “principal” user tied to communications between apache & an AD user. I have little kerberos experience, lots of ldap experience, and a decent amount of apache & php background. Any observations or comments are appreciated. Thanks, Joe (more details on env) /usr/sbin/httpd2-prefork -V Server version: Apache/2.2.10 (Linux/SUSE) Server built: Dec 3 2008 10:04:51 Server's Module Magic Number: 20051115:18 Server loaded: APR 1.3.3, APR-Util 1.3.4 Compiled using: APR 1.3.3, APR-Util 1.3.4 Architecture: 32-bit Server MPM: Prefork threaded: no forked: yes (variable process count) Server compiled with.... -D APACHE_MPM_DIR="server/mpm/prefork" -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=128 -D HTTPD_ROOT="/srv/www" -D SUEXEC_BIN="/usr/sbin/suexec2" -D DEFAULT_PIDLOG="/var/run/httpd2.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_LOCKFILE="/var/run/accept.lock" -D DEFAULT_ERRORLOG="/var/log/apache2/error_log" -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types" -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf" (Active Directory) to authenticate Nagios web interface users On 1/27/11 5:18 AM, "Tevfik Karagulle" <<a href="tevfik.karagulle@gmail.com">tevfik.karagulle@gmail.com</a> <<a href="http://tevfik.karagulle@gmail.com">http://tevfik.karagulle@gmail.com</a>> > wrote: <blockquote> I ran an AD-query script periodically. The script could map Nagios contact groups to AD-groups, getting AD-users of those groups and create corresponding Nagios contacts. On Thu, Jan 27, 2011 at 7:55 AM, Bryan Berry <<a href="bryan.berry@gmail.com">bryan.berry@gmail.com</a> <<a href="http://bryan.berry@gmail.com">http://bryan.berry@gmail.com</a>> > wrote: <blockquote>thanks Jan and Tevfik. I will have to experiment w/ your solutions How does Nagios application know about the individual accounts? Do you have to create them separately and then mod_cas or mod_krb passes thru the credentials to Active Directory for verification? On Wed, Jan 26, 2011 at 10:43 AM, Tevfik Karagulle <<a href="tevfik.karagulle@gmail.com">tevfik.karagulle@gmail.com</a> <<a href="http://tevfik.karagulle@gmail.com">http://tevfik.karagulle@gmail.com</a>> > wrote: <blockquote>The link below can be helpful if If you look for single sign-on integration with Active Directory: <a href="http://www.itefix.no/i2/node/11683">http://www.itefix.no/i2/node/11683</a> (Nagios single sign-on authentication with Active Directory) That recipe is successfully implemented on a Nagios implementation two years ago. Tev On Wed, Jan 26, 2011 at 10:17 AM, <<a href="jan.grant@bristol.ac.uk">jan.grant@bristol.ac.uk</a> <<a href="http://jan.grant@bristol.ac.uk">http://jan.grant@bristol.ac.uk</a>> > wrote: <blockquote>On Wed, 26 Jan 2011, Bryan Berry wrote: > Anybody using CAS for SSO authentication ( > <a href="https://wiki.jasig.org/display/CASC/phpCAS">https://wiki.jasig.org/display/CASC/phpCAS</a>) into Nagios? I would love to > know if there is an existing solutions for this. haven't managed to find > anything regarding this on google yet We just slapped it behind mod_cas (or whatever it's called); seems to work, although you'll need an alternative route if you want unauthenticated access too, since there's no "opt-out" with that, unless you construct a cunning config that lets the front page through unauthenticated. -- jan grant, ISYS, University of Bristol. <a href="http://www.bris.ac.uk/">http://www.bris.ac.uk/</a> Tel +44 (0)117 3317661 <a href="http://ioctl.org/jan/">http://ioctl.org/jan/</a> They modified their trousers secretly. ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! <a href="http://p.sf.net/sfu/arcsight-sfd2d">http://p.sf.net/sfu/arcsight-sfd2d</a> _______________________________________________ Nagios-users mailing list <a href="Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a> <<a href="http://Nagios-users@lists.sourceforge.net">http://Nagios-users@lists.sourceforge.net</a>> <a href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null </blockquote> ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! <a href="http://p.sf.net/sfu/arcsight-sfd2d">http://p.sf.net/sfu/arcsight-sfd2d</a> _______________________________________________ Nagios-users mailing list <a href="Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a> <<a href="http://Nagios-users@lists.sourceforge.net">http://Nagios-users@lists.sourceforge.net</a>> <a href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null </blockquote> ------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! <a href="http://p.sf.net/sfu/arcsight-sfd2d">http://p.sf.net/sfu/arcsight-sfd2d</a> _______________________________________________ Nagios-users mailing list <a href="Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a> <<a href="http://Nagios-users@lists.sourceforge.net">http://Nagios-users@lists.sourceforge.net</a>> <a href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null </blockquote> </blockquote> Joe </blockquote></blockquote> Joe -- Joe Beck | IT-Open Systems Engineer | urban outfitters inc. 5000 South Broad Street | Phila., PA 19112 | 215.454.7737 | <a href="jbeck@urbn.com">jbeck@urbn.com</a> </body> </html>