
Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working with Linux Fedora systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is what many people depend on.

All the posts here come from my own experience during my working life, so you can count on them.

I have added the references where I got help in solving IT issues.


Friday, June 24, 2011

Nagios Authentication with LDAP using Apache Module mod_authnz_ldap

The basic authentication mechanism for Nagios is htpasswd. The password file is defined in /etc/httpd/conf.d/nagios.conf:

AuthUserFile /usr/local/nagios/etc/htpasswd.users

I tried to authenticate users from the LDAP server to enable centralized user authentication.

Here I have used authnz_ldap_module in Apache to authenticate users for the Nagios system.
My Apache version is Apache/2.2.14 (Unix) and my Nagios version is 3.2.3.

First of all, the Apache module needs to be built with Apache. Check /etc/httpd/conf/httpd.conf for the following entry:
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

If your Apache is not compiled with authnz_ldap_module, follow the link below and enable authnz_ldap_module support in Apache. Normally, this module is available in Apache version 2.1 and later.
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html

Here are the parameters that I configured in /etc/httpd/conf.d/nagios.conf

SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access for LKNIC"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://[ldap_server_ip]:[ldap_port]/[Base_DN]?[search_attribute, e.g. uid]
Require valid-user


The AuthBasicProvider ldap and AuthLDAPUrl entries are the ones related to LDAP authentication. Because I configured the 'Require valid-user' setting in nagios.conf, all LDAP users are allowed into the Nagios system. To restrict users, refer to http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#usingtls

By enabling SSLRequireSSL in the configuration I have required an HTTPS connection for Nagios. With this setting, Nagios is accessible only at https://server.url/nagios
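
The same block with the two choices discussed above tightened, as an added example that is not the author's configuration: the Apache-to-LDAP connection uses StartTLS and access is limited to one LDAP group. The host name, DNs, group name, CA file path and the <Directory> path are assumptions.

```apache
# Added example for Apache 2.2 (mod_ldap + mod_authnz_ldap).
# ldap.example.org, the DNs, the group name, the CA file path and the
# <Directory> path are assumed placeholders, not values from the post.

# Server-wide (outside any <Directory>): CA that signed the LDAP server's
# certificate, and refuse the connection if that certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

<Directory "/usr/local/nagios/sbin">
    SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all

    AuthName "Nagios Access"
    AuthType Basic
    AuthBasicProvider ldap

    # Weak: with plain ldap:// Apache binds to the directory with the user's
    # password in clear text, even though the browser side is HTTPS.
    #AuthLDAPUrl "ldap://ldap.example.org:389/ou=People,dc=example,dc=org?uid"

    # Hardened: same search (attribute uid, subtree scope); the trailing TLS
    # keyword makes the module start TLS on the connection before binding.
    AuthLDAPUrl "ldap://ldap.example.org:389/ou=People,dc=example,dc=org?uid?sub" TLS
    # Alternative: LDAP over SSL on its dedicated port.
    #AuthLDAPUrl "ldaps://ldap.example.org:636/ou=People,dc=example,dc=org?uid?sub"

    # Weak: any account found under the base DN can log in to Nagios.
    #Require valid-user

    # Hardened: only members of one group (entries listing 'member' DNs).
    Require ldap-group cn=nagios-users,ou=Groups,dc=example,dc=org
</Directory>
```

A user admitted here still gets only the Nagios rights that cgi.cfg assigns to that user name.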

Even though I have allowed all LDAP users to visit the Nagios system, the user levels are defined in cgi.cfg under /usr/local/nagios/etc/
E.g.
authorized_for_system_commands=user1,user2,...
authorized_for_read_only=user3

I hope this helps you configure central authentication for Nagios.

Useful reference:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#usingtls
http://www.linux.com/archive/feature/120050

2 comments:

  1. Great article, thank you! Do you know how to allow local users to access along with LDAP authentication? In case the LDAP server fails, I would still like to have access to Nagios with a local account.

  2. Hi, is there any possibility to configure Nagios or Apache to authenticate LDAP users in Nagios with lower and upper case user names?

    Thanks&Regards,
    Amir
