Nagios authentication with active directory
Tags:
Technical Track
Nagios authentication with Active Directory aligns with user management consolidation policies in most organizations. This post explains how to setup Nagios authentication with Active Directory, while using Apache as web server.
mod_authz_ldap is an apache LDAP authorization module. This can be used to authorize a user based on an LDAP query. Install mod_authz_ldap.
# yum install mod_authz_ldap
Make sure that the module is loaded in apache:
/etc/httpd/conf.d/authz_ldap.confLoadModule authz_ldap_module modules/mod_authz_ldap.so
To query LDAP, ldapsearch can be used. Install following package:
# yum install openldap-clients
Active Directory will not allow an LDAP client to operate against it anonymously, therefore a user DN and password with minimum permission is required. For example: CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org The CN attribute corresponds to the "Display Name” of the account in Active Directory. ldapsearch can be used to query LDAP server. In this case Active Directory. In this example, we will look at how to enable access to all the members in 'Pythian' group who in turn have membership in 'Nagios Admins' group. To find the members of Pythian group, run following command:
# ldapsearch -x -LLL -D 'CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org' -W -H ldap://192.168.1.1 -b 'CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org' Enter LDAP Password: dn: CN=Pythian,OU=Internal Security Groups,DC=hq,DC=CORP,DC=abc,DC=org objectClass: top objectClass: group cn: pythian description: General Pythian group. member: CN=Joseph Minto,OU=Service Consultants,OU=Consultants,OU=User Accounts,DC=hq,DC=CORP,DC=abc,DC=org <--------------- member: CN=Test All,OU=Service Consultants,OU=Consultants,OU=User Accounts,DC=hq,DC=CORP,DC=abc,DC=org <--------------- distinguishedName: CN=pythian,OU=Internal Security Groups,DC=hq,DC=CORP,DC=abc,DC=org instanceType: 4 whenCreated: 20120720203444.0Z whenChanged: 20150611152516.0Z uSNCreated: 11258263 memberOf: CN=OA Admins,OU=Internal Security Groups,DC=hq,DC=CORP,DC=abc,DC=org uSNChanged: 128023795 name: pythian objectGUID:: XY68X44xZU6KQckM3gckcw== objectSid:: AQUAAAAAAAUVAAAAly2pALIyHF9ZQexpa+IAAA== sAMAccountName: pythian sAMAccountType: 268435456 groupType: -2147483646 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=CORP,DC=abc,DC=org dSCorePropagationData: 20140718174533.0Z dSCorePropagationData: 20121012140635.0Z dSCorePropagationData: 20120823115415.0Z dSCorePropagationData: 20120723133138.0Z dSCorePropagationData: 16010714223649.0Z
To find the details of a user account, following command can be used:
# ldapsearch -x -LLL -D 'CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org' -W -H ldap://192.168.1.1 -b 'CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org' -s sub "sAMAccountName=jminto" Enter LDAP Password: dn: CN=Joseph Minto,OU=Service Consultants,OU=Consultants,OU=User Accounts,DC= hq,DC=CORP,DC=abc,DC=org objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Joseph Minto sn: Minto c: US l: Arlington st: VA description: 09/30/15 - Consultant - Pythian postalCode: 22314 telephoneNumber: 1 866 - 798 - 4426 givenName: Joseph distinguishedName: CN=Joseph Minto,OU=Service Consultants,OU=Consultants,OU=User Accounts,DC=hq,DC=CORP,DC=abc,DC=org instanceType: 4 whenCreated: 20131203160403.0Z whenChanged: 20150811045216.0Z displayName: Joseph Minto uSNCreated: 62354283 info: sponsored by: sam@abc.org memberOf: CN=Pythian,OU=Internal Security Groups,DC=hq,DC=CORP,DC=abc,DC=org memberOf: CN=Nagios Admins,OU=Nagios Groups,OU=AppSecurityGroups,DC=hq,DC=CORP,DC=abc,DC=org <------------- uSNChanged: 137182483 co: United States name: Joseph Minto objectGUID:: uh9bC/ke6Uap0/dUk9gyLw== userAccountControl: 512 badPwdCount: 0 codePage: 0 countryCode: 840 badPasswordTime: 130360542953202075 lastLogoff: 0 lastLogon: 130844674893200195 scriptPath: callsl.bat logonHours:: //////////////////////////// pwdLastSet: 130305602432591455 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAly2pALIyHF9ZQexphO8AAA== adminCount: 1 accountExpires: 130881456000000000 logonCount: 116 sAMAccountName: jminto sAMAccountType: 805306368 userPrincipalName: jminto@hq.CORP.abc.org objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=CORP,DC=abc,DC=org dSCorePropagationData: 20150320162428.0Z dSCorePropagationData: 20140718174545.0Z dSCorePropagationData: 20131203161019.0Z dSCorePropagationData: 16010101181632.0Z lastLogonTimestamp: 130837423368430625 mail: jo@pythian.com
Following are the ldapsearch switches used above:
-x Use simple authentication instead of SASL. -L Search results are display in LDAP Data Interchange Format detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF.-D binddn Use the Distinguished Name binddn to bind to the LDAP directory. For SASL binds, the server is expected to ignore this value.-W Prompt for simple authentication. This is used instead of specifying the password on the command line.-H ldapuri Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed. As an exception, if no host/port is specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396.-b searchbase Use searchbase as the starting point for the search instead of the default.-s {base|one|sub|children} Specify the scope of the search to be one of base, one, sub, or children to specify a base object, one-level, subtree, or children search. The default is sub. Note: children scope requires LDAPv3 subordinate feature extension.
In the nagios configuration in apache, parameters in mod_authz_ldap can be used to validate a user like we used in ldapsearch:
# cat /etc/httpd/conf.d/nagios.conf # SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER # Last Modified: 11-26-2005 # # This file contains examples of entries that need # to be incorporated into your Apache web server # configuration file. Customize the paths, etc. as # needed to fit your system.ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"Options ExecCGI AllowOverride None Order allow,deny Allow from all AuthName "Nagios Access" AuthType BasicAuthzLDAPMethod ldap AuthzLDAPServer "192.168.1.1" AuthzLDAPBindDN "CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org" AuthzLDAPBindPassword "typepasswordhere" AuthzLDAPUserKey sAMAccountName AuthzLDAPUserBase "CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org" AuthzLDAPUserScope subtree AuthzLDAPGroupKey cn AuthzLDAPMemberKey member AuthzLDAPSetGroupAuth ldapdn require group "Nagios Admins"Alias /nagios "/usr/share/nagios/html"Options None AllowOverride None Order allow,deny Allow from all AuthName "Nagios Access" AuthType BasicAuthzLDAPMethod ldap AuthzLDAPServer "192.168.1.1" AuthzLDAPBindDN "CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org" AuthzLDAPBindPassword "typepasswordhere" AuthzLDAPUserKey sAMAccountName AuthzLDAPUserBase "CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org" AuthzLDAPUserScope subtree AuthzLDAPGroupKey cn AuthzLDAPMemberKey member AuthzLDAPSetGroupAuth ldapdn require group "WUG Admins"
In the above configuration, mod_authz_ldap uses parameters like ldapserver, binddn, bindpassword, scope, searchbase etc to see if the supplied user credentials can be found in the Active Directory. It would also check to see if the user is a member of 'Nagios Admins' group. Restarting apache would start enable Active Directory based authentication for Nagios.
Discover more about our expertise in Infrastructure Management.
