Nagios authentication with Active Directory (AD) aligns with user management consolidation policies in most organizations. This post explains how to set up Nagios authentication with Active Directory while using Apache as the web server.
To achieve this, we use mod_authz_ldap, an Apache LDAP authorization module that authorizes users based on the results of an LDAP query.
Before configuring the authentication, you need to install the necessary modules and clients on your Nagios server.
First, install the Apache LDAP authorization module and the OpenLDAP client tools (useful for troubleshooting and testing connectivity).
```
# yum install mod_authz_ldap
# yum install openldap-clients
```
Ensure the module is properly loaded in your Apache configuration. Check the following file: /etc/httpd/conf.d/authz_ldap.conf
LoadModule authz_ldap_module modules/mod_authz_ldap.so
Active Directory isn't exactly the "talk to strangers" type; it will not allow an LDAP client to operate against it anonymously. Therefore, a user DN and password with minimum permissions are required for "binding."
For example, you might use a service account like:
CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org
Note: The CN attribute corresponds to the Display Name of the account in Active Directory.
In this example, we want to enable access to all members of the Pythian group who also have membership in the Nagios Admins group. Use ldapsearch to verify you can see the group members:
```
# ldapsearch -x -LLL -D 'CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org' \
    -W -H ldap://192.168.1.1 \
    -b 'CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org'
```
To find the specific details of a user account (e.g., jminto), run:
```
# ldapsearch -x -LLL -D 'CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org' \
    -W -H ldap://192.168.1.1 \
    -b 'CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org' \
    -s sub "sAMAccountName=jminto"
```
ldapsearch Switches

| Switch | Description |
| --- | --- |
| -x | Use simple authentication instead of SASL. |
| -L(LL) | Displays results in LDIF format (varying levels of detail). |
| -D | The Distinguished Name (binddn) used to bind to the directory. |
| -W | Prompt for the password (safer than typing it in the command). |
| -H | Specify the URI of the LDAP server. |
| -b | Use this as the starting point (searchbase) for the search. |
| -s | Specify the scope: base, one, sub, or children. |
Now, integrate these LDAP parameters into your Nagios Apache configuration. Parameters in mod_authz_ldap are used to validate the user exactly as we did with ldapsearch.
Edit /etc/httpd/conf.d/nagios.conf to include the LDAP directives:
```apache
# /etc/httpd/conf.d/nagios.conf
ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
<Directory "/usr/lib64/nagios/cgi-bin/">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Nagios Access"
    AuthType Basic
    AuthzLDAPMethod ldap
    AuthzLDAPServer "192.168.1.1"
    AuthzLDAPBindDN "CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org"
    AuthzLDAPBindPassword "typepasswordhere"
    AuthzLDAPUserKey sAMAccountName
    AuthzLDAPUserBase "CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org"
    AuthzLDAPUserScope subtree
    AuthzLDAPGroupKey cn
    AuthzLDAPMemberKey member
    AuthzLDAPSetGroupAuth ldapdn
    require group "Nagios Admins"
</Directory>

Alias /nagios "/usr/share/nagios/html"
<Directory "/usr/share/nagios/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    # ... [Repeat Auth Settings as above] ...
    require group "Nagios Admins"
</Directory>
```
In this configuration, mod_authz_ldap uses the provided credentials to search the Active Directory. It verifies both that the user exists and that they are a member of the required group (e.g., Nagios Admins).
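As an added check that is not part of the original post, the script below audits a config like the one above for two easy mistakes: a `<Directory>` block left without its auth settings, and a world-readable file holding AuthzLDAPBindPassword. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an Apache config that
# uses the mod_authz_ldap directives shown above.

# Print the path of every <Directory> block lacking AuthType or a require
# line, e.g. when the "repeat auth settings" step was skipped for one block.
# Assumes one directive per line and no spaces in the directory path.
unprotected_dirs() {
    awk '
        tolower($1) == "<directory" {
            dir = $2; gsub(/[">]/, "", dir); auth = 0; req = 0; inblk = 1; next
        }
        tolower($1) == "</directory>" {
            if (inblk && !(auth && req)) print dir
            inblk = 0; next
        }
        inblk && tolower($1) == "authtype" { auth = 1 }
        inblk && tolower($1) == "require"  { req = 1 }
    ' "$1"
}

# Succeed when the file stores AuthzLDAPBindPassword and is readable by "other".
bind_password_world_readable() {
    grep -Eiq '^[[:space:]]*AuthzLDAPBindPassword[[:space:]]' "$1" &&
        [ -n "$(find "$1" -prune -perm -004)" ]
}

# Constructed sample: the second block is missing its auth settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory "/usr/lib64/nagios/cgi-bin/">
    AuthType Basic
    AuthzLDAPBindPassword "typepasswordhere"
    require group "Nagios Admins"
</Directory>
<Directory "/usr/share/nagios/html">
    Options None
</Directory>
EOF
chmod 644 "$sample"

echo "Directory blocks without auth: $(unprotected_dirs "$sample")"
if bind_password_world_readable "$sample"; then
    echo "Bind password file is world-readable; tighten its mode (e.g. chmod 600)"
fi
rm -f "$sample"
```

httpd parses its configuration as root before dropping privileges, so the file holding the bind password can be owned by root with mode 600.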
Once the configuration is saved, restart Apache to apply the changes:
```
# service httpd restart
```
Restarting Apache enables Active Directory-based authentication for your Nagios instance, effectively bridging your infrastructure monitoring with your corporate identity management.