Nagios authentication with Active Directory

Nov 4, 2015 12:00:00 AM

Nagios authentication with Active Directory (AD) aligns with user management consolidation policies in most organizations. This post explains how to set up Nagios authentication with Active Directory while using Apache as the web server.

To achieve this, we use mod_authz_ldap, an Apache LDAP authorization module that authorizes users based on the results of an LDAP query.

1. Prerequisites and Installation

Before configuring the authentication, you need to install the necessary modules and clients on your Nagios server.

Installing LDAP Modules

First, install the Apache LDAP authorization module and the OpenLDAP client tools (useful for troubleshooting and testing connectivity).

# yum install mod_authz_ldap
# yum install openldap-clients

Verifying Apache Configuration

Ensure the module is properly loaded in your Apache configuration. Check the following file: /etc/httpd/conf.d/authz_ldap.conf

LoadModule authz_ldap_module modules/mod_authz_ldap.so 

2. Interacting with Active Directory via LDAP

Active Directory isn't exactly the "talk to strangers" type; it will not allow an LDAP client to operate against it anonymously. Therefore, a user DN and password with minimum permissions are required for "binding."

The Necessity of Bind Credentials

For example, you might use a service account like:

CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org

Note: The CN attribute corresponds to the Display Name of the account in Active Directory.

Testing Group Membership with ldapsearch

In this example, we want to enable access to all members of the Pythian group who also have membership in the Nagios Admins group. Use ldapsearch to verify you can see the group members:

# ldapsearch -x -LLL -D 'CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org' \
    -W -H ldap://192.168.1.1 \
    -b 'CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org'

Retrieving User Details

To find the specific details of a user account (e.g., jminto), run:

# ldapsearch -x -LLL -D 'CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org' \
    -W -H ldap://192.168.1.1 \
    -b 'CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org' \
    -s sub "sAMAccountName=jminto"

Understanding ldapsearch Switches

Switch    Description
-x        Use simple authentication instead of SASL.
-L(LL)    Displays results in LDIF format (varying levels of detail).
-D        The Distinguished Name (binddn) used to bind to the directory.
-W        Prompt for the password (safer than typing it in the command).
-H        Specify the URI of the LDAP server.
-b        Use this as the starting point (searchbase) for the search.
-s        Specify the scope: base, one, sub, or children.

3. Configuring Apache for LDAP Authentication

Now, integrate these LDAP parameters into your Nagios Apache configuration. Parameters in mod_authz_ldap are used to validate the user exactly as we did with ldapsearch.

Updating the Nagios Configuration File

Edit /etc/httpd/conf.d/nagios.conf to include the LDAP directives:

# /etc/httpd/conf.d/nagios.conf

ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
<Directory "/usr/lib64/nagios/cgi-bin/">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all

   AuthName "Nagios Access"
   AuthType Basic
   AuthzLDAPMethod ldap
   AuthzLDAPServer "192.168.1.1"
   AuthzLDAPBindDN "CN=Nagios User,CN=Users,DC=hq,DC=CORP,DC=abc,DC=org"
   AuthzLDAPBindPassword "typepasswordhere"
   AuthzLDAPUserKey sAMAccountName
   AuthzLDAPUserBase "CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org"
   AuthzLDAPUserScope subtree
   AuthzLDAPGroupKey cn
   AuthzLDAPMemberKey member
   AuthzLDAPSetGroupAuth ldapdn
   require group "Nagios Admins"
</Directory>

Alias /nagios "/usr/share/nagios/html"
<Directory "/usr/share/nagios/html">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all

   # ... [Repeat Auth Settings as above] ...
   require group "Nagios Admins"
</Directory>

4. Finalizing the Setup

In this configuration, mod_authz_ldap uses the provided credentials to search the Active Directory. It verifies both that the user exists and that they are a member of the required group (e.g., Nagios Admins).

Once the configuration is saved, restart Apache to apply the changes:

# service httpd restart 

Restarting Apache enables Active Directory-based authentication for your Nagios instance, effectively bridging your infrastructure monitoring with your corporate identity management.
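
The group check that require group "Nagios Admins" depends on can be reproduced offline from ldapsearch output, which is useful when a login is refused and you need to see whether the user's DN is really listed under the group's member attribute. The shell functions below are an added example, not part of the original post or of mod_authz_ldap; the user DNs and the Nagios Admins group DN in the sample LDIF are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). The sample LDIF below is constructed.

# Join LDIF continuation lines: a line starting with one space continues the
# previous line. ldapsearch wraps long DNs this way.
ldif_unfold() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1         { print buf }
                        { buf = $0 }
         END            { if (NR) print buf }'
}

# ldif_group_has_member GROUP_CN USER_DN   (LDIF on stdin)
# Exit 0: USER_DN is listed as a member of GROUP_CN.
# Exit 1: not listed, or the group is not in the input.
# Exit 2: undecided; the group has base64 "member::" values (not decoded here).
# DNs are compared case-insensitively as plain strings (a simplification).
ldif_group_has_member() {
    ldif_unfold | WANT_CN="$1" WANT_DN="$2" awk '
        function finish_entry() {
            if (tolower(cn) == tolower(ENVIRON["WANT_CN"])) {
                if (hit) found = 1
                else if (b64) undecided = 1
            }
            cn = ""; hit = 0; b64 = 0
        }
        /^$/         { finish_entry(); next }
        /^cn: /      { cn = substr($0, 5) }
        /^member:: / { b64 = 1 }
        /^member: /  { if (tolower(substr($0, 9)) == tolower(ENVIRON["WANT_DN"])) hit = 1 }
        END          { finish_entry(); exit (found ? 0 : (undecided ? 2 : 1)) }'
}

# Constructed sample of `ldapsearch -LLL ... cn member` output (hypothetical users).
sample_ldif() {
    cat <<'EOF'
dn: CN=Nagios Admins,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org
cn: Nagios Admins
member: CN=Example User One,OU=Staff And Contractors,DC=hq,DC=CORP,DC=ab
 c,DC=org

dn: CN=Pythian,OU=Internal Groups,DC=hq,DC=CORP,DC=abc,DC=org
cn: Pythian
member: CN=Example User Two,OU=Staff And Contractors,DC=hq,DC=CORP,DC=abc,DC=org
EOF
}

# Live use (BIND_DN, GROUP_DN, USER_DN are placeholders you set yourself):
#   ldapsearch -x -LLL -D "$BIND_DN" -W -H ldap://192.168.1.1 -b "$GROUP_DN" cn member | ldif_group_has_member "Nagios Admins" "$USER_DN"
```

A plain grep for the user DN misses the first sample member because ldapsearch wrapped it across two lines; unfolding first is what makes the comparison reliable.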
