Active Directory integration with Nagios using LDAP, and assigning different permissions to users in Nagios
To use Active Directory for user authentication on the Nagios front end, we need to make changes in the httpd.conf and cgi.cfg files. Before that, we need one normal user in Active Directory to access and bind with Windows Active Directory. The LDAP module for Apache is installed and enabled by default.
Suppose:-
- We have the Windows Active Directory domain domainname.com.
- We have created one normal user in Active Directory named nagios, with password P@55w0rd, and the password is set to never expire.
- We want to give three different users, sandeep, atul and ramesh, in the Pune organizational unit in Active Directory, different levels of permission: full access to all hosts, services and commands; limited access to only services and commands; and read-only access.
Integrate Active Directory with the LDAP module in Apache for Nagios:-
Check whether the LDAP module is installed and enabled in Apache with the cat command:
# cat /etc/httpd/conf/httpd.conf | grep ldap
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
(If you see the result above, the module is enabled. If you see nothing, the LDAP module may not be installed on your system.)
Write the directives with the Active Directory configuration information in the httpd.conf file.
# vi /etc/httpd/conf/httpd.conf
<Directory />
    Options FollowSymLinks
    AllowOverride None
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative off
    AuthName "Active Directory Login"
    AuthLDAPURL "ldap://192.168.100.1:3268/dc=domainname,dc=com?sAMAccountName?sub" NONE
    AuthLDAPBindDN "nagios@domainname.com"
    AuthLDAPBindPassword "P@55w0rd"
    require ldap-user "CN=Atul Chaudhari,OU=Pune,DC=domainname,DC=com"
    require ldap-user "CN=Sandeep Kapadane,OU=Pune,DC=domainname,DC=com"
    require ldap-user "CN=Ramesh Jadhav,OU=Pune,DC=domainname,DC=com"
</Directory>
Now restart nagios and httpd for the changes to take effect.
# service nagios restart
# service httpd restart
Now try to access Nagios in your browser. When it asks for authentication, give the Active Directory credentials of a user that you just mentioned in the httpd.conf file. It will allow you to log in to Nagios, but you don't have permission to see any host, service or configuration information, as shown in the screenshot.
For that, you have to make some changes in the cgi.cfg file for user permissions.
(Note that user names are case sensitive for permissions. For example, when authenticating you have to use the same case as given in this file, otherwise it will not show you any hosts, services or commands.)
There are different sets of permissions in the cgi file:-
- SYSTEM/PROCESS INFORMATION ACCESS.
- CONFIGURATION INFORMATION ACCESS.
- SYSTEM/PROCESS COMMAND ACCESS.
- GLOBAL HOST/SERVICE VIEW ACCESS.
- GLOBAL HOST/SERVICE COMMAND ACCESS.
- READ-ONLY USERS
Set permissions for users:-
# vi /etc/nagios/cgi.cfg
# SYSTEM/PROCESS COMMAND ACCESS
authorized_for_system_commands=nagiosadmin,sandeepk
# GLOBAL HOST/SERVICE VIEW ACCESS
authorized_for_all_services=nagiosadmin,sandeepk,atulc,rameshj
authorized_for_all_hosts=nagiosadmin,sandeepk,atulc,rameshj
# GLOBAL HOST/SERVICE COMMAND ACCESS
authorized_for_all_service_commands=nagiosadmin,sandeepk,atulc
authorized_for_all_host_commands=nagiosadmin,sandeepk
# READ-ONLY USERS
authorized_for_read_only=rameshj
Now restart nagios and httpd for the changes to take effect.
# service nagios restart
# service httpd restart
Now, as per the cgi configuration file, different users get different sets of permissions in the Nagios front end.
To use both a local file and LDAP for authentication, you have to use AuthBasicProvider ldap file
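To confirm that each user ended up in the intended tier, and that no name appears in two spellings (see the case-sensitivity note above), the cgi.cfg grants can be listed per user. This is an added example, not part of the original post; the function names cgi_matrix and cgi_case_clash are hypothetical, and the sample input is the set of cgi.cfg lines shown in this post.

```shell
#!/bin/sh
# Added example (not from the original post): summarise cgi.cfg grants per user.

# The cgi.cfg lines shown in this post, embedded as sample input.
sample_cgi_cfg() {
cat <<'EOF'
authorized_for_system_commands=nagiosadmin,sandeepk
authorized_for_all_services=nagiosadmin,sandeepk,atulc,rameshj
authorized_for_all_hosts=nagiosadmin,sandeepk,atulc,rameshj
authorized_for_all_service_commands=nagiosadmin,sandeepk,atulc
authorized_for_all_host_commands=nagiosadmin,sandeepk
authorized_for_read_only=rameshj
EOF
}

# Read cgi.cfg text on stdin; print "user<TAB>grant,grant,..." per user,
# grants listed in file order with the "authorized_for_" prefix removed.
cgi_matrix() {
    awk -F= '
        /^[ \t]*authorized_for_/ {
            key = $1; gsub(/[ \t]/, "", key)
            sub(/^authorized_for_/, "", key)
            n = split($2, users, ",")
            for (i = 1; i <= n; i++) {
                u = users[i]; gsub(/[ \t\r]/, "", u)
                if (u == "") continue
                if (u in grants) grants[u] = grants[u] "," key
                else grants[u] = key
            }
        }
        END { for (u in grants) printf "%s\t%s\n", u, grants[u] }
    ' | LC_ALL=C sort
}

# Read cgi.cfg text on stdin; print groups of user names that differ only by
# letter case. Matching is case sensitive, so each spelling gets separate grants.
cgi_case_clash() {
    cgi_matrix | cut -f1 | awk '
        {
            l = tolower($0); n[l]++
            if (l in names) names[l] = names[l] " " $0
            else names[l] = $0
        }
        END { for (l in n) if (n[l] > 1) print names[l] }
    '
}

# Demo on the embedded sample; on a server use: cgi_matrix < /etc/nagios/cgi.cfg
sample_cgi_cfg | cgi_matrix
```

A user listed under authorized_for_read_only who also shows a command grant in this output is worth a second look, since the two settings contradict each other.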
Thank you
how do you do this on Nagios3