Nagios LDAP Authentication
LDAP authentication in Nagios 3.2.3 on CentOS 5.5
Enabling LDAP authentication in Nagios has been one of those things that I've been putting off for a while. It took me three hours to finally get it, but it is working - thank god. I'd like to share with you the configuration changes that made LDAP authentication work in Nagios 3.2.3 on a CentOS 5.5 install.
1. Make sure that Nagios and Apache are installed correctly.
2. The following module should exist in your /etc/httpd/httpd.conf file:
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
If not, install the package with the following command:
yum install mod_authz_ldap.i386
3. Next, change the /etc/openldap/ldap.conf file. Add the following line:
REFERRALS off
4. Edit the /etc/httpd/conf.d/nagios.conf file and tailor it to your LDAP environment. Here's a sanitized version of my configuration:
ScriptAlias /nagios/cgi-bin "/usr/lib/nagios/cgi"
<Directory "/usr/lib/nagios/cgi">
    # SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthLDAPURL "ldap://test.domain.edu:389/OU=Specific,OU=Branch,OU=School,DC=test,DC=edu?sAMAccountName?one?(objectClass=user)" NONE
    AuthLDAPBindDN "CN=NagiosUser,OU=School,DC=test,DC=edu"
    AuthLDAPBindPassword "mypassword"
    require valid-user
</Directory>
Alias /nagios "/usr/share/nagios"
<Directory "/usr/share/nagios">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "LDAP Authentication"
    AuthLDAPURL "ldap://test.domain.edu:389/OU=Specific,OU=Branch,OU=School,DC=test,DC=edu?sAMAccountName?one?(objectClass=user)" NONE
    AuthLDAPBindDN "CN=NagiosUser,OU=School,DC=test,DC=edu"
    AuthLDAPBindPassword "mypassword"
    require ldap-attribute objectClass=user
</Directory>
5. The final piece is changing the cgi.cfg file. You'll receive CGI authentication errors if you do not take this step. Here are the changes that I made to fix that issue:
These are the original directives that I commented out:
grep "#" /etc/nagios/cgi.cfg | grep -i "nagiosadmin"
#authorized_for_system_information=nagiosadmin
#authorized_for_configuration_information=nagiosadmin
#authorized_for_system_commands=nagiosadmin
#authorized_for_all_services=nagiosadmin
#authorized_for_all_hosts=nagiosadmin
#authorized_for_all_service_commands=nagiosadmin
#authorized_for_all_host_commands=nagiosadmin
Replace all of the "nagiosadmin" entries with "*". This gives every LDAP-authenticated user access to all of Nagios's functionality, including the system, host and service commands covered by the directives above.
grep "*" /etc/nagios/cgi.cfg | grep -v "#"
authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*
Finally, restart Apache and Nagios:
/etc/init.d/httpd restart; /etc/init.d/nagios restart
Log into Nagios via LDAP and enjoy!
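An added example, not part of the original post: a small Python audit of the two files edited in steps 4 and 5. It flags Directory blocks that send LDAP binds in cleartext (ldap:// with NONE) or use Basic auth while SSLRequireSSL is commented out, and lists the cgi.cfg directives that "*" opens to every authenticated user. The function names and sample inputs are constructed for illustration.

```python
import re
import shlex

# Constructed sample input, modelled on the configuration shown on this page.
SAMPLE_NAGIOS_CONF = '''\
<Directory "/usr/lib/nagios/cgi">
# SSLRequireSSL
AuthType Basic
AuthLDAPURL "ldap://test.domain.edu:389/OU=School,DC=test,DC=edu?sAMAccountName?one?(objectClass=user)" NONE
</Directory>
'''
SAMPLE_CGI_CFG = '''\
#authorized_for_system_commands=nagiosadmin
authorized_for_system_commands=*
authorized_for_all_hosts=*
'''

def active(text):
    """Return directive lines, skipping blank lines and '#' comments."""
    lines = (raw.strip() for raw in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit_apache(text):
    """Flag <Directory> blocks using cleartext LDAP or Basic auth without SSL."""
    findings = []
    blocks = re.findall(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', text, re.S | re.I)
    for path, body in blocks:
        words = [shlex.split(line) for line in active(body)]
        names = {w[0].lower() for w in words}
        for w in words:
            if w[0].lower() == "authldapurl" and len(w) > 1:
                # Assumption: an omitted mode means NONE (LDAPTrustedMode is not considered).
                mode = w[2].upper() if len(w) > 2 else "NONE"
                if w[1].lower().startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
                    findings.append((path, "ldap-cleartext"))
            if [x.lower() for x in w[:2]] == ["authtype", "basic"] and "sslrequiressl" not in names:
                findings.append((path, "basic-auth-without-sslrequiressl"))
    return findings

def audit_cgi_cfg(text):
    """Return authorized_for_* directives that grant access to every authenticated user."""
    pairs = [line.partition("=") for line in active(text)]
    return [k.strip() for k, _, v in pairs
            if k.strip().startswith("authorized_for_") and "*" in [x.strip() for x in v.split(",")]]

if __name__ == "__main__":
    print(audit_apache(SAMPLE_NAGIOS_CONF), audit_cgi_cfg(SAMPLE_CGI_CFG))
```

To audit a live install, pass the contents of /etc/httpd/conf.d/nagios.conf and /etc/nagios/cgi.cfg to the two functions.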