Apache LDAP login and Nagios LDAP

I had a problem with Nagios: I needed to set up LDAP access and I didn't know how to do it. After googling for a while
I found out that the solution was to set up LDAP access for Apache and make a few configuration changes in Nagios.
The first interesting read is this one: https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3/html/Administration_Guide/sect-Nagios_Advanced_Configuration.html

All of this was done on a CentOS 6 server.

Apache LDAP login

Basically I set up the Nagios Apache file for LDAP access. These rules are generic Apache configuration: in my case I apply them to Nagios, but you can use them for any Apache service.

First of all we need to check that the LDAP modules are enabled in the Apache configuration:

vim /etc/httpd/conf/httpd.conf
...
LoadModule ldap_module modules/mod_ldap.so 
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
...

Then add the following to the nagios.conf Apache file. In my example:

LDAP server: 192.168.10.10
bind user: mybinduser
bind user password: mybindpassword
BaseDN: OU=Accounts,DC=hostrich,DC=com

vim /etc/httpd/conf.d/nagios.conf
<Directory /yourpath>
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthName "LDAP Authentication for Nagios Monitoring"
AuthLDAPURL "ldap://192.168.10.10:389/OU=Accounts,DC=hostrich,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=mybinduser,CN=MyUsers,DC=hostrich,DC=com"
AuthLDAPBindPassword "mybindpassword"
Require valid-user
</Directory>

Before going mad trying to find out why it is not working, remember to open port 389 in iptables.

If you use virtual hosts, you need to put the same LDAP setup in the virtual host file for Nagios.
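As an added example (not part of the original post), the script below checks the points above before you restart httpd: that both LDAP modules are loaded (a commented-out LoadModule line does not count), that the <Directory> block carries every directive it needs, and that the file contains no typographic quotes, which a copy-and-paste from a web page often introduces and which httpd treats as part of the value rather than as quotes. The two config files are constructed inline so the script runs offline; the function names, the placeholder path /path/to/nagios/cgi-bin and the temporary directory are assumptions, and on the server the real inputs are /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/nagios.conf.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the Apache
# LDAP set-up. Sample config files are constructed below (placeholder path,
# sample bind password) so that everything runs offline.

# Directives a mod_authnz_ldap Basic-auth block needs.
REQUIRED_DIRECTIVES="AuthType AuthBasicProvider AuthLDAPURL AuthLDAPBindDN AuthLDAPBindPassword Require"

# 0 if both LDAP modules are loaded; a commented-out LoadModule does not match.
has_ldap_modules() {
  grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ldap_module[[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+authnz_ldap_module[[:space:]]' "$1"
}

# Print each required directive that is absent from the site config.
missing_directives() {
  for d in $REQUIRED_DIRECTIVES; do
    grep -Eq "^[[:space:]]*$d[[:space:]]" "$1" || printf '%s\n' "$d"
  done
}

# 0 if the file has no typographic quotes (U+2018, U+2019, U+201C, U+201D).
# httpd reads those as ordinary characters of the value, so a password pasted
# as “secret” is sent to the LDAP server with the curly quotes included.
has_only_ascii_quotes() {
  pat=$(printf '\342\200[\230\231\234\235]')
  ! LC_ALL=C grep -q "$pat" "$1"
}

# Run all checks, report each problem, return 0 only if everything passes.
check_ldap_auth_config() {
  httpd_conf=$1
  site_conf=$2
  rc=0
  has_ldap_modules "$httpd_conf" ||
    { echo "ldap_module or authnz_ldap_module not loaded in $httpd_conf"; rc=1; }
  missing=$(missing_directives "$site_conf")
  [ -z "$missing" ] ||
    { echo "missing in $site_conf:" $missing; rc=1; }
  has_only_ascii_quotes "$site_conf" ||
    { echo "typographic quotes in $site_conf (retype them as plain ASCII quotes)"; rc=1; }
  return $rc
}

# --- constructed sample inputs -------------------------------------------
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/httpd.conf" <<'EOF'
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
EOF

# Same, but with mod_ldap disabled (commented out).
cat > "$SAMPLE_DIR/httpd-nomod.conf" <<'EOF'
#LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
EOF

# The <Directory> block from the post, typed with plain ASCII quotes.
cat > "$SAMPLE_DIR/nagios-good.conf" <<'EOF'
<Directory /path/to/nagios/cgi-bin>
  Options ExecCGI
  AllowOverride None
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthName "LDAP Authentication for Nagios Monitoring"
  AuthLDAPURL "ldap://192.168.10.10:389/OU=Accounts,DC=hostrich,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN "CN=mybinduser,CN=MyUsers,DC=hostrich,DC=com"
  AuthLDAPBindPassword "mybindpassword"
  Require valid-user
</Directory>
EOF

# The same block pasted from a web page: curly quotes and no bind DN.
cat > "$SAMPLE_DIR/nagios-bad.conf" <<'EOF'
<Directory /path/to/nagios/cgi-bin>
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://192.168.10.10:389/OU=Accounts,DC=hostrich,DC=com?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindPassword “mybindpassword”
  Require valid-user
</Directory>
EOF

check_ldap_auth_config "$SAMPLE_DIR/httpd.conf" "$SAMPLE_DIR/nagios-good.conf" && echo "good config: ok"
check_ldap_auth_config "$SAMPLE_DIR/httpd-nomod.conf" "$SAMPLE_DIR/nagios-bad.conf" || echo "bad config: rejected"
```

On the server, run it as `check_ldap_auth_config /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/nagios.conf` and only then `service httpd restart`; the quote check is the one that saves the most time, because httpd starts fine with a curly-quoted password and the only symptom is a failed LDAP bind.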

Nagios LDAP configuration

The only thing to do for Nagios is to set user permissions in the Nagios cgi.cfg file:

vim /etc/nagios/cgi.cfg
authorized_for_system_information=*
authorized_for_configuration_information=ldapuser1,ldapuser2
authorized_for_system_commands=ldapuser1,ldapuser2
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

In this example ldapuser1 and ldapuser2 are the only two users with administrator rights; all other users can log in to Nagios as normal users.
Remember to restart Nagios and Apache before testing whether it works.

service nagios restart
service httpd restart

Hide bind user password

I haven't found a way to hide or encrypt the bind user password in /etc/httpd/conf.d/nagios.conf.
I have tried the option

AuthLDAPBindPassword exec:myfunction

but it doesn't seem to work.
So I used a crude solution:

chmod 600 /etc/httpd/conf.d/nagios.conf

so only the root user can open the file. If anyone finds a better solution, please leave a comment.
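As an added example (not part of the original post), the script below audits a configuration tree for the situation the chmod above is meant to prevent: a file that embeds AuthLDAPBindPassword but is still readable by group or others. It builds a small constructed directory under mktemp so it runs offline; on the server you would pass /etc/httpd instead. The function names are assumptions, and the mode check relies on GNU `stat -c '%a'`, which CentOS has.

```shell
#!/bin/sh
# Added example, not from the original post: find .conf files that embed an
# AuthLDAPBindPassword and are readable beyond their owner. Sample files are
# constructed below so the script runs offline.

# Print "<mode> <path>" for every .conf file under $1 that contains an
# AuthLDAPBindPassword directive and grants any permission to group or other.
exposed_bind_password_files() {
  find "$1" -type f -name '*.conf' | while IFS= read -r f; do
    grep -q '^[[:space:]]*AuthLDAPBindPassword[[:space:]]' "$f" || continue
    mode=$(stat -c '%a' "$f")             # e.g. 644 (GNU stat)
    go=$(printf '%s' "$mode" | tail -c 2)  # last two octal digits: group, other
    [ "$go" = "00" ] || printf '%s %s\n' "$mode" "$f"
  done
}

# 0 if no file with an embedded bind password is readable beyond its owner.
bind_passwords_locked_down() {
  [ -z "$(exposed_bind_password_files "$1")" ]
}

# --- constructed sample tree ----------------------------------------------
AUDIT_DIR=$(mktemp -d)
mkdir "$AUDIT_DIR/conf.d"
printf 'AuthLDAPBindPassword "mybindpassword"\n' > "$AUDIT_DIR/conf.d/nagios.conf"
printf 'ServerName nagios.example.invalid\n' > "$AUDIT_DIR/conf.d/other.conf"
chmod 644 "$AUDIT_DIR/conf.d/nagios.conf" "$AUDIT_DIR/conf.d/other.conf"

exposed_bind_password_files "$AUDIT_DIR"     # reports 644 .../conf.d/nagios.conf
chmod 600 "$AUDIT_DIR/conf.d/nagios.conf"    # the workaround from the post
bind_passwords_locked_down "$AUDIT_DIR" && echo "no exposed bind passwords"
```

Run `exposed_bind_password_files /etc/httpd` as root after any edit to the Apache configuration; a package update or a careless `cp` can silently put the file back to 644, and this is a cheap check to put in cron or a configuration-management run.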

I hope this helps someone else; any comment or revision is appreciated.

Thanks

One Comment

  1. Richard Davis

    Thanks for sharing. You’ve no idea how much this has helped. I was almost ready to give up!!
