Nagios authentication with Active Directory

Many Nagios users already run Active Directory as their main directory service, so it is tempting to integrate the two and administer Nagios logins centrally. The recipe below has been implemented successfully on a Fedora 6 system with Apache 2:


  • Make sure that Apache has the following modules loaded (in /etc/httpd.conf):
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

They should be enabled by default.

  • Create an ordinary user in Active Directory for LDAP lookups, and a group for regulating access, if you don't have them already
  • Update the <Directory /> section in /etc/httpd.conf:
<Directory />
Options FollowSymLinks
AllowOverride None
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Active Directory Login"
AuthLDAPURL "ldap://dc1.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE
AuthLDAPBindDN "lookup-user-DN or lookupuser@your.domain"
AuthLDAPBindPassword lookup-user-password
# the group DN is given without quotes
require ldap-group group-DN
</Directory>


Tips:

  1. You may experiment with port 389 if port 3268 (Global Catalog) doesn't work for you.
  2. You can replace the require ldap-group .... directive with require valid-user if you want to give access to all authenticated users.
  3. You may introduce fault tolerance by listing multiple LDAP servers in the URL:
AuthLDAPURL "ldap://dc1.domain.com:3268 dc2.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE
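As an added example (not part of the original post), here is the same recipe tightened up for a production host. The authentication block is scoped to the Nagios URL prefix rather than <Directory />, which would demand AD credentials for every path the server serves; the LDAP connection uses ldaps:// on the Global Catalog SSL port, so the lookup account's bind password and every user's password stay off the wire in cleartext; and the failover form from tip 3 is used. The /nagios prefix, the CA certificate path and the group DN cn=nagios-admins,ou=groups,dc=your,dc=domain are assumptions, not values from the post.

```apache
# Added example, not from the original post. Assumed: Nagios is served under the
# /nagios URL prefix, the CA that signed the domain controllers' certificates has
# been exported to /etc/pki/tls/certs/ad-ca.pem, and administrators are members of
# cn=nagios-admins,ou=groups,dc=your,dc=domain. httpd.conf comments must start at
# the beginning of a line; trailing comments are a syntax error.

# Server-wide (outside any <Location>): trust the AD CA so that the ldaps://
# connections below are actually verified instead of silently failing.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem

<Location /nagios>
    AuthType Basic
    AuthName "Active Directory Login"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off

    # Two domain controllers for failover (tip 3), queried on the Global Catalog
    # SSL port 3269 instead of plain 3268. The trailing filter restricts matches
    # to user objects.
    AuthLDAPURL "ldaps://dc1.domain.com:3269 dc2.domain.com:3269/dc=your,dc=domain?sAMAccountName?sub?(objectClass=user)" SSL

    # Lookup account. The password is stored in plaintext, so keep httpd.conf
    # readable by root only; httpd reads it before dropping privileges.
    AuthLDAPBindDN "lookupuser@your.domain"
    AuthLDAPBindPassword lookup-user-password

    # AD lists members as DNs in the "member" attribute. The group DN is given
    # without quotes. This Apache 2.2-era configuration does not follow nested
    # groups, so put accounts directly into this group.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=nagios-admins,ou=groups,dc=your,dc=domain
</Location>
```

Run apachectl configtest before restarting httpd. If logins fail afterwards, raise LogLevel to debug temporarily and watch /var/log/httpd/error_log: mod_authnz_ldap reports whether the bind with the lookup account succeeded, which DN the sAMAccountName search returned, and whether that DN was found in the group's member attribute, which pinpoints the failing step without guessing.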

The idea can be extended further for automatic generation of Nagios contacts by using group membership in AD (A recipe about this subject will be published later).


Links:

  • An excellent article about Apache and subversion authentication with Active Directory
  • Apache Module mod_authnz_ldap documentation