Nagios authentication with Active Directory
Submitted by itefix on Wed, 06/08/2008 - 15:42
Many Nagios users already have Active Directory as their main directory service, so it is tempting to integrate the two systems for simpler, centralized administration. The recipe below has been implemented successfully on a Fedora 6 system with Apache 2:
- Make sure that Apache has the following modules enabled (/etc/httpd.conf):
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
They should be enabled by default.
- Create an ordinary user in Active Directory for LDAP lookups and a group for access control, if you don't already have them.
- Update the <Directory /> directive in /etc/httpd.conf:
<Directory />
Options FollowSymLinks
AllowOverride None
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Active Directory Login"
AuthLDAPURL "ldap://dc1.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE
AuthLDAPBindDN "lookup-user-DN or lookupuser@your.domain"
AuthLDAPBindPassword lookup-user-password
require ldap-group group-DN without quotes
</Directory>
Tips:
- You may experiment with port 389 if port 3268 (Global Catalog) doesn't work for you.
- You can replace the require ldap-group ... directive with require valid-user if you want to give access to all authenticated users.
- You may introduce fault tolerance by specifying multiple LDAP servers:
AuthLDAPURL "ldap://dc1.domain.com:3268 dc2.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE
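With ldap:// and the NONE mode, the lookup user's bind password and each user's password cross the network to the domain controller unencrypted. The block below is an added example, not part of the original recipe, showing the same configuration over LDAPS; the CA file path, the group DN and the availability of LDAPS on the domain controllers are assumptions.

```apache
# Server level (outside any <Directory>): trust the CA that issued the
# domain controllers' certificates. The file path is an assumed placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem
# Reject the connection if the DC certificate does not verify (default is On).
LDAPVerifyServerCert On

<Directory />
    Options FollowSymLinks
    AllowOverride None

    # Basic auth sends the password with every request, so refuse plain HTTP
    # (requires mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthName "Active Directory Login"

    # Weak (as in the recipe): cleartext LDAP to the Global Catalog
    #   AuthLDAPURL "ldap://dc1.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE
    # Corrected: Global Catalog over SSL on 3269 (use 636 instead of 389),
    # with the same failover syntax as the recipe.
    AuthLDAPURL "ldaps://dc1.domain.com:3269 dc2.domain.com:3269/dc=your,dc=domain?sAMAccountName?sub" SSL

    # Placeholders from the recipe; keep httpd.conf readable by root only,
    # since the bind password is stored in it.
    AuthLDAPBindDN "lookupuser@your.domain"
    AuthLDAPBindPassword lookup-user-password

    # Constructed example DN; substitute your own access group.
    Require ldap-group CN=Nagios Users,OU=Groups,DC=your,DC=domain
</Directory>
```

On Apache 2.4 the AuthzLDAPAuthoritative directive no longer exists and must be dropped from the block.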
The idea can be extended to generate Nagios contacts automatically from group membership in AD (a recipe on this subject will be published later).
Links:
An excellent article about Apache and subversion authentication with Active Directory