Nagios authentication with Active Directory

Many Nagios users have access to Active Directory as the main directory service provider. Therefore, it's a tempting idea to make an integration between those two systems for more simplified and centralized administration. The recipe below has been implemented successfully on a Fedora 6 system with Apache 2:

• Make sure that Apache has the following modules enabled (/etc/httpd.conf):

LoadModule ldap_module modules/mod_ldap.so

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

They should be enabled by default.

• Create an ordinary user in Active Directory for ldap lookup and a group for access regulation if you don't have already
• Update <Directory /> directive in /etc/httpd.conf:

<Directory />

Options FollowSymLinks

AllowOverride None

AuthBasicProvider ldap

AuthType Basic

AuthzLDAPAuthoritative off

AuthName "Active Directory Login"

AuthLDAPURL "ldap://dc1.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE

AuthLDAPBindDN "lookup-user-DN or lookupuser@your.domain"

AuthLDAPBindPassword lookup-user-password

require ldap-group group-DN without quotes

</Directory>

Tips:

1. You may experiment with port 389 if the port 3268 (Global Catalog) doesn't work for you.
2. You can replace require ldap-group .... directive with require valid-user if you want to give access to all authenticated users.
3. You may introduce faul tolerance by specifying multiple ldap providers:

AuthLDAPURL "ldap://dc1.domain.com:3268 dc2.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE

The idea can be extended further for automatic generation of Nagios contacts by using group membership in AD (A recipe about this subject will be published later).

Links:

 An excellent article about Apache and subversion authentication with Active Directory

Apache Module mod_authnz_ldap documentation