Many Nagios users already rely on Active Directory as their main directory service, so it is tempting to integrate the two systems for simpler, centralized administration. The recipe below has been implemented successfully on a Fedora 6 system with Apache 2:
- Make sure that Apache has the following modules enabled (/etc/httpd.conf):
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  They should be enabled by default.
- Create an ordinary user in Active Directory for LDAP lookups and a group for access control, if you don't already have them.
- Update the <Directory /> directive in /etc/httpd.conf:
    # Basic auth backed by mod_authnz_ldap; the bind password is the lookup user's (placeholder)
    AuthType Basic
    AuthName "Active Directory Login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://dc1.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE
    AuthLDAPBindDN "lookup-user-DN or email@example.com"
    AuthLDAPBindPassword "lookup-user-password"
    require ldap-group group-DN without quotes
- You may experiment with port 389 if port 3268 (Global Catalog) doesn't work for you.
- You can replace the require ldap-group .... directive with require valid-user if you want to give access to all authenticated users.
- You may introduce fault tolerance by specifying multiple LDAP providers:
    AuthLDAPURL "ldap://dc1.domain.com:3268 dc2.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE
The idea can be extended further for automatic generation of Nagios contacts by using group membership in AD (A recipe about this subject will be published later).
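The recipe's AuthLDAPURL uses ldap:// with mode NONE, so the lookup bind and every user's password cross the network to the domain controller unencrypted. The following is an added example, not part of the original recipe, showing that setting beside an encrypted variant; it assumes the domain controllers present certificates for LDAP over SSL, and the CA file path, Nagios CGI directory, DNs and password are placeholders.

```apache
# Added example, not from the original recipe. Hostnames and base DN are the
# recipe's own; the CA path, CGI directory, DNs and password are placeholders.

# Server level (outside any <Directory>): trust the CA that issued the
# domain controller certificates and reject certificates that do not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-root-ca.pem
LDAPVerifyServerCert On

# Weak (the recipe's form): plain LDAP, no encryption to the DC.
#   AuthLDAPURL "ldap://dc1.domain.com:3268/dc=your,dc=domain?sAMAccountName?sub" NONE

<Directory "/usr/lib/nagios/cgi-bin">
    # Basic auth resends the password with every request, so refuse plain HTTP
    # (requires mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthName "Active Directory Login"
    AuthBasicProvider ldap

    # Hardened: LDAP over SSL. 3269 is the Global Catalog SSL port;
    # 636 is the SSL counterpart of port 389.
    AuthLDAPURL "ldaps://dc1.domain.com:3269 dc2.domain.com:3269/dc=your,dc=domain?sAMAccountName?sub" SSL

    # Unprivileged lookup account. The password sits in this file in clear
    # text, so the file should be readable by root only.
    AuthLDAPBindDN "CN=nagios-lookup,OU=Service Accounts,DC=your,DC=domain"
    AuthLDAPBindPassword "REPLACE_WITH_LOOKUP_PASSWORD"

    Require ldap-group CN=nagios-admins,OU=Groups,DC=your,DC=domain
</Directory>
```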