Nagios core 4.3.4 LDAP and authorization


Postby emi65 » Fri Jun 08, 2018 8:52 am

Hi
I'm using Nagios Core 4.3.4
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Oct 3 2017 09:37:04

I enabled LDAP authentication, using an LDAP group to validate access.
I put this in /etc/httpd/conf.d/nagios.conf:
...
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group cn=ggUtentiDire3532,OU=XXXX,OU=XXXX,OU=XXXX,DC=sedi,DC=group
....

so I enable the users belonging to ggUtentiDire3532 to get into the Nagios web interface.
In cgi.cfg I configured:
authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

In this way all users inside the AD group ggUtentiDire3532 are able to get into Nagios and see and operate on all hosts and services.

I need to know how a single user (i.e. A0001) present in the AD group ggUtentiDire3532 can see and operate on a limited group of servers.

Could someone help me?
Regards
Emilio
emi65
 
Posts: 109
Joined: Fri Aug 17, 2012 3:41 am

Re: Nagios core 4.3.4 LDAP and authorization

Postby kyang » Fri Jun 08, 2018 2:52 pm

Since you have created that contact and set the .cgi permissions, you would just need to set that user to the specific hosts/services that you only want them to be able to view.

But right now, you have him authorized to view all hosts/services.
Code:
authorized_for_all_services=*
authorized_for_all_hosts=*


Using something like this as an example:
Code:
define host {
        use                 host-generic
        host_name           Some Server
        alias               Some Application Server Description
        address             192.168.52.5
        contacts            User
}


This way, he could only view the host "Some Server".

This is for XI, but the same concepts apply to Core.
https://assets.nagios.com/downloads/nag ... 1521646370
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
kyang
Support Tech
 
Posts: 1792
Joined: Tue Jul 25, 2017 3:35 pm

Re: Nagios core 4.3.4 LDAP and authorization

Postby emi65 » Mon Jun 11, 2018 8:11 am

Hi Kyang

I followed your instructions.
In cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

In Server.cfg:
define host {
use host-generic
host_name Some Server
alias Some Application Server Description
address 192.168.52.5
contacts GS01068
}

I created contact GS01068

LDAP authenticates my user to get into the Nagios web interface, but I see all servers.

I'm using Nagios core 4.3.4

Thanks
Emilio
emi65
 
Posts: 109
Joined: Fri Aug 17, 2012 3:41 am

Re: Nagios core 4.3.4 LDAP and authorization

Postby emi65 » Mon Jun 11, 2018 8:48 am

Hi Kyang

Your suggestion WORKS when I DON'T USE LDAP authentication.

So, if I put in
/etc/httpd/conf.d/nagios.conf
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user

I add the user GS01068 into /etc/nagios/passwd
htpasswd -b /etc/nagios/passwd GS01068 mypassword

and apply your suggestion, then the user GS01068 can see only one host (where I put contacts GS01068).

When I use LDAP authentication your suggestion doesn't work.

Do you have any other tests to do?

Thanks for all your help

Emilio
emi65
 
Posts: 109
Joined: Fri Aug 17, 2012 3:41 am

Re: Nagios core 4.3.4 LDAP and authorization

Postby kyang » Mon Jun 11, 2018 12:03 pm

Sorry,

What I meant was that currently you have it set so that every user can view all hosts and services:
Code:
authorized_for_all_services=*
authorized_for_all_hosts=*


Try changing it so that, let's say, only nagiosadmin can view all hosts/services:
Code:
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin


Let me know if that works.
kyang
Support Tech
 
Posts: 1792
Joined: Tue Jul 25, 2017 3:35 pm

Re: Nagios core 4.3.4 LDAP and authorization

Postby emi65 » Tue Jun 12, 2018 1:56 am

Kyang

Your solution works ONLY if you use Basic authentication
I set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

/etc/httpd/conf.d/nagios.conf
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user

I add the user GS01068 into /etc/nagios/passwd
htpasswd -b /etc/nagios/passwd GS01068 mypassword

The user GS01068 can see only one host (where I put contacts GS01068)

So when I have the above config, everything works as you have described.

BUT if I activate LDAP authentication, I set in /etc/httpd/conf.d/nagios.conf
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP Authentication"
AuthLDAPURL ldap://ldap-sedi.sedi-direzioni.group:3 ... ass=person)
AuthLDAPBindDN "CN=GS01068 FRINI EMILIO,OU=Utenti,OU=XXXXX,OU=XXXXX,OU=XXXXXXXX,DC=sedi-direzioni,DC=group"
AuthLDAPBindPassword "XXXXXX"
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member

your solution doesn't work

thanks
Emilio
emi65
 
Posts: 109
Joined: Fri Aug 17, 2012 3:41 am

Re: Nagios core 4.3.4 LDAP and authorization

Postby scottwilkerson » Wed Jun 13, 2018 8:57 am

Here is a guide on the Internet
https://wellsie.net/p/380/

As pointed out before, this is wrong
Code:
authorized_for_all_services=*
authorized_for_all_hosts=*


That is for assigning access to ALL people.

Individual access comes from adding the username used to log in to a contact in the configuration and assigning that contact to a host/service.

You CANNOT assign privileges based on LDAP groups; that functionality does not exist.
scottwilkerson
DevOps Engineer
 
Posts: 18623
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Nagios core 4.3.4 LDAP and authorization

Postby emi65 » Wed Jun 13, 2018 9:17 am

I agree with you, but I can use almost 2 types of authentication:
LDAP and passwd files

In both cases I set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

When I use passwd file authentication I can show user1 a host where the host contact is user1.

When I use LDAP authentication I CAN NOT show user1 a host where the host contact is user1,
but user1 sees all hosts.

So, it seems that the solution to show a user a limited number of hosts works ONLY with passwd file authentication
and not with LDAP authentication.

My question is: IS IT A BUG?

Is there documentation about this limitation (or feature)?

thanks
Emilio
emi65
 
Posts: 109
Joined: Fri Aug 17, 2012 3:41 am

Re: Nagios core 4.3.4 LDAP and authorization

Postby scottwilkerson » Wed Jun 13, 2018 9:21 am

emi65 wrote: but user1 see all hosts


This is because with this setting you are saying ALL users can see ALL hosts
emi65 wrote:
Code:
authorized_for_all_services=*
authorized_for_all_hosts=*


Change it to this
Code:
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin


Then only a user nagiosadmin can see ALL hosts; everyone else will need to be assigned to a contact that is assigned to their host.
scottwilkerson
DevOps Engineer
 
Posts: 18623
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
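
The rule stated in the staff replies above, modelled as an added example (not part of the original thread and not Nagios's own code): the login name is checked against `authorized_for_all_hosts` first, and only if it is absent there do the per-host `contacts` entries limit the view. The sample configs are constructed from the snippets quoted in the thread; `contact_groups`, templates and service-level rules are not modelled, and names are assumed to be compared exactly.

```python
import re

# Constructed sample configs, modelled on the snippets quoted in the thread.
CGI_WILDCARD = "authorized_for_all_services=*\nauthorized_for_all_hosts=*\n"
CGI_ADMIN_ONLY = ("authorized_for_all_services=nagiosadmin\n"
                  "authorized_for_all_hosts=nagiosadmin\n")
OBJECTS = """
define host {
        host_name           Some Server
        address             192.168.52.5
        contacts            GS01068
}
define host {
        host_name           Other Server
        address             192.168.52.6
        contacts            nagiosadmin
}
"""

def parse_cgi(text):
    """Map each authorized_for_* directive in cgi.cfg to its set of user names."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("authorized_for_") and "=" in line:
            key, value = line.split("=", 1)
            acl[key.strip()] = {u.strip() for u in value.split(",") if u.strip()}
    return acl

def parse_hosts(text):
    """Map host_name to its 'contacts' set (contact_groups/templates not resolved)."""
    hosts = {}
    for body in re.findall(r"define\s+host\s*\{(.*?)\}", text, re.S):
        attrs = dict(p for p in (l.strip().split(None, 1) for l in body.splitlines())
                     if len(p) == 2)
        names = attrs.get("contacts", "").split(",")
        hosts[attrs["host_name"]] = {n.strip() for n in names if n.strip()}
    return hosts

def wildcard_directives(acl):
    """Directives that grant their permission to every authenticated user."""
    return sorted(k for k, users in acl.items() if "*" in users)

def visible_hosts(login, acl, hosts):
    """Hosts shown to the authenticated login name under the rule in the thread."""
    allowed = acl.get("authorized_for_all_hosts", set())
    if "*" in allowed or login in allowed:
        return sorted(hosts)
    return sorted(h for h, contacts in hosts.items() if login in contacts)
```

Running `wildcard_directives` over a real cgi.cfg is a quick least-privilege check: any directive it returns applies to every account the web server authenticates, whether that account comes from a passwd file or from LDAP.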

Re: Nagios core 4.3.4 LDAP and authorization

Postby emi65 » Wed Jun 13, 2018 9:35 am

Hi Scott

NO, user1 doesn't see all hosts when I use passwd nagios/apache authentication.

So if I set user1 in the passwd file,

in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

and I set contact user1 in host1.cfg

.... user1 sees only host1

I hope this explains the situation better.

You can reproduce this case.

thanks
Emilio
emi65
 
Posts: 109
Joined: Fri Aug 17, 2012 3:41 am
