Nagios core 4.3.4 LDAP and authorization

Post by emi65 »

Hi
I'm using Nagios Core 4.3.4
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Oct 3 2017 09:37:04

I enabled LDAP authentication, using an LDAP group to validate access.
I put this in /etc/httpd/conf.d/nagios.conf:
...
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group cn=ggUtentiDire3532,OU=XXXX,OU=XXXX,OU=XXXX,DC=sedi,DC=group
....

So I enable the users belonging to ggUtentiDire3532 to get into the Nagios web interface.
In cgi.cfg I configured:
authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

In this way all users inside the AD group ggUtentiDire3532 are able to get into Nagios and see and operate on all hosts and services.

I need to know how a single user (i.e. A0001) present in the AD group ggUtentiDire3532 can see and operate on a limited group of servers.

Could someone help me?
Regards
Emilio

Post by kyang »

Since you have created that contact and set the .cgi permissions, you would just need to set that user to the specific hosts/services that you only want them to be able to view.

But right now, you have him authorized to view all hosts/services.

Code:

authorized_for_all_services=*
authorized_for_all_hosts=*

Using something like this as an example:

Code:

define host {
        use                 host-generic
        host_name           Some Server
        alias               Some Application Server Description
        address             192.168.52.5
        contacts            User
}

This way, he could only view the host "Some Server".

This is for XI, but the same concepts apply to Core.
https://assets.nagios.com/downloads/nag ... 1521646370

Post by emi65 »

Hi Kyang

I followed your instructions.
In cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

In Server.cfg:
define host {
use host-generic
host_name Some Server
alias Some Application Server Description
address 192.168.52.5
contacts GS01068
}

I created contact GS01068

LDAP authenticates my user to get into the Nagios web interface, but I see all servers.

I'm using Nagios core 4.3.4

Thanks
Emilio

Post by emi65 »

Hi Kyang

Your suggestion WORKS when I DON'T USE LDAP authentication.

So, if I put in
/etc/httpd/conf.d/nagios.conf
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user

I add the user GS01068 into /etc/nagios/passwd
htpasswd -b /etc/nagios/passwd GS01068 mypassword

and apply your suggestion, so the user GS01068 can see only one host (where I put contacts GS01068).

When I use LDAP authentication your suggestion doesn't work.

Do you have any other tests to do?

Thanks for all your help

Emilio

Post by kyang »

Sorry,

What I meant was that currently you have it set so that every user can view all hosts and services:

Code:

authorized_for_all_services=*
authorized_for_all_hosts=*

Try changing to let's say only the nagiosadmin can view all hosts/services:

Code:

authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin

Let me know if that works.

Post by emi65 »

Kyang

Your solution works ONLY if you use Basic authentication.
I set in cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

/etc/httpd/conf.d/nagios.conf
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user

I add the user GS01068 into /etc/nagios/passwd
htpasswd -b /etc/nagios/passwd GS01068 mypassword

The user GS01068 can see only one host (where I put contacts GS01068)

So when I have the above config, everything works as you have described.

BUT if I activate LDAP authentication, I set in /etc/httpd/conf.d/nagios.conf:
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP Authentication"
AuthLDAPURL ldap://ldap-sedi.sedi-direzioni.group:389/DC=XXXXX,DC=XXXX?sAMAccountName?sub?(objectClass=person)
AuthLDAPBindDN "CN=GS01068 FRINI EMILIO,OU=Utenti,OU=XXXXX,OU=XXXXX,OU=XXXXXXXX,DC=sedi-direzioni,DC=group"
AuthLDAPBindPassword "XXXXXX"
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member

Your solution doesn't work.

Thanks
Emilio

Post by scottwilkerson »

Here is a guide on the Internet
https://wellsie.net/p/380/

As pointed out before, this is wrong

Code:

authorized_for_all_services=*
authorized_for_all_hosts=*

That is for assigning access to ALL people.

Individual access comes from adding the username used to login to a contact in the configuration and assigning that contact to a host/service.

You CANNOT assign privileges based on LDAP groups; that functionality does not exist.

Post by emi65 »

I agree with you, but I can use almost 2 types of authentication:
LDAP and passwd files

In both cases I set in cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

When I use passwd file authentication, I can show user1 a host where the host contact is user1.

When I use LDAP authentication, I CAN NOT show user1 a host where the host contact is user1,
but user1 sees all hosts.

So it seems that the solution to show a user a limited number of hosts works ONLY with passwd file authentication
and not with LDAP authentication.

My question is: IS IT A BUG?

Is there any documentation about this limitation (or feature)?

Thanks
Emilio

Post by scottwilkerson »

emi65 wrote: but user1 sees all hosts

This is because with this setting you are saying ALL users can see ALL hosts.

emi65 wrote:

authorized_for_all_services=*
authorized_for_all_hosts=*

Change it to this:

Code:

authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin

Then only a user nagiosadmin can see ALL hosts; everyone else will need to be assigned to a contact that is assigned to their host.

Post by emi65 »

Hi Scott

NO, user1 doesn't see all hosts when I use passwd nagios/apache authentication.

So if I set user1 in the passwd file,

in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

and I set contact user1 in host1.cfg

... user1 sees only host1.

I hope this explains the situation better.

You can reproduce this case.

thanks
Emilio