Nagios core 4.3.4 LDAP and authorization
Hi
I'm using Nagios Core 4.3.4
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Oct 3 2017 09:37:04
I enable LDAP authentication using LDAP GROUP to validate access
I put in /etc/httpd/conf.d/nagios.conf
...
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group cn=ggUtentiDire3532,OU=XXXX,OU=XXXX,OU=XXXX,DC=sedi,DC=group
....
so I enable the users belonging to ggUtentiDire3532 to get into the Nagios web interface
In the cgi.cfg I configured
authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*
In this way all users inside the AD group ggUtentiDire3532 are enabled to get into Nagios and see and operate on all hosts and services
I need to know how a single user (i.e. A0001) present in the AD group ggUtentiDire3532 can see and operate on a limited
group of servers
Could someone help me?
regards
Emilio
Re: Nagios core 4.3.4 LDAP and authorization
Since you have created that contact and set the .cgi permissions, you would just need to set that user to the specific hosts/services that you only want them to be able to view.
But right now, you have him authorized to view all hosts/services:
authorized_for_all_services=*
authorized_for_all_hosts=*
Using something like this as an example:
define host {
use host-generic
host_name Some Server
alias Some Application Server Description
address 192.168.52.5
contacts User
}
This way, he could only view the host "Some Server".
This is for XI, but the same concepts apply to Core.
https://assets.nagios.com/downloads/nag ... 1521646370
Re: Nagios core 4.3.4 LDAP and authorization
Hi Kiang
I followed your instructions
in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*
in Server.cfg
define host {
use host-generic
host_name Some Server
alias Some Application Server Description
address 192.168.52.5
contacts GS01068
}
I created contact GS01068
LDAP authenticates my user to get into the Nagios web interface, but I see all servers
I'm using Nagios core 4.3.4
Thanks
Emilio
Re: Nagios core 4.3.4 LDAP and authorization
Hi Kiang
your suggestion WORKS when I DON'T USE LDAP authentication
so, if I put in
/etc/httpd/conf.d/nagios.conf
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
I add the user GS01068 into /etc/nagios/passwd
htpasswd -b /etc/nagios/passwd GS01068 mypassword
and apply your suggestion, the user GS01068 can see only one host (where I put contacts GS01068)
When I use LDAP authentication your suggestion doesn't work
Do you have any other tests to do?
thanks for all your help
Emilio
Re: Nagios core 4.3.4 LDAP and authorization
Sorry,
What I meant, was that currently you have it set that every user can view all hosts and services:
authorized_for_all_services=*
authorized_for_all_hosts=*
Try changing to let's say only the nagiosadmin can view all hosts/services:
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
Let me know if that works.
Re: Nagios core 4.3.4 LDAP and authorization
Kyang
Your solution works ONLY if you use Basic authentication
I set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*
/etc/httpd/conf.d/nagios.conf
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
I add the user GS01068 into /etc/nagios/passwd
htpasswd -b /etc/nagios/passwd GS01068 mypassword
The user GS01068 can see only one host (where I put contacts GS01068)
So when I have above config all work as you have described
BUT if I activate LDAP authentication, I set in /etc/httpd/conf.d/nagios.conf
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP Authentication"
AuthLDAPURL ldap://ldap-sedi.sedi-direzioni.group:389/DC=XXXXX,DC=XXXX?sAMAccountName?sub?(objectClass=person)
AuthLDAPBindDN "CN=GS01068 FRINI EMILIO,OU=Utenti,OU=XXXXX,OU=XXXXX,OU=XXXXXXXX,DC=sedi-direzioni,DC=group"
AuthLDAPBindPassword "XXXXXX"
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
your solution doesn't work
thanks
Emilio
- DevOps Engineer, Nagios Enterprises
Re: Nagios core 4.3.4 LDAP and authorization
Here is a guide on the Internet
https://wellsie.net/p/380/
As pointed out before, this is wrong
authorized_for_all_services=*
authorized_for_all_hosts=*
That is for assigning access to ALL people.
Individual access comes from adding the username used to login to a contact in the configuration and assigning that contact to a host/service.
You CANNOT assign privileges based on LDAP groups, that functionality does not exist
Re: Nagios core 4.3.4 LDAP and authorization
I agree with you, but I can use 2 types of authentication:
LDAP and passwd files
In both case I set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*
When I use passwd file authentication I can show user1 a host where the host contact is user1
When I use LDAP authentication I CAN NOT show user1 a host where the host contact is user1,
but user1 sees all hosts
So, it seems that the solution to show a user a limited number of hosts works ONLY with passwd file authentication
and not with LDAP authentication
My question is: IS IT A BUG?
Is there documentation about this limitation (or feature)?
thanks
Emilio
Re: Nagios core 4.3.4 LDAP and authorization
This is because with this setting you are saying ALL users can see ALL hostsemi65 wrote:but user1 see all hosts
Change it to thisemi65 wrote:Code: Select all
authorized_for_all_services=* authorized_for_all_hosts=*
Code: Select all
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
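To make the point of the last two replies concrete, here is a small model of how the Nagios CGIs decide which hosts a logged-in user sees. It is an added example written for this page, not code from Nagios or from anyone in the thread. The parsers for cgi.cfg and for object definitions are simplified, the hosts db01 and web01 and the contact group ops are constructed, and the exact, case-sensitive match between REMOTE_USER and contact_name is an assumption of the model; it goes slightly beyond the thread by also resolving contact_groups.

```python
"""Model of the Nagios Core CGI host-authorization decision (added example,
not Nagios code). Two rules from the thread: (1) a login name listed in
authorized_for_all_hosts, or the wildcard '*', sees every host regardless of
which Apache backend (passwd file or LDAP) performed the login; (2) any other
login sees only hosts whose contacts / contact_groups include a contact whose
contact_name is exactly REMOTE_USER (an exact, case-sensitive match is this
model's assumption)."""
import re

# Constructed cgi.cfg fragments: the thread's wildcard setting and the fix.
CGI_CFG_WILDCARD = "authorized_for_all_hosts=*\nauthorized_for_all_services=*\n"
CGI_CFG_FIXED = "authorized_for_all_hosts=nagiosadmin\nauthorized_for_all_services=nagiosadmin\n"

# Constructed object definitions; GS01068, "Some Server" and its address come
# from the thread, db01 / web01 / the ops group are made up.
OBJECTS_CFG = """
define contact {
    contact_name  GS01068
}
define contact {
    contact_name  nagiosadmin
}
define contactgroup {
    contactgroup_name  ops
    members            GS01068
}
define host {
    host_name  Some Server
    address    192.168.52.5
    contacts   GS01068
}
define host {
    host_name       db01
    address         192.0.2.10
    contact_groups  ops
}
define host {
    host_name  web01
    address    192.0.2.20
    contacts   nagiosadmin
}
"""
OBJECT_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)

def _csv(value):
    """Split a comma-separated Nagios value into a list of names."""
    return [v.strip() for v in value.split(",") if v.strip()]

def parse_cgi_cfg(text):
    """key=value lines -> {key: [values]}; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = _csv(value)
    return cfg

def parse_objects(text):
    """'define <type> { key value ... }' blocks -> {type: [attrs, ...]}."""
    objects = {}
    for kind, body in OBJECT_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):
                attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.setdefault(kind, []).append(attrs)
    return objects

def contacts_for_host(host, objects):
    """Direct contacts plus the members of the host's contact_groups."""
    names = set(_csv(host.get("contacts", "")))
    groups = set(_csv(host.get("contact_groups", "")))
    for group in objects.get("contactgroup", []):
        if group.get("contactgroup_name") in groups:
            names.update(_csv(group.get("members", "")))
    return names

def visible_hosts(remote_user, cgi_text, objects_text):
    """Host names the CGIs would show to REMOTE_USER, sorted."""
    cgi = parse_cgi_cfg(cgi_text)
    objects = parse_objects(objects_text)
    hosts = objects.get("host", [])
    allowed = cgi.get("authorized_for_all_hosts", [])
    if "*" in allowed or remote_user in allowed:      # rule 1: sees everything
        return sorted(h["host_name"] for h in hosts)
    known = {c.get("contact_name") for c in objects.get("contact", [])}
    if remote_user not in known:                       # no such contact_name
        return []
    return sorted(h["host_name"] for h in hosts        # rule 2: contact match
                  if remote_user in contacts_for_host(h, objects))

if __name__ == "__main__":
    for label, cfg in (("wildcard", CGI_CFG_WILDCARD), ("fixed", CGI_CFG_FIXED)):
        for user in ("GS01068", "nagiosadmin", "A0001", "gs01068"):
            print(f"{label:8} {user:12} -> {visible_hosts(user, cfg, OBJECTS_CFG)}")
```

Run as a script, the same login GS01068 sees three hosts under the wildcard and two under the nagiosadmin setting, whichever Apache provider authenticated it. The backend only changes which string Apache hands to the CGIs as REMOTE_USER: a passwd file passes the name typed at the prompt, and mod_authnz_ldap does the same unless AuthLDAPRemoteUserIsDN or AuthLDAPRemoteUserAttribute is set, in which case REMOTE_USER becomes the DN or another attribute and no contact_name matches. Comparing the value Apache logs for the user (the %u field of the access log) against the contact_name is the first check to make when the LDAP case does not behave like the passwd-file case.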
Re: Nagios core 4.3.4 LDAP and authorization
Hi Scott
NO, user1 doesn't see all hosts when I use passwd nagios/apache authentication
So if I set in passwd file the user1
in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*
and I set in the host1.cfg contact user1
... the user1 sees only the host1
I hope this explains the situation better
you can reproduce this case
thanks
Emilio