ldap authentication problem (solved)

frouvier
Posts: 4
Joined: Fri Nov 17, 2017 11:38 am

ldap authentication problem (solved)

Post by frouvier »

Hello,

I'm trying to migrate my old Nagios server to a Debian 9 / Nagios 4.3.4 server.
The only thing I can't use anymore is LDAP authentication.
The Apache auth seems to be working fine, as I get access to the web page with "Logged in as mysuser", but I can't get any info from status.cgi:
"It appears as though you do not have permission to view information for any of the services you requested..."

My Apache configuration:

Code: Select all

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
         AuthType Basic
         AuthName "Restricted access"
         AuthLDAPBindAuthoritative on
         AuthBasicProvider ldap
         AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPGroupAttribute memberUid
         AuthLDAPGroupAttributeIsDN off
         Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
      AuthType Basic
      AuthName "Restricted access"
      AuthLDAPBindAuthoritative on
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPGroupAttribute memberUid
      AuthLDAPGroupAttributeIsDN off
      Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
      Require valid-user
   </IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
         AuthType Basic
         AuthName "Restricted access"
         AuthLDAPBindAuthoritative on
         AuthBasicProvider ldap
         AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPGroupAttribute memberUid
         AuthLDAPGroupAttributeIsDN off
         Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
      AuthType Basic
      AuthName "Restricted access"
      AuthLDAPBindAuthoritative on
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPGroupAttribute memberUid
      AuthLDAPGroupAttributeIsDN off
      Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
      Require valid-user
   </IfVersion>
</Directory>

My cgi.cfg:

Code: Select all

(...)
use_authentication=1
use_ssl_authentication=0
default_user_name=myuser
authorized_for_system_information=myuser
authorized_for_configuration_information=myuser
authorized_for_system_commands=myuser
authorized_for_all_services=myuser
authorized_for_all_hosts=myuser
authorized_for_all_service_commands=myuser
authorized_for_all_host_commands=myuser

I tried setting all *authentication options with "*", I even tried to set "use_authentication=0" and still got Nagios permissions problems.

Does anyone have any idea?
Last edited by frouvier on Tue Nov 21, 2017 9:10 am, edited 2 times in total.
dwasswa

Re: ldap authentication problem

Post by dwasswa »

Hi @frouvier,

Please run the following command: ll /usr/local/nagios/sbin (or wherever you have status.cgi located on Debian) and post the output.

Example on CentOS:
check_cgi_permisions.PNG
frouvier
Posts: 4
Joined: Fri Nov 17, 2017 11:38 am

Re: ldap authentication problem

Post by frouvier »

Hello dwasswa,

Here is my cgi folder :

Code: Select all

# ls -l /usr/local/nagios/sbin
total 5300
-rwxrwxr-x 1 nagios nagios 345264 Aug 25 11:03 archivejson.cgi
-rwxrwxr-x 1 nagios nagios 310168 Aug 25 11:03 avail.cgi
-rwxrwxr-x 1 nagios nagios 304488 Aug 25 11:03 cmd.cgi
-rwxrwxr-x 1 nagios nagios 277320 Aug 25 11:03 config.cgi
-rwxrwxr-x 1 nagios nagios 322424 Aug 25 11:03 extinfo.cgi
-rwxrwxr-x 1 nagios nagios 269312 Aug 25 11:03 histogram.cgi
-rwxrwxr-x 1 nagios nagios 248696 Aug 25 11:03 history.cgi
-rwxrwxr-x 1 nagios nagios 248680 Aug 25 11:03 notifications.cgi
-rwxrwxr-x 1 nagios nagios 342960 Aug 25 11:03 objectjson.cgi
-rwxrwxr-x 1 nagios nagios 240456 Aug 25 11:03 outages.cgi
-rwxrwxr-x 1 nagios nagios 244568 Aug 25 11:03 showlog.cgi
-rwxrwxr-x 1 nagios nagios 322448 Aug 25 11:03 status.cgi
-rwxrwxr-x 1 nagios nagios 337008 Aug 25 11:03 statusjson.cgi
-rwxrwxr-x 1 nagios nagios 269376 Aug 25 11:03 statusmap.cgi
-rwxrwxr-x 1 nagios nagios 261008 Aug 25 11:03 statuswml.cgi
-rwxrwxr-x 1 nagios nagios 248696 Aug 25 11:03 statuswrl.cgi
-rwxrwxr-x 1 nagios nagios 269216 Aug 25 11:03 summary.cgi
-rwxrwxr-x 1 nagios nagios 261024 Aug 25 11:03 tac.cgi
-rwxrwxr-x 1 nagios nagios 277512 Aug 25 11:03 trends.cgi

Thank you for your help.
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: ldap authentication problem

Post by npolovenko »

@frouvier, Can you match the /etc/openldap/ldap.conf file on your old Core system and the new one? Did you enable the LDAP module in /etc/httpd/conf/httpd.conf? Also, taking a look at the Apache log files after you attempt to authenticate might help:

Code: Select all

cd /var/log/httpd/
tail *

Unfortunately, I don't have LDAP authentication on my Nagios servers so I'm unable to test your configuration. Just to throw in an extra option, you could post on the Apache forums as this issue is directly related to their configurations.
Can you share a link to the tutorial you used to set up Core with LDAP in the first place?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
frouvier
Posts: 4
Joined: Fri Nov 17, 2017 11:38 am

Re: ldap authentication problem

Post by frouvier »

Hello,

The LDAP service is on another server and has not changed.

The LDAP module is installed and enabled on the Nagios Core server.
Apache seems to be working fine as it lets me authenticate.
Apache connection log:

Code: Select all

2a03:9180:4:1:xxxx:xxxx:xxx:xxxx - frouvier [21/Nov/2017:09:24:56 +0100] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=summary HTTP/1.1" 200 1985 "https://nagios.exemple.com/nagios/cgi-bin/status.cgi?hostgroup=all&style=summary" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"

In the top left corner I can see that I'm logged in as frouvier, so Nagios seems to be receiving the user name from Apache.

But then I still got this from Nagios: "It appears as though you do not have permission to view information for any of the services you requested..."

I couldn't find any information about what tutorial I used to set it up, it was a very long time ago (5-6 years).
frouvier
Posts: 4
Joined: Fri Nov 17, 2017 11:38 am

Re: ldap authentication problem [solved]

Post by frouvier »

So, finally I found that Nagios was not reading the cgi.cfg file I thought it was.
It was reading the one in "/usr/local/nagios/etc/" instead of "/etc/nagios/".
With the right config, LDAP auth is working.

Thanks for your help.
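
An added example, not part of the original posts: a shell helper that reports, for each candidate cgi.cfg, whether use_authentication is set and how many authorized_for_* directives grant a given user, which exposes the "edited one file, CGIs read another" situation described above. The two sample files and the nagiosadmin account name are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare candidate cgi.cfg files for one authenticated user.
# Real use, with the two paths named in this thread:
#   cgi_report frouvier /etc/nagios/cgi.cfg /usr/local/nagios/etc/cgi.cfg

# cgi_grants FILE USER -> prints each authorized_for_* directive granting USER
cgi_grants() {
    awk -v user="$2" '
        /^[ \t]*#/ { next }                  # commented-out lines grant nothing
        /^[ \t]*authorized_for_[a-z_]+[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            n = split(substr($0, eq + 1), names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                gsub(/^[ \t]+|[ \t\r]+$/, "", name)
                # "*" in cgi.cfg means every authenticated user
                if (name == user || name == "*") { print key; break }
            }
        }' "$1"
}

# cgi_report USER FILE... -> one summary line per candidate file
cgi_report() {
    user=$1; shift
    for f in "$@"; do
        if [ ! -r "$f" ]; then echo "$f: missing"; continue; fi
        count=$(cgi_grants "$f" "$user" | wc -l | tr -d ' ')
        auth=$(sed -n 's/^[[:space:]]*use_authentication[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        echo "$f: use_authentication=${auth:-unset} grants_for_${user}=${count}"
    done
}

# Constructed sample data: the file that was edited vs. the file really in use.
tmp=$(mktemp -d)
printf '%s\n' 'use_authentication=1' 'authorized_for_all_services=frouvier' \
    'authorized_for_all_hosts=frouvier' > "$tmp/edited.cfg"
printf '%s\n' 'use_authentication=1' 'authorized_for_all_services=nagiosadmin' \
    '#authorized_for_all_hosts=frouvier' > "$tmp/in_use.cfg"
cgi_report frouvier "$tmp/edited.cfg" "$tmp/in_use.cfg" "$tmp/absent.cfg"
```

A file that reports zero grants for the user Apache authenticated matches the "do not have permission" message from status.cgi even though the login itself succeeded.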
npolovenko
Support Tech
Posts: 3457
Joined: Mon May 15, 2017 5:00 pm

Re: ldap authentication problem (solved)

Post by npolovenko »

@frouvier, I'm glad you figured that out! I will go ahead and lock this thread as resolved.