Nagios core 4.3.4 LDAP and authorization

Posted: Fri Jun 08, 2018 8:52 am
by emi65
Hi
I'm using Nagios Core 4.3.4
Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built: Oct 3 2017 09:37:04

I enabled LDAP authentication using an LDAP group to validate access.
I put in /etc/httpd/conf.d/nagios.conf:
...
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group cn=ggUtentiDire3532,OU=XXXX,OU=XXXX,OU=XXXX,DC=sedi,DC=group
....

so I enable the users belonging to ggUtentiDire3532 to get into the Nagios web interface.
In the cgi.cfg I configured:
authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

In this way all users inside the AD group ggUtentiDire3532 are enabled to get into Nagios and to see and operate on all hosts and services.

I need to know how a single user (i.e. A0001) present in the AD group ggUtentiDire3532 can see and operate on a limited group of servers.

Could someone help me?
regards
Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Fri Jun 08, 2018 2:52 pm
by kyang
Since you have created that contact and set the .cgi permissions, you would just need to set that user on the specific hosts/services that you want them to be able to view.

But right now, you have him authorized to view all hosts/services.

Code:
authorized_for_all_services=*
authorized_for_all_hosts=*
Using something like this as an example:

Code:
define host {
        use                 host-generic
        host_name           Some Server
        alias               Some Application Server Description
        address             192.168.52.5
        contacts            User
}
This way, he could only view the host "Some Server".

This is for XI, but the same concepts apply to Core.
https://assets.nagios.com/downloads/nag ... 1521646370

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Mon Jun 11, 2018 8:11 am
by emi65
Hi Kyang

I followed your instructions.
In cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

In Server.cfg:
define host {
use host-generic
host_name Some Server
alias Some Application Server Description
address 192.168.52.5
contacts GS01068
}

I created the contact GS01068.

LDAP authenticates my user to get into the Nagios web interface, but I see all servers.

I'm using Nagios core 4.3.4

Thanks
Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Mon Jun 11, 2018 8:48 am
by emi65
Hi Kyang

Your suggestion WORKS when I DON'T USE LDAP authentication.

So, if I put in
/etc/httpd/conf.d/nagios.conf:
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user

I add the user GS01068 into /etc/nagios/passwd:
htpasswd -b /etc/nagios/passwd GS01068 mypassword

and apply your suggestion, then the user GS01068 can see only one host (where I put contacts GS01068).

When I use LDAP authentication your suggestion doesn't work.

Do you have any other tests to do?

Thanks for all your help.

Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Mon Jun 11, 2018 12:03 pm
by kyang
Sorry,

What I meant was that currently you have it set so that every user can view all hosts and services:

Code:
authorized_for_all_services=*
authorized_for_all_hosts=*
Try changing it so that, let's say, only nagiosadmin can view all hosts/services:

Code:
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
Let me know if that works.

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Tue Jun 12, 2018 1:56 am
by emi65
Kyang

Your solution works ONLY if you use Basic authentication.
I set in cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

and in /etc/httpd/conf.d/nagios.conf:
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user

I add the user GS01068 into /etc/nagios/passwd:
htpasswd -b /etc/nagios/passwd GS01068 mypassword

The user GS01068 can see only one host (where I put contacts GS01068).

So when I have the above config, all works as you have described.

BUT if I activate LDAP authentication, I set in /etc/httpd/conf.d/nagios.conf:
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP Authentication"
AuthLDAPURL ldap://ldap-sedi.sedi-direzioni.group:389/DC=XXXXX,DC=XXXX?sAMAccountName?sub?(objectClass=person)
AuthLDAPBindDN "CN=GS01068 FRINI EMILIO,OU=Utenti,OU=XXXXX,OU=XXXXX,OU=XXXXXXXX,DC=sedi-direzioni,DC=group"
AuthLDAPBindPassword "XXXXXX"
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member

your solution doesn't work.

thanks
Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Wed Jun 13, 2018 8:57 am
by scottwilkerson
Here is a guide on the Internet:
https://wellsie.net/p/380/

As pointed out before, this is wrong:

Code:
authorized_for_all_services=*
authorized_for_all_hosts=*
That is for assigning access to ALL people.

Individual access comes from adding the username used to login to a contact in the configuration and assigning that contact to a host/service.

You CANNOT assign privileges based on LDAP groups; that functionality does not exist.

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Wed Jun 13, 2018 9:17 am
by emi65
I agree with you, but I can use at least 2 types of authentication:
LDAP and passwd files.

In both cases I set in cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

When I use passwd file authentication I can show user1 a host where the host contacts is user1.

When I use LDAP authentication I CANNOT show user1 a host where the host contacts is user1;
instead user1 sees all hosts.

So, it seems that the solution to show a user a limited number of hosts works ONLY with passwd file authentication
and not with LDAP authentication.

My question is: IS IT A BUG?

Is there documentation about this limitation (or feature)?

thanks
Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Wed Jun 13, 2018 9:21 am
by scottwilkerson
emi65 wrote: but user1 see all hosts
This is because with this setting you are saying ALL users can see ALL hosts:
emi65 wrote:

Code:
authorized_for_all_services=*
authorized_for_all_hosts=*
Change it to this:

Code:
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
Then only the user nagiosadmin can see ALL hosts; everyone else will need to be assigned to a contact that is assigned to their host.
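An added Python simulation (not code from this thread or from Nagios itself) of the CGI authorization rule the replies describe: with authorized_for_all_hosts=* every authenticated user sees every host regardless of contacts, whereas with a named user only that user sees everything and everyone else sees just the hosts where their login name is an exact match for a listed contact. The cgi.cfg fragments and host definitions are constructed sample input; contact_groups and the authorized_for_*_commands directives are not modelled.

```python
import re

# Constructed cgi.cfg fragments: the wildcard setting from the thread, and the
# corrected one that names a single user.
CGI_CFG_WILDCARD = "authorized_for_all_hosts=*\nauthorized_for_all_services=*\n"
CGI_CFG_ADMIN = ("authorized_for_all_hosts=nagiosadmin\n"
                 "authorized_for_all_services=nagiosadmin\n")

# Constructed object config: two hosts, each with different contacts.
OBJECTS_CFG = """
define host {
        use                 host-generic
        host_name           Some Server
        address             192.168.52.5
        contacts            GS01068
}
define host {
        use                 host-generic
        host_name           Other Server
        address             192.168.52.6
        contacts            A0001, nagiosadmin
}
"""

def parse_authorized(cgi_cfg, directive):
    """Return the set of usernames listed for one authorized_for_* directive."""
    for line in cgi_cfg.splitlines():
        line = line.strip()
        if line.startswith(directive + "="):
            value = line.split("=", 1)[1]
            return {u.strip() for u in value.split(",") if u.strip()}
    return set()

def parse_hosts(objects_cfg):
    """Map host_name -> set of contact names from 'define host' blocks."""
    hosts = {}
    for block in re.findall(r"define\s+host\s*\{(.*?)\}", objects_cfg, re.S):
        attrs = {}
        for line in block.strip().splitlines():
            parts = line.split(None, 1)       # 'key   value with spaces'
            if len(parts) == 2:
                attrs[parts[0]] = parts[1].strip()
        contacts = attrs.get("contacts", "")
        hosts[attrs["host_name"]] = {c.strip() for c in contacts.split(",") if c.strip()}
    return hosts

def visible_hosts(user, cgi_cfg, objects_cfg):
    """Hosts the CGIs would show the authenticated user (Apache's REMOTE_USER)."""
    all_hosts = parse_authorized(cgi_cfg, "authorized_for_all_hosts")
    hosts = parse_hosts(objects_cfg)
    if "*" in all_hosts or user in all_hosts:
        return sorted(hosts)                  # wildcard or listed user: sees everything
    # Otherwise only hosts whose contacts include this exact username.
    return sorted(h for h, contacts in hosts.items() if user in contacts)
```

Whatever Apache module authenticated the request, the CGIs only see the resulting username, so the name that module hands over must match the contact_name exactly for the per-host branch to apply.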

Re: Nagios core 4.3.4 LDAP and authorization

Posted: Wed Jun 13, 2018 9:35 am
by emi65
Hi Scott

NO, user1 doesn't see all hosts when I use passwd nagios/apache authentication.

So if I set user1 in the passwd file,

in cgi.cfg:
authorized_for_all_services=*
authorized_for_all_hosts=*

and I set contact user1 in host1.cfg

.... then user1 sees only host1.

I hope this explains the situation better.

You can reproduce this case.

thanks
Emilio