Nagios core with AD Integration


Post by charangandra » Wed Oct 03, 2018 6:08 am

Hi,

I've integrated Nagios with AD and it is working. I can authenticate to the Nagios web page using the AD account but am unable to see any information. I believe this is because my user is not configured to view host information in /usr/local/nagios/etc/cgi.cfg.

I can view host and status information by updating the lines below in the cgi.cfg file:

authorized_for_all_services=nagiosadmin,test_user
authorized_for_all_hosts=nagiosadmin,test_user

But it is not possible to add all the users in this manner.

I've two groups in AD, admin and viewer. All the users in the admin group should have equivalent access to the nagiosadmin user, and all the users in the viewer group should only be able to view host and service information.

Is that possible? How can I add AD domain group details instead of individual user details in cgi.cfg? Or is there any other configuration I need to make?

Any help is greatly appreciated.

Thanks,
Charan
charangandra
 
Posts: 23
Joined: Tue Feb 13, 2018 6:23 am

Re: Nagios core with AD Integration

Post by mcapra » Wed Oct 03, 2018 1:36 pm

I think it would 100% depend on specifically how you did the AD/LDAP integration.

charangandra wrote: I've two groups in AD, admin and viewer. All the users in the admin group should have equivalent access to the nagiosadmin user, and all the users in the viewer group should only be able to view host and service information.

You could probably handle this translation in the AD/LDAP implementation within Apache/nginx. Here's a reference implementation using mod_authnz_ldap:
https://galaxyproject.org/admin/config/ ... uthnz_ldap

Essentially, have 2 users defined under cgi.cfg which represent your AD groups. In your mod_authnz_ldap configuration, perform a rewrite and set the REMOTE_USER request header to either "admin" or "viewer" based on the AD group membership. This should get picked up by Nagios Core:
https://github.com/NagiosEnterprises/nagioscore/blob/345fd4e8257085ce7f3806ee4fb04008919f24e5/cgi/cgiauth.c#L64

Should work, but I haven't tested it. The way RabbitMQ handles LDAP group to vhost/policy/etc translation works in a *somewhat* similar way, though it's relying on things not specific to HTTP headers or CGI conventions.

charangandra wrote: But it is not possible to add all the users in this manner.

Oh, it's totally possible. A terrible idea, but totally possible ;)
Former Nagios employee
http://www.mcapra.com/
mcapra
 
Posts: 3422
Joined: Thu May 05, 2016 3:54 pm

Re: Nagios core with AD Integration

Post by tacolover101 » Wed Oct 03, 2018 11:22 pm

lots of ways to accomplish this, that's what makes it fun.

in the case you didn't want to run the mod_authnz_ldap route, you could also run a reverse proxy with LDAP auth. then map groups / users to different basic auth creds this way.

heck, you could even write it into PHP and create your own mapping.

this is one of the values that Nagios XI will provide you.
tacolover101
 
Posts: 409
Joined: Mon Apr 10, 2017 11:55 am
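
The group-to-role translation suggested in the two replies above (two role accounts in cgi.cfg, with the AD group mapping done in front of Nagios), written out as an added example that is not code from any poster or from the Nagios project. The group DNs, the role names `admin` and `viewer`, and the function names are assumptions; the `authorized_for_*` names are standard cgi.cfg directives.

```python
# Added example. Group DNs, role names and function names are assumptions (constructed).
ROLE_BY_GROUP_DN = {
    "cn=nagios-admin,ou=groups,dc=example,dc=com": "admin",
    "cn=nagios-viewer,ou=groups,dc=example,dc=com": "viewer",
}
ROLE_PRIORITY = ["admin", "viewer"]  # first match wins when a user is in both groups

# Standard cgi.cfg directives: what both roles may see, and what only admin may do.
VIEW = ["authorized_for_all_hosts", "authorized_for_all_services"]
ADMIN_ONLY = [
    "authorized_for_system_information",
    "authorized_for_configuration_information",
    "authorized_for_system_commands",
    "authorized_for_all_host_commands",
    "authorized_for_all_service_commands",
]


def normalize_dn(dn):
    """Case-fold a DN and drop spaces around commas (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def role_for(member_of):
    """Map a user's memberOf DNs to the role account name, or None to deny.

    Whole-DN comparison, so a group such as 'nagios-admin-readonly'
    never matches the admin entry by prefix.
    """
    roles = {ROLE_BY_GROUP_DN.get(normalize_dn(dn)) for dn in member_of}
    return next((r for r in ROLE_PRIORITY if r in roles), None)


def cgi_cfg_lines():
    """Build the cgi.cfg lines for the two role accounts instead of per-user entries."""
    lines = [f"{d}=admin,viewer" for d in VIEW]
    lines += [f"{d}=admin" for d in ADMIN_ONLY]
    lines.append("authorized_for_read_only=viewer")
    return lines


if __name__ == "__main__":
    print("\n".join(cgi_cfg_lines()))
    # Constructed sample: the returned name is what the front end would hand
    # to the Nagios CGIs as the authenticated user.
    print(role_for(["CN=Nagios-Viewer, OU=Groups, DC=example, DC=com"]))
```

A user who is in neither group gets `None`, which the front end should treat as a denied login rather than falling back to a default account.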

Re: Nagios core with AD Integration

Post by cdienger » Thu Oct 04, 2018 1:27 pm

As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
cdienger
Support Tech
 
Posts: 1862
Joined: Tue Feb 07, 2017 11:26 am

Re: Nagios core with AD Integration

Post by charangandra » Tue Oct 09, 2018 5:05 am

Thanks for the message, I will try the above options.

Thanks,
charangandra
 
Posts: 23
Joined: Tue Feb 13, 2018 6:23 am

Re: Nagios core with AD Integration

Post by scottwilkerson » Tue Oct 09, 2018 7:25 am

charangandra wrote: Thanks for the message, I will try the above options.

Thanks,


Let us know if this does not work.
scottwilkerson
DevOps Engineer
 
Posts: 12020
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

