Nagios Core - Apache -LDAP configurations


Post by Mahantesh » Mon Dec 03, 2018 2:29 am

What is wrong with the parameters in this nagios.conf file? It does not accept the AD user credentials in the web login prompt.
The same LDAP parameters, when used in a separate php-ldap module in the same setup, authenticate. But Nagios rejects them and keeps prompting with the login window. httpd.conf has the required .so modules loaded. I tried adding and removing these parameters in different combinations (as I'm unsure of what is a must and what is not); none of the combinations gets it right.

Using CentOS 7, Nagios Core 4.4

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-l ... ectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
SetEnv TZ "UTC"
</IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-l ... ectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
</IfVersion>
</Directory>

Post by ssax » Mon Dec 03, 2018 5:48 pm

Here is what worked for me:

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
# Last Modified: 11-26-2005
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file.  Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
AuthLDAPBindPassword "Password"
AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "contoso Authentication"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
   Require valid-user
   Require all denied
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
AuthLDAPBindPassword "Password"
AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "contoso Authentication"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
   Require valid-user
   Require all denied
</Directory>

Post by Mahantesh » Tue Dec 04, 2018 7:06 am

Thanks. Used the exact file. Didn't help.

1. Why are there question marks in AuthLDAPURL?

?sAMAccountName?sub?

Is sAMAccountName to be replaced with the AD user name?
I tried changing it to ?AD_user_name?sub?
No change in response.

And what are "sub?" and (objectClass=*)"NONE?


2. Must AuthLDAPBindPassword and AuthName be in between double quotes?

3. Are there any settings required in config files other than nagios.conf?

Post by ssax » Wed Dec 05, 2018 5:16 pm

1. sAMAccountName is what it matches the username of your entered Active Directory credentials against on the remote side; it's the attribute it will search for. Please see here for more information:

https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl

2. You should be able to use single quotes OR double-quotes OR no quotes at all (as long as there are no spaces in the values).

3. No other settings required but make sure you have mod_ldap installed:

yum install mod_ldap


Then after setting up the nagios.conf file, restart HTTPD:

service httpd restart


Once that is set up, please run this tail command (and leave it running):

tail -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log


Then try to log in with your AD credentials and post any output you get.

Post by Mahantesh » Thu Dec 06, 2018 2:22 am

I have been checking the logs (please see pasted below); it says password mismatch, which is a 'lie'. In fact, I just now checked the event viewer logs of the LDAP server (Win 2012), and I see requests reaching there. It shows the IP address of my Nagios host and my AD user name, which requested LDAP authentication. But the Nagios web console keeps showing the sign-in prompt.

[Thu Dec 06 07:01:02.976791 2018] [auth_basic:error] [pid 3464] [client 10.10.10.10:62787] AH01617: user john: authentication failure for "/nagios/": Password Mismatch

[Thu Dec 06 07:10:08.531368 2018] [auth_basic:error] [pid 3503] [client 10.10.10.10:62908] AH01617: user john: authentication failure for "/nagios/": Password Mismatch


Even use_authentication=0 or 1 in cgi.cfg has no effect on the sign-in prompt. Am I missing something?

Post by ssax » Thu Dec 06, 2018 4:55 pm

Does this output anything?

yum install openldap-clients
ldapsearch -x -D "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=administrator'

Post by Mahantesh » Fri Dec 07, 2018 6:37 am

Yes, that gets everything

ldapsearch -x -D "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=connoj'

Reworked the nagios.conf parameters; this is what I have now:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPBindPassword "AD_pw_of_john"
AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName=connoj?sub?(objectClass=*)"NONE
AuthType Basic
AuthName "connoj"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local
Require valid-user
#Require all denied
SetEnv TZ "UTC"
</Directory>

But the Nagios web page keeps showing the sign-in prompt.

Post by ssax » Fri Dec 07, 2018 5:14 pm

Try this one:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPBindPassword "AD_pw_of_john"
AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "connoj"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local
Require valid-user
#Require all denied
SetEnv TZ "UTC"
</Directory>


Just to make sure, you are restarting httpd after making the config changes, right?

service httpd restart
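Why the attribute field of AuthLDAPURL must hold only an attribute name, as an added example that is not part of the original post: per the mod_authnz_ldap documentation linked earlier in the thread, the module combines the URL's filter and attribute with the typed username as (&(filter)(attribute=username)). The function names and the RFC 4515 escaping are this example's own assumptions; both URLs are the ones posted in the thread.

```python
import re

# RFC 4512 short attribute name: a letter, then letters, digits or hyphens.
ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
URL_SHAPE = re.compile(r"(ldaps?)://([^/?]+)/([^?]*)\??(.*)$")

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter into its fields."""
    m = URL_SHAPE.match(url)
    if not m:
        raise ValueError("expected ldap://host[:port]/basedn?attribute?scope?filter")
    scheme, host, basedn, rest = m.groups()
    attribute, scope, ldap_filter = (rest.split("?", 2) + ["", ""])[:3]
    return {
        "scheme": scheme, "host": host, "basedn": basedn,
        "attribute": attribute or "uid",            # documented defaults
        "scope": scope or "sub",
        "filter": ldap_filter or "(objectClass=*)",
    }

def escape_filter_value(value):
    """Hex-escape the RFC 4515 special characters (this example's choice)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def search_filter(url, username):
    """Filter used to look up the login name: (&(filter)(attribute=username))."""
    u = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (u["filter"], u["attribute"], escape_filter_value(username))

def lint(url):
    """Return a list of problems found in the attribute and scope fields."""
    u = parse_auth_ldap_url(url)
    problems = []
    if not ATTR_NAME.fullmatch(u["attribute"].split(",")[0]):
        problems.append("attribute field is not an attribute name: %r" % u["attribute"])
    if u["scope"] not in ("one", "sub"):
        problems.append("scope must be 'one' or 'sub': %r" % u["scope"])
    return problems

# The two URLs from the thread: the reply above and the post before it.
BASE = "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local"
WORKING = BASE + "?sAMAccountName?sub?(objectClass=*)"
BROKEN = BASE + "?sAMAccountName=connoj?sub?(objectClass=*)"

if __name__ == "__main__":
    for url in (WORKING, BROKEN):
        print(search_filter(url, "connoj"), lint(url))
```

Both URLs use plain ldap:// on port 389 as posted, so the bind password and each user's password cross the network unencrypted unless the connection is upgraded with STARTTLS or moved to ldaps://.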


Post by Mahantesh » Tue Dec 11, 2018 5:29 am

Thanks, good job :)

sAMAccountName was the culprit.

1. 'Require ldap-group CN=johns_Group, OU=LAB,DC=test-lab,DC=abc,DC=local' <--- Whether this exists or not has no effect. john can log in even if this line is removed. How to explain this?

2. If I want to give access to 5 AD users, how can I add them in nagios.conf? In cgi.cfg, I know I can add multiple usernames separated by commas, or use an asterisk for anyone.

3. I have use_authentication set to 0 in cgi.cfg, yet it is using LDAP authentication! Is this variable applicable only for local authentication, which uses nagiosadmin and a password? It looks like it is ignored in my LDAP - AD authentication.
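On point 1 above, an added example (not part of the original post) using a simplified model of Apache 2.4 authorization: Require lines that are not inside a <RequireAll> block are combined as an implicit <RequireAny>, so Require valid-user on its own admits any authenticated account and the group line changes nothing. The parser, the group-membership set and the names user2 to user9 are constructed for illustration; the last sample shows Require ldap-user with a space-separated list as one way to name individual accounts (point 2).

```python
import re

def parse_requires(conf):
    """Build a tree of Require lines; the top level is an implicit RequireAny."""
    root = ("RequireAny", [])
    stack = [root]
    for line in (raw.strip() for raw in conf.splitlines()):
        block = re.fullmatch(r"<(/?)(RequireAll|RequireAny)>", line)
        if block and block.group(1):              # closing tag
            stack.pop()
        elif block:                               # opening tag
            node = (block.group(2), [])
            stack[-1][1].append(node)
            stack.append(node)
        elif re.match(r"Require\s", line, re.I):  # commented lines never match
            stack[-1][1].append(line.split(None, 1)[1])
    return root

def allowed(node, user, groups=frozenset()):
    """Evaluate the tree for an authenticated `user` (None if not logged in)."""
    if isinstance(node, tuple):
        results = [allowed(child, user, groups) for child in node[1]]
        return all(results) if node[0] == "RequireAll" else any(results)
    kind, _, arg = node.partition(" ")
    if kind == "valid-user":
        return user is not None
    if kind == "ldap-group":                      # arg is the group DN
        return user is not None and arg.strip() in groups
    if kind == "ldap-user":                       # arg is a space-separated list
        return user is not None and user in arg.split()
    if kind == "all":
        return arg.strip() == "granted"
    raise ValueError("Require type not modelled: " + kind)

GROUP = "CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local"
AS_POSTED = "Require ldap-group %s\nRequire valid-user\n#Require all denied" % GROUP
GROUP_ONLY = "Require ldap-group %s" % GROUP
# user2..user5 are constructed account names
NAMED_USERS = "Require ldap-user connoj user2 user3 user4 user5"

if __name__ == "__main__":
    outsider = "user9"                            # authenticated, not in johns_Group
    print(allowed(parse_requires(AS_POSTED), outsider))
    print(allowed(parse_requires(GROUP_ONLY), outsider))
    print(allowed(parse_requires(GROUP_ONLY), "connoj", {GROUP}))
    print(allowed(parse_requires(NAMED_USERS), "user3"))
```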

