Nagios Core - Apache -LDAP configurations

by Mahantesh » Mon Dec 03, 2018 2:29 am

What is wrong with the parameters in this nagios.conf file ? It does not accept the AD user credentials in the web login prompt.
All same LDAP parameters if used in a separate php-ldap module, in the same setup, it authenticates. But Nagios rejects and keeps prompting login window. httpd.conf has the required .so modules loaded. Tried adding removing these parameters in different combinations(as I'm unsure of what is must and what is not), none of the combinations gets it right

Using CenOS 7, Nagios Core 4.4

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-l ... ectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
SetEnv TZ "UTC"
</IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-l ... ectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
</IfVersion>
</Directory>

by ssax » Mon Dec 03, 2018 5:48 pm

Here is what worked for me:

Code: Select all: # SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER # Last Modified: 11-26-2005 # # This file contains examples of entries that need # to be incorporated into your Apache web server # configuration file. Customize the paths, etc. as # needed to fit your system. ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin" <Directory "/usr/local/nagios/sbin"> # SSLRequireSSL Options ExecCGI AllowOverride None Order allow,deny Allow from all # Order deny,allow # Deny from all # Allow from 127.0.0.1 # AuthName "Nagios Core" # AuthType Basic # AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users # AuthzLDAPAuthoritative on AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local" AuthLDAPBindPassword "Password" AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)" AuthType Basic AuthName "contoso Authentication" AuthBasicProvider ldap AuthLDAPGroupAttributeIsDN on AuthLDAPGroupAttribute member Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local Require valid-user Require all denied </Directory> Alias /nagios "/usr/local/nagios/share" <Directory "/usr/local/nagios/share"> # SSLRequireSSL Options None AllowOverride None Order allow,deny Allow from all # Order deny,allow # Deny from all # Allow from 127.0.0.1 # AuthName "Nagios Core" # AuthType Basic # AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users # AuthzLDAPAuthoritative on AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local" AuthLDAPBindPassword "Password" AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)" AuthType Basic AuthName "contoso Authentication" AuthBasicProvider ldap AuthLDAPGroupAttributeIsDN on AuthLDAPGroupAttribute member Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local Require valid-user Require all denied </Directory>

by Mahantesh » Tue Dec 04, 2018 7:06 am

Thanks. used exact file. didn't help.

1. Why are there question marks in AuthLDAPURL

?sAMAccountName?sub?

is sAMAccountName to be replaced with AD user name ?
I tried changing it to ?AD_user_name?sub?
no change in response

and what are "sub?" & (objectClass=*)"NONE ?

2. AuthLDAPBindPassword and AuthName must be in between double quotes ?

3. Are there any settings required in config files other than nagios.conf ?

by ssax » Wed Dec 05, 2018 5:16 pm

1. sAMAccountName is what it's matching your entered active directory credentials username against on the remote side, it's the attribute it will search for, please see here for more information:

https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#authldapurl

2. You should be able to use single quotes OR double-quotes OR no quotes at all (as long as there are no spaces in the values).

3. No other settings required but make sure you have mod_ldap installed:

Code: Select all: yum install mod_ldap

Then after setting up the nagios.conf file, restart HTTPD:

Code: Select all: service httpd restart

Once that setup, please run this tail command (and leave it running):

Code: Select all: tail -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log

Then try to login with your AD credentials and post any output you get.

by Mahantesh » Thu Dec 06, 2018 2:22 am

I have been checking the logs (please see pasted below), it says password mismatch which is a 'lie'. If fact, just now checked in the event viewer logs of LDAP server (Win 2012), I see requests reaching there. It shows IP address of my nagios host and my AD user name who requested LDAP authentication. But on Nagios web console it keeps prompting Sign-in prompt

[Thu Dec 06 07:01:02.976791 2018] [auth_basic:error] [pid 3464] [client 10.10.10.10:62787] AH01617: user john: authentication failure for "/nagios/": Password Mismatch

[Thu Dec 06 07:10:08.531368 2018] [auth_basic:error] [pid 3503] [client 10.10.10.10:62908] AH01617: user john: authentication failure for "/nagios/": Password Mismatch

Even use_authentication=0 or 1 in cgi.cfg has no effect on the Sign-in prompt . am I missing something

by ssax » Thu Dec 06, 2018 4:55 pm

Does this output anything?

Code: Select all: yum install openldap-clients ldapsearch -x -D "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=administrator'

by Mahantesh » Fri Dec 07, 2018 6:37 am

Yes, that gets everything

ldapsearch -x -D "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=connoj'

reworked on the nagios.conf parameters, this is what I have now:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPBindPassword "AD_pw_of_john"
AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName=connoj?sub?(objectClass=*)"NONE
AuthType Basic
AuthName "connoj"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local
Require valid-user
#Require all denied
SetEnv TZ "UTC"
</Directory>

but Nagios web page keeps prompting Sign-in prompt

by ssax » Fri Dec 07, 2018 5:14 pm

Try this one:

Code: Select all: ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin" <Directory "/usr/local/nagios/sbin"> Options ExecCGI AllowOverride None Order allow,deny Allow from all AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local" AuthLDAPBindPassword "AD_pw_of_john" AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)" AuthType Basic AuthName "connoj" AuthBasicProvider ldap AuthLDAPGroupAttributeIsDN on AuthLDAPGroupAttribute member Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local Require valid-user #Require all denied SetEnv TZ "UTC" </Directory>

Just to make sure, you are restarting httpd after making the config changes, right?

Code: Select all: service httpd restart

by Mahantesh » Tue Dec 11, 2018 5:29 am

Thanks, good job

sAMAccountName was the culprit.

1. 'Require ldap-group CN=johns_Group, OU=LAB,DC=test-lab,DC=abc,DC=local' <--- This exists or no, has no effect. john can login even if this line is removed. how to explain

2. If I want to give access to 5 AD users, how can I add them in nagios.conf ? In cgi.cfg , I know I can add multiple usernames separated by commas, or use asterisk for anyone

3. I have use_authentication set to 0 in cgi.cfg, yet using LDAP authentication! Is this variable applicable only for local authentication which uses nagiosadmin and password ? Looks like it is ignored in my LDAP - AD authentication

Nagios Core - Apache -LDAP configurations

Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Re: Nagios Core - Apache -LDAP configurations

Who is online