Nagios Core - Apache -LDAP configurations

Posted: Mon Dec 03, 2018 2:29 am
by Mahantesh
What is wrong with the parameters in this nagios.conf file? It does not accept the AD user credentials in the web login prompt.
The same LDAP parameters, if used in a separate php-ldap module in the same setup, authenticate. But Nagios rejects them and keeps prompting the login window. httpd.conf has the required .so modules loaded. Tried adding and removing these parameters in different combinations (as I'm unsure of what is a must and what is not); none of the combinations gets it right.

Using CentOS 7, Nagios Core 4.4

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
SetEnv TZ "UTC"
</IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
</IfVersion>
</Directory>

Re: Nagios Core - Apache -LDAP configurations

Posted: Mon Dec 03, 2018 5:48 pm
by ssax
Here is what worked for me:

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
# Last Modified: 11-26-2005
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file.  Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# AuthzLDAPAuthoritative on
 AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
 AuthLDAPBindPassword "Password"
 AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
 AuthType Basic
 AuthName "contoso Authentication"
 AuthBasicProvider ldap
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPGroupAttribute member
 Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
   Require valid-user
   Require all denied
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# AuthzLDAPAuthoritative on
 AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
 AuthLDAPBindPassword "Password"
 AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
 AuthType Basic
 AuthName "contoso Authentication"
 AuthBasicProvider ldap
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPGroupAttribute member
 Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
   Require valid-user
   Require all denied
</Directory>

Re: Nagios Core - Apache -LDAP configurations

Posted: Tue Dec 04, 2018 7:06 am
by Mahantesh
Thanks. Used the exact file. Didn't help.

1. Why are there question marks in AuthLDAPURL?

?sAMAccountName?sub?

Is sAMAccountName to be replaced with the AD user name?
I tried changing it to ?AD_user_name?sub?
No change in response.

And what are "sub?" & (objectClass=*)"NONE?


2. Must AuthLDAPBindPassword and AuthName be between double quotes?

3. Are there any settings required in config files other than nagios.conf?

Re: Nagios Core - Apache -LDAP configurations

Posted: Wed Dec 05, 2018 5:16 pm
by ssax
1. sAMAccountName is what it matches the username from your entered Active Directory credentials against on the remote side; it's the attribute it will search for. Please see here for more information:

https://httpd.apache.org/docs/2.4/mod/m ... uthldapurl

2. You should be able to use single quotes OR double-quotes OR no quotes at all (as long as there are no spaces in the values).

3. No other settings required but make sure you have mod_ldap installed:

yum install mod_ldap
Then after setting up the nagios.conf file, restart HTTPD:

service httpd restart
Once that is set up, please run this tail command (and leave it running):

tail -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then try to log in with your AD credentials and post any output you get.
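An added example (not from this thread, and not Nagios or Apache code): a Python checker that splits an AuthLDAPURL line into the fields mod_authnz_ldap expects (host, port, base DN, attribute, scope, filter, connection type), shows the search filter Apache actually sends for a login name, and flags the mistakes that come up in this thread: an attribute field written as `sAMAccountName=connoj`, text glued onto the closing quote, and a plain ldap:// connection that carries passwords in cleartext. The URLs in the demo are the ones posted in the thread; the `dc.example.test` host used in testing is made up. Field defaults (uid, sub, (objectClass=*)) follow the mod_authnz_ldap documentation.

```python
"""Checker for Apache's AuthLDAPURL directive (added example, not Apache's code).

Splits 'AuthLDAPURL "url" [NONE|SSL|TLS|STARTTLS]' into the fields mod_authnz_ldap
expects, shows the search filter Apache builds for a login name, and reports
problems. Defaults (uid, sub, (objectClass=*)) follow the mod_authnz_ldap docs.
"""
import re
import shlex
from urllib.parse import unquote, urlsplit

# Optional second argument of AuthLDAPURL: how to connect to the server.
CONNECTION_TYPES = {"NONE", "SSL", "TLS", "STARTTLS"}
# A bare attribute name (letters, digits, hyphens), e.g. sAMAccountName or uid.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_authldapurl(line: str) -> dict:
    """Parse one AuthLDAPURL line; returns the fields plus a 'warnings' list."""
    tokens = shlex.split(line.strip())          # handles quoted and unquoted URLs
    if not tokens or tokens[0].lower() != "authldapurl":
        raise ValueError("not an AuthLDAPURL directive")
    if len(tokens) not in (2, 3):
        raise ValueError("expected: AuthLDAPURL url [connection-type]")
    url = tokens[1]
    connection = tokens[2].upper() if len(tokens) == 3 else "NONE"
    warnings = []
    if connection not in CONNECTION_TYPES:
        warnings.append(f"unknown connection type {connection!r}")

    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    # After the base DN, '?' separates attribute, scope and filter (RFC 4516 layout).
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    # Apache uses only the first attribute of a comma-separated list; default uid.
    attribute = unquote(fields[0]).split(",")[0] or "uid"
    scope = unquote(fields[1]).lower() or "sub"
    ldap_filter = unquote(fields[2]) or "(objectClass=*)"

    if not ATTR_NAME.match(attribute):
        warnings.append(f"attribute field {attribute!r} is not a bare attribute name; "
                        "Apache appends '=<login name>' itself, so write e.g. 'sAMAccountName'")
    if scope not in ("one", "sub", "base"):
        warnings.append(f"scope must be 'one' or 'sub', got {scope!r}")
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        warnings.append(f"filter {ldap_filter!r} is not a parenthesised LDAP filter "
                        "(check for text glued to the closing quote)")
    if parts.scheme == "ldap" and connection == "NONE":
        warnings.append("plain ldap:// without STARTTLS: the bind password and every "
                        "user's login password cross the network in cleartext")

    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute,
        "scope": "sub" if scope == "base" else scope,   # Apache treats base as sub
        "filter": ldap_filter,
        "connection": connection,
        "warnings": warnings,
    }


def effective_filter(parsed: dict, login_name: str) -> str:
    """The filter Apache sends: (&(<filter>)(<attribute>=<login name>))."""
    return f"(&{parsed['filter']}({parsed['attribute']}={login_name}))"


if __name__ == "__main__":
    # The two URLs posted in this thread: the broken one and the working one.
    for line in (
        'AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local'
        '?sAMAccountName=connoj?sub?(objectClass=*)"NONE',
        'AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local'
        '?sAMAccountName?sub?(objectClass=*)"',
    ):
        p = parse_authldapurl(line)
        print(line)
        print("  search:", effective_filter(p, "connoj"), "scope", p["scope"])
        for w in p["warnings"]:
            print("  warning:", w)
```

Running it on the two URLs from the thread prints the filter `(&(objectClass=*)(sAMAccountName=connoj))` for the working line, and for the broken line reports the attribute field that already contains `=connoj` and the `NONE` that ended up inside the filter because it was glued to the closing quote. The quoting question is answered by `shlex.split` behaving the same way for a quoted and an unquoted URL as long as the URL contains no spaces.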

Re: Nagios Core - Apache -LDAP configurations

Posted: Thu Dec 06, 2018 2:22 am
by Mahantesh
I have been checking the logs (please see pasted below); it says password mismatch, which is a 'lie'. In fact, I just now checked the event viewer logs of the LDAP server (Win 2012) and I see requests reaching there. It shows the IP address of my Nagios host and my AD user name that requested LDAP authentication. But on the Nagios web console it keeps showing the sign-in prompt.

[Thu Dec 06 07:01:02.976791 2018] [auth_basic:error] [pid 3464] [client 10.10.10.10:62787] AH01617: user john: authentication failure for "/nagios/": Password Mismatch

[Thu Dec 06 07:10:08.531368 2018] [auth_basic:error] [pid 3503] [client 10.10.10.10:62908] AH01617: user john: authentication failure for "/nagios/": Password Mismatch


Even use_authentication=0 or 1 in cgi.cfg has no effect on the sign-in prompt. Am I missing something?

Re: Nagios Core - Apache -LDAP configurations

Posted: Thu Dec 06, 2018 4:55 pm
by ssax
Does this output anything?

yum install openldap-clients
ldapsearch -x -D "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=administrator'

Re: Nagios Core - Apache -LDAP configurations

Posted: Fri Dec 07, 2018 6:37 am
by Mahantesh
Yes, that gets everything

ldapsearch -x -D "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=connoj'

Reworked the nagios.conf parameters; this is what I have now:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPBindPassword "AD_pw_of_john"
AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName=connoj?sub?(objectClass=*)"NONE
AuthType Basic
AuthName "connoj"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local
Require valid-user
#Require all denied
SetEnv TZ "UTC"
</Directory>

But the Nagios web page keeps showing the sign-in prompt.

Re: Nagios Core - Apache -LDAP configurations

Posted: Fri Dec 07, 2018 5:14 pm
by ssax
Try this one:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPBindPassword "AD_pw_of_john"
AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "connoj"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local
Require valid-user
#Require all denied
SetEnv TZ "UTC"
</Directory>
Just to make sure, you are restarting httpd after making the config changes, right?

service httpd restart

Re: Nagios Core - Apache -LDAP configurations

Posted: Tue Dec 11, 2018 5:29 am
by Mahantesh
Thanks, good job :)

sAMAccountName was the culprit.

1. 'Require ldap-group CN=johns_Group, OU=LAB,DC=test-lab,DC=abc,DC=local' <--- Whether this exists or not has no effect. john can log in even if this line is removed. How to explain?

2. If I want to give access to 5 AD users, how can I add them in nagios.conf? In cgi.cfg, I know I can add multiple usernames separated by commas, or use an asterisk for anyone.

3. I have use_authentication set to 0 in cgi.cfg, yet LDAP authentication is being used! Is this variable applicable only for local authentication, which uses nagiosadmin and a password? It looks like it is ignored in my LDAP - AD authentication.

Re: Nagios Core - Apache -LDAP configurations

Posted: Fri Dec 14, 2018 2:38 pm
by scottwilkerson
I'm going to close this thread as the same question was asked in this thread
https://support.nagios.com/forum/viewto ... =7&t=51634