Nagios LDAP integration

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
tdekoning93
Posts: 6
Joined: Mon Jan 21, 2019 4:39 am

Nagios LDAP integration

Post by tdekoning93 »

I have been fiddling around with Nagios LDAP integration for quite a while now. While we do have Nagios XI, importing users is not an option because this is not manageable in an enterprise organisation. Because of this reason I was trying to get Apache <--> Active Directory to work. I have tried a lot of different configurations but always end up with "Invalid username or password.".

Logging for Nagios and Apache doesn't tell me anything is going wrong. My current nagios.conf is below. Any help on how I can troubleshoot this and get to a working state would be much appreciated. With an ldapsearch query I'm able to retrieve the right information, so it's not the LDAP query or any firewalling in between.

Code:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
  Options ExecCGI
  AllowOverride None
  Order allow,deny
  Allow from all

  AuthName "Nagios Access"
  AuthType Basic
  Require valid-user

  AuthLDAPURL "ldap://192.168.X.X:389/DC=domain,DC=local?sAMAccountName?sub"
  AuthLDAPBindDN "CN=LDAP Nagios,OU=Service Accounts,OU=Some OU,OU=Some OU,OU=Organization,DC=domain,DC=local"
  AuthLDAPBindPassword "Password"

  AuthBasicProvider file ldap
  AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
  Options ExecCGI
  AllowOverride None
  Order allow,deny
  Allow from all

  AuthName "Nagios Access"
  AuthType Basic
  Require valid-user

  AuthLDAPURL "ldap://192.168.X.X:389/DC=domain,DC=local?sAMAccountName?sub"
  AuthLDAPBindDN "CN=LDAP Nagios,OU=Service Accounts,OU=Some OU,OU=Some OU,OU=Organization,DC=domain,DC=local"
  AuthLDAPBindPassword "Password"

  AuthBasicProvider file ldap
  AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
</Directory>
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios LDAP integration

Post by ssax »

Here is what worked for me:

Code:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
#   SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
#   Order deny,allow
#   Deny from all
#   Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#   AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
    AuthLDAPBindPassword "Password"
    AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthName "contoso Authentication"
    AuthBasicProvider ldap
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
    Require valid-user
    Require all denied
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
#   SSLRequireSSL
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
#   Order deny,allow
#   Deny from all
#   Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
#   AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
    AuthLDAPBindPassword "Password"
    AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthType Basic
    AuthName "contoso Authentication"
    AuthBasicProvider ldap
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
    Require valid-user
    Require all denied
</Directory>
1. sAMAccountName is what it matches the username from your entered Active Directory credentials against on the remote side; it's the attribute it will search for. Please see here for more information:

https://httpd.apache.org/docs/2.4/mod/m ... uthldapurl

2. You should be able to use single quotes OR double quotes OR no quotes at all (as long as there are no spaces in the values).

3. No other settings are required, but make sure you have mod_ldap installed:

Code:

yum install mod_ldap

Then, after setting up the nagios.conf file, restart HTTPD:

Code:

service httpd restart

Once that is set up, please run this tail command (and leave it running):

Code:

tail -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log

Then try to log in with your AD credentials and post any output you get.
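Added example (not part of this thread, nor Apache or Nagios code): it works out the LDAP search that mod_authnz_ldap issues for an AuthLDAPURL like the ones above, filling in the module's defaults for a missing attribute, scope or filter, and builds the matching ldapsearch so the same base DN and query can be verified from the shell before blaming the web server. The bind DN and user name in the usage block are constructed.

```python
# Added example for this thread (not Apache or Nagios code): the LDAP search mod_authnz_ldap runs for
# an AuthLDAPURL (ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]]) and the equivalent ldapsearch.
import shlex
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping (as mod_authnz_ldap applies) so a login name cannot alter the filter."""
    return "".join(_ESC.get(ch, ch) for ch in value)


@dataclass
class LdapUrl:
    uri: str        # scheme://host:port, with the default port filled in
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> LdapUrl:
    """Split an AuthLDAPURL into its parts, applying mod_authnz_ldap's defaults."""
    parts = urlsplit(url.strip().strip("\"'"))
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an ldap:// or ldaps:// URL with a host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    # Everything after the base DN is '?'-separated: attribute?scope?filter.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute = fields[0].split(",")[0] or "uid"          # only the first attribute is used
    scope = "one" if fields[1] == "one" else "sub"        # 'base' is not supported -> sub
    filt = unquote(fields[2]) or "(objectClass=*)"
    return LdapUrl(f"{parts.scheme}://{parts.hostname}:{port}",
                   unquote(parts.path.lstrip("/")), attribute, scope, filt)


def user_search_filter(ldap_url: LdapUrl, username: str) -> str:
    """The filter Apache sends: (&(<filter>)(<attribute>=<escaped username>))."""
    return f"(&{ldap_url.filter}({ldap_url.attribute}={escape_filter_value(username)}))"


def ldapsearch_command(ldap_url: LdapUrl, bind_dn: str, username: str) -> str:
    """Equivalent ldapsearch (prompts for the bind password) to run the same query by hand."""
    argv = ["ldapsearch", "-x", "-H", ldap_url.uri, "-D", bind_dn, "-W", "-b", ldap_url.base_dn,
            "-s", ldap_url.scope, user_search_filter(ldap_url, username), "dn", ldap_url.attribute]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed sample: the URL shape from this thread plus a hypothetical bind DN and user.
    url = parse_auth_ldap_url('"ldap://192.168.68.2/DC=COOL,DC=BLUE?sAMAccountName?sub?(objectClass=*)"')
    print(ldapsearch_command(url, "CN=LDAP Nagios,OU=Service Accounts,DC=COOL,DC=BLUE", "jdoe"))
```

If the printed ldapsearch returns exactly one DN for a real user, the URL, base DN and bind account are fine and the fault lies elsewhere in the web server configuration.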
omalik
Posts: 2
Joined: Tue Jan 22, 2019 2:09 am

Re: Nagios LDAP integration

Post by omalik »

Hi,

I am dealing with a similar problem, but my Nagios server is running on Ubuntu and I don't have a /var/log/httpd/ folder, but /var/log/apache2/. This won't be a problem, but I don't have any /var/log/apache2/ssl_error_log file. The /var/log/apache2/error.log I do have.

Thanks.
tdekoning93
Posts: 6
Joined: Mon Jan 21, 2019 4:39 am

Re: Nagios LDAP integration

Post by tdekoning93 »

Thanks for the reply! I've followed everything you said and still got "Invalid username or password.". Nothing is sent to the logs during this. The only thing I get on an HTTPD restart is the output below. I have actually no clue where it's going wrong. LDAP queries work fine with the information provided from the same server.

Code:

[root@nlam01-vpnag01 conf.d]# tail -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log
==> /var/log/httpd/error_log <==
[Tue Jan 22 03:27:01.692024 2019] [mpm_prefork:notice] [pid 28047] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Tue Jan 22 03:27:01.692047 2019] [core:notice] [pid 28047] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Tue Jan 22 09:45:49.367808 2019] [mpm_prefork:notice] [pid 28047] AH00170: caught SIGWINCH, shutting down gracefully
[Tue Jan 22 09:45:50.475824 2019] [core:notice] [pid 7923] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Tue Jan 22 09:45:50.477039 2019] [suexec:notice] [pid 7923] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jan 22 09:45:50.515314 2019] [auth_digest:notice] [pid 7923] AH01757: generating secret for digest authentication ...
[Tue Jan 22 09:45:50.516404 2019] [lbmethod_heartbeat:notice] [pid 7923] AH02282: No slotmem from mod_heartmonitor
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/gd.so' - libjpeg.so.62: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Jan 22 09:45:50.561425 2019] [mpm_prefork:notice] [pid 7923] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16 configured -- resuming normal operations
[Tue Jan 22 09:45:50.561459 2019] [core:notice] [pid 7923] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

==> /var/log/httpd/ssl_error_log <==
tdekoning93
Posts: 6
Joined: Mon Jan 21, 2019 4:39 am

LDAP integration

Post by tdekoning93 »

Hello! Posted a topic before in General Support but might as well put it here. Setting up a new Nagios environment and before we used the Import functionality for authentication. Now this has been quite bothersome to manage new employees joining and old people leaving. I have been trying in the meanwhile to use the LDAP / Apache integration, but couldn't get this to work (for more information see link below).

How would I go about setting this up properly so I don't have to manage users in the future anymore?

https://support.nagios.com/forum/viewto ... =7&t=52085
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios LDAP integration

Post by ssax »

PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/gd.so'

Try this:

Code:

yum install php-gd
service httpd restart

SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0

Is SELinux impacting it?

Code:

getenforce
sestatus

You can try disabling it temporarily:

Code:

setenforce 0

Please run this command and send me the resulting /tmp/HTTPDFILES.zip file:

Code:

zip -r /tmp/HTTPDFILES.zip /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios LDAP integration

Post by ssax »

omalik wrote: Hi,

I am dealing with a similar problem, but my Nagios server is running on Ubuntu and I don't have a /var/log/httpd/ folder, but /var/log/apache2/. This won't be a problem, but I don't have any /var/log/apache2/ssl_error_log file. The /var/log/apache2/error.log I do have.

Thanks.
@omalik, please create a new separate forum post for your issue so that we can work it without confusion.

Thank you
tdekoning93
Posts: 6
Joined: Mon Jan 21, 2019 4:39 am

Re: Nagios LDAP integration

Post by tdekoning93 »

@ssax thank you for sticking with me on this issue. Package php-gd-5.4.16-46.el7.x86_64 is already installed and the latest version. To resolve the warning I did install libjpeg-turbo, which resolved the message. SELinux was already set to permissive, but I completely disabled it to make things easier. This didn't resolve the issue either. Files can be found in the link below:

[File received, link removed]
Last edited by ssax on Fri Jan 25, 2019 4:47 pm, edited 1 time in total.
Reason: Link removed
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios LDAP integration

Post by ssax »

Please edit your /etc/httpd/conf.d/nagios.conf and change the top line from:
- Notice that "DC=cool,DC=blue" is lowercase

Code:

AuthLDAPURL "ldap://192.168.68.2/DC=cool,DC=blue?sAMAccountName?sub?(objectClass=*)"

To this:
- Notice that "DC=COOL,DC=BLUE" is now uppercase

Code:

AuthLDAPURL "ldap://192.168.68.2/DC=COOL,DC=BLUE?sAMAccountName?sub?(objectClass=*)"

Then restart the httpd service and try again:

Code:

service httpd restart

While Windows may not care about case sensitivity, Linux does; that may be why it's failing. If it isn't that, then you should talk with your AD admins and have them set up a trace on the authentication/bind so you can see what is occurring.
tdekoning93
Posts: 6
Joined: Mon Jan 21, 2019 4:39 am

Re: Nagios LDAP integration

Post by tdekoning93 »

Hi ssax,

Sorry for the delay. I've checked in AD for any attempts at being reached, but in the event log I don't see anything passing by. I also enabled debug logging on Apache, and the only thing I see passing by when trying to log in is:

Code:

[Wed Feb 13 17:06:23.549102 2019] [authz_core:debug] [pid 18552] mod_authz_core.c(809): [client 192.168.249.1:54556] AH01626: authorization result of Require all granted: granted, referer: http://192.168.249.101/nagiosxi/login.php
[Wed Feb 13 17:06:23.549127 2019] [authz_core:debug] [pid 18552] mod_authz_core.c(809): [client 192.168.249.1:54556] AH01626: authorization result of <RequireAny>: granted, referer: http://192.168.249.101/nagiosxi/login.php

From my point of view it looks like the LDAP module is not even triggered by the login attempt on the Nagios XI page. Is there any way I can get in contact with support? The reason we have an XI license is to get these kinds of things working. Without this, the solution overall is going to be a pain to maintain within a company with fluctuating users.

Probably this configuration will just not work with XI and I'm forced to use the native Active Directory import functionality, which forces me to manually import and remove users on a weekly basis (yay, manual work).

EDIT: Got confirmation through a support ticket that Apache LDAP is not called by Nagios XI logins. It was a mistake on my part to assume that authentication for Nagios XI and Nagios Core would work the same way, and to create this post in the wrong section.

Going to work with the REST API and PowerShell to get the users I want in Active Directory and put those in Nagios XI.