Nagios and Centrify Active Directory - authorization

staceygong
Posts: 10
Joined: Tue Nov 01, 2016 6:19 am

Nagios and Centrify Active Directory - authorization

Post by staceygong »

Hi,

I am setting up a Nagios server on Red Hat Linux 6.7 using nagios-3.5.1-1.el6.x86_64 rpm.
I would like to use Centrify Active Directory for Nagios authentication and authorization.
I found two articles about this:
https://rravikumar.wordpress.com/2015/0 ... ntication/
https://exchange.nagios.org/components/ ... 9&cf_id=29

It is easy to configure authentication. I updated my nagios apache2.conf as:

AuthName "Nagios"
AuthType CENTRIFYDC
EnableBasicAuth true
Require user valid-user

Now I can log in to http://my-nagios-server/nagios with Centrify username and password.

However, I can't get authorization to work correctly.

I tried to add the admin user (userA) from Centrify AD in /etc/nagios/cgi.cfg file:

authorized_for_system_information=nagiosadmin,userA@DomainName
authorized_for_configuration_information=nagiosadmin,userA@DomainName
authorized_for_system_commands=nagiosadmin,userA@DomainName
authorized_for_all_services=nagiosadmin,userA@DomainName
authorized_for_all_hosts=nagiosadmin,userA@DomainName
authorized_for_all_service_commands=nagiosadmin,userA@DomainName
authorized_for_all_host_commands=nagiosadmin,userA@DomainName

But when I log in as userA, I can't browse any host/hostgroup/service/servicegroup, complaining no permissions....

I have to change the username specified in cgi.cfg to * to make it work:

authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

But now all the users get the same authorization! Everyone can see everything...

What am I missing? Any advice? Thanks a lot!

Thanks,
Stacey
Last edited by dwhitfield on Thu Nov 03, 2016 10:01 am, edited 1 time in total.
Reason: marking with green check mark
staceygong
Posts: 10
Joined: Tue Nov 01, 2016 6:19 am

Re: Nagios and Centrify Active Directory - authorization

Post by staceygong »

Hi,

I figured it out myself :)

In /etc/nagios/cgi.cfg, before I used lower case for DomainName. For example:

authorized_for_system_information=nagiosadmin,[email protected]

When I checked the “Tactical Overview” page, I found it says "Logged in as [email protected]"

After I modified all configuration files to use UPPER CASE, authorization now works fine as expected.

So here comes another question:

Any way I can tell Nagios all my users are from EXAMPLE.COM and don't need to specify all my contacts with EXAMPLE.COM suffix?

I would assume it is something in the apach2.conf? My apach2.conf now looks like:

AuthName "Nagios"
AuthType CENTRIFYDC
EnableBasicAuth true
Require user valid-user

I have an example of LDAP configuration:

AuthLDAPBindDN "uid=myldap,ou=people,dc=dept1,dc=example,dc=com"
Require ldap-group cn=support,ou=Group,dc=dept1,dc=example,dc=com

I guess I need to do the same thing for Centrify AD? But I'm not sure about the actual format... will test... I hope someone has done it before and can give me some advice...

Thanks,
Stacey
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nagios and Centrify Active Directory - authorization

Post by rkennedy »

Ah, this will matter depending on what is looking for the cAsE sEnSiTiViTy.

Because of how Core handles authentication and lining up, I don't think there is going to be a way around this. I'll break down what is happening on the backend here -

- LDAP user logs in with [email protected] which is passed directly to your LDAP server, which approves / denies accordingly.
- The user [email protected] is then authenticated through basic auth. The session is locked to [email protected] due to LDAP.
- Permissions on Nagios reflect the same session username, so [email protected]

You might be able to alter this in a way, but nothing that I know of off the top of my head. If I were to guess, it would be appending the @EXAMPLE.COM suffix somewhere in the original login request.
Former Nagios Employee
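
An added example, not part of any post in this thread: a small Python audit of cgi.cfg that reports, for the name shown in "Logged in as", which authorized_for_* directives match exactly, which differ only by case (the failure described above), and which are open to every authenticated user through *. The sample configuration and the function names are constructed for illustration, and it assumes names are compared case-sensitively, as the thread observed.

```python
import re

# Constructed sample of cgi.cfg lines (not taken from a real system).
SAMPLE_CGI_CFG = """\
# constructed sample
use_authentication=1
authorized_for_system_information=nagiosadmin,userA@example.com
authorized_for_all_hosts=*
authorized_for_all_services=nagiosadmin,userA@EXAMPLE.COM
"""

# Commented-out directives start with '#' and therefore do not match.
DIRECTIVE = re.compile(r"^\s*(authorized_for_\w+)\s*=\s*(.*)$")


def parse_authorized(cfg_text):
    """Return {directive: [names]} for every authorized_for_* line."""
    rules = {}
    for line in cfg_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            names = [n.strip() for n in m.group(2).split(",") if n.strip()]
            rules[m.group(1)] = names
    return rules


def audit(cfg_text, remote_user):
    """Classify each directive for the name the web server passes to the CGIs."""
    findings = {}
    for directive, names in parse_authorized(cfg_text).items():
        if "*" in names:
            findings[directive] = "wildcard"       # all authenticated users
        elif remote_user in names:
            findings[directive] = "exact-match"
        elif remote_user.lower() in (n.lower() for n in names):
            findings[directive] = "case-mismatch"  # listed, but will not match
        else:
            findings[directive] = "not-listed"
    return findings


if __name__ == "__main__":
    for directive, status in audit(SAMPLE_CGI_CFG, "userA@EXAMPLE.COM").items():
        print(f"{directive}: {status}")
```

Run it with the exact string from the "Logged in as" line; any "wildcard" or "case-mismatch" result points at a directive to correct.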
staceygong
Posts: 10
Joined: Tue Nov 01, 2016 6:19 am

Re: Nagios and Centrify Active Directory - authorization

Post by staceygong »

Hi,

Thank you for the reply. It helps me understand more about Nagios...

I figured it out. I added this line to /etc/nagios/apach2.conf:

IdentityType samAccountName

The samAccountName in my Centrify authentication displays just the username without EXAMPLE.COM.

Now when I log in to Nagios, it shows me as "Logged in as userA".

Thanks,
Stacey
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nagios and Centrify Active Directory - authorization

Post by rkennedy »

No problem. Awesome to see you were able to work with what I gave you!

Are we good to mark this thread as resolved?
Former Nagios Employee
staceygong
Posts: 10
Joined: Tue Nov 01, 2016 6:19 am

Re: Nagios and Centrify Active Directory - authorization

Post by staceygong »

Yes, you can mark this issue as resolved. Thanks!
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Nagios and Centrify Active Directory - authorization

Post by dwhitfield »

Glad to hear it is resolved. I am going to lock the thread. Please feel free to post again if you have another issue. Thank you for using the Nagios forums!