Nagios LDAP Authentication [SOLVED]

blevans
Posts: 13
Joined: Mon Mar 23, 2015 3:40 pm

Nagios LDAP Authentication [SOLVED]

Post by blevans »

I am trying to enable LDAPS authentication for my Nagios web GUI (https://localhost/nagios) against Active Directory. I've set this up with LDAP before without much trouble, but LDAPS is a headache. I think my cert is valid since Event Viewer in Active Directory shows what I believe is a successful credential validation. In my browser, after entering username and pwd for AD, it spins for a while and ends up at an Internal Server Error page. None of my logs give me anything useful.

Here's what I've done so far:

1: nagios.conf - Modified for LDAPS (see below attached file)

2: ldap.conf - Added the following lines:


        # /etc/openldap/ldap.conf: defaults for the OpenLDAP client library (HOST/PORT are the older form of URI)
        HOST [hostname]
        PORT 636
        TLS_CACERT /etc/httpd/conf.d/rootcert.pem
        # "never" means the client neither requests nor checks the server certificate, so the
        # TLS_CACERT above is not consulted and any certificate on port 636 is accepted.
        # "demand" (the OpenLDAP default) enforces the check against TLS_CACERT.
        TLS_REQCERT never
(FYI, rootcert.pem was created by taking the cert issued by the root CA and converting to pem format):


        openssl x509 -inform der -in rootcert.cer -out rootcert.pem
Here is my nagios.conf. Anything in [brackets] is edited to not include my real info:


    ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

    <Directory "/usr/local/nagios/sbin">
        SSLRequireSSL
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative on
        # Only consulted by "Require ldap-group"; unused with "Require valid-user" below.
        # AD's member attribute holds DNs, so a group check would need IsDN set to on.
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN off
        AuthName "Active Directory Login 1"
        # The ldaps:// scheme already selects SSL, so the trailing NONE has no effect (SSL is the clearer keyword).
        # (objectClass=*) matches any object carrying that sAMAccountName; (objectClass=user) would restrict it to accounts.
        AuthLDAPURL "ldaps://[myActiveDirServerName]:636/DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=nagiosadmin,OU=[ou1],OU=[ou2],OU=[ou3],DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]"
        # Stored in clear text: keep this file readable by root only and give the bind account read access only.
        AuthLDAPBindPassword [passwd]
        Require valid-user
    </Directory>

    Alias /nagios "/usr/local/nagios/share"

    <Directory "/usr/local/nagios/share">
        SSLRequireSSL
        # ExecCGI is not needed for the static share/ tree; the CGIs live in sbin/ above.
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative on
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN off
        # A different realm name here makes browsers prompt a second time when moving
        # between /nagios/ and /nagios/cgi-bin/; one AuthName for both blocks avoids that.
        AuthName "Active Directory Login 2"
        # Same URL, bind DN and password as the block above; a change must be made in both places.
        AuthLDAPURL "ldaps://[myActiveDirServerName]:636/DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]?sAMAccountName?sub?(objectClass=*)" NONE
        AuthLDAPBindDN "CN=nagiosadmin,OU=[ou1],OU=[ou2],OU=[ou3],DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]"
        AuthLDAPBindPassword [passwd]
        Require valid-user
    </Directory>
Any help you could provide would be greatly appreciated!
Last edited by dwhitfield on Mon Jan 09, 2017 10:33 am, edited 2 times in total.
Reason: marking with green check mark
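The poster's logs gave nothing useful, so the two questions worth settling first are whether the DC's certificate chain validates against rootcert.pem on the port in use, and whether the bind plus sAMAccountName lookup that Apache performs works on 636 (one domain) versus 3269 (the Global Catalog over SSL, which spans the forest and returns only the partial attribute set). The script below is an added example written for this thread, not code from the post or from Nagios; the DC host, CA file path, bind DN, base DN and user in it are assumed placeholders. It forces certificate checking on with LDAPTLS_REQCERT=demand so that a chain problem hidden by TLS_REQCERT never in ldap.conf shows up as a failed bind rather than a silent success.

```shell
#!/usr/bin/env bash
# Added diagnostic script for the LDAPS problem above (not from the thread).
# Assumed placeholders: the DC host (LDAPS_DC), CA file, bind DN, base DN and
# user below are examples, not values from the post.
set -u

# Build an ldaps:// URL from host and port so the probes share one form.
ldaps_url() {
    printf 'ldaps://%s:%s' "$1" "$2"
}

# Pull the numeric "Verify return code" out of openssl s_client output (stdin).
# 0 means the server chain validated against the CA file; any other value is
# the reason a client with TLS_REQCERT demand would have refused the server.
parse_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# TLS probe: implicit SSL on connect, the same as mod_ldap does for ldaps://
# (no STARTTLS). Prints the verify code and succeeds only when it is 0.
tls_probe() {
    local host=$1 port=$2 cafile=$3 code
    code=$(openssl s_client -connect "$host:$port" -servername "$host" \
               -CAfile "$cafile" </dev/null 2>/dev/null | parse_verify_code)
    echo "tls $host:$port verify_code=${code:-none}"
    [ "$code" = "0" ]
}

# Bind probe: the bind + user lookup Apache performs, with certificate checking
# forced on. LDAPTLS_REQCERT/LDAPTLS_CACERT override ldap.conf for this process.
# The bind password comes from LDAP_BIND_PW (use -y <file> instead of -w if the
# password must stay out of the process list).
bind_probe() {
    local host=$1 port=$2 cafile=$3 binddn=$4 base=$5 user=$6
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="$cafile" \
    ldapsearch -LLL -H "$(ldaps_url "$host" "$port")" \
        -D "$binddn" -w "${LDAP_BIND_PW:?set LDAP_BIND_PW}" -b "$base" \
        "(sAMAccountName=$user)" dn sAMAccountName
}

# Run both probes against 636 (domain) and 3269 (Global Catalog over SSL) when
# LDAPS_DC is set, e.g.:  LDAPS_DC=dc01.example.com LDAP_BIND_PW='...' ./check_ldaps.sh
# On 3269 the base DN may be the forest root; the GC partial attribute set
# includes sAMAccountName, so the same lookup works there.
if [ -n "${LDAPS_DC:-}" ]; then
    cafile=${LDAPS_CAFILE:-/etc/httpd/conf.d/rootcert.pem}
    binddn=${LDAPS_BINDDN:-CN=nagiosadmin,OU=Service Accounts,DC=example,DC=com}
    base=${LDAPS_BASE:-DC=example,DC=com}
    for port in 636 3269; do
        tls_probe "$LDAPS_DC" "$port" "$cafile" || echo "  chain did not verify on $port"
        bind_probe "$LDAPS_DC" "$port" "$cafile" "$binddn" "$base" "${LDAPS_USER:-nagiosadmin}" \
            || echo "  bind/search failed on $port (exit $?)"
    done
fi
```

A verify code other than 0 on 636 together with a working bind under the original ldap.conf is exactly the combination TLS_REQCERT never produces: the connection is encrypted but the DC was never authenticated, which is what an attacker on the path to the DC needs to harvest the bind password and every user password passed through the web GUI.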
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Nagios LDAP Authentication

Post by dwhitfield »

I don't want to sound like we're pushing you away, but have you asked at the Apache forums? We're not really experts in Apache here and I'm certain they would have more knowledge of things like this.
blevans
Posts: 13
Joined: Mon Mar 23, 2015 3:40 pm

Re: Nagios LDAP Authentication

Post by blevans »

I have not tried the Apache forums yet.
Will do now. Thanks for the advice.
I'll update this thread as I get any new info.
blevans
Posts: 13
Joined: Mon Mar 23, 2015 3:40 pm

Re: Nagios LDAP Authentication

Post by blevans »

I switched the port from 636 to 3269, which supposedly is just as secure (uses SSL encryption).
Problem is solved.
Derived the fix from the Apache forums, so big thanks to @dwhitfield!
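For readers applying the same fix, here is the posted nagios.conf reworked for port 3269 with server-certificate verification kept on instead of switched off in ldap.conf, and with access limited to one AD group rather than every valid account. This is an added example written for this thread, not configuration from the post or from Nagios; it keeps the Apache 2.2 syntax of the original, and the [bracketed] names, the CA file path and the group CN=[nagios-web-users] are assumed placeholders.

```apache
# Added example (not from the thread): hardened form of the posted nagios.conf.
# Placeholders in [brackets] are assumptions, as in the original post.

# Server-wide mod_ldap settings (must sit outside any <Directory>): trust only the
# enterprise root CA exported earlier and refuse a DC whose chain does not verify.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf.d/rootcert.pem
LDAPVerifyServerCert On

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
    SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    # One realm for both directories so the browser prompts once.
    AuthName "Active Directory Login"
    # 3269 is the Global Catalog over SSL: forest-wide, partial attribute set. sAMAccountName
    # and member are part of that set, so the login and the group check below still work.
    # Mode is given as SSL (implicit TLS on connect); the filter is narrowed to user objects.
    AuthLDAPURL "ldaps://[myActiveDirServerName]:3269/DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]?sAMAccountName?sub?(objectClass=user)" SSL
    AuthLDAPBindDN "CN=nagiosadmin,OU=[ou1],OU=[ou2],OU=[ou3],DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]"
    # Clear-text secret: chmod 600 this file; the bind account needs read access only.
    AuthLDAPBindPassword [passwd]
    # Least privilege: AD's member attribute holds DNs, so IsDN is on and only members
    # of a dedicated group reach the CGIs, not every account in the forest.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=[nagios-web-users],OU=[ou1],DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
    SSLRequireSSL
    # Static tree: no ExecCGI needed here.
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "Active Directory Login"
    AuthLDAPURL "ldaps://[myActiveDirServerName]:3269/DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]?sAMAccountName?sub?(objectClass=user)" SSL
    AuthLDAPBindDN "CN=nagiosadmin,OU=[ou1],OU=[ou2],OU=[ou3],DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]"
    AuthLDAPBindPassword [passwd]
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=[nagios-web-users],OU=[ou1],DC=[dc1],DC=[dc2],DC=[dc3],DC=[dc4]
</Directory>
```

Check the result with `apachectl -t` before reloading, and remember that the Nagios CGIs still apply their own authorization from cgi.cfg (authorized_for_* and contact names must match the sAMAccountName Apache passes as REMOTE_USER), so an AD login that passes Apache can still see nothing inside Nagios until those entries are updated.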
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Nagios LDAP Authentication

Post by dwhitfield »

blevans wrote:Derived the fix from the Apache forums, so big thanks to @dwhitfield!
You're welcome and thanks so much for posting the fix here. I'm sure it will be a great help for others looking for this info! I'm going to go ahead and lock the thread.