Nagios core 4.3.4 LDAP and authorization


Re: Nagios core 4.3.4 LDAP and authorization

Post by scottwilkerson »

Here is the official documentation
https://assets.nagios.com/downloads/nag ... iauth.html

https://assets.nagios.com/downloads/nag ... _all_hosts

I guess in that you are correct I do not see in the documentation the ability to wildcard with a * so this:

authorized_for_all_services=*
authorized_for_all_hosts=*

Would for all practical purposes equal

authorized_for_all_services=
authorized_for_all_hosts=

Re: Nagios core 4.3.4 LDAP and authorization

Post by emi65 »

Hi Scott

WITH LDAP authentication
if I set in cgi.cfg
authorized_for_all_services=
authorized_for_all_hosts=

and I set in the host1.cfg contact user1

.... the user1 sees only the host1
-------------------------------------------------------------------------------
WITH PASSWD authentication
if I set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

and I set in the host1.cfg contact user1

.... the user1 sees only the host1
--------------------------------------------------------------

so the behavior of cgi.cfg is different when I use LDAP than PASSWD
(the * (star) is interpreted in a different way)

Is this a bug?

Thanks
Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Post by kyang »

WITH LDAP authentication
if I set in cgi.cfg
authorized_for_all_services=
authorized_for_all_hosts=

and I set in the host1.cfg contact user1

.... the user1 sees only the host1
-------------------------------------------------------------------------------
WITH PASSWD authentication
if I set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

and I set in the host1.cfg contact user1

.... the user1 sees only the host1
--------------------------------------------------------------

So either option allows user1 to view only host1?

I'll have to set up an LDAP server with Core to see if I'm seeing the same thing.

Re: Nagios core 4.3.4 LDAP and authorization

Post by emi65 »

Yes, you are right
In both cases user1 sees host 1

but the difference is big because the behaviour of cgi.cfg is different
WITH LDAP authentication
I have to set in cgi.cfg
authorized_for_all_services=
authorized_for_all_hosts=

while WITH PASSWD authentication I have to set
authorized_for_all_services=*
authorized_for_all_hosts=*

This creates another difference
WITH LDAP the user2 can NOT see any hosts
WITH PASSWD the user2 can see ALL hosts

The * (star) in cgi.cfg has a different behaviour when I use LDAP than when I use PASSWD

I would like to get this situation
Use LDAP
show one or limited number of hosts to user1
show ALL hosts for all other users (user1,user2,user3 ..... user999)
set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

Is it possible to get this behaviour?

Regards
Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Post by kyang »

Thanks for the explanation,

Please understand that I am currently trying this integration with Core when I have time.

I'll be using this information to see if I can recreate it on my end.

Re: Nagios core 4.3.4 LDAP and authorization

Post by emi65 »

Hi Kyang

Many thanks for all your help

If you find a solution, please update this thread

Thanks again
Emilio

Re: Nagios core 4.3.4 LDAP and authorization

Post by kyang »

Hello,

Could you attach your full /etc/httpd/conf.d/nagios.conf file?

Also, just to double check. You are logging in as an LDAP user & not a Core user?

Thanks!

Re: Nagios core 4.3.4 LDAP and authorization

Post by emi65 »

Here is the file

ScriptAlias /nagios/cgi-bin "/usr/lib64/nagios/cgi-bin/"

<Directory "/usr/lib64/nagios/cgi-bin/">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP Authentication"
    # AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://ldap-sedi.sedi-direzioni.group:389/DC=sedi-direzioni,DC=group?sAMAccountName?sub?(objectClass=person)
    AuthLDAPBindDN "CN=GS01068 FRINI EMILIO,OU=Utenti,OU=XXXXXX,OU=XXXXXX,OU=DIREZIONEGS,DC=sedi-direzioni,DC=group"
    AuthLDAPBindPassword "XXXXX"
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    #Require valid-user
    Require ldap-group cn=ggUtentiDire3532,OU=DIRE3532,OU=DIRE3437,OU=DIREZIONEGS,DC=sedi-direzioni,DC=group
    Require ldap-group cn=ggUtentiDire8214,OU=DIRE8214,OU=DIRE3375,OU=DIREZIONEGS,DC=sedi-direzioni,DC=group
</Directory>

Alias /nagios "/usr/share/nagios/html"

<Directory "/usr/share/nagios/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP Authentication"
    # AuthzLDAPAuthoritative off
    AuthLDAPURL ldap://ldap-sedi.sedi-direzioni.group:389/DC=sedi-direzioni,DC=group?sAMAccountName?sub?(objectClass=person)
    AuthLDAPBindDN "CN=GS01068 FRINI EMILIO,OU=Utenti,OU=XXXXX,OU=XXXX,OU=DIREZIONEGS,DC=sedi-direzioni,DC=group"
    AuthLDAPBindPassword "XXXXXX"
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPGroupAttribute member
    #Require valid-user
    Require ldap-group cn=ggUtentiDire3532,OU=DIRE3532,OU=DIRE3437,OU=DIREZIONEGS,DC=sedi-direzioni,DC=group
    Require ldap-group cn=ggUtentiDire8214,OU=DIRE8214,OU=DIRE3375,OU=DIREZIONEGS,DC=sedi-direzioni,DC=group
</Directory>
Last edited by scottwilkerson on Wed Jun 20, 2018 12:57 pm, edited 1 time in total.
Reason: wrap in code tags

Re: Nagios core 4.3.4 LDAP and authorization

Post by scottwilkerson »

emi65 wrote:
Yes, you are right
In both cases user1 sees host 1

but the difference is big because the behaviour of cgi.cfg is different
WITH LDAP authentication
I have to set in cgi.cfg
authorized_for_all_services=
authorized_for_all_hosts=

while WITH PASSWD authentication I have to set
authorized_for_all_services=*
authorized_for_all_hosts=*

This creates another difference
WITH LDAP the user2 can NOT see any hosts
WITH PASSWD the user2 can see ALL hosts

The * (star) in cgi.cfg has a different behaviour when I use LDAP than when I use PASSWD

I would like to get this situation
Use LDAP
show one or limited number of hosts to user1
show ALL hosts for all other users (user1,user2,user3 ..... user999)
set in cgi.cfg
authorized_for_all_services=*
authorized_for_all_hosts=*

Is it possible to get this behaviour?

Regards
Emilio

I am not sure why the behavior would be different between using basic auth or LDAP, the username should be the same to the backend either way.

That said you can feel free to investigate it further and if you find the Nagios Core code needs patching, the developers of the free open source Nagios Core would welcome the contribution
https://github.com/NagiosEnterprises/nagioscore
Locked
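
An added example, not code from this thread or from the Nagios project: a small audit of the cgi.cfg authorized_for_* directives discussed above, reporting which ones are empty or contain the * entry so they can be reviewed against the per-user visibility that is intended. The sample cgi.cfg text is constructed, and the names audit_cgi_cfg and needs_review are assumptions of this example.

```python
import re

# Constructed sample fragment; not taken from the poster's server.
SAMPLE_CGI_CFG = """\
# constructed cgi.cfg fragment
use_authentication=1
authorized_for_system_information=nagiosadmin
authorized_for_all_services=*
authorized_for_all_hosts=
authorized_for_all_host_commands=nagiosadmin, user1
authorized_for_read_only=user2
"""

# Matches "authorized_for_<something>=<comma separated users>".
DIRECTIVE = re.compile(r"^\s*(authorized_for_\w+)\s*=(.*)$")


def audit_cgi_cfg(text):
    """Return {directive: (status, users)} for every authorized_for_* line.

    status is 'wildcard' when any entry is '*', 'empty' when no user is
    listed, and 'explicit' when only named users are listed.
    """
    findings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and comments
        match = DIRECTIVE.match(line)
        if not match:
            continue  # not an authorization directive
        name, value = match.groups()
        users = [u.strip() for u in value.split(",") if u.strip()]
        if "*" in users:
            status = "wildcard"
        elif not users:
            status = "empty"
        else:
            status = "explicit"
        findings[name] = (status, users)
    return findings


def needs_review(findings):
    """Directives whose scope is not a plain list of named users."""
    return sorted(n for n, (status, _) in findings.items() if status != "explicit")


if __name__ == "__main__":
    result = audit_cgi_cfg(SAMPLE_CGI_CFG)
    for name, (status, users) in result.items():
        print(f"{name}: {status} {users}")
    print("review:", needs_review(result))
```

Running it against the real cgi.cfg on both the LDAP and the PASSWD setup gives a like-for-like list of the directives to compare when the two behave differently.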