Hi,
I'm using Kerberos Auth with Nagios to pass my Windows username/password though for authentication. This is working pretty well now.
I add a user to Nagios with their contact name as username@DOMAIN, and when they go to the Nagios site, it shows up, "Logged in as user@DOMAIN". Great! Now this user is added to the Admins contact group. In the cgi.cfg file, I added the admins group to all the CGI permissions, and I can access *most* all areas of the Nagios site.
However, I am having issues accessing Process Info (config.cgi) and Configuration (config.cgi). If I add my user@DOMAIN directly to the appropriate lines in cgi.conf, I can access these areas just fine.
So why is it that some areas allow using group membership for CGI access, while these two do not?
I don't want to have to manually go in and edit my CGI access permissions every time I add a new user to the system, it just doesn't seem smart.
Any ideas on what might be causing this or a workaround? Thank you.
Max
CGI Access Permission Issues
Re: CGI Access Permission Issues
That's because it's probably not working at all: http://nagios.sourceforge.net/docs/3_0/cgiauth.html
The relevant part of the text is the default permissions section for an authenticated contact user, you can't actually use a contact group as a valid reference in the cgi.conf.
So to answer your question as to how to manage these permissions, back when I was using Core I wrote a script that synchronizes an AD group with the cgi.conf. Otherwise you are a bit stuck with managing them manually I am afraid. You will also find that under your current methodology that if you were to create a host that didn't belong to the Nagiosadmins group that your admins would not be able to see it in the GUI (which... may or may not be desirable).
The relevant part of the text is the default permissions section for an authenticated contact user, you can't actually use a contact group as a valid reference in the cgi.conf.
So to answer your question as to how to manage these permissions, back when I was using Core I wrote a script that synchronizes an AD group with the cgi.conf. Otherwise you are a bit stuck with managing them manually I am afraid. You will also find that under your current methodology that if you were to create a host that didn't belong to the Nagiosadmins group that your admins would not be able to see it in the GUI (which... may or may not be desirable).