Nagios core with AD Integration

charangandra
Posts: 25
Joined: Tue Feb 13, 2018 6:23 am

Nagios core with AD Integration

Post by charangandra »

Hi,

I've integrated Nagios with AD and it is working. I can authenticate to the Nagios web page using the AD account but am unable to see any information. I believe this is down to my user not being configured to view host information in /usr/local/nagios/etc/cgi.cfg.

I can view host and status information by updating the lines below in the cgi.cfg file:

authorized_for_all_services=nagiosadmin,test_user
authorized_for_all_hosts=nagiosadmin,test_user

But it is not possible to add all the users in this manner.

I've two groups in AD, admin and viewer. All the users in the admin group should have access equivalent to the nagiosadmin user, and all the users in the viewer group should only be able to view host and service information.

Is that possible? How can I add AD domain group details instead of individual user details in cgi.cfg? Or is there any other configuration I need to make?

Any help is greatly appreciated.

Thanks,
Charan
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Nagios core with AD Integration

Post by mcapra »

I think it would 100% depend on specifically how you did the AD/LDAP integration.
charangandra wrote: I've two groups in AD, admin and viewer. All the users in the admin group should have access equivalent to the nagiosadmin user, and all the users in the viewer group should only be able to view host and service information.
You could probably handle this translation in the AD/LDAP implementation within Apache/nginx. Here is a reference implementation using mod_authnz_ldap:
https://galaxyproject.org/admin/config/ ... uthnz_ldap

Essentially, have 2 users defined under cgi.cfg which represent your AD groups. In your mod_authnz_ldap configuration, perform a rewrite and set the REMOTE_USER request header to either "admin" or "viewer" based on the AD group membership. This should get picked up by Nagios Core:
https://github.com/NagiosEnterprises/na ... auth.c#L64

Should work, but I haven't tested it. The way RabbitMQ handles LDAP group to vhost/policy/etc translation works in a *somewhat* similar way, though it's relying on things not specific to HTTP headers or CGI conventions.
charangandra wrote: But it is not possible to add all the users in this manner.
Oh, it's totally possible. A terrible idea, but totally possible ;)
Former Nagios employee
https://www.mcapra.com/
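
Added example, not part of any post in this thread and not Nagios project code: a Python sketch of the cgi.cfg side of the two-role mapping described in the post above, with a check that the viewer role stays read-only. The role names admin and viewer come from the post; the function names and the sample config are constructed, and it assumes the web server already sets REMOTE_USER to one of the two role names.

```python
import re

# Role accounts from the post above. Assumption: the web server has already
# checked AD group membership and sets REMOTE_USER to one of these two names.
ADMIN_ROLE, VIEWER_ROLE = "admin", "viewer"
VIEW_KEYS = {"authorized_for_all_hosts", "authorized_for_all_services"}
READ_ONLY_KEY = "authorized_for_read_only"
DIRECTIVE = re.compile(r"^(authorized_for_\w+)\s*=(.*)$")

def _users(value):
    return [u.strip() for u in value.split(",") if u.strip()]

def apply_roles(cfg_text):
    """Return cgi.cfg text with both role accounts added to authorized_for_* lines."""
    out, read_only_seen = [], False
    for line in cfg_text.splitlines():
        m = DIRECTIVE.match(line.strip())
        if not m:                      # comments and unrelated settings pass through
            out.append(line)
            continue
        key, users = m.group(1), _users(m.group(2))
        if key == READ_ONLY_KEY:
            read_only_seen, wanted = True, [VIEWER_ROLE]
        elif "nagiosadmin" in users:   # admin mirrors whatever nagiosadmin holds
            wanted = [ADMIN_ROLE] + ([VIEWER_ROLE] if key in VIEW_KEYS else [])
        else:
            wanted = []
        users += [u for u in wanted if u not in users]
        out.append(f"{key}={','.join(users)}")
    if not read_only_seen:             # directive absent or commented out
        out.append(f"{READ_ONLY_KEY}={VIEWER_ROLE}")
    return "\n".join(out) + "\n"

def viewer_overreach(cfg_text):
    """List directives that give the viewer role more than read-only status views."""
    hits = (DIRECTIVE.match(line.strip()) for line in cfg_text.splitlines())
    return [m.group(1) for m in hits if m and VIEWER_ROLE in _users(m.group(2))
            and m.group(1) not in VIEW_KEYS | {READ_ONLY_KEY}]

# Constructed sample, not a real site's cgi.cfg.
SAMPLE = """\
use_authentication=1
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin,test_user
authorized_for_all_hosts=nagiosadmin,test_user
authorized_for_all_host_commands=nagiosadmin
#authorized_for_read_only=user1,user2
"""

if __name__ == "__main__":
    print(apply_roles(SAMPLE), end="")
```

Running viewer_overreach against the live cgi.cfg after any manual edit catches the case where the viewer role has been added to a command or configuration directive.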
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: Nagios core with AD Integration

Post by tacolover101 »

lots of ways to accomplish this, that's what makes it fun.

in the case you didn't want to run the mod_authnz_ldap route, you could also run a reverse proxy with LDAP auth. then map groups / users to different basic auth creds this way.

heck, you could even write it into PHP and create your own mapping.

this is one of the values in which Nagios XI will provide you.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Nagios core with AD Integration

Post by cdienger »

As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
charangandra
Posts: 25
Joined: Tue Feb 13, 2018 6:23 am

Re: Nagios core with AD Integration

Post by charangandra »

Thanks for the message, I will try the above options.

Thanks,
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Nagios core with AD Integration

Post by scottwilkerson »

charangandra wrote: Thanks for the message, I will try the above options.

Thanks,
Let us know if this does not work.
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com