Hi,
I've integrated Nagios with AD and it is working. I can authenticate to the Nagios web page using the AD account but am unable to see any information. I believe this is down to my user not being configured to view host information in /usr/local/nagios/etc/cgi.cfg.
I can view host and status information by updating the lines below in the cgi.cfg file:
authorized_for_all_services=nagiosadmin,test_user
authorized_for_all_hosts=nagiosadmin,test_user
But it is not possible to add all the users in this manner.
I've two groups in AD, admin and viewer. All the users in the admin group should have access equivalent to the nagiosadmin user, and all the users in the viewer group should only be able to view host and service information.
Is that possible? How can I add AD domain group details instead of individual user details in cgi.cfg? Or is there any other configuration I need to make?
Any help is greatly appreciated.
Thanks,
Charan
Nagios core with AD Integration
Re: Nagios core with AD Integration
I think it would 100% depend on specifically how you did the AD/LDAP integration.
charangandra wrote: I've two groups in AD, admin and viewer. All the users in admin group should have equivalent access as nagiosadmin user and all the users in viewer group should only be able to view host and service information.
You could probably handle this translation in the AD/LDAP implementation within Apache/nginx. Here is a reference implementation using mod_authnz_ldap:
https://galaxyproject.org/admin/config/ ... uthnz_ldap
Essentially, have 2 users defined under cgi.cfg which represent your AD groups. In your mod_authnz_ldap configuration, perform a rewrite and set the REMOTE_USER request header to either "admin" or "viewer" based on the AD group membership. This should get picked up by Nagios Core:
https://github.com/NagiosEnterprises/na ... auth.c#L64
Should work, but I haven't tested it. The way RabbitMQ handles LDAP group to vhost/policy/etc translation works in a *somewhat* similar way, though it's relying on things not specific to HTTP headers or CGI conventions.
charangandra wrote: But it is not possible to add all the user in this manner.
Oh, it's totally possible. A terrible idea, but totally possible.
Former Nagios employee
https://www.mcapra.com/
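Added example, not part of the thread and not Nagios code: a sketch of the per-user route from the first post, generating the cgi.cfg authorized_for_* lines from the two groups' member lists instead of editing them by hand. The member lists are passed in as plain lists (fetching them from AD is out of scope here), and the split of directives between admin and viewer is this example's assumption.

```python
import re

# Real cgi.cfg directive names; which role gets which is this example's choice.
VIEW = ["authorized_for_all_hosts", "authorized_for_all_services"]
ADMIN_ONLY = [
    "authorized_for_system_information",
    "authorized_for_configuration_information",
    "authorized_for_system_commands",
    "authorized_for_all_host_commands",
    "authorized_for_all_service_commands",
]
READ_ONLY = "authorized_for_read_only"
MANAGED = set(VIEW + ADMIN_ONLY + [READ_ONLY])
# Rejects commas, whitespace and "*", which cgi.cfg reads as "any authenticated user".
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]+")

def clean(names):
    bad = [n for n in names if not SAFE_NAME.fullmatch(n)]
    if bad:
        raise ValueError(f"refusing unsafe user names: {bad}")
    return sorted(set(names))

def render(cgi_cfg_text, admins, viewers, keep=("nagiosadmin",)):
    admins = clean(list(keep) + list(admins))
    viewers = [v for v in clean(viewers) if v not in admins]  # admin membership wins
    values = {d: admins + viewers for d in VIEW}
    values.update({d: admins for d in ADMIN_ONLY})
    values[READ_ONLY] = viewers  # viewers can look but not submit commands
    # Drop active managed lines (comments are kept), then append fresh ones.
    out = [l for l in cgi_cfg_text.splitlines() if l.split("=", 1)[0].strip() not in MANAGED]
    for d in VIEW + ADMIN_ONLY + [READ_ONLY]:
        if values[d]:
            out.append(f"{d}={','.join(values[d])}")
    return "\n".join(out) + "\n"

# Constructed sample input, modelled on the two lines quoted in the first post.
SAMPLE_CGI_CFG = """use_authentication=1
authorized_for_all_services=nagiosadmin,test_user
authorized_for_all_hosts=nagiosadmin,test_user
"""

if __name__ == "__main__":
    print(render(SAMPLE_CGI_CFG, admins=["alice"], viewers=["bob", "alice"]))
```

User names in the output must match exactly what the web server passes to the CGIs as the authenticated user, and removed group members only lose access the next time the file is regenerated.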
- tacolover101
Re: Nagios core with AD Integration
lots of ways to accomplish this, that's what makes it fun.
in the case you didn't want to run the mod_authnz_ldap route, you could also run a reverse proxy with LDAP auth. then map groups / users to different basic auth creds this way.
heck, you could even write it into PHP and create your own mapping.
this is one of the values in which Nagios XI will provide you.
Re: Nagios core with AD Integration
Thanks @mcpra & @tacolover101!
Re: Nagios core with AD Integration
Thanks for the message, I will try the above options.
Thanks,
Re: Nagios core with AD Integration
charangandra wrote: Thanks for the message, I will try the above options.
Thanks,
Let us know if this does not work.