Nagios Core - Apache -LDAP configurations

Mahantesh
Posts: 8
Joined: Mon Dec 03, 2018 12:27 am

Nagios Core - Apache -LDAP configurations

Post by Mahantesh »

What is wrong with the parameters in this nagios.conf file? It does not accept the AD user credentials in the web login prompt.
If the same LDAP parameters are used in a separate php-ldap module, in the same setup, it authenticates. But Nagios rejects them and keeps prompting the login window. httpd.conf has the required .so modules loaded. Tried adding and removing these parameters in different combinations (as I'm unsure of what is a must and what is not); none of the combinations gets it right.

Using CentOS 7, Nagios Core 4.4

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
SetEnv TZ "UTC"
</IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
# SSLRequireSSL
Options None
# AllowOverride None
# Order allow,deny
# Allow from all
<IfVersion >= 2.3>
<RequireAll>
Require all granted
AuthLDAPGroupAttribute member
AuthName "AD_user_name"
AuthType basic
#AuthLDAPServer “10.10.10.10”
AuthLDAPBindDN "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPURL ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)
AuthLDAPGroupAttributeIsDN on
#AuthzLDAPAuthoritative off
#require group “User_group_in_DC”
AuthBasicProvider ldap
AuthLDAPBindPassword "AD_user_password"
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
Allow from all
Order deny,allow
Require valid-user
</IfVersion>
</Directory>
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios Core - Apache -LDAP configurations

Post by ssax »

Here is what worked for me:

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
# Last Modified: 11-26-2005
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file.  Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# AuthzLDAPAuthoritative on
 AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
 AuthLDAPBindPassword "Password"
 AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
 AuthType Basic
 AuthName "contoso Authentication"
 AuthBasicProvider ldap
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPGroupAttribute member
 Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
   Require valid-user
   Require all denied
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
#  SSLRequireSSL
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
#   AuthName "Nagios Core"
#   AuthType Basic
#   AuthUserFile /usr/local/nagiosxi/etc/htpasswd.users
# AuthzLDAPAuthoritative on
 AuthLDAPBindDN "CN=Your User,CN=Users,DC=contoso,DC=local"
 AuthLDAPBindPassword "Password"
 AuthLDAPURL "ldap://192.168.X.X/CN=Users,DC=contoso,DC=local?sAMAccountName?sub?(objectClass=*)"
 AuthType Basic
 AuthName "contoso Authentication"
 AuthBasicProvider ldap
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPGroupAttribute member
 Require ldap-group CN=nagios_users,CN=Users,DC=contoso,DC=local
   Require valid-user
   Require all denied
</Directory>
Mahantesh
Posts: 8
Joined: Mon Dec 03, 2018 12:27 am

Re: Nagios Core - Apache -LDAP configurations

Post by Mahantesh »

Thanks. Used the exact file. Didn't help.

1. Why are there question marks in AuthLDAPURL?

?sAMAccountName?sub?

Is sAMAccountName to be replaced with the AD user name?
I tried changing it to ?AD_user_name?sub?
No change in response.

And what are "sub?" & (objectClass=*)"NONE?


2. Do AuthLDAPBindPassword and AuthName have to be in between double quotes?

3. Are there any settings required in config files other than nagios.conf?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios Core - Apache -LDAP configurations

Post by ssax »

1. sAMAccountName is what it's matching your entered Active Directory credentials username against on the remote side; it's the attribute it will search for. Please see here for more information:

https://httpd.apache.org/docs/2.4/mod/m ... uthldapurl

2. You should be able to use single quotes OR double-quotes OR no quotes at all (as long as there are no spaces in the values).

3. No other settings required but make sure you have mod_ldap installed:

yum install mod_ldap
Then after setting up the nagios.conf file, restart HTTPD:

service httpd restart
Once that is set up, please run this tail command (and leave it running):

tail -F /var/log/httpd/error_log /var/log/httpd/ssl_error_log
Then try to log in with your AD credentials and post any output you get.
Mahantesh
Posts: 8
Joined: Mon Dec 03, 2018 12:27 am

Re: Nagios Core - Apache -LDAP configurations

Post by Mahantesh »

I have been checking the logs (please see pasted below); it says password mismatch, which is a 'lie'. In fact, I just now checked the event viewer logs of the LDAP server (Win 2012) and I see requests reaching there. It shows the IP address of my Nagios host and my AD user name that requested LDAP authentication. But on the Nagios web console it keeps showing the sign-in prompt.

[Thu Dec 06 07:01:02.976791 2018] [auth_basic:error] [pid 3464] [client 10.10.10.10:62787] AH01617: user john: authentication failure for "/nagios/": Password Mismatch

[Thu Dec 06 07:10:08.531368 2018] [auth_basic:error] [pid 3503] [client 10.10.10.10:62908] AH01617: user john: authentication failure for "/nagios/": Password Mismatch


Even use_authentication=0 or 1 in cgi.cfg has no effect on the sign-in prompt. Am I missing something?
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios Core - Apache -LDAP configurations

Post by ssax »

Does this output anything?

yum install openldap-clients
ldapsearch -x -D "CN=john\,connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=administrator'
Mahantesh
Posts: 8
Joined: Mon Dec 03, 2018 12:27 am

Re: Nagios Core - Apache -LDAP configurations

Post by Mahantesh »

Yes, that gets everything.

ldapsearch -x -D "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local" -W -H ldap://10.10.10.10 -b "OU=LAB,DC=test-lab,DC=abc,DC=local" -s sub 'sAMAccountName=connoj'

Reworked the nagios.conf parameters; this is what I have now:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPBindPassword "AD_pw_of_john"
AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName=connoj?sub?(objectClass=*)"NONE
AuthType Basic
AuthName "connoj"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local
Require valid-user
#Require all denied
SetEnv TZ "UTC"
</Directory>

But the Nagios web page keeps showing the sign-in prompt.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nagios Core - Apache -LDAP configurations

Post by ssax »

Try this one:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthLDAPBindDN "CN=john\, connor,OU=LAB,DC=test-lab,DC=abc,DC=local"
AuthLDAPBindPassword "AD_pw_of_john"
AuthLDAPURL "ldap://10.10.10.10:389/OU=LAB,DC=test-lab,DC=abc,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthType Basic
AuthName "connoj"
AuthBasicProvider ldap
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
Require ldap-group CN=johns_Group,OU=LAB,DC=test-lab,DC=abc,DC=local
Require valid-user
#Require all denied
SetEnv TZ "UTC"
</Directory>
Just to make sure, you are restarting httpd after making the config changes, right?

service httpd restart
Mahantesh
Posts: 8
Joined: Mon Dec 03, 2018 12:27 am

Re: Nagios Core - Apache -LDAP configurations

Post by Mahantesh »

Thanks, good job :)

sAMAccountName was the culprit.

1. 'Require ldap-group CN=johns_Group, OU=LAB,DC=test-lab,DC=abc,DC=local' <--- Whether this line exists or not, it has no effect. john can log in even if this line is removed. How to explain?

2. If I want to give access to 5 AD users, how can I add them in nagios.conf? In cgi.cfg, I know I can add multiple usernames separated by commas, or use an asterisk for anyone.

3. I have use_authentication set to 0 in cgi.cfg, yet I am using LDAP authentication! Is this variable applicable only for local authentication, which uses nagiosadmin and a password? It looks like it is ignored in my LDAP/AD authentication.
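An added example, not from this thread or from the Nagios or Apache projects: a small Python linter that splits an AuthLDAPURL into the host, base DN, attribute, scope and filter fields ssax explains above, applies the mod_authnz_ldap defaults (uid, sub, (objectClass=*), port 389/636), and flags the two mistakes from the reworked config that turned out to be the culprit: "sAMAccountName=connoj" in the attribute slot and the stray NONE after the closing quote. The function names and the dc.example.test host used for testing are my own.

```python
# Added example (not from the thread): lint an Apache mod_authnz_ldap AuthLDAPURL,
# whose RFC 2255 shape is ldap://host:port/basedn?attribute?scope?filter.

def parse_authldapurl(raw: str) -> dict:
    """Split an AuthLDAPURL value into its parts, applying mod_authnz_ldap defaults."""
    value, trailing = raw.strip(), ""
    if value.startswith('"'):
        close = value.find('"', 1)
        if close == -1:
            raise ValueError("unterminated double quote")
        # Apache reads the quoted text as one argument; anything after the
        # closing quote (the stray NONE seen in the thread) is a separate token.
        value, trailing = value[1:close], value[close + 1:].strip()
    scheme, sep, rest = value.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap:// or ldaps://")
    hostport, _, rest = rest.partition("/")
    host, _, port = hostport.partition(":")
    basedn, _, query = rest.partition("?")
    fields = query.split("?") + ["", "", ""]        # attribute, scope, filter
    attribute, scope, ldap_filter = fields[:3]
    return {
        "scheme": scheme, "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "basedn": basedn, "attribute": attribute or "uid",
        "scope": scope or "sub", "filter": ldap_filter or "(objectClass=*)",
        "trailing": trailing,
    }

def lint_authldapurl(raw: str) -> list:
    """Return findings for the mistakes this thread ran into; [] means it looks sane for AD."""
    try:
        u = parse_authldapurl(raw)
    except ValueError as err:
        return [f"unparseable: {err}"]
    findings = []
    if u["trailing"]:
        findings.append(f"junk after the closing quote: {u['trailing']!r}")
    if "=" in u["attribute"]:
        findings.append(f"attribute field must be an attribute name, not attribute=value: {u['attribute']!r}")
    elif u["attribute"] == "uid":
        findings.append("attribute defaulted to uid; Active Directory logins match on sAMAccountName")
    if u["scope"] not in ("one", "sub"):
        findings.append(f"scope {u['scope']!r} is not one or sub")
    if not (u["filter"].startswith("(") and u["filter"].endswith(")")):
        findings.append(f"filter is not a parenthesised LDAP filter: {u['filter']!r}")
    return findings
```

Every URL in this thread is plain ldap:// on port 389, so the AuthLDAPBindPassword bind and each user's password cross the network in the clear; ldaps:// is the usual fix.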
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Nagios Core - Apache -LDAP configurations

Post by scottwilkerson »

I'm going to close this thread as the same question was asked in this thread:
https://support.nagios.com/forum/viewto ... =7&t=51634
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com