LDAP Authentication to web interface

amdjml
Posts: 6
Joined: Fri Aug 17, 2018 9:28 am

Post by amdjml »

Hi All,

I am trying to configure apache2 on my Ubuntu box to authenticate users via LDAP to the web interface on Nagios Core.

Server: Ubuntu 18.04 LTS
Nagios: Core 4.4.5
Apache2: v2.4.29

I have modified the "/etc/apache2/sites-enabled/nagios.conf" file as follows:

Code:

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file.  Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
LDAPTrustedGlobalCert CA_BASE64 /etc/apache2/cert/ldap.pem

<Directory "/usr/local/nagios/sbin">
   #SSLRequireSSL
   Options ExecCGI
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
#        Require host 127.0.0.1

         #AuthName "Nagios Access"
         #AuthType Basic
         #AuthUserFile /usr/local/nagios/etc/htpasswd.users
         #Require valid-user

         # LDAP Auth
         AuthLDAPBindDN "domain\ldap-account"
         AuthLDAPBindPassword "********"
         AuthName "Enter your Username and Password:"
         AuthType Basic
         AuthBasicProvider ldap
         AuthLDAPURL "ldaps://ldap.domain.com:636/CN=users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
         require valid-user
         satisfy any
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1

      #AuthName "Nagios Access"
      #AuthType Basic
      #AuthUserFile /usr/local/nagios/etc/htpasswd.users
      #Require valid-user

      # LDAP Auth
      AuthLDAPBindDN "domain\ldap-account"
      AuthLDAPBindPassword "*******"
      AuthName "Enter your Username and Password:"
      AuthType Basic
      AuthBasicProvider ldap
      AuthLDAPURL "ldaps://ldap.domain.com:636/CN=users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
      require valid-user
      satisfy any
   </IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   #SSLRequireSSL
   Options None
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
#        Require host 127.0.0.1

         #AuthName "Nagios Access"
         #AuthType Basic
         #AuthUserFile /usr/local/nagios/etc/htpasswd.users
         #Require valid-user

         # LDAP Auth
         AuthLDAPBindDN "domain\ldap-account"
         AuthLDAPBindPassword "******"
         AuthName "Enter your Username and Password:"
         AuthType Basic
         AuthBasicProvider ldap
         AuthLDAPURL "ldaps://ldap.domain.com:636/CN=users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
         require valid-user
         satisfy any
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1

      #AuthName "Nagios Access"
      #AuthType Basic
      #AuthUserFile /usr/local/nagios/etc/htpasswd.users
      #Require valid-user

      # LDAP Auth
      AuthLDAPBindDN "domain\ldap-account"
      AuthLDAPBindPassword "******"
      AuthName "Enter your Username and Password:"
      AuthType Basic
      AuthBasicProvider ldap
      AuthLDAPURL "ldaps://ldap.domain.com:636/CN=users,DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)"
      require valid-user
      satisfy any
   </IfVersion>
</Directory>

I also modified the "/etc/nagios/etc/cgi.cfg" file. I replaced every instance of "nagiosadmin" with an "*".

Code:

authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

Now, when I go to https://server.domain.com/nagios/, I am not being prompted for username/password. I see the web interface but I am unable to see any "Hosts" and "Services". I am getting the message below when I click on "Hosts" and/or "Services":

It appears as though you do not have permission to view information for any of the hosts you requested...

If you believe this is an error, check the HTTP server authentication requirements for accessing this CGI
and check the authorization options in your CGI configuration file.

In the error log of the apache2 server, I see the following message:

Code:

[Thu Feb 27 13:11:46.233817 2020] [php7:notice] [pid 13789] [client 10.x.x.x:58123] PHP Notice:  Undefined index: REMOTE_USER in /usr/local/nagios/share/main.php on line 29, referer: https://server.domain.com/nagios/

I've been looking at this forum and other search results and none has helped me. I have confirmed that the LDAP configuration in the apache conf file is accurate. Any help is appreciated.

TIA
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP Authentication to web interface

Post by cdienger »

The 'satisfy any' options are allowing clients in without having them authenticate. Commenting these out and restarting Apache should do the trick.

https://httpd.apache.org/docs/2.4/mod/m ... ml#satisfy
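
Added example (not part of either post, and not Nagios or Apache project code): a small Python check for the pattern this thread turned on, a <Directory> block that sets AuthType but also carries "Satisfy any". The sample config is constructed from the question's snippet, and the function name find_satisfy_any is hypothetical.

```python
import re

# Constructed sample: block 1 is trimmed from the question's config, block 2 is the
# same kind of block with "satisfy any" removed, as the reply suggests.
SAMPLE_CONF = """\
<Directory "/usr/local/nagios/sbin">
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
         #Require valid-user
         AuthType Basic
         AuthBasicProvider ldap
         require valid-user
         satisfy any
      </RequireAll>
   </IfVersion>
</Directory>
<Directory "/usr/local/nagios/share">
   AuthType Basic
   AuthBasicProvider ldap
   Require valid-user
</Directory>
"""

DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)

def find_satisfy_any(conf_text):
    """Return [(directory, line_no)] where Satisfy Any sits beside an AuthType."""
    findings, path, has_auth, satisfy_lines = [], None, False, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out directives do not count
            continue
        opened = DIR_OPEN.match(line)
        if opened:
            path, has_auth, satisfy_lines = opened.group(1), False, []
        elif line.lower().startswith("</directory") and path:
            if has_auth:                       # auth configured, yet made optional
                findings += [(path, n) for n in satisfy_lines]
            path = None
        elif path and re.match(r"authtype\s+\S+", line, re.I):
            has_auth = True
        elif path and re.match(r"satisfy\s+any\b", line, re.I):
            satisfy_lines.append(line_no)
    return findings

if __name__ == "__main__":
    for directory, line_no in find_satisfy_any(SAMPLE_CONF):
        print(f"{directory}: line {line_no}: 'Satisfy any' makes the login optional")
```

The check reads only plain <Directory> sections in one file and ignores Include, <Location> and .htaccess. After a clean result, confirm that a request to /nagios/ sent without credentials is answered with 401.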