Using Two Authentication Servers LDAP and AD?

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
Locked
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Using Two Authentication Servers LDAP and AD?

Post by disrael »

Where I work we have two types of authentication: LDAP(S3) and AD. As all the users are not in 1 DB, we need to be able to query both. I see there are two components in Nagios XI for authentication, LDAP and AD. My question is can we use both components in tandem?

Thanks in advance!
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: Using Two Authentication Servers LDAP and AD?

Post by mguthrie »

Honestly we've never tried. If the LDAP and AD components are both installed and enabled, the authentication would probably execute both callback functions, and if one of them returned true, it might work. I'd say give it a try and see if it works ; )
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: Using Two Authentication Servers LDAP and AD?

Post by disrael »

Thanks for the feedback. Just wondering when you said "we've", do you mean Nagios company or something/someone else?
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: Using Two Authentication Servers LDAP and AD?

Post by disrael »

One more question, does Nagios have a native ability to query one LDAP environment with its appropriate LDAP query and if it fails can it automatically fail over to send a different query to a different set of LDAP servers?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Using Two Authentication Servers LDAP and AD?

Post by scottwilkerson »

disrael wrote: One more question, does Nagios have a native ability to query one LDAP environment with its appropriate LDAP query and if it fails can it automatically fail over to send a different query to a different set of LDAP servers?
No, this is not implemented. You can feel free to add it as a feature request to our tracker
http://tracker.nagios.com/
Former Nagios employee
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: Using Two Authentication Servers LDAP and AD?

Post by mguthrie »

disrael wrote: Just wondering when you said "we've", do you mean Nagios company or something/someone else?
To my knowledge no one here has tried or tested using both authentication methods. The guy who wrote both of these components no longer works here, so we don't have him as a reference anymore.
disrael wrote: One more question, does Nagios have a native ability to query one LDAP environment with its appropriate LDAP query and if it fails can it automatically fail over to send a different query to a different set of LDAP servers?
Negative. Currently you just have to plug in the LDAP auth info for a single environment. The license for the component code allows you to modify as you need to for internal use, so you're welcome to customize to fit your needs.
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: Using Two Authentication Servers LDAP and AD?

Post by disrael »

Thanks for the feedback, I have one more question regarding authentication. We have a module called Siteminder S3 that is owned by CA. We integrate it with a lot of our applications on the web server level, i.e. IIS or Apache. This module allows us to add authentication for applications using a single source for users and passwords. As this application communicates with S3 with header response variables in LDAP, would there be any difficulty in trying to implement this with the LDAP module or even without it?

Thanks again!
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Using Two Authentication Servers LDAP and AD?

Post by scottwilkerson »

It may be possible, although I am not familiar with it. If it can be called with PHP I would believe it would be possible. The LDAP component is written in PHP; you can download the zip off the exchange and use it as a guide if you try to create your own component.

http://exchange.nagios.org/directory/Ad ... nt/details

http://assets.nagios.com/downloads/nagi ... opment.pdf
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: Using Two Authentication Servers LDAP and AD?

Post by disrael »

I am taking a look at the script and that PDF you suggested. Are LDAP and AD supposed to handle both authorization and authentication, or does Nagios handle the authorization while LDAP/AD handles just the authentication? From what I am seeing, it looks like the script is handling only authentication. At the same time, I see no comparison between the correct user name and password; I am wondering if that is handled in Nagios XI after the scripts are done with the authenticating portion, i.e. the script checks to see if the user has been properly authenticated, and if they have, it then sends them to the Nagios XI portion to see if they've been properly authorized to access this page, etc.? Another way of saying it: the component makes sure you are who you say you are, while Nagios is the one who will let you in?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Using Two Authentication Servers LDAP and AD?

Post by scottwilkerson »

Just authentication.

Authorization is handled inside of XI, so the username must match the username of an XI user to be able to see anything.
Locked
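
The thread asks about trying a second directory when the first one does not accept the login, and the last reply separates authentication (directory) from authorization (a matching local user). The PHP sketch below shows that flow; it is an added example, not code from the thread or from the Nagios XI LDAP/AD components, and every function name, hostname, DN template and user name in it is a hypothetical placeholder.

```php
<?php
// Added example: hypothetical helpers, not the Nagios XI LDAP/AD component code.
// Hostnames, DN templates and user names below are constructed placeholders.
const DIRECTORIES = [
    ['uri' => 'ldaps://ldap1.example.com', 'dn' => 'uid=%s,ou=people,dc=example,dc=com'],
    ['uri' => 'ldaps://ad1.example.com', 'dn' => 'cn=%s,ou=staff,dc=corp,dc=example,dc=com'],
];

// One real bind attempt: true = accepted, false = rejected, null = unreachable/error.
function try_bind(array $dir, string $user, string $password): ?bool
{
    $conn = ldap_connect($dir['uri']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = sprintf($dir['dn'], ldap_escape($user, '', LDAP_ESCAPE_DN));
    $ok = @ldap_bind($conn, $dn, $password);
    $errno = ldap_errno($conn); // 49 = invalidCredentials
    ldap_unbind($conn);
    return $ok ? true : ($errno === 49 ? false : null);
}

// Authentication: try each directory in order; the first accepted bind wins.
// $bind is injectable so the logic can be exercised without a server.
function authenticate(string $user, string $password, array $dirs, callable $bind): bool
{
    // An empty password makes a simple bind unauthenticated, which servers
    // may report as success. Refuse it before contacting any directory.
    if ($user === '' || $password === '') {
        return false;
    }
    foreach ($dirs as $dir) {
        if ($bind($dir, $user, $password) === true) {
            return true;
        }
    }
    return false;
}

// Authorization stays local: the name must match an existing application user.
function login(string $user, string $password, array $local, array $dirs, callable $bind): bool
{
    return in_array($user, $local, true) && authenticate($user, $password, $dirs, $bind);
}

// Constructed demo: a stub replaces try_bind so this runs offline.
$stub = fn(array $d, string $u, string $p): ?bool =>
    str_contains($d['uri'], 'ad1') ? ($u === 'alice' && $p === 's3cret') : null;
var_dump(login('alice', 's3cret', ['alice'], DIRECTORIES, $stub), login('alice', '', ['alice'], DIRECTORIES, $stub));
```

Pass `'try_bind'` as the last argument to use real directories. If the same username can exist in both directories, either account's password is accepted for that one local user, so usernames need to be unique across the two sources.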