Writing a Nagios Component for authentication

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Writing a Nagios Component for authentication

Post by disrael »

I have been looking at the AD, LDAP, and a couple other components and it looks like they are structured very similarly. Right now I am trying to figure out the required pseudocode for an authentication module that we need to write.

Our current systems have an authentication module that integrates w/ Apache and IIS. When a user hits the web server, the webserver communicates with the policy servers to see if the site is protected. If the page is protected, then it redirects the user to a policy server, where they enter their username/password before being redirected back to the webserver (if their credentials are accepted). Right now if we do a normal security integration and protect all of Nagios, then our users will be asked to login via our security system, then redirect them to the Nagios Login page.

The next step from here is writing the module. I am a bit rusty in PHP, though I am guessing I would use existing Nagios components as a guide and the XI_Component_Development.pdf to make one for our security system. I am guessing the big thing that our code would do is the following:

(pseudocode)
-------------------

Note: This would be inside the authentication function in the component.

//pulls the user http header that would be set by our security application
$username = grab_request_var('SM_USER');

//Sets the security user to the Nagios XI user header
$_SESSION["username"]=$username;

//Sends the user on their way to access the application
$cbargs["login_ok"]=1;
return;
-----------------------

While the authentication is handled by our separate security system, I am looking at writing this component to bridge Nagios Authorization to our Security Authentication.

I am hoping this would really be the only logic I would have to add to the component, in addition to the minimum required component stuff. Please let me know if I am in the right ballpark. Again thanks for the great help!

-Doron
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: Writing a Nagios Component for authentication

Post by mguthrie »

I would start by taking the LDAP component as a starting template and just modifying the callback function to do what you need. Nagios XI will run through any of the registered authentication callbacks in order to complete the login process.

If you get on the coding you can post what you've got and we'll see if we can point you in the right direction.
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: Writing a Nagios Component for authentication

Post by disrael »


<?php
// S3 Authentication Component
//
//  
// $Id: s3auth.inc.php 197 2012-07-31 16:34:55Z disrael $

//include the helper file
require_once(dirname(__FILE__).'/../componenthelper.inc.php');


// respect the name
$s3auth_component_name="s3auth";

// run the initialization function
s3auth_component_init();

////////////////////////////////////////////////////////////////////////
// COMPONENT INIT FUNCTIONS
////////////////////////////////////////////////////////////////////////

function s3auth_component_init(){
	global $s3auth_component_name;
	
	$versionok=s3auth_component_checkversion();
	
	$desc="";
	if(!$versionok)
		$desc="<br><b>Error: This component requires Nagios XI 2009R1.3G or later.</b>";

	$args=array(

		// need a name
		COMPONENT_NAME => $s3auth_component_name,
		
		// informative information
		COMPONENT_AUTHOR => "D. Israel",
		COMPONENT_DESCRIPTION => "Provides S3 authentication for Nagios XI. ".$desc,
		COMPONENT_TITLE => "S3 Authentication",
		// configuration function (optional)
		COMPONENT_CONFIGFUNCTION => "s3auth_component_config_func",
		);
		
	register_component($s3auth_component_name,$args);
	
	if($versionok){
		// configure authentication callback
		register_callback(CALLBACK_PROCESS_AUTH_INFO,'s3auth_component_check_authentication');
		}
	}
	

	
///////////////////////////////////////////////////////////////////////////////////////////
// VERSION CHECK FUNCTIONS
///////////////////////////////////////////////////////////////////////////////////////////

function s3auth_component_checkversion(){

	if(!function_exists('get_product_release'))
		return false;
	if(get_product_release()<124)
		return false;

	return true;
	}

///////////////////////////////////////////////////////////////////////////////////////////
// AUTHENTICATION FUNCTIONS
///////////////////////////////////////////////////////////////////////////////////////////

function s3auth_component_check_authentication($cbtype,&$cbargs){

	// get the credentials the user is passing to us
	$username=grab_request_var($cbargs["credentials"],"USERID");

	// credentials were correct!
	// (no check is made on $username here: every request is accepted)

	// notify caller of authentication success
	$cbargs["login_ok"]=1;

	$cbargs["debug_messages"][]="Successfully authenticated against S3!";

	return;
	}

?>
This is what I have written so far, what do you think? Am I on the right track? If I enable this and I have issues, is there a way to disable it, as I don't want to lock myself out of Nagios?

Thanks again!
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: Writing a Nagios Component for authentication

Post by mguthrie »

Yes, you're on the right track, although currently your callback function will log in everyone who tries, regardless of username or password, so make sure you develop this on a test box ;)
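
An added example, not part of the thread or of the poster's component: a callback in the same shape that sets login_ok only when the identity header is present, well formed, and names an existing XI user, and otherwise leaves the login undecided. The function names, the extra parameters and the sample data are hypothetical; it assumes the web agent sets the SM_USER header after authenticating the user and that PHP exposes it as $_SERVER['HTTP_SM_USER'].

```php
<?php
// Added example; function and array names are hypothetical.
// Assumption: the web agent sets the SM_USER header after it authenticates the
// user, and PHP exposes that header as $_SERVER['HTTP_SM_USER'].

// Return the XI username to log in, or null when no login should be granted.
function s3auth_resolve_user(array $server, array $xiUsers): ?string
{
    // Only the header is read; a GET/POST/cookie value named SM_USER is ignored.
    $raw = $server['HTTP_SM_USER'] ?? '';
    $name = is_string($raw) ? trim($raw) : '';
    // Reject empty or oddly shaped names instead of guessing.
    if (!preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $name)) {
        return null;
    }
    // Authorization stays with XI: the account must already exist there.
    return in_array($name, $xiUsers, true) ? $name : null;
}

// Same shape as the thread's callback, with inputs passed in so it runs stand-alone.
function s3auth_example_callback($cbtype, array &$cbargs, array $server, array $xiUsers): void
{
    $user = s3auth_resolve_user($server, $xiUsers);
    if ($user === null) {
        $cbargs['debug_messages'][] = 'S3: no usable identity, login not granted';
        return; // fail closed: login_ok is left untouched
    }
    $cbargs['login_ok'] = 1;
    $cbargs['debug_messages'][] = "S3: accepted header identity for $user";
}

// Constructed sample inputs.
$xiUsers = ['nagiosadmin', 'disrael'];
$cases = [
    'header set by agent' => ['HTTP_SM_USER' => 'disrael'],
    'header missing'      => ['QUERY_STRING' => 'SM_USER=nagiosadmin'],
    'unknown to XI'       => ['HTTP_SM_USER' => 'someone.else'],
];
foreach ($cases as $label => $server) {
    $cbargs = ['login_ok' => 0, 'debug_messages' => []];
    s3auth_example_callback(0, $cbargs, $server, $xiUsers);
    printf("%-20s login_ok=%d  %s\n", $label, $cbargs['login_ok'], $cbargs['debug_messages'][0]);
}
```

In a real component the callback keeps the two-argument signature shown in the thread and obtains the header and the user list itself.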
disrael
Posts: 116
Joined: Tue Jun 19, 2012 3:16 pm

Re: Writing a Nagios Component for authentication

Post by disrael »

If I understand you correctly, combined with my limited PHP experience and my knowledge of SiteMinder: after the SiteMinder server authenticates the user, they will get to the part where XI authorizes the user to access the information or not. If SiteMinder allows them to log in and the user exists in the XI user DB, then it will allow them access?

Also we are doing this on a test server first, before we move to production.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Writing a Nagios Component for authentication

Post by scottwilkerson »

This should be correct.
Former Nagios employee