LDAP auth plugin

[symm2112]

I recently upgraded my NagiosXI install to the latest stable version so that I could install the LDAP Auth plugin, provided by Nagios. As this isn't a monitoring plugin, is there somewhere else that it needs to be installed to?

I'm running current stable and have it installed in the libexec folder but can't seem to find anywhere to configure the ldap server to point to nor any instructions to configure the module.

Am I missing something or can someone give me instructions to configure this?

Thank you.

[tonyyarusso]

First, a little bit about the terminology XI uses for things:

"Plugin" = a script or binary for performing a service check, like check_ping
"Wizard" = An extending package that provides an easy click-through way of setting up some sort of service to be monitored.
"Component" = An add-on package that provides additional functionality in the XI code that is not a Wizard.

The LDAP Auth feature is a component. As such, you will find instructions for how to install it on http://exchange.nagios.org/directory/Ad ... ts/details, and additional components you can try on http://exchange.nagios.org/directory/Addons/Components.

[symm2112]

Thank you. I agree that was an error. I thought I found it as a plugin so I was trying to install as such.

When you pointed me to that directory, I also found an active directory component as well. What are the fundamental differences between the two? also, if we would like to auth across a trusted to another domain, is one of those possible to accomplish this?

Thank you.

[tonyyarusso]

I also found an active directory component as well. What are the fundamental differences between the two?

Fundamentally, they use different PHP libraries underneath, one that's aimed at being generically for LDAP (and was tested with OpenLDAP), and one specific to Active Directory. In theory AD is supposed to conform to LDAP specs, but it seems like it's not always there, especially on some older versions of Windows, so you might have more luck with the AD-specific one if you're using AD and the generic LDAP one doesn't work. Both have had only limited testing on somewhat contrived setups, since we don't run LDAP or AD for our normal infrastructure, so please let us know what works & what doesn't for you.

also, if we would like to auth across a trusted to another domain, is one of those possible to accomplish this?

Honestly, I have no idea. I only tested with a single domain, single domain controller, so trust delegations, forests, and the like haven't been looked into at all yet (and I only have a limited understanding of how they work). I'd say give it a shot and if it doesn't have the feature you're looking for, try to explain in detail what it should do and I'll see if I can figure out how to add it sometime.

[symm2112]

Thanks for the response Tony.

Any documentation to setting this up? I've got it configured, pointed it to my AD, including my Base DN, my account suffix, and my domain controllers but yet I have no idea how to search for users.

Do my users need to auth once in order for them to get into the user db for nagios or should it query my AD and automatically pull all of my users in? I just need to know at what point I can interact with those users. For instance, if I wanted to give them permissions to view a hostgroup, they obviously need to be aware to NagiosXI.

[symm2112]

I just checked my error_log and can see that whenever It's activated, I see "Undefined variable: port on line 252. This happens whether I turn on SSL or not.

[tonyyarusso]

I believe the only thing this offers at this time is to pass a username and password combination off to LDAP for checking. You'll need to create the user in XI first. In the future we may add better actual integration capabilities.