Integration with OpenAM/AD
Posted: Thu Apr 30, 2015 12:22 pm
by jay
I'm working on integrating XI with an existing authentication/authorization infrastructure that uses OpenAM, which is in turn backed by an Active Directory server. Is it possible to integrate OpenAM authentication with XI? I've been able to integrate an OpenAM adapter with the local HTTPD server, so it successfully intercepts requests and forces you to log in to OpenAM first. Nagios has no knowledge of this process though, so it still presents its own independent login page, backed by the accounts provisioned inside of Nagios. I'd like to get it to behave as an SSO if possible, but may have to fall back on just straight Active Directory integration, without OpenAM involved.
Are either of the following possible?
- Tying a Nagios user to an OpenAM authenticated user and suppressing the Nagios login page
- Authenticating against an Active Directory server without having provisioned that user first inside of Nagios
My install information:
Nagios XI version: 2014R2.6
Linux Distro: RHEL 6.5 x64
OpenAM version: 11
Thanks!
Re: Integration with OpenAM/AD
Posted: Thu Apr 30, 2015 12:42 pm
by jolson
Have you looked over the following article?
https://www.itefix.net/content/nagios-s ... -directory
I don't believe we have SSO support built in at the moment - the following AD integration and LDAP components may help:
Active Directory Integration
LDAP Integration
> Are either of the following possible?
> Tying a Nagios user to an OpenAM authenticated user and suppressing the Nagios login page
I am not sure. I don't think we've experienced a successful OpenAM integration with XI - but that's not to say that it cannot be done. I would use the above guides as a reference point. XI users would be the primary concern - it's likely they'd have to be added manually.
> Authenticating against an Active Directory server without having provisioned that user first inside of Nagios
If this is possible, I am not aware of it.
Re: Integration with OpenAM/AD
Posted: Thu Apr 30, 2015 2:30 pm
by jay
Thanks! I've tried the AD and LDAP components and had some mixed success. I was able to get the AD component to work (without protocol security) after manually provisioning each AD username inside of Nagios, so I'm going to attempt to get it working over TLS.
For the LDAP component, is there the same requirement that the users must be pre-provisioned in Nagios? (It seems like it would work the same way as the AD component, but I just wanted to check.)
I haven't been able to get the LDAP binding working yet, but we probably won't go down that path if it's functionally identical to the AD component in terms of how the users are stored and authenticated.
Re: Integration with OpenAM/AD
Posted: Fri May 01, 2015 10:15 am
by jolson
jay,
Have you made any progress regarding this integration?
> For the LDAP component, is there the same requirement that the users must be pre-provisioned in Nagios?
I believe the answer is yes. I've posed this question to a developer, and am waiting for an official response - but to my knowledge the functionality here is very similar to that of AD.
EDIT: I have word from the developer that the above is accurate. In Nagios XI 5, AD users will be able to be imported - but I have no timeline on when that functionality might be released.
Re: Integration with OpenAM/AD
Posted: Fri May 01, 2015 12:11 pm
by jay
I've tried a few other things with the OpenAM adapter, but the best I could get was to protect the entire /nagiosxi context path with the OpenAM login, and then either auto-login to Nagios with a preset user, or make the user explicitly log in again with a local Nagios account. Unfortunately, we can't use the combination of OpenAM+Autologin since we'll need to support users with different levels of authorization inside Nagios, e.g. 'read-only' and 'admin'.
Given the restriction on pre-provisioning the user accounts for both LDAP and AD, we're going to go with just a completely standalone set of users for the time being. So, we can't really get away from having to pre-provision each user, but it does avoid the issue of presenting multiple login pages, and having user accounts with two (potentially) different valid passwords (one from AD, one from Nagios). Thanks again for the info!
Re: Integration with OpenAM/AD
Posted: Fri May 01, 2015 12:44 pm
by jolson
No problem jay, thanks for the detailed information - I'm sure it'll help someone in the future. I'll lock this thread for now - feel free to open another if you have further questions!