
Nagios and Centrify Active Directory - authorization

Posted: Wed Nov 02, 2016 10:19 am
by staceygong
Hi,

I am setting up a Nagios server on Red Hat Linux 6.7 using nagios-3.5.1-1.el6.x86_64 rpm.
I would like to use Centrify Active Directory for Nagios authentication and authorization.
I found two articles about this:
https://rravikumar.wordpress.com/2015/0 ... ntication/
https://exchange.nagios.org/components/ ... 9&cf_id=29

It is easy to configure authentication. I updated my nagios apache2.conf as:

AuthName "Nagios"
AuthType CENTRIFYDC
EnableBasicAuth true
Require user valid-user

Now I can log in to http://my-nagios-server/nagios with Centrify username and password.

However, I can't get authorization to work correctly.

I tried to add the admin user (userA) from Centrify AD in /etc/nagios/cgi.cfg file:

authorized_for_system_information=nagiosadmin,userA@DomainName
authorized_for_configuration_information=nagiosadmin,userA@DomainName
authorized_for_system_commands=nagiosadmin,userA@DomainName
authorized_for_all_services=nagiosadmin,userA@DomainName
authorized_for_all_hosts=nagiosadmin,userA@DomainName
authorized_for_all_service_commands=nagiosadmin,userA@DomainName
authorized_for_all_host_commands=nagiosadmin,userA@DomainName

But when I log in as userA, I can't browse any host/hostgroup/service/servicegroup; it complains about no permissions....

I have to change the username specified in cgi.cfg to * to make it work:

authorized_for_system_information=*
authorized_for_configuration_information=*
authorized_for_system_commands=*
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_all_host_commands=*

But now all the users get the same authorization! Everyone can see everything...

What am I missing? Any advice? Thanks a lot!

Thanks,
Stacey

Re: Nagios and Centrify Active Directory - authorization

Posted: Wed Nov 02, 2016 2:21 pm
by staceygong
Hi,

I figured it out myself :)

In /etc/nagios/cgi.cfg, before I used lower case for DomainName. For example:

authorized_for_system_information=nagiosadmin,userA@example.com

When I check on the “Tactical Overview” page, I found it says "Logged in as userA@EXAMPLE.COM"

After I modified all configuration files to use UPPER CASE, authorization now works fine as expected.

So here comes another question:

Any way I can tell Nagios all my users are from EXAMPLE.COM and don't need to specify all my contacts with EXAMPLE.COM suffix?

I would assume it is something in the apache2.conf? My apache2.conf now looks like:

AuthName "Nagios"
AuthType CENTRIFYDC
EnableBasicAuth true
Require user valid-user

I have an example of LDAP configuration:

AuthLDAPBindDN "uid=myldap,ou=people,dc=dept1,dc=example,dc=com"
Require ldap-group cn=support,ou=Group,dc=dept1,dc=example,dc=com

I guess I need to do the same thing for Centrify AD? But I'm not sure about the actual format....will test....hope someone has done it before and can give me some advice....

Thanks,
Stacey

Re: Nagios and Centrify Active Directory - authorization

Posted: Wed Nov 02, 2016 2:49 pm
by rkennedy
Ah, this will matter depending on what is looking for the cAsE sEnSiTiViTy.

Because of how Core handles authentication and lining up, I don't think there is going to be a way around this. I'll break down what is happening on the backend here -

- LDAP user logs in with [email protected] which is passed directly to your LDAP server, which approves / denies accordingly.
- The user [email protected] is then authenticated through basic auth. The session is locked to [email protected] due to LDAP.
- Permissions on Nagios reflect the same session username, so [email protected]

You might be able to alter this in a way, but nothing that I know of off the top of my head. If I was to guess, it would be appending the @EXAMPLE.COM suffix somewhere in the original login request.
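
A small audit of the matching described above, as an added example that is not part of the original thread or of Nagios itself: it parses authorized_for_* lines from cgi.cfg text and compares them, case-sensitively, with the name shown in "Logged in as". The sample config and the function names parse_authorized and audit are constructed for illustration.

```python
import re

# Constructed sample in cgi.cfg syntax; names mirror the thread (userA, EXAMPLE.COM).
SAMPLE_CGI_CFG = """\
# constructed sample
authorized_for_system_information=nagiosadmin,userA@example.com
authorized_for_all_hosts=nagiosadmin,userA@EXAMPLE.COM
authorized_for_all_services=*
authorized_for_system_commands=nagiosadmin
"""

DIRECTIVE = re.compile(r"^\s*(authorized_for_\w+)\s*=\s*(.*?)\s*$")


def parse_authorized(cfg_text):
    """Return {directive: [names]} for every authorized_for_* line."""
    rules = {}
    for line in cfg_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comments
        m = DIRECTIVE.match(line)
        if m:
            rules[m.group(1)] = [n.strip() for n in m.group(2).split(",") if n.strip()]
    return rules


def audit(cfg_text, remote_user):
    """Classify each directive for the name the web server reports as the user."""
    findings = {}
    for directive, names in parse_authorized(cfg_text).items():
        if "*" in names:
            findings[directive] = "wildcard"        # every authenticated user matches
        elif remote_user in names:
            findings[directive] = "match"           # exact, case-sensitive match
        elif any(n.lower() == remote_user.lower() for n in names):
            findings[directive] = "case-mismatch"   # same name, different case
        elif any(n.split("@")[0] == remote_user.split("@")[0] for n in names):
            findings[directive] = "realm-mismatch"  # same account, different @suffix
        else:
            findings[directive] = "no-match"
    return findings


if __name__ == "__main__":
    for user in ("userA@EXAMPLE.COM", "userA"):
        print(user, audit(SAMPLE_CGI_CFG, user))
```

A "wildcard" result is the setting that gave every user the same rights earlier in the thread; "case-mismatch" and "realm-mismatch" are entries that look right but will never match the logged-in name.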

Re: Nagios and Centrify Active Directory - authorization

Posted: Wed Nov 02, 2016 3:05 pm
by staceygong
Hi,

Thank you for the reply. It helps me understand more about Nagios...

I figured it out. I added this line to /etc/nagios/apache2.conf:

IdentityType samAccountName

The samAccountName in my Centrify authentication displays just the username without EXAMPLE.COM.

Now when I log in to Nagios, it shows me as "Logged in as userA".

Thanks,
Stacey

Re: Nagios and Centrify Active Directory - authorization

Posted: Wed Nov 02, 2016 5:00 pm
by rkennedy
No problem. Awesome to see you were able to work with what I gave you!

Are we good to mark this thread as resolved?

Re: Nagios and Centrify Active Directory - authorization

Posted: Thu Nov 03, 2016 7:44 am
by staceygong
Yes, you can mark this issue as resolved. Thanks!

Re: Nagios and Centrify Active Directory - authorization

Posted: Thu Nov 03, 2016 10:01 am
by dwhitfield
Glad to hear it is resolved. I am going to lock the thread. Please feel free to post again if you have another issue. Thank you for using the Nagios forums!