ldap authentication problem (solved)

Posted: Fri Nov 17, 2017 12:01 pm
by frouvier
Hello,

I'm trying to migrate my old Nagios server to a Debian 9 / Nagios 4.3.4 server.
The only thing I can't use anymore is LDAP authentication.
The Apache auth seems to be working fine, as I get access to the web page with "Logged in as mysuser", but I can't get any info from status.cgi:
"It appears as though you do not have permission to view information for any of the services you requested..."

My Apache configuration:

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
         AuthType Basic
         AuthName "Restricted access"
         AuthLDAPBindAuthoritative on
         AuthBasicProvider ldap
         AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPGroupAttribute memberUid
         AuthLDAPGroupAttributeIsDN off
         Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
      AuthType Basic
      AuthName "Restricted access"
      AuthLDAPBindAuthoritative on
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPGroupAttribute memberUid
      AuthLDAPGroupAttributeIsDN off
      Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
      Require valid-user
   </IfVersion>
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
   Options None
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
         AuthType Basic
         AuthName "Restricted access"
         AuthLDAPBindAuthoritative on
         AuthBasicProvider ldap
         AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
         AuthLDAPGroupAttribute memberUid
         AuthLDAPGroupAttributeIsDN off
         Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
      Allow from all
      AuthType Basic
      AuthName "Restricted access"
      AuthLDAPBindAuthoritative on
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ldap.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPUrl ldap://ldap-backup.mydomain.net/ou=utilisateurs,dc=mydomain,dc=net
      AuthLDAPGroupAttribute memberUid
      AuthLDAPGroupAttributeIsDN off
      Require ldap-group cn=supervision,ou=groupes,dc=mydomain,dc=net
      Require valid-user
   </IfVersion>
</Directory>

My cgi.cfg:

(...)
use_authentication=1
use_ssl_authentication=0
default_user_name=myuser
authorized_for_system_information=myuser
authorized_for_configuration_information=myuser
authorized_for_system_commands=myuser
authorized_for_all_services=myuser
authorized_for_all_hosts=myuser
authorized_for_all_service_commands=myuser
authorized_for_all_host_commands=myuser

I tried setting all *authentication options with "*"; I even tried to set "use_authentication=0" and still got Nagios permissions problems.

Does anyone have any idea?

Re: ldap authentication problem

Posted: Fri Nov 17, 2017 4:21 pm
by dwasswa
Hi @frouvier,

Please run the following command: ll /usr/local/nagios/sbin (or wherever you have status.cgi located on Debian) and post the output.

Example on CentOS: check_cgi_permisions.PNG (attached image)

Re: ldap authentication problem

Posted: Mon Nov 20, 2017 11:01 am
by frouvier
Hello dwasswa,

Here is my CGI folder:

# ls -l /usr/local/nagios/sbin
total 5300
-rwxrwxr-x 1 nagios nagios 345264 Aug 25 11:03 archivejson.cgi
-rwxrwxr-x 1 nagios nagios 310168 Aug 25 11:03 avail.cgi
-rwxrwxr-x 1 nagios nagios 304488 Aug 25 11:03 cmd.cgi
-rwxrwxr-x 1 nagios nagios 277320 Aug 25 11:03 config.cgi
-rwxrwxr-x 1 nagios nagios 322424 Aug 25 11:03 extinfo.cgi
-rwxrwxr-x 1 nagios nagios 269312 Aug 25 11:03 histogram.cgi
-rwxrwxr-x 1 nagios nagios 248696 Aug 25 11:03 history.cgi
-rwxrwxr-x 1 nagios nagios 248680 Aug 25 11:03 notifications.cgi
-rwxrwxr-x 1 nagios nagios 342960 Aug 25 11:03 objectjson.cgi
-rwxrwxr-x 1 nagios nagios 240456 Aug 25 11:03 outages.cgi
-rwxrwxr-x 1 nagios nagios 244568 Aug 25 11:03 showlog.cgi
-rwxrwxr-x 1 nagios nagios 322448 Aug 25 11:03 status.cgi
-rwxrwxr-x 1 nagios nagios 337008 Aug 25 11:03 statusjson.cgi
-rwxrwxr-x 1 nagios nagios 269376 Aug 25 11:03 statusmap.cgi
-rwxrwxr-x 1 nagios nagios 261008 Aug 25 11:03 statuswml.cgi
-rwxrwxr-x 1 nagios nagios 248696 Aug 25 11:03 statuswrl.cgi
-rwxrwxr-x 1 nagios nagios 269216 Aug 25 11:03 summary.cgi
-rwxrwxr-x 1 nagios nagios 261024 Aug 25 11:03 tac.cgi
-rwxrwxr-x 1 nagios nagios 277512 Aug 25 11:03 trends.cgi

Thank you for your help.

Re: ldap authentication problem

Posted: Mon Nov 20, 2017 5:25 pm
by npolovenko
@frouvier, can you match the /etc/openldap/ldap.conf file on your old Core system and the new one? Did you enable the LDAP module in /etc/httpd/conf/httpd.conf? Also, taking a look at the Apache log files after you attempt to authenticate might help:

cd /var/log/httpd/
tail *

Unfortunately, I don't have LDAP authentication on my Nagios servers, so I'm unable to test your configuration. Just to throw an extra option, you could post on the Apache forums, as this issue is directly related to their configurations.
Can you share a link to the tutorial you used to set up Core with LDAP in the first place?

Re: ldap authentication problem

Posted: Tue Nov 21, 2017 3:42 am
by frouvier
Hello,

The LDAP service is on another server and has not changed.

The LDAP module is installed and enabled on the Nagios Core.
Apache seems to be working fine, as it lets me authenticate.
Apache connection log:

2a03:9180:4:1:xxxx:xxxx:xxx:xxxx - frouvier [21/Nov/2017:09:24:56 +0100] "GET /nagios/cgi-bin/status.cgi?hostgroup=all&style=summary HTTP/1.1" 200 1985 "https://nagios.exemple.com/nagios/cgi-bin/status.cgi?hostgroup=all&style=summary" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"

In the top left corner I can see that I'm logged in as frouvier, so Nagios seems to be receiving the user name from Apache.

But then I still got from Nagios: "It appears as though you do not have permission to view information for any of the services you requested..."

I couldn't find any information about what tutorial I used to set it up; it was a very long time ago (5-6 years).

Re: ldap authentication problem [solved]

Posted: Tue Nov 21, 2017 9:09 am
by frouvier
So, finally I found that Nagios was not reading the cgi.cfg file I thought it was.
It was reading the one in "/usr/local/nagios/etc/" instead of "/etc/nagios/".
With the right config, LDAP auth is working.

Thanks for your help.
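
The fix in the post above came down to edits landing in a cgi.cfg that the CGIs were not reading. As an added example (not part of the thread; the function names are made up here), this script checks each candidate cgi.cfg for whether a login appears in the global authorized_for_all_hosts and authorized_for_all_services lists, so the two copies can be compared directly. It looks only at those global lists, not at contact-based access.

```sh
#!/bin/sh
# Added example (not from the thread): check whether USER appears in the global
# authorized_for_all_* lists of each candidate cgi.cfg.

# cgi_value FILE KEY: print every uncommented value of KEY, joined with commas.
cgi_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | paste -sd, -
}

# user_in_list USER LIST: succeed if USER or the wildcard "*" is in LIST.
user_in_list() {
    case ",$(printf '%s' "$2" | tr -d '[:space:]')," in
        *",$1,"* | *",*,"*) return 0 ;;
    esac
    return 1
}

# check_cfg FILE USER: print findings; return 0 = can view all hosts and
# services, 1 = missing from at least one list, 2 = file unreadable.
check_cfg() {
    [ -r "$1" ] || { echo "$1: missing or unreadable"; return 2; }
    if [ "$(cgi_value "$1" use_authentication)" = "0" ]; then
        echo "$1: use_authentication=0, per-user checks are off"
        return 0
    fi
    result=0
    for key in authorized_for_all_hosts authorized_for_all_services; do
        if user_in_list "$2" "$(cgi_value "$1" "$key")"; then
            echo "$1: $key includes $2"
        else
            echo "$1: $key does NOT include $2"
            result=1
        fi
    done
    return "$result"
}

# Usage: sh check_cgi_cfg.sh USER [FILE...]
# With no FILE, the two locations named in the thread are checked.
if [ "$#" -gt 0 ]; then
    login=$1; shift
    [ "$#" -gt 0 ] || set -- /usr/local/nagios/etc/cgi.cfg /etc/nagios/cgi.cfg
    for f in "$@"; do check_cfg "$f" "$login" || true; done
fi
```

If the two files disagree about the login, the copy whose result matches what status.cgi shows in the browser is the one the CGIs are actually reading.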

Re: ldap authentication problem (solved)

Posted: Tue Nov 21, 2017 11:27 am
by npolovenko
@frouvier, I'm glad you figured that out! I will go ahead and lock this thread as resolved.