
Nagios Core and Likewise Authentication

Posted: Mon Mar 12, 2012 11:34 am
by mjf1977
Greetings all,

Was wondering if you could help me with an issue. I am running Nagios on a RHEL server and we have Likewise as a way to bridge to our Active Directory accounts for logging in. I would like to be able to implement this feature into Nagios. I have searched all over the net and I am not finding it. Either I am just not getting what has been stated in these posts or it doesn't work for me. Anything you can provide would be of some help. Surely I am not the only one who has tried this.

Thanks,

Re: Nagios Core and Likewise Authentication

Posted: Mon Mar 12, 2012 5:32 pm
by jsmurphy
In my old Nagios Core install I accomplished this by using the Apache LDAP authentication mechanism and built an import script to populate users into cgi.cfg based on AD group membership. I don't know enough about Likewise to offer any help as to how you might use this as an authentication mechanism.

If you want to know more about exactly what I did I can see if I can dig it out for you?

Re: Nagios Core and Likewise Authentication

Posted: Mon Mar 12, 2012 6:48 pm
by mjf1977
If you don't mind, that might be a good idea. Unfortunately the Likewise folks are sort of stumped too. They sent me some info and I tried it and it did not work. The other problem is that my boss has me constantly putting this on the back burner. So when I get a lull I can turn my attention to it. It may take me a while to get back to it. So far I like Nagios and I know in my office many others are very interested in using it as well. Much appreciated for the response!

Re: Nagios Core and Likewise Authentication

Posted: Tue Mar 13, 2012 7:13 pm
by jsmurphy
Below is the Apache config I used to provide authentication via AD:


ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthName "Nagios Access"
    AuthType Basic
    # Prevent LDAP from endlessly retrying
    AuthzLDAPAuthoritative Off
    # DN for authentication user used to look up accounts (this account should have read only)
    AuthLDAPBindDN "CN=user,OU=infolder,DC=domain,DC=com"
    # Password for above user
    AuthLDAPBindPassword password
    # The base OU to search for users. NOTE: you MAY NOT be able to bind to the directory root to search for users when using AD as the directory... this is a rarely encountered but known issue.
    AuthLDAPURL ldaps://domain-controller/OU=where-users-are,DC=domain,DC=com?sAMAccountName?sub
    Require valid-user
</Directory>

Alias /nagios "/usr/local/nagios/share"

<Directory "/usr/local/nagios/share">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthBasicProvider ldap
    AuthName "Nagios Access"
    AuthType Basic
    AuthzLDAPAuthoritative Off
    AuthLDAPBindDN "CN=user,OU=infolder,DC=domain,DC=com"
    AuthLDAPBindPassword password
    AuthLDAPURL ldaps://domain-controller/OU=where-users-are,DC=domain,DC=com?sAMAccountName?sub
    Require valid-user
</Directory>

If you want all users to have the same level of access then just set all the authorization parameters in cgi.cfg to * (except read_only); otherwise, if you need users with different levels of auth, then keep reading.

I can't find the exact script I used for the sync between AD and cgi.cfg, but if you are familiar with Perl I can at least give you the gist of how I did it. I've attached the real code of the AD lookup (from another similar script) and then the pseudo code for updating the config:


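#!/usr/bin/perl -w

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $adGroup = "ADGroup";
my $adUser = "CN=binduser,OU=directory,DC=domain,DC=com";
my $adPassword = "password";
my $adDomain = "domain.com";
my $adSearchBase = "DC=domain,DC=com";

# Connect and bind as the lookup account; stop if either step fails.
# A bare host name means plain LDAP; Net::LDAP->new also accepts an ldaps:// URI.
my $adConnection = Net::LDAP->new($adDomain) or die "$@";
my $adBind = $adConnection->bind($adUser, password => $adPassword);
die $adBind->error if $adBind->code;

# Find the group object by its sAMAccountName
my $adQueryResults = $adConnection->search( base => $adSearchBase, scope => 'sub', filter => "(sAMAccountName=$adGroup)" );
my $adGroupEntry = $adQueryResults->entry(0) or die "Group $adGroup not found";

# Resolve each member DN to its sAMAccountName
my @userNames;
foreach my $adGroupMemberDN ($adGroupEntry->get_value('member')) {
    # Escape the DN before placing it in a filter (DNs can contain \ ( ) *)
    my $adUserFilter = "(distinguishedName=" . escape_filter_value($adGroupMemberDN) . ")";
    my $adUserQueryResults = $adConnection->search( base => $adSearchBase, scope => 'sub', filter => $adUserFilter );
    my $adUserEntry = $adUserQueryResults->entry(0) or next;
    my $userName = $adUserEntry->get_value('sAMAccountName');
    push @userNames, $userName if defined $userName;
}

#
# PSEUDO CODE FROM HERE
#
# Open cgi.cfg;
#
# foreach $line (@filecontents) {
#     if $line begins with "access_level" AND user is member of AD group with access level AND user does not exist in string add user to string
#     push $line to @newArray
# }
#
# Write @newArray to cgi.cfg

Hopefully this helps!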
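
The cgi.cfg update that the pseudo code in the post above outlines, as an added Perl example (not jsmurphy's script and not Nagios code). It goes beyond the pseudo code by rebuilding each managed authorized_for_* list, so users removed from the AD group lose access, and by rejecting names that could inject a comma or `*`; the directive-to-members mapping, the `%keep_local` list and the sample config are constructed assumptions.

```perl
#!/usr/bin/perl
# Added example (not jsmurphy's script). Group mapping, member lists and
# the sample cgi.cfg text below are constructed for illustration.
use strict;
use warnings;

# Constructed: sAMAccountNames per cgi.cfg directive, as an AD lookup would return them.
my %ad_members = (
    authorized_for_all_services    => [ 'jdoe', 'asmith' ],
    authorized_for_all_hosts       => [ 'jdoe', 'asmith' ],
    authorized_for_system_commands => [ 'jdoe', 'mallory,*' ],  # hostile name: must be dropped
);
# Local accounts that stay in a managed directive if already listed (assumption).
my %keep_local = ( nagiosadmin => 1 );

# Accept only names that cannot add a list separator, a wildcard or a new line.
sub safe_name { my ($n) = @_; return defined $n && $n =~ /\A[A-Za-z0-9._-]{1,64}\z/ }

sub sync_cgi_cfg {
    my ($text, $members, $keep) = @_;
    my @out;
    for my $line (split /\n/, $text, -1) {
        if ($line =~ /\A\s*(authorized_for_\w+)\s*=\s*(.*?)\s*\z/ && exists $members->{$1}) {
            my ($directive, $current) = ($1, $2);
            my (%seen, @users);
            # Kept local accounts first, then validated AD members; everyone else is revoked.
            for my $u ((grep { $keep->{$_} } split /\s*,\s*/, $current), @{ $members->{$directive} }) {
                next unless safe_name($u) && !$seen{$u}++;
                push @users, $u;
            }
            push @out, "$directive=" . join(',', @users);
            next;
        }
        push @out, $line;   # unmanaged lines pass through unchanged
    }
    return join "\n", @out;
}

# Constructed sample input.
my $cfg = <<'EOF';
use_authentication=1
authorized_for_all_services=nagiosadmin,olduser
authorized_for_all_hosts=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_read_only=guest
EOF

print sync_cgi_cfg($cfg, \%ad_members, \%keep_local);
```

In a real sync the result would be written to a temporary file and renamed over cgi.cfg, so the CGIs never read a half-written file.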

Re: Nagios Core and Likewise Authentication

Posted: Tue Mar 13, 2012 7:24 pm
by mjf1977
I'll give it a shot sometime. If I have any questions, I will post them back or hopefully post that it was a success. I appreciate your help.