Configuring OMD for LDAP (Domain) Authentication UPDATE

Just a short update on the OMD LDAP authentication topic: I finally fixed the configuration. I don't know why it was giving me such a hard time – it's actually pretty easy.

The file /omd/sites/SITENAME/etc/apache/conf.d/auth.conf is responsible for the authentication handling.

<Location "/SITENAME">
# insert your SITENAME

Require valid-user
# a valid user, either from LDAP or from the local user file, is needed in order to get access

AuthType Basic
AuthName "OMD Monitoring Site"
AuthBasicProvider ldap file
# be aware of setting the right order here. If a username is in both sources, the login will only work with the password from the first source

AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://<ldapserver>:389/ou=XXX,dc=XXX,dc=XXX?sAMAccountName?sub?(objectClass=user)"
# has to fit your company's DC settings

AuthLDAPBindDN cn=USER,ou=XXX,ou=XXX,dc=XXX,dc=XXX
# defines the user in the Active Directory which has rights to browse the user database – has to fit your company's settings

AuthLDAPBindPassword <password>
# the password of the user defined in AuthLDAPBindDN

AuthUserFile /omd/sites/SITENAME/etc/htpasswd
# path to the local user file

</Location>

REMEMBER: All paths are based on OMD 0.48; lines starting with # are comments added for better understanding.

With this configuration you have:

1)    A fully working Active Directory authentication for your OMD site

2)    A fallback authentication based on the local user file, if the LDAP server is down or not reachable.

If you still feel that this configuration is too insecure, you can restrict who is allowed to log in with Require directives: http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#requiredirectives
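A static check for the configuration above, as an added example that is not part of the original post: it flags an unencrypted LDAP URL, a bind password stored in a file readable by other local users, and an unrestricted Require valid-user. The finding labels and the sample host name ldap.example.test are made up for this example.

```shell
#!/bin/sh
# Added example: static checks for an auth.conf like the one above.
# The finding labels are made up for this example.
audit_auth_conf() {
    conf=$1
    # Ignore comment lines so commented-out directives are not reported.
    active=$(grep -v '^[[:space:]]*#' "$conf" || true)

    # ldap:// with no TLS mode after the URL: binds cross the network unencrypted.
    url=$(printf '%s\n' "$active" | grep -i 'AuthLDAPURL' || true)
    case $url in
        *ldap://*)
            if ! printf '%s\n' "$url" |
                grep -Eiq '[[:space:]](STARTTLS|TLS|SSL)[[:space:]]*$'; then
                echo "CLEARTEXT_LDAP"
            fi ;;
    esac

    # The bind password is stored in plain text, so the file must not be
    # readable by "other" users on the host.
    if printf '%s\n' "$active" | grep -qi 'AuthLDAPBindPassword' &&
        [ -n "$(find "$conf" -perm -004)" ]; then
        echo "WORLD_READABLE_BIND_PASSWORD"
    fi

    # Require valid-user admits every account the LDAP filter matches.
    if printf '%s\n' "$active" |
        grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user'; then
        echo "ANY_VALID_USER"
    fi
    return 0
}

# Constructed sample: the directives from the page with placeholder values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Location "/SITENAME">
Require valid-user
AuthBasicProvider ldap file
AuthLDAPURL "ldap://ldap.example.test:389/ou=XXX,dc=XXX,dc=XXX?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindPassword placeholder
</Location>
EOF
chmod 644 "$sample"
audit_auth_conf "$sample"
```

An ldaps:// URL (or a trailing STARTTLS mode on AuthLDAPURL), chmod 600 on auth.conf and a narrower Require directive clear the three findings. An empty result only means these checks passed.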

For me it seems useful to configure a local user that has the right to see all hostgroups. This is done as follows:

1)    Enter htpasswd2 -b /omd/sites/SITENAME/etc/htpasswd username password on the command line (the -b switch is what lets htpasswd take the password as an argument).

2)    Edit /omd/sites/SITENAME/etc/check_mk/multisite.mk and add the created user in admin_users.

Now the user has access to view all hostgroups and services.
