Configuring OMD for LDAP (Domain) Authentication

In one of my first posts I mentioned that one goal of my new Nagios installation is "a customizable interface which only shows the information that the user really needs". That implies a user database holding the login information for all users. Managing this information in a decentralized way is inefficient, since nearly every business already has a centralized user management, for example a domain controller.

In this article I want to show how you can authenticate Nagios users against your domain controller. This is done by telling Apache to check credentials against the LDAP directory instead of the site's local htpasswd file.

Remember: this tutorial is based on the pathnames used in OMD (Open Monitoring Distribution). If you get errors, first check that the pathnames match your installation.

The first step is to load the Apache modules needed for LDAP authentication. In the directory /omd/sites/<sitename>/etc/apache/ you will find the file apache.conf. Here you have to declare two additional modules:

LoadModule authnz_ldap_module /usr/lib64/apache2-prefork/mod_authnz_ldap.so
LoadModule ldap_module /usr/lib64/apache2-prefork/mod_ldap.so

(The paths are based on a 64-bit SUSE Linux Enterprise Server 11 configuration; on other distributions the module directory differs.) After restarting the site's Apache (omd restart apache) the modules are loaded and Apache is ready for LDAP authentication.

In the second step you have to tell the Apache webserver to use the newly declared modules for authentication. The central authentication file for your Nagios site is /omd/sites/<sitename>/etc/apache/conf.d/auth.conf.

The structure of the file is as follows:

<Location "/<sitename>">
  Options None
  AllowOverride AuthConfig
  Order allow,deny
  AuthName "Nagios Site Access"
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL ldap://<ldap server>:389/ou=User,ou=Company,ou=department,dc=Domain,dc=Domain?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN CN=testuser,CN=Users,DC=Domain,DC=Domain
  AuthLDAPBindPassword secretpassword
  require valid-user
</Location>

If you need more help with the individual directives, take a look at the Apache documentation for mod_authnz_ldap.

As you can see, Apache needs an account which can read the domain (declared in AuthLDAPBindDN). That account's password is declared in the following line, which results in a major disadvantage: it is stored in clear text in auth.conf, so anyone who can read that file holds a domain credential. Since the URL uses plain ldap:// on port 389, the bind credentials and every user's password also cross the network unencrypted. This should be considered when applying this tutorial; in the future I will try to find a workaround for that. Another thing to fix in the future is the dependency between the Nagios server and the domain controller: nobody can log in to Nagios if the directory server is unavailable. Of course you can ssh into the Nagios server and remove the LDAP authentication from auth.conf, but it would be better if authentication fell back to the local htpasswd file. There I could define an emergency user who is allowed to view all hosts.

My goals for the future are:

– Fallback authentication with the local htpasswd file.

– Somehow encrypt the password for the AuthLDAPBindDN account.

– Encrypted transmission of the login information from the Nagios server to the domain controller.

– Limit login to certain domain users or groups.
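To make the points above checkable, here is a small Python lint, added to this page as an example (it is not OMD's code and not from the original post). It reassembles the auth.conf shown above as a constructed string, places a hardened variant beside it, and reports which of the weaknesses discussed here each one still has. The host names, DNs, service account, AD group and htpasswd path in both texts are placeholder assumptions; the hardened directives are Apache 2.2 ones (the version on SLES 11), memberOf is the Active Directory group-membership attribute, and the verdicts encode how mod_auth_basic and mod_authnz_ldap chain providers and authorization in that version.

```python
"""Lint an Apache mod_authnz_ldap <Location> block for the weaknesses discussed
in this post.  Added example (not OMD's code, not the post's); both configs are
constructed, with placeholder hostnames, DNs, AD group, service account and
htpasswd path.  Directive semantics follow Apache 2.2 as shipped with SLES 11."""

# The page's auth.conf, one directive per line (constructed).
WEAK_AUTH_CONF = """\
<Location "/mysite">
  Options None
  AllowOverride AuthConfig
  Order allow,deny
  AuthName "Nagios Site Access"
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL ldap://dc01.example.com:389/ou=User,ou=Company,ou=department,dc=example,dc=com?sAMAccountName?sub?(objectClass=*)
  AuthLDAPBindDN CN=testuser,CN=Users,DC=example,DC=com
  AuthLDAPBindPassword secretpassword
  require valid-user
</Location>
"""
# Hardened variant (constructed): LDAPS, a filter limited to one AD group, and
# the local htpasswd tried first so an emergency account works during a DC outage.
HARDENED_AUTH_CONF = """\
<Location "/mysite">
  Options None
  AllowOverride AuthConfig
  Order allow,deny
  Allow from all
  AuthName "Nagios Site Access"
  AuthType Basic
  AuthBasicProvider file ldap
  AuthUserFile /omd/sites/mysite/etc/htpasswd
  AuthzLDAPAuthoritative off
  AuthLDAPURL "ldaps://dc01.example.com:636/ou=User,ou=Company,ou=department,dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=Nagios Users,OU=Groups,DC=example,DC=com))"
  AuthLDAPBindDN "CN=svc-nagios-ldap,OU=Service Accounts,DC=example,DC=com"
  AuthLDAPBindPassword secretpassword
  Require valid-user
</Location>
"""
FINDINGS = {
    "plaintext-ldap": "ldap:// carries the bind password and every login in clear text; use ldaps://",
    "filter-matches-any-object": "(objectClass=*) accepts any object whose sAMAccountName matches",
    "no-group-restriction": "no memberOf filter and no 'Require ldap-group': every domain account may log in",
    "no-local-fallback": "only the ldap provider: nobody can log in while the domain controller is down",
    "ldap-before-file": "mod_auth_basic stops at a provider that errors; a file provider after ldap is never reached in an outage",
    "ldap-authz-blocks-fallback": "AuthzLDAPAuthoritative on: mod_authnz_ldap rejects a file-authenticated user it cannot look up",
    "bind-password-inline": "bind password in clear text; restrict read access to auth.conf (Apache >= 2.4.5: exec: prefix)",
}

def parse_directives(conf_text):
    """Yield (lowercased name, value) per directive; skip comments and <tags>."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1].strip() if len(parts) == 2 else "")

def parse_ldap_url(url):
    """(scheme, host/basedn, attribute, scope, filter) with mod_authnz_ldap defaults."""
    scheme, _, rest = url.strip('"').partition("://")
    seg = rest.split("?")
    return (scheme.lower(), seg[0],
            seg[1] if len(seg) > 1 else "uid",
            seg[2] if len(seg) > 2 else "sub",
            "?".join(seg[3:]) if len(seg) > 3 else "(objectClass=*)")

def audit_ldap_auth(conf_text):
    """Return the FINDINGS codes that apply to one <Location> block."""
    directives = list(parse_directives(conf_text))
    d = dict(directives)                                   # last one wins, as in Apache
    requires = [v for k, v in directives if k == "require"]
    findings = []
    scheme, _, _, _, filt = parse_ldap_url(d.get("authldapurl", ""))
    if scheme != "ldaps":
        findings.append("plaintext-ldap")
    if filt.replace(" ", "").lower() == "(objectclass=*)":
        findings.append("filter-matches-any-object")
    if "memberof=" not in filt.lower() and not any(
            v.lower().startswith("ldap-group") for v in requires):
        findings.append("no-group-restriction")
    providers = d.get("authbasicprovider", "file").lower().split()
    if "file" not in providers or "authuserfile" not in d:
        findings.append("no-local-fallback")
    else:
        if "ldap" in providers and providers.index("ldap") < providers.index("file"):
            findings.append("ldap-before-file")
        if d.get("authzldapauthoritative", "on").lower() != "off":
            findings.append("ldap-authz-blocks-fallback")
    pw = d.get("authldapbindpassword", "").strip('"')
    if pw and not pw.lower().startswith("exec:"):
        findings.append("bind-password-inline")
    return findings

if __name__ == "__main__":
    for name, conf in (("page config", WEAK_AUTH_CONF), ("hardened", HARDENED_AUTH_CONF)):
        print(name, "->", ", ".join(audit_ldap_auth(conf)) or "no findings")
```

The hardened block covers three of the four goals. ldaps:// on port 636 encrypts the exchange (the CA that signed the domain controller's certificate still has to be trusted with LDAPTrustedGlobalCert and LDAPVerifyServerCert in the server-level apache.conf, not inside the Location block). The memberOf part of the filter limits logins to one group while keeping Require valid-user, so the file provider can still admit the emergency account; memberOf only covers direct membership. Listing file before ldap, together with AuthzLDAPAuthoritative off, is what keeps that account usable while the domain controller is unreachable. The bind password stays in clear text on Apache 2.2, which is why the hardened variant still gets that one finding: keep auth.conf readable only by the site user, or on Apache 2.4.5 or later read the password from a program via the exec: prefix.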

About sitweak
Monitoring, Network, Firewall, Mobile Security. I'm totally into that stuff!