September 27, 2011
Just a short update on the OMD LDAP authentication topic: I finally fixed the configuration. I don't know why it was giving me such a hard time – it's actually pretty easy.
The file /omd/sites/SITENAME/etc/apache/conf.d/auth.conf is responsible for the authentication handling.
# insert your SITENAME
# a valid user, either from LDAP or the local user file, is needed in order to get access
AuthName "OMD Monitoring Site"
AuthBasicProvider ldap file
# be aware of setting the right order here. If a username is in both sources, the login will only work with the password from the first source
# has to fit your company's DC settings
# Defines the user in the Active Directory which has rights to browse the user database – has to fit your company's settings
# the password of the user defined in AuthLDAPBindDN
# path to the local user file
REMEMBER: All paths are based on OMD 0.48; the lines starting with # are comments added for better understanding.
With this configuration you have:
1) A fully working Active Directory authentication for your OMD site
2) A fallback authentication based on the local user file, if the LDAP server is down or not reachable.
If you still feel this configuration is too insecure, you can restrict access further with Require directives: http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html#requiredirectives
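An added illustration, not the configuration from the original post: how the directives the comments above refer to fit together, with the ldap-then-file provider order and an optional tighter Require rule. The Location path, host name, DNs, group name, local user name and password are placeholders, and the directive names assume Apache 2.2 with mod_authnz_ldap.

```apache
# Added illustration for /omd/sites/SITENAME/etc/apache/conf.d/auth.conf.
# Every host name, DN, user name and password below is a placeholder.
# This file holds the bind password, so keep it readable only by the
# site user and the web server.
<Location "/SITENAME">
    AuthType Basic
    AuthName "OMD Monitoring Site"

    # Providers are tried in this order: LDAP first, then the local file.
    # A username present in both sources logs in with the LDAP password.
    AuthBasicProvider ldap file

    # Search base and login attribute for Active Directory. ldaps:// keeps
    # the bind password and the users' passwords encrypted on the wire.
    AuthLDAPURL "ldaps://dc.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Service account that is only allowed to browse the user database.
    AuthLDAPBindDN "CN=omd-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "CHANGE-ME"

    # Local fallback users (file provider).
    AuthUserFile /omd/sites/SITENAME/etc/htpasswd

    # Apache 2.2 only: let authorization fall through from LDAP so that
    # users who authenticated against the local file can satisfy Require.
    AuthzLDAPAuthoritative off

    # Option A: any user who authenticated against either source.
    Require valid-user

    # Option B (tighter): replace Option A with one AD group plus named
    # local users. Multiple Require lines are alternatives.
    # Require ldap-group CN=Monitoring,OU=Groups,DC=example,DC=com
    # Require user omdadmin
</Location>
```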
For me it seems useful to configure a local user that has the right to see all hostgroups. This is done as follows:
1) Enter htpasswd2 /omd/sites/SITENAME/etc/htpasswd username password on the command line.
2) Edit /omd/sites/SITENAME/etc/check_mk/multisite.mk and add the created user in admin_users.
Now the user has access to view all hostgroups and services.