Nagios3 with Active Directory authorization on SLES10

Well, it seems to be getting a “trend” for me, to integrate stuff into our Active Directory. Now that I know why, and how easy that is, I expect to add more stuff. The good thing about the integration is, that you only need to maintain a single source for authorization.

The bad thing about that is, that stuff becomes dependant on the Active Directory (we do have four domain controllers, so that should be fine).

Now, here’s the ssl-(only) apache2 configuration file for my vhost:



  ## mod_core
  DocumentRoot "/usr/share/nagios"

  ServerName nagios.barfoo.org
  ServerAlias nagios3.barfoo.org
  ServerAdmin nagiosadmin@barfoo.org

  ## mod_rewrite
  RewriteEngine On
  RewriteRule ^/(.*)         https://nagios.barfoo.org/$1 [L,R]





  ## mod_core
  DocumentRoot "/usr/share/nagios"

  ServerName nagios.barfoo.org
  ServerAdmin nagiosadmin@barfoo.org

  ScriptAlias /nagios/cgi-bin /usr/lib/nagios/cgi
  Alias /nagios /usr/share/nagios
  Alias /pnp /usr/share/nagios/html/pnp4nagios

  
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.0.0.
    Options None

    # Authorization
    AuthType Basic
    AuthName "Nagios Barfoo"

    # The authentification provider is mod_ldap
    AuthBasicProvider ldap

    # mod_ldap is our *only* authentification provider for this!
    AuthzLDAPAuthoritative on

    # Redirect the userfile requests to /dev/null
    AuthUserFile /dev/null

    # AD requires an authentication DN to access any records
    AuthLDAPBindDN "BARFOO\\ldap_nagios"
    AuthLDAPBindPassword "somethingrandom"

    # The URL to search in
    AuthLDAPURL "ldap://dc0.barfoo.org dc1.barfoo.org dc2.barfoo.org dc3.barfoo.org/OU=Users,dc=barfoo,dc=org?sAMAccountName?sub?(objectClass=*)"

    # Search the group membership in the specified group, otherwise it's gonna
    # get searched at the binding DN's location
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=gr_nagios,OU=Groups,DC=barfoo,DC=org
  

  ## mod_log
  ErrorLog /var/log/apache2/nagios.barfoo.org.error_log
  TransferLog /var/log/apache2/nagios.barfoo.org.access_log
  CustomLog /var/log/apache2/nagios.barfoo.org.ssl_request_log   ssl_combined

  ## mod_ssl
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/apache2/ssl.crt/nagios.barfoo.org.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/nagios.barfoo.org.key

  
    SSLOptions +StdEnvVars
  

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

As you can see, AuthLDAPUrl holds the four LDAP servers separated by spaces (that’s what the Apache2 documentation says about that), and that actually works.

The only additional thing I had to change from the nagios part is in /etc/nagios/cgi.cfg to allow everyone to issue system commands. Also, if you ever stumble upon extranous chars in the check_nrpe output, update to a newer NRPE version, that fixed it for me (that is on the receiver side – as in the box running the NRPE agent).

Active Directory, Nagios, SLES10, Work

Print article

This entry was posted by Christian on Monday, 14th July, 2008 at 19:32, and is filed under Life. Follow any responses to this post through RSS 2.0. Both comments and pings are currently closed.

Related Posts
Trackbacks (1)
Comments (0)

No comments yet.

Displaying Windows Architecture with bginfo

about 2 months ago - Comments Off

On all our servers in the basement, we do have bginfo installed, in order to quickly get certain information. Now as I was struggling with a big Service Pack roll out, I looked into making bginfo also display the OS architecture. But apparently it isn’t that easy … At least bginfo doesn’t provide it by

AutoYAST and custom swap partitioning

about 3 months ago - Comments Off

Well, we’ve been discussing our swap partitioning the last few days at work, and I finally got around to implementing it. Again, it proved to be kinda hard, basically because AutoYAST decides to do things differently. After trying different things, I came up with this: <rule> <memsize> <match>32767</match> <match_type>greater</match_type> </memsize> <result> <profile>system/swap/32G.xml</profile> <continue config:type="boolean">false</continue> <dont_merge

SLES10 not installing boot loader in MBR

about 3 months ago - Comments Off

Well, as I mentioned in my earlier post, I had some trouble during the week. I was having issues with SLES10 installations not finishing during the bootloader installation phase. After trying out different flavors (as in 10SP2 x64/x86, …), and not having any luck with this, I went searching on Google as a last effort

Reset Master Boot Record (MBR)

about 3 months ago - 1 comment

Since I’ve been playing with my AutoYAST setup for the last few days, working out the kinks (for example SLES10 not being able to install into the MBR), I needed a way to zap the MBR (as in remove grub to see whether or not the installation would install a new loader). So after quickly

VMware Consolidated Backup and TRANSPORT_MODE=”hotadd”

about 5 months ago - Comments Off

As the title says, I’ve been playing with vCB (inside a VM) and the TSM integration with newer (>6.0) clients for work. Result of all this work should be a feasibility study. We’re currently thinking about replacing our VMware server(s) with ESXi. But as most of you know, if you install ESXi, you simply can’t

VMware vSphere: Safely remove network controller

about 6 months ago - 1 comment

Well, it’s another day another fight. As we started migrating our VM’s from the old VMware ESX farms to the new environment, and upgraded the hardware suddenly the network devices were hot-plug-able, thus they did turn up in the “Safely Remove” dialog. I myself don’t have any trouble with that. The trouble I do have

VBscript: Query remote OS and SP info (continued)

about 6 months ago - Comments Off

After some more crunching on my VBscript, I think I finally have a working script that runs through a csv-list I point it to and walk onto each system (by ip-address only sadly) and query the os and the Service Pack that is installed. The CSV may look like this: Hostname;IP;Model;Description;OS;Service-Pack;BL;Priority epimetheus;10.0.0.2;VMware guest;File-Server hades;10.0.0.1;VMware guest;Core-Router

Converting TIVSM RPMs to deb

about 6 months ago - 1 comment

We received a preinstalled customer server the other day, for which we had declared “as-is” support only, since it is running Lucid Lynx. Now today, I started getting the TSM client to work. Was kinda weird, since at first dsmc was reporting something like this: # ./dsmc: no such file or directory After fiddling with

VBscript: Query remote OS and SP info

about 6 months ago - 1 comment

As I wrote on Thursday, I am battling with Windows Server 2003. Now I got a list out of our change management database, which sadly ain’t that accurate. So in order to get reliable information about the target systems (in order to do some accurate planning), I ended up writing a small vbscript which simply

Windows Server 2003 SP1, WSUS and Security Updates

about 6 months ago - 1 comment

Recently, we found some systems (sadly, customer systems) that weren’t getting any Security Updates anymore. Much more sadly, them is running Windows Server 2003, and as you know Security Updates are pretty important for Windows Systems. At the time of finding this, I had no clue as to why the were not getting any updates.

Comments are closed.

Categories
- Gentoo (38)
- Life (300)
Calendar
July 2008

S M T W T F S

« Jun Aug »

1 2 3 4 5

6 7 8 9 10 11 12

13 14 15 16 17 18 19

20 21 22 23 24 25 26

27 28 29 30 31
Meta

July 2008
S	M	T	W	T	F	S
« Jun				Aug »
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Nagios3 with Active Directory authorization on SLES10

No comments yet.

Categories

Calendar

Meta