The usual IT babble
Posts tagged Active Directory
Active Directory authentication for Samba on SLES11
Oct 21st
I recently “redesigned” the PXE-installation server, which comes with a Samba service to easily move files on and off the box. The old one had the restriction that you needed to create local user accounts. Since I also did a distribution upgrade, I wanted to try the integration of SLES11 into Active Directory.
And as it turns out, it really is simple. Just follow the steps outlined in the handbook.
- Open the Windows Domain Membership module, yast samba-client (or yast, then Network Services -> Windows Domain Membership), and enter your domain information
- Open the Samba Server module, yast samba-server (or yast, then Network Services -> Samba Server), and also enter your domain information
Just make sure you also check the box labeled Also Use SMB Information for Linux Authentication, otherwise it won’t work — don’t ask me why …
Nagios3 with Active Directory authorization on SLES10
Jul 14th
Well, it seems to be becoming a “trend” for me to integrate stuff into our Active Directory. Now that I know why, and how easy it is, I expect to add more stuff. The good thing about the integration is that you only need to maintain a single source for authorization.
The bad thing about it is that stuff becomes dependent on the Active Directory (we do have four domain controllers, so that should be fine).
Now, here’s the SSL-only apache2 configuration file for my vhost:
<VirtualHost *:80>
    ## mod_core
    DocumentRoot "/usr/share/nagios"
    ServerName nagios.barfoo.org
    ServerAlias nagios3.barfoo.org
    ServerAdmin nagiosadmin@barfoo.org
    ## mod_rewrite
    RewriteEngine On
    RewriteRule ^/(.*) https://nagios.barfoo.org/$1 [L,R]
</VirtualHost>

<VirtualHost *:443>
    ## mod_core
    DocumentRoot "/usr/share/nagios"
    ServerName nagios.barfoo.org
    ServerAdmin nagiosadmin@barfoo.org
    ScriptAlias /nagios/cgi-bin /usr/lib/nagios/cgi
    Alias /nagios /usr/share/nagios
    Alias /pnp /usr/share/nagios/html/pnp4nagios
    <DirectoryMatch "/usr/(share/nagios|lib/nagios/cgi)">
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 10.0.0.
        Options None
        # Authorization
        AuthType Basic
        AuthName "Nagios Barfoo"
        # The authentication provider is mod_ldap
        AuthBasicProvider ldap
        # mod_ldap is our *only* authentication provider for this!
        AuthzLDAPAuthoritative on
        # Redirect the userfile requests to /dev/null
        AuthUserFile /dev/null
        # AD requires an authentication DN to access any records
        AuthLDAPBindDN "BARFOO\\ldap_nagios"
        AuthLDAPBindPassword "somethingrandom"
        # The URL to search in: several hosts, separated by spaces, then base DN,
        # login attribute, scope and filter
        AuthLDAPURL "ldap://dc0.barfoo.org dc1.barfoo.org dc2.barfoo.org dc3.barfoo.org/OU=Users,dc=barfoo,dc=org?sAMAccountName?sub?(objectClass=*)"
        # AD group "member" attributes hold full DNs, so the membership check has to
        # compare the user's DN, not the bare login name
        AuthLDAPGroupAttributeIsDN on
        Require ldap-group CN=gr_nagios,OU=Groups,DC=barfoo,DC=org
    </DirectoryMatch>
    ## mod_log
    ErrorLog /var/log/apache2/nagios.barfoo.org.error_log
    TransferLog /var/log/apache2/nagios.barfoo.org.access_log
    CustomLog /var/log/apache2/nagios.barfoo.org.ssl_request_log ssl_combined
    ## mod_ssl
    SSLEngine on
    # Note: this distribution default still permits LOW, EXP, SSLv2 and eNULL
    # ciphers; a hardened vhost would restrict the list
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/nagios.barfoo.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/nagios.barfoo.org.key
    <Files ~ "\.(cgi|shtml|phtml|php3|php?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
As you can see, AuthLDAPURL holds the four LDAP servers separated by spaces (that’s what the Apache2 documentation says about it), and that actually works.
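To make the two points of this configuration concrete (the space-separated host list inside AuthLDAPURL, and why AuthLDAPGroupAttributeIsDN has to be on for AD groups), here is an added Python model of the lookups mod_authnz_ldap performs. It is not code from the post; the directory entries, user names and the in-memory DIRECTORY stand-in are constructed for the example.

```python
# Added example, not code from the post: models the lookups mod_authnz_ldap
# performs for the vhost above. Directory entries and names are constructed.
AUTH_LDAP_URL = ("ldap://dc0.barfoo.org dc1.barfoo.org dc2.barfoo.org dc3.barfoo.org"
                 "/OU=Users,dc=barfoo,dc=org?sAMAccountName?sub?(objectClass=*)")
GROUP_DN = "CN=gr_nagios,OU=Groups,DC=barfoo,DC=org"
DIRECTORY = {  # constructed stand-in for AD: DN -> attributes
    "CN=Alice,OU=Users,DC=barfoo,DC=org": {"sAMAccountName": "alice"},
    "CN=Bob,OU=Users,DC=barfoo,DC=org": {"sAMAccountName": "bob"},
    GROUP_DN: {"member": ["CN=Alice,OU=Users,DC=barfoo,DC=org"]},
}

def parse_auth_ldap_url(url):
    """scheme://host1 host2 .../basedn?attribute?scope?filter; hosts are space
    separated, which is why the URL must be quoted in httpd.conf."""
    scheme, rest = url.split("://", 1)
    hosts, _, rest = rest.partition("/")
    base, attr, scope, flt = (rest.split("?", 3) + [""] * 3)[:4]
    return {"scheme": scheme, "hosts": hosts.split(), "base": base,
            "attribute": attr or "uid", "scope": scope or "sub",
            "filter": flt or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping so a typed user name cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(cfg, username):
    """mod_authnz_ldap ANDs the URL filter with (attribute=username)."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))

def find_user_dn(cfg, username):
    """Subtree search below the base DN; sAMAccountName is case-insensitive."""
    for dn, attrs in DIRECTORY.items():
        if (dn.lower().endswith(cfg["base"].lower())
                and attrs.get(cfg["attribute"], "").lower() == username.lower()):
            return dn
    return None

def in_ldap_group(cfg, username, attribute_is_dn=True):
    """Require ldap-group: AD stores full DNs in 'member', so the match only
    works when AuthLDAPGroupAttributeIsDN is on (off compares the bare name)."""
    dn = find_user_dn(cfg, username)
    if dn is None:
        return False
    needle = dn if attribute_is_dn else username
    return needle in DIRECTORY.get(GROUP_DN, {}).get("member", [])

CFG = parse_auth_ldap_url(AUTH_LDAP_URL)
```

Running `in_ldap_group(CFG, "alice", attribute_is_dn=False)` shows the failure mode: the user exists and is in gr_nagios, yet access is denied because "alice" is compared against a list of DNs.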
The only additional thing I had to change on the Nagios side is in /etc/nagios/cgi.cfg, to allow everyone to issue system commands. Also, if you ever stumble upon extraneous chars in the check_nrpe output, update to a newer NRPE version; that fixed it for me (that is on the receiver side, as in the box running the NRPE agent).