Posts here are mostly step-by-step guides on how to replicate something I have set up in the past. Read over my About page to see how I show commands/output and read the disclaimer.
If there is an application I publish in an LDAP or Active Directory environment, I will implement LDAP authentication if that option is available – no sense in making users apply another user name / password sticky note to their monitor, right?
This guide assumes that you installed Nagios from source on a Debian machine. This should work with other setups, but note the possible differences in config file locations, etc.
Apache2 Configuration
Take a look at the Apache2 config file for the Nagios web interface.
[root]$ vim /etc/apache2/conf.d/nagios.conf
The first directory entry should look something like this.
<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /usr/local/nagios/etc/htpasswd.users
      Require valid-user
</Directory>
Take a look at the last four lines, identified with the extra indent. Those lines prompt the HTTP authentication window. Comment those out and add these lines below:
   Options FollowSymLinks
   AuthBasicProvider ldap
   AuthType Basic
   AuthzLDAPAuthoritative off
   AuthName "Active Directory Login"
   AuthLDAPURL "ldap://dc.example.loc:3268/dc=example,dc=loc?sAMAccountName?sub" NONE
   AuthLDAPBindDN "exuser@example.loc"
   AuthLDAPBindPassword expassword
   require valid-user
Replace dc with the name of your domain controller, example.loc with your domain name, exuser with a user with directory access, and expassword with that user’s password.
These entries will need to be applied to both directories – /usr/local/nagios/sbin and /usr/local/nagios/share.
Once these changes are made, save the file and restart Apache.
[root]$ service apache2 restart
At this point, any Active Directory user can log in, but they have no permissions yet.
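A small check for the directives above, added here as an example (it is not part of the original guide or of Apache or Nagios): it flags an unencrypted LDAP connection, the absence of any filter or group restriction, and a bind password stored in the config. The function name and finding codes are made up for this example, and the tightened sample is constructed: it assumes LDAPS on the global catalog's TLS port 3269 and reuses the memberOf filter from the reader comment at the end of this page.

```python
import re
import shlex

# Constructed inputs: the guide's directives, and a tightened variant that
# uses LDAPS (global catalog TLS port 3269) plus a group filter in the URL.
GUIDE = '''
AuthLDAPURL "ldap://dc.example.loc:3268/dc=example,dc=loc?sAMAccountName?sub" NONE
AuthLDAPBindDN "exuser@example.loc"
AuthLDAPBindPassword expassword
require valid-user
'''
TIGHTER = '''
AuthLDAPURL "ldaps://dc.example.loc:3269/dc=example,dc=loc?sAMAccountName?sub?(memberOf=CN=Nagios,OU=Utilisateurs,DC=example,DC=loc)" SSL
AuthLDAPBindDN "exuser@example.loc"
AuthLDAPBindPassword expassword
require valid-user
'''

def lint_ldap_auth(conf):
    """Return finding codes for the mod_authnz_ldap directives in conf."""
    directives = {}
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith('#'):
            parts = shlex.split(line)
            directives.setdefault(parts[0].lower(), []).append(parts[1:])
    args = directives.get('authldapurl', [[]])[0]
    m = re.match(r'(ldaps?)://[^/]*/(.*)$', args[0], re.I) if args else None
    if not m:
        return ['no-usable-authldapurl']
    mode = args[1].upper() if len(args) > 1 else ''
    # LDAP URL layout: base?attribute?scope?filter
    filt = (m.group(2).split('?') + [''] * 3)[3]
    findings = []
    # ldap:// with NONE: user and bind passwords reach the DC unencrypted.
    if m.group(1).lower() != 'ldaps' and mode not in ('SSL', 'TLS', 'STARTTLS'):
        findings.append('cleartext-ldap')
    # No filter and only "valid-user": every account under the base can log in.
    requires = [a[0].lower() for a in directives.get('require', []) if a]
    if not filt and not any(r.startswith('ldap-') for r in requires):
        findings.append('any-directory-user')
    # The bind password is readable by anyone who can read this config file.
    if 'authldapbindpassword' in directives:
        findings.append('bind-password-in-file')
    return findings

if __name__ == '__main__':
    print('guide:  ', lint_ldap_auth(GUIDE))
    print('tighter:', lint_ldap_auth(TIGHTER))
```

For the ldaps:// form to connect, mod_ldap has to trust the CA that issued the domain controller's certificate (LDAPTrustedGlobalCert in the server config).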
Nagios Permissions – Global
Take a look at the Nagios CGI config file.
[root]$ vim /usr/local/nagios/etc/cgi.cfg
I’m not going to document every authorization option here because the config file is well commented. The relevant entries start around line 100. If you want to keep it simple, add your network ID to any line that grants permissions to nagiosadmin (assuming you are on the default config). Separate multiple user names with commas.
Nagios Permissions – Some Hosts Only
If you are reading this, you are likely the administrator of this Nagios environment, and you will add your network ID to the global access entries described in the previous section. But what if you want users to only have access to specific hosts? If you want the application admins to stay away from your domain controller host entries, you can add permissions for specific hosts.
It’s as easy as creating them as a new contact.
Open up the contacts.cfg file. This file is usually located in /usr/local/nagios/etc/.
Any network account that will view the web interface will require an entry here. Even though they are listed as a “contact”, that does not mean they are required to receive notifications. Those can be adjusted or disabled entirely. Here is an example; change it accordingly.
define contact {
    contact_name                    andrew
    email                           andrew@example.loc
    alias                           Andrew Wells
    service_notification_period     24x7
    host_notification_period        24x7
    service_notification_options    w,u,c,r
    host_notification_options       d,r
    service_notification_commands   notify-service-by-email
    host_notification_commands      notify-host-by-email
    can_submit_commands             1
}
Now we map this contact to a host definition. This can be done one of two ways. Method #1 is to add the contact to the host definition.
define host {
    use         host-generic
    host_name   Some Server
    alias       Some Application Server Description
    address     192.168.52.5
    contacts    nagiosadmin,andrew
}
This can get tedious if there are several contacts, especially if they can be grouped together. If that’s the case, we could use a contactgroup, which would look something like this.
define contactgroup {
    contactgroup_name   admins
    alias               Nagios Administrators
    members             andrew,john,chris
}
Then add the contact group to the host definition.
define host {
    use              host-generic
    host_name        Some Server
    alias            Some Application Server Description
    address          192.168.52.5
    contact_groups   admins
}
Once the desired config files are updated, run a check, and restart the services.
[root]$ /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
[root]$ service nagios restart
If you are still logged into Nagios using HTTP authentication, restart the browser to clear it out and then log in with your network credentials.
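To review who ends up seeing which hosts after the contact and contactgroup mapping described above, the following added example (not part of the original guide or of Nagios) resolves host definitions to contact names. The function names and the "Domain Controller" host are constructed for illustration. It reads only `contacts`, `contact_groups` and contactgroup `members`, so template inheritance through `use` and the global grants in cgi.cfg are not covered.

```python
import re
from collections import defaultdict

# Constructed sample based on the guide's definitions, plus a second host
# ("Domain Controller") that lists only nagiosadmin as a contact.
SAMPLE = """
define contactgroup {
    contactgroup_name  admins
    members            andrew,john,chris
}
define host {
    host_name          Some Server
    contacts           nagiosadmin
    contact_groups     admins
}
define host {
    host_name          Domain Controller
    contacts           nagiosadmin
}
"""

def parse_objects(text):
    """Return [(type, {directive: value})] for each 'define type { ... }'."""
    objects = []
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # ';' starts a comment
            if parts and not parts[0].startswith("#"):
                attrs[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        objects.append((kind, attrs))
    return objects

def hosts_visible_to(text):
    """Map each contact name to the set of hosts it is a contact for."""
    objects = parse_objects(text)
    names = lambda value: [n.strip() for n in value.split(",") if n.strip()]
    groups = {a["contactgroup_name"]: names(a.get("members", ""))
              for kind, a in objects if kind == "contactgroup"}
    visible = defaultdict(set)
    for kind, a in objects:
        if kind == "host":
            who = names(a.get("contacts", ""))      # direct contacts
            for g in names(a.get("contact_groups", "")):
                who += groups.get(g, [])            # expand group members
            for n in who:
                visible[n].add(a["host_name"])
    return dict(visible)
```

Running `hosts_visible_to()` over the combined object files before the restart shows at a glance whether an application admin has picked up a host they were meant to stay away from.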
Hi Andrew,
Thanks for this great guide. Do you know how to configure Nagios or Apache to log in in lower and upper case?
Thanks & Best Regards,
Amir
Is it possible to use Active Directory group for contact definition?
Thanks.
Hello sir,
I have configured Nagios Core, but I want information about how to create contact groups in Nagios Core.
I have already configured it, but I don't get any alerts to my ID. Please help me.
Hi
I’ve created a Nagios group in LDAP and bound it like this:
AuthLDAPURL ldap://dc.example.loc:389/OU=Utilisateurs,DC=example,DC=loc?sAMAccountName?sub?(memberOf=CN=Nagios,OU=Utilisateurs,DC=example,DC=loc)
Adapt to your own environment
Note: I have created a separate OU for my users called ‘Utilisateurs’, in which I added the user group Nagios.