Nagios LDAP Authentication

This post is in the category: Guides

Posts here are mostly step-by-step guides on how to replicate something I have set up in the past. Read over my About page to see how I show commands/output and read the disclaimer.

If there is an application I publish in an LDAP or Active Directory environment, I will implement LDAP authentication if that option is available – no sense is making users apply another user name / password sticky note to their monitor, right?

This guide assumes that you installed Nagios from source on a Debian machine. This should work with other setups, but note the possible differences in config file locations, etc.

Apache2 Configuration

Take a look at the Apache2 config file for the Nagios web interface.

[root]$ vim /etc/apache2/conf.d/nagios.conf

The first directory entry should look something like this.

<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   Order deny,allow
   Deny from all
   Allow from
     AuthName "Nagios Access"
     AuthType Basic
     AuthUserFile /usr/local/nagios/etc/htpasswd.users
     Require valid-user

Take a look at the last four lines, identified with the extra indent. Those lines prompt the HTTP authentication window. Comment those out and add these lines below:

Options FollowSymLinks
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Active Directory Login"
AuthLDAPURL "ldap://dc.example.loc:3268/dc=example,dc=loc?sAMAccountName?sub" NONE
AuthLDAPBindDN "exuser@example.loc"
AuthLDAPBindPassword expassword
require valid-user

Replace dc with the name of your domain controller, example.loc with your domain name, exuser with a user with directory access, and expassword with that user’s password.

These entries will need to be applied to both directories – /usr/local/nagios/sbin and /usr/local/nagios/share.

Once these changes are made, save the file and restart Apache.

[root]$ service apache2 restart

At this point, any active directory user can login. But, they have no permissions yet.

Nagios Permissions – Global

Take a look at the Nagios CGI config file.

[root]$ vim /usr/local/nagios/etc/cgi.cfg

I’m not going to document every authorization option here because the config file is well commented. The relevant entries start around line 100. If you want to keep it simple, add your network ID to any line that grants permissions to nagiosadmin (assuming you are on the default config). Separate multiple user names with commas.

Nagios Permissions – Some Hosts Only

If you are reading this, you are likely the administrator of this Nagios environment, and you will add your network ID to the global access entries described in the previous section. But what if you want users to only have access to specific hosts? If you want the application admins to stay away from your domain controller host entries, you can add permissions for specific hosts.

It’s as easy as creating them as a new contact.

Open up the contacts.cfg file. This file is usually located in /usr/local/nagios/etc/.

Any network account that will view the web interface will require an entry here. Even though they are listed as a “contact”, that does not mean they are required to receive notifications. Those can be adjusted or disabled entirely. Here would be an example – change accordingly.

define contact {
        contact_name                       andrew
        email                              andrew@example.loc
        alias                              Andrew Wells
        service_notification_period        24x7
        host_notification_period           24x7
        service_notification_options       w,u,c,r
        host_notification_options          d,r
        service_notification_commands      notify-service-by-email
        host_notification_commands         notify-host-by-email
        can_submit_commands                1

Now we map this contact to a host definition. This can be done one of two ways. Method #1 is to add the contact to the host definition.

define host {
        use                host-generic
        host_name          Some Server
        alias              Some Application Server Description
        contacts           nagiosadmin,andrew

This can get tedious if there are several contacts, especially if they can be grouped together. If that’s the case, we could use a contactgroup, that would look something like this.

define contactgroup {
        contactgroup_name   admins
        alias               Nagios Administrators
        members             andrew,john,chris

Then add the contact group to the host definition.

define host {
        use                 host-generic
        host_name           Some Server
        alias               Some Application Server Description
        contact_groups  admins

Once the desired config files are updated, run a check, and restart the services.

[root]$ /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
[root]$ service nagios restart

If you are still logged into Nagios using HTTP authentication, restart the browser to clear it out and then login with your network credentials.

This entry was posted in Guides and tagged on by .

About Andrew Wells

I have been developing on the LAMP stack since about 2006. I run Ubuntu XFCE on my desktop and have a history of managing Ubuntu and CentOS servers. I code web applications mostly in PHP but have experience with other languages as well. When I'm not working, I can be found working in my home lab or out snowboarding, hiking, camping, or biking depending on the season.

4 thoughts on “Nagios LDAP Authentication

  1. Amir

    Hi Andrew,

    Thanks for this great guide. Do you know how to configure nagios or appache to login in lower and upper case?

    Thanks& Best Regards,

  2. harish

    hello sir,

    i am configured nagios core but i want information about how to create contact groups in nagios core,
    i am already configured it but i wont get any alerts in my id please help me

    1. Dave

      I’ve created a Nagios group in LDAP and bound it like this:
      AuthLDAPURL ldap://dc.example.loc:389/OU=Utilisateurs,DC=example,DC=loc?sAMAccountName?sub?(memberOf=CN=Nagios,OU=Utilisateurs,DC=example,DC=loc)

      Adapt to your own environment
      Note I have created a separated OU for my users called ‘Utilisateurs’ in which I added user group Nagios


Leave a Reply

Your email address will not be published. Required fields are marked *