Authenticating Nagios Log Server users against Active Directory (AD) or LDAP, and importing those users, simplifies user management in large infrastructures and standardizes credentials.
Here, at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Nagios related tasks.
In this context, we shall look into how to integrate Nagios Log Server with Active Directory (AD) or Lightweight Directory Access Protocol (LDAP).
Nagios Log Server is a clustered application consisting of one or more instances, and it does not matter which instance a user connects to when logging into the web interface.
With this in mind, every instance of Nagios Log Server must be able to reach the AD or LDAP servers, because each instance validates user credentials against the directory itself.
Before we go ahead, the following are required:
i. A working Nagios Log Server installation.
ii. One of the following, accessible from every Nagios Log Server machine: a separate Microsoft Windows-based AD infrastructure, or
iii. a separate LDAP infrastructure (such as OpenLDAP).
Generally, each Nagios Log Server instance should use DNS servers that are:
i. Domain Controllers (DC) in the AD domain, or,
ii. capable of resolving the DNS names used to contact the LDAP server(s).
If name resolution is the problem, we can edit the resolv.conf file so that a DNS server within the AD infrastructure is the primary name server.
a. Edit the resolv.conf file in a text editor:
vi /etc/resolv.conf
b. Before all other lines starting with nameserver, enter the following:
nameserver [IP address of DNS server]
PHP caches resolver settings, so a change to resolv.conf may not take effect until the Apache service is restarted.
If we do edit the file, we therefore need to restart the Apache web server:
RHEL 6|CentOS 6|Oracle Linux 6
# service httpd restart
RHEL 7|CentOS 7|Oracle Linux 7
# systemctl restart httpd.service
Ubuntu 14
# service apache2 restart
Debian|Ubuntu 16/18
# systemctl restart apache2.service
Be aware that the /etc/resolv.conf file can be overwritten automatically by the networking stack (NetworkManager or the DHCP client) on RHEL/CentOS, so a change made only in that file may not survive a reboot; persist it in the interface or NetworkManager configuration instead.
Moving ahead let us focus on the steps followed by our Support Engineers.
Configuring The Authentication Servers
First, we must configure the Authentication Server(s) that Nagios Log Server will use. Navigate to Admin > Management > LDAP/AD Integration.
To add an Authentication Server, click the Add Server button. There are different options for Active Directory and LDAP.
i. Active Directory
We need to provide the following details:
Server Type: Active Directory
Enabled: Checked
Server Name: Provide a name to associate with this authentication method.
Base DN: An LDAP formatted string where the users are located.
Example: DC=BOX293,DC=local
Account Suffix: The @your-domain.suffix that is appended to the username to form the full login name (the part after the username).
Example @BOX293.local
Domain Controllers: A comma-separated list of DC servers that Nagios Log Server can use to authenticate against. This can be a combination of IP addresses, short names, and fully qualified domain names.
Example: dc01.box293.local,dc02.box293.local
Encryption Method: Select the transport security to use. This walkthrough chooses None, but be aware that None sends every bind, including each user's password at every login, to the DCs in cleartext; in production select the TLS or SSL option the dialog offers instead, and make sure the DCs present a certificate the Nagios Log Server host trusts.
Once complete, we click the Create Server button.
ii. LDAP
We need to provide the following details:
Server Type: LDAP
Enabled: Checked
Server Name: Provide a name to associate with this authentication method.
Base DN: An LDAP formatted string where the users are located.
Example: dc=box293,dc=local
LDAP Host: The LDAP server that Nagios Log Server can use to authenticate against. This can be an IP address, short name, or fully qualified domain name.
Example: ldap01.box293.local
LDAP Port: The TCP port used to communicate with the LDAP server: 389 for plain LDAP or STARTTLS, 636 for LDAPS.
Example: 389
Encryption Method: Select the transport security to use. This walkthrough chooses None, which sends the bind DN and password in cleartext on port 389; in production select the TLS or SSL option instead and confirm that the server certificate is trusted by the Nagios Log Server host.
Once complete, we click the Create Server button.
Importing Users
The next step is to import users from Active Directory or LDAP. Once done, Nagios Log Server will query the DCs or LDAP server each time the user logs in to validate credentials.
The following steps are the same for Active Directory or LDAP:
1. Navigate to Admin > Management > User Management and click the Add Users from LDAP/AD button.
2. Then select the authentication server(s) we defined and provide the credentials of an account that can read the directory.
3. The credentials entered here are used only to bind to AD/LDAP and read the directory contents for this import; a low-privilege, read-only account is sufficient, so there is no need to use a domain administrator.
4. Then we click Next.
5. Once we authenticate successfully, the directory tree is displayed.
6. We expand the tree (for example the Users node) and tick the users to import.
7. When we have chosen all the users to import, click the Add Selected Users button.
8. On the next screen, we have a list of the users we are going to import and a summary of how they are going to import.
9. Then we define the required fields for every user.
10. Click the Create Users button to continue. The user accounts will now import into Nagios Log Server.
11. Once done, we will return to the User Management screen.
This completes importing users into Nagios Log Server from AD/LDAP.
If we already have Nagios Log Server users, we can easily link these local accounts to Active Directory accounts.
i. Navigate to Admin > Management > User Management.
ii. Then click the Edit link for the user we want to update, the settings are on the External Authentication tab:
Auth Type: Active Directory
AD Server: Select the authentication server(s) you previously defined
AD Username: Type the username for this user as it is configured in Active Directory
Example: jane.doe
iii. Now, click on the Save User button to save the changes.
Once done, the existing Nagios Log Server user will be able to login using their Active Directory credentials.
If we already have Nagios Log Server users, we can easily link these local accounts to LDAP accounts.
i. Navigate to Admin > Management > User Management.
ii. Click the Edit link for the user we want to update, the settings are on the External Authentication tab:
Auth Type: LDAP
LDAP Server: Select the authentication server you previously defined
Users Full DN: Type the full distinguished name (DN) for this user as it is defined in LDAP
Example: uid=ibmimediasmith,ou=People,dc=box293,dc=local
iii. Finally, click the Save User button to save the changes.
Once done, the existing Nagios Log Server user will be able to login using their LDAP credentials.
LDAP Account Requirements:
The following LDIF shows the object classes and attributes that an LDAP user entry needs. Entries that lack them will most likely not appear in the list of users offered by the import dialog, so check the directory entries first when a user is missing from that list.
dn: uid=ibmimediasmith,ou=People,dc=box293,dc=local
givenName: ibmimedia
sn: Smith
cn: ibmimedia Smith
uidNumber: 10004
gidNumber: 10004
mail: ibmimediasmith@box293.local
homeDirectory: /home/ibmimediasmith
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
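Before opening the import dialog it helps to know which entries will actually be offered. The following is an added example, not code from the article or from Nagios: it parses an LDIF export (such as the output of ldapsearch) and reports the entries that lack the object classes or attributes listed above. The required set is taken from the listing above; the LDIF text, including the jdoe and admins entries, is constructed for the example.

```python
"""Pre-import check for LDAP user entries (added example, not Nagios code).

Parses an LDIF export and reports which entries carry the object classes and
attributes the article lists for a Nagios Log Server import, so that a user
missing from the import dialog can be explained before the import is run.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample LDIF (not a real directory): one entry that meets the
# requirements, one user missing inetOrgPerson/mail/sn (with a base64 value),
# and one group entry that is not a user at all.
SAMPLE_LDIF = """\
dn: uid=ibmimediasmith,ou=People,dc=box293,dc=local
givenName: ibmimedia
sn: Smith
cn: ibmimedia Smith
uidNumber: 10004
gidNumber: 10004
mail: ibmimediasmith@box293.local
homeDirectory: /home/ibmimediasmith
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson

dn: uid=jdoe,ou=People,dc=box293,dc=local
givenName:: SmFuZQ==
cn: Jane Doe
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/jdoe
objectClass: top
objectClass: posixAccount

dn: cn=admins,ou=Group,dc=box293,dc=local
cn: admins
objectClass: top
objectClass: posixGroup
"""

# Taken from the entry shown in the article
REQUIRED_CLASSES = {"posixAccount", "inetOrgPerson"}
REQUIRED_ATTRS = {"givenName", "sn", "cn", "uidNumber", "gidNumber", "mail", "homeDirectory"}

Entry = Dict[str, List[str]]


def _attrs_from_lines(lines: List[str]) -> Entry:
    """Turn the logical lines of one LDIF record into a multi-valued attribute map."""
    attrs: Entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: records are separated by blank lines, a leading
    space continues the previous line, '#' lines are comments."""
    entries: List[Entry] = []
    lines: List[str] = []
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last record
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
            continue
        if raw.strip() == "":
            if lines:
                entries.append(_attrs_from_lines(lines))
                lines = []
            continue
        if raw.startswith("#"):
            continue
        lines.append(raw)
    return entries


def check_entry(entry: Entry) -> Tuple[str, List[str]]:
    """Return (dn, problems); an empty problem list means the entry should import."""
    dn = entry.get("dn", ["<no dn>"])[0]
    problems = [f"missing objectClass {c}" for c in sorted(REQUIRED_CLASSES - set(entry.get("objectClass", [])))]
    problems += [f"missing attribute {a}" for a in sorted(REQUIRED_ATTRS) if not entry.get(a)]
    return dn, problems


def importable_users(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an LDIF export into importable DNs and a map of DN -> problems."""
    ok, skipped = [], {}
    for entry in parse_ldif(text):
        dn, problems = check_entry(entry)
        if problems:
            skipped[dn] = problems
        else:
            ok.append(dn)
    return ok, skipped


if __name__ == "__main__":
    good, bad = importable_users(SAMPLE_LDIF)
    print("will import:", *good, sep="\n  ")
    for dn, why in bad.items():
        print(f"skipped {dn}: {', '.join(why)}")
```

Run it against a real export with `ldapsearch -x -H ldap://ldap01.box293.local -b dc=box293,dc=local '(objectClass=posixAccount)'` redirected to a file (the host and base DN are the article's examples) and every user the dialog silently omits shows up with the attribute it is missing.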
This article will guide you on how to integrate #Nagios Log Server with Active Directory or #LDAP to allow user authentication and validation with the Nagios Log Server interface.
By default, LDAP traffic without SSL/TLS is neither signed nor encrypted, which leaves it open to eavesdropping and man-in-the-middle attacks. Once the Windows update that enforces LDAP signing and channel binding is applied to the domain controllers, unencrypted simple binds are rejected, so LDAPS must be enabled for Active Directory and the Nagios Log Server authentication server must be reconfigured to use it.
To set up Active Directory authentication using LDAP:
1. Enter the LDAP "Server" and "Port" attributes on the Server Overview tab of the LDAP Users page.
2. Enter the proper base DN of the Active Directory domain in the "Base DN" attribute.
3. Set the Search Scope.
4. Enter the Username Attribute.
5. Enter the Search Filter.
6. Verify that the settings are correct by clicking the Verify button.
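The Search Filter in step 5 has the login name typed into the web form substituted into it at every authentication, so that name must be escaped as an LDAP filter value before substitution. The following is an added example, not code from the article or from any product: it builds the filter with RFC 4515 escaping and contrasts it with a naive string substitution. The attribute names, the objectClass value and the attacker input are assumptions constructed for the example.

```python
"""Safe construction of the login search filter (added example, not Nagios code).

RFC 4515 reserves backslash, '*', '(', ')' and NUL inside assertion values;
substituting a raw login name lets the caller rewrite the filter.
"""
from typing import List

# RFC 4515 section 3 escapes
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username_attr: str, login: str, user_class: str = "user") -> str:
    """(&(objectClass=<class>)(<attr>=<escaped login>)): exactly one assertion on the login."""
    return f"(&(objectClass={user_class})({username_attr}={escape_filter_value(login)}))"


def unsafe_login_filter(username_attr: str, login: str, user_class: str = "user") -> str:
    """Naive substitution, kept only to show what goes wrong."""
    return f"(&(objectClass={user_class})({username_attr}={login}))"


def assertions(ldap_filter: str) -> List[str]:
    """List the attr=value clauses the directory will evaluate. Escaped parentheses
    are plain text ('\\28', '\\29'), so only raw '(' and ')' delimit clauses."""
    out, buf = [], ""
    for ch in ldap_filter:
        if ch == "(":
            buf = ""
        elif ch == ")":
            if "=" in buf:
                out.append(buf)
            buf = ""
        else:
            buf += ch
    return out


# Constructed attacker input: closes the username clause and adds a wildcard clause
ATTACK = "*)(sAMAccountName=*"

if __name__ == "__main__":
    # The attribute name below is an assumption for an AD directory
    print("unsafe:", unsafe_login_filter("sAMAccountName", ATTACK))
    print("  evaluates", assertions(unsafe_login_filter("sAMAccountName", ATTACK)))
    print("safe:  ", login_filter("sAMAccountName", ATTACK))
    print("  evaluates", assertions(login_filter("sAMAccountName", ATTACK)))
```

With the attacker input the naive filter turns into three clauses, two of them `sAMAccountName=*`, which matches every user in the base DN; the escaped version keeps a single login clause that matches nothing. Whatever product owns the "Search Filter" field, confirm in its documentation that it escapes the login name this way before relying on it.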