NCONF user authentication using AD

Posted: Wed Apr 30, 2014 17:21
by cheng hsu
Hello, everyone,

We started using Nconf 3.5 and Nagios 1.3 recently.
Everything works fine with the default local accounts: we can log in to the Nagios web console as “nagiosadmin” and to Nconf as “admin”.

We, then, started migrating to AD for user authentication.
We configured Nagios for AD and it works fine: users defined in AD can all log in to Nagios.
This is the <Directory> section in /etc/httpd/conf.d/nagios.conf:
(Note that line #18 AuthLDAPURL is doing subtree search for all user accounts)

11 <Directory /opt/nagios/sbin>
12 Options ExecCGI
13 AllowOverride None
14 Order allow,deny
15 Allow from all
16 AuthBasicProvider ldap
17 AuthzLDAPAuthoritative off
18 AuthLDAPURL "ldaps://,DC=nsrootdev,DC=net?sAMAccountName?sub"
19 AuthLDAPBindDN "CN=svc_nagios,CN=Users,DC=namdev,DC=nsrootdev,DC=net"
20 AuthLDAPBindPassword "secretpswd"
21 AuthName "Nagios Access"
22 AuthType Basic
23 Require valid-user
24 </Directory>
Since this works fine for Nagios, we then tried to do the same configuration for Nconf.
Here is the section for "ad_ldap" in authentication.php file:

55 ###
56 ### Auth by "ad_ldap"
57 ###
59 ### Active Directory
60 define('AD_LDAP_SERVER', "ldaps://");
61 define('AD_LDAP_PORT', "636");
62 define('AD_BASE_DN', "CN=<username>,CN=users,DC=namdev,DC=nsrootdev,DC=net");
63 define('AD_USER_REPLACEMENT', "<username>");
64 define('AD_GROUP_ATTRIBUTE', "memberof");
65 define('AD_USERNAME_ATTRIBUTE', "displayname");
67 # if AD_GROUP_DN is the same for admin and user group:
68 define('AD_GROUP_DN', "CN=users,DC=namdev,DC=nsrootdev,DC=net");
69 define('AD_ADMIN_GROUP', "CN=nagiosadmingrp");
70 define('AD_USER_GROUP', "CN=sysadmingrp");

This configuration only allows user accounts defined at the AD_BASE_DN level to log in to Nconf.
(We think it searches in AD with search scope being "base".)
We did a little research on AD and Nconf and we found something at this URL: ... on:ad_ldap

It said something about AD_LDAP_PORT.
---> "The LDAP port to connect to. This constant is ignored when using URL notation in the AD_LDAP_SERVER constant."
This sentence implies that the AD_LDAP_SERVER constant can use URL notation, is that right?
With this in mind, we went on to modify line #60 to:
60 define('AD_LDAP_SERVER', "ldaps://,DC=nsrootdev,DC=net?sAMAccountName?sub");

Note this line #60 is the same line as line #18 in nagios.conf.
After we restarted everything, Nconf does not allow anyone to log in.

So, how do we configure authentication.php so that Nconf would search all user accounts under AD_BASE_DN with search scope being "sub"?

There are AuthLDAPBindDN and AuthLDAPBindPassword defined in nagios.conf.
How come these are not defined in authentication.php? How does NCONF bind to an AD server?

Cheng Hsu
A new Nagios/Nconf administrator
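
Added example (not part of the original post and not NConf's or Apache's code): it splits a mod_authnz_ldap AuthLDAPURL into base DN, attribute and scope to show what `?sAMAccountName?sub` asks the bind account to search for, and contrasts that with substituting the login name into a fixed DN template such as AD_BASE_DN. The host name is a constructed placeholder, the function names are hypothetical, and treating the substituted template as the DN that gets bound is an assumption.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: the post elides the host, so a placeholder is used here.
SAMPLE_URL = "ldaps://dc.example.invalid/DC=namdev,DC=nsrootdev,DC=net?sAMAccountName?sub"
# AD_BASE_DN value quoted in the post.
DN_TEMPLATE = "CN=<username>,CN=users,DC=namdev,DC=nsrootdev,DC=net"

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter (AuthLDAPURL)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    attr, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attr or "uid",          # mod_authnz_ldap defaults
        "scope": scope or "sub",
        "filter": flt or "(objectClass=*)",
    }

def escape_filter_value(value):
    """RFC 4515 escaping for user input placed inside a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """RFC 4514 escaping for user input placed inside an RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in '"+,;<>\\=' or (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append(r"\00" if ch == "\0" else "\\" + ch if special else ch)
    return "".join(out)

def search_request(url, username):
    """Search-then-bind: the subtree search run with the service account."""
    cfg = parse_auth_ldap_url(url)
    flt = "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))
    return cfg["base_dn"], cfg["scope"], flt

def template_bind_dn(template, username, marker="<username>"):
    """Template scheme: the login name can only resolve to one fixed DN."""
    return template.replace(marker, escape_dn_value(username))

if __name__ == "__main__":
    print(search_request(SAMPLE_URL, "jdoe"))
    print(template_bind_dn(DN_TEMPLATE, "jdoe"))
```

The first form can find an account anywhere under the base DN because a separate bind account performs the search; the second names exactly one entry, so no scope setting applies to it.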