1

I have successfully installed nagios, and it provides authentication through apache2 which contacts a kerberos authentication server to authenticate users.

Now, users are authenticated, but they don't have any authorization as authorization is configured on cgi.cfg and I don't want to configure all my users one by one manually, or give all rights to each authenticated user.

I would like to know if groups can be set on the cgi.cfg file (such as nagios_reader, with right to watch web interface, host and services status, and nagios_writer, with the ability to run external commands) instead of on the user, and if these groups can be extracted from LDAP.

HopelessN00b
philippe

1 Answer

3

> I would like to know if groups can be set on cgi.cfg file

I'm afraid that the answer is no. Nagios hasn't supported this feature yet. The value of the authorized_ options must be a comma-delimited list of names of authenticated users. But if, as you said, "these groups can be extracted from a LDAP", you can add every member of a group with a little shell script.

Nagios has the authorized_for_read_only option to configure a list of usernames that have read-only rights in the CGIs. Assuming that the nagios_reader.ldif contains:

```ldif
# nagios_reader, it, domain.com
dn: cn=nagios_reader,ou=it,dc=domain,dc=com
cn: nagios_reader
member: cn=foo,ou=it,dc=domain,dc=com
member: cn=bar,ou=it,dc=domain,dc=com
objectClass: groupOfNames
objectClass: top
```

You can configure all the members of this group as a value of authorized_for_read_only variable by using:

```sh
$ ldapsearch -x -W -D "cn=manager,dc=domain,dc=com" "cn=nagios_reader" | \
    awk -F"=|," '/member: / { print $2 }' | \
    while read u; do sed -i "/^authorized_for_read_only/s/$/,$u/" cgi.cfg; done
```
quanta
  • OK quanta, thanks for your answer. I have been looking around these last few days and found nothing simpler than the solution you propose. I maybe should have a closer look at Shinken, based on Nagios, which may propose another authentication method to access its web interface. – philippe Aug 28 '12 at 13:15
  • 1
    @philippe, I'd not heard of Shinken. Looks pretty nice. If you're looking into nagios front-ends, be sure to check out [Opsview](http://opsview.com) as well. I've been digging into that lately. It has a fairly granular permissions setup. There is a free version. – JoshP Aug 31 '12 at 20:34
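
The one-liner in the answer appends to the `authorized_for_read_only` line on every run, so a re-run duplicates names and a user removed from the LDAP group is never removed from cgi.cfg. The following is an added example, not code from the answer or from Nagios: it rebuilds the line from the group's current members instead. The function names and the sample LDIF are constructed here, and it assumes plain LDIF on stdin such as `ldapsearch` output.

```sh
# Added example: function names and sample data are constructed for illustration.
# ldif_members: read LDIF on stdin, print the first RDN value of every
# "member:" DN, one per line, sorted and de-duplicated.
ldif_members() {
    # Unfold LDIF continuation lines (a leading space continues the previous line).
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    sed -n 's/^member: *[A-Za-z]*=\([^,]*\),.*$/\1/p' |
    # Allow-list the characters accepted in a user name, so a malformed or
    # hostile directory entry cannot inject text into cgi.cfg.
    grep -E '^[A-Za-z0-9._-]+$' |
    sort -u
}

# sync_read_only FILE: read names on stdin and set authorized_for_read_only
# in FILE to exactly that list (replace, not append), so removed members drop out.
sync_read_only() {
    cfg=$1
    list=$(paste -sd, -)
    # An empty list usually means the LDAP query failed: leave FILE untouched.
    [ -n "$list" ] || { echo "no members read; $cfg unchanged" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v line="authorized_for_read_only=$list" '
        /^authorized_for_read_only=/ { if (!seen) print line; seen = 1; next }
        { print }
        END { if (!seen) print line }' "$cfg" > "$tmp" &&
    cat "$tmp" > "$cfg"    # overwrite in place: keeps owner and mode of FILE
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample group; the last member DN is folded across two lines.
sample_ldif() {
    cat <<'EOF'
dn: cn=nagios_reader,ou=it,dc=domain,dc=com
member: cn=foo,ou=it,dc=domain,dc=com
member: cn=bar,ou=it,dc=domain,dc=com
member: cn=ba
 z,ou=it,dc=domain,dc=com
objectClass: groupOfNames
EOF
}

demo_cfg=$(mktemp)
printf 'use_authentication=1\nauthorized_for_read_only=old_user\n' > "$demo_cfg"
sample_ldif | ldif_members | sync_read_only "$demo_cfg"
sample_ldif | ldif_members | sync_read_only "$demo_cfg"   # re-run: same result
grep '^authorized_for_read_only=' "$demo_cfg"   # authorized_for_read_only=bar,baz,foo
rm -f "$demo_cfg"
```

In use, pipe the answer's `ldapsearch` command into `ldif_members | sync_read_only cgi.cfg` in place of the `awk`/`sed` loop.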