2

Possible Duplicate:
nagios - Web interface: authentication through kerberos OK, what about authorization on cgi.cfg?

I want to grant users access to the nagios 3 core frontend by using an active directory group ("NagiosWebfrontend" in the code below). The login works fine like this:

AuthType Basic
AuthName "Nagios Access"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ip-address:389/OU=user-ou,DC=domain,DC=tld?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN CN=LDAP-USER,OU=some-ou,DC=domain,DC=tld
AuthLDAPBindPassword the_pass
Require ldap-group CN=NagiosWebfrontend,OU=some-ou,DC=domain,DC=tld

Unfortunately, every nagios page just shows "It appears as though you do not have permission to view information for any of the services you requested...". I got the hint that I am missing a contact in the nagios configuration which is equal to my login, but creating one with the same name as the domain user had no effect on this issue. However, it would be great to find a solution without manually editing nagios.conf for every new user, so the admins could grant access to nagios by just putting the user in the "NagiosWebfrontend" group. What would be the best way to solve it?

Eleven-Two

2 Answers

2

To solve this, I made puppet generate cgi.cfg and stick in the list of usernames based on an ldap query it does. Nagios itself doesn't support this.

Dennis Kaarsemaker
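The approach in the answer above (regenerating the user lists in cgi.cfg from the group's members) can be sketched as follows. This is an added example, not code from the answer or from Nagios; the function name, the choice of managed directives, and the sample data are assumptions, and the LDAP query itself is left out so that the member list is simply passed in.

```python
import re

# Directives to manage: an assumption for this example (view-only access).
MANAGED = ("authorized_for_all_hosts", "authorized_for_all_services")

# Accept only plain account names. Rejects "*", which cgi.cfg treats as
# "every authenticated user", and commas/newlines that would inject entries.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def render_cgi_cfg(cfg_text, members, always=("nagiosadmin",)):
    """Return cfg_text with each MANAGED directive set to always + members."""
    bad = [m for m in members if not SAFE_NAME.fullmatch(m)]
    if bad:
        raise ValueError("refusing unsafe account names: %r" % bad)
    users = list(always) + sorted(set(members) - set(always))
    value = ",".join(users)
    out, seen = [], set()
    for line in cfg_text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in MANAGED:
            if key in seen:
                continue  # drop duplicate definitions of a managed directive
            seen.add(key)
            line = "%s=%s" % (key, value)
        out.append(line)
    # Append managed directives that were missing (or only commented out).
    out += ["%s=%s" % (k, value) for k in MANAGED if k not in seen]
    return "\n".join(out) + "\n"


# Constructed sample input: a cgi.cfg fragment and a member list as an LDAP
# query for the group's sAMAccountName values might return it.
SAMPLE_CFG = """\
use_authentication=1
authorized_for_system_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
# authorized_for_all_hosts=nagiosadmin
"""
SAMPLE_MEMBERS = ["jdoe", "asmith", "jdoe"]

if __name__ == "__main__":
    print(render_cgi_cfg(SAMPLE_CFG, SAMPLE_MEMBERS), end="")
```

Directives outside `MANAGED`, such as `authorized_for_system_commands`, are left untouched, so group membership grants view access without also granting command rights.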
0

There might not be a way to grant (ldap-)group based permissions, but editing cgi.cfg and modifying the following (for example, there are different permissions) has worked fine for me:

authorized_for_system_commands=*

I have replaced the standard nagios login (nagiosadmin) with an asterisk, which is okay for my situation, as all nagios admins (there are only a few) have all permissions.

Eleven-Two