4

I have Nagios installed with traditional configuration files. I have created some contact groups and assigned them to hosts.

For the web UI I'm using check_mk. And here's the question:

Check_mk supports showing hosts/services based on contact group membership. But I can't use the Nagios contact groups in check_mk. (The result should be that if person XYZ is logged in, he sees only the hosts and services assigned to him.)

My users are in LDAP (I'm using check_mk login form, not apache authorisation).

I can't find any information about this in the documentation, so if someone has experience, please tell me how this works.

The problem is that I cannot let everybody be admin and receive all alerts...

I added the following after the two answers-suggestions came in:

I did these steps (please correct me if it doesn't make any sense :) ). I have one extra admin user, which is not in LDAP, to manage check_mk.

  1. I created users in nagios under DN ou=People,dc=company,dc=com (with uid attribute as ID, objectclass is posixAccount)
  2. I created 5 groups under DN ou=group,dc=company,dc=com (with cn as group ID, user members are under memberUid field, objectclass is posixGroup)

Groups:

  • cn=nagios (for all nagios users, contains users U1, U2, U3, U4)
  • cn=nagios_admins (for admin role, contains users U1, U2)
  • cn=nagios_users (for user role, contains user U3)
  • cn=nagios_guests (for guest role, contains user U4)
  • cn=testgroup (my contactgroup, contains user U1)
  3. In nagios text configs I added a contactgroup named "testgroup":

    define contactgroup{
         contactgroup_name   testgroup
         alias               LDAP test contactgroup
         members             user1
    }
    
    define contact{
         contact_name                    user1                   ; Short
         use                             generic-contact         ;
         alias                           Nagios Admin            ; Full
         email                           test@company.com        ;
    }
    

4) I assigned testgroup to several hosts with services in nagios text configs (works fine for nagios email alerts)

5) I created contactgroup in WATO named testgroup

6) I restarted check_mk (check_mk -R)

7) I updated user LDAP settings in CHECK_MK:

LDAP User Settings:

User Base DN: dc=company,dc=com
Search Scope: search whole subtree
Search Filter: (objectclass=posixAccount)
Filter Group: cn=nagios,ou=group,dc=company,dc=com
User-ID Attribute: uid

That seems to work fine; users from cn=nagios,ou=group,dc=company,dc=com can authenticate well.

LDAP Group Settings:

Group Base DN: ou=group,dc=company,dc=com
Search scope: whole subtree
Search filter: (&(objectclass=posixGroup)(|(cn=nagios)(cn=nagios_admins)(cn=nagios_users)(cn=testgroup)(cn=nagios_guests)))
Member Attribute: memberUid

LDAP Attribute Sync Plugins:

Alias: LDAP attribute to sync: cn
Contactgroup Membership: checked
Roles:
     Normal monitoring user: cn=nagios_users,ou=group,dc=company,dc=com
     Administrator: cn=nagios_admins,ou=group,dc=company,dc=com
     Guest user: cn=nagios_guests,ou=group,dc=company,dc=com

Handle nested group memberships: unchecked

8) After saving & test I can see this output:

connection     Success     Connection established. The connection settings seem to be ok.
User Base-DN     Success     The User Base DN could be found.
Count Users     Success     Found 4 users for synchronization.
Group Base-DN     Success     The Group Base DN could be found.
Count Groups     Success     Found 5 groups for synchronization.
Sync-Plugin: Roles     Success     Found all 3 groups.

9) When I log into check_mk as user U1, I'm not able to see the hosts and services assigned in nagios to contactgroup testgroup :-(

I'm able to authorize myself, but there are no rule policies applied. When I open (as administrator) the WATO users, I can see all 4 users, but all four are "normal monitoring users", and when I click on the edit button I can't add them to a contactgroup or change the role (which I don't want, it should be read from LDAP). But in the user table there is no contactgroup or notifications assigned (Contact groups: none, Notifications: not a contact).

Please take a look at it, I'm starting to be desperate :)

Skiaddict
  • Puzzled about one thing: Why are you doing 4) and 5) and not just 5)? – Florian Heigl Sep 02 '14 at 17:28
  • We need to do 4) because that's our old nagios configuration... all contact groups are defined for hosts in txt configs... Can't we inherit this config from the old nagios configs? – Skiaddict Sep 03 '14 at 08:13

2 Answers

1

As a starting point:

If you define the nagios groups from within WATO, it'll be possible to assign everything via the GUI.

In the documentation for LDAP the key line is probably this one:

"The user is added to all contactgroups where the user is member of a group in LDAP whichs CN is exactly matching the name of the contactgroup." (you have to also enable that feature, but what I want to point at is the group matching)

So, if you have an LDAP group unix-admins you should also define a contact group "unix-admins" via WATO. That can then be assigned a certain WATO folder or specific services as the/a contact to notify.

Florian Heigl
0

In check_mk Multisite every user who isn't explicitly defined as an admin or guest has the role "user" assigned. And by default this role only shows hosts and services the user is a nagios contact for.

See Authorization in Check_MK Multisite

As a default, all users with a valid HTTP authentication have the role user ... Normal users only see and can act on objects they are a contact in Nagios for.

My setup was OMD with check_mk included, so I didn't manually edit the nagios config. But afaik it should work for your setup as well. If not, ask your question in the Monitoring-Portal.org forum in the check_mk/livestatus section. A lot of check_mk developers are active over there.

jam
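
Added example, not part of either answer or of check_mk itself: a small audit that applies the exact-CN matching rule quoted in the first answer to the LDAP groups from the question and compares the result with the `members` lines of the Nagios text config, since the second answer notes that a normal user only sees objects they are a Nagios contact for. The data is constructed from the question (placeholders `U1`..`U4`, `user1`), and treating the LDAP `uid` as the name that must equal the Nagios `contact_name`, with a case-sensitive comparison, is an assumption of this sketch.

```python
import re

# Constructed sample data mirroring the question (not read from a live LDAP server).
LDAP_GROUPS = {  # posixGroup cn -> memberUid values
    "nagios": ["U1", "U2", "U3", "U4"],
    "nagios_admins": ["U1", "U2"],
    "nagios_users": ["U3"],
    "nagios_guests": ["U4"],
    "testgroup": ["U1"],
}
WATO_CONTACTGROUPS = {"testgroup"}  # contact groups defined in WATO
NAGIOS_CFG = """
define contactgroup{
     contactgroup_name   testgroup
     alias               LDAP test contactgroup
     members             user1
}
"""

def ldap_contactgroups(ldap_groups, wato_groups):
    """Quoted rule: only an LDAP group whose CN exactly equals a contact group
    name contributes members (case-sensitive here, which is an assumption)."""
    return {cn: set(uids) for cn, uids in ldap_groups.items() if cn in wato_groups}

def nagios_contactgroups(cfg_text):
    """Parse 'define contactgroup{...}' blocks into {group: set(members)}."""
    groups = {}
    for body in re.findall(r"define\s+contactgroup\s*\{(.*?)\}", cfg_text, re.S):
        fields = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # drop ';' comments
            if len(parts) == 2:
                fields[parts[0]] = parts[1].strip()
        members = fields.get("members", "").split(",")
        if "contactgroup_name" in fields:
            groups[fields["contactgroup_name"]] = {m.strip() for m in members if m.strip()}
    return groups

def audit(ldap_groups, wato_groups, cfg_text):
    """Return (group, name, problem) for each disagreement between the two sources."""
    synced = ldap_contactgroups(ldap_groups, wato_groups)
    cfg = nagios_contactgroups(cfg_text)
    findings = []
    for group in sorted(set(synced) | set(cfg)):
        for uid in sorted(synced.get(group, set()) - cfg.get(group, set())):
            findings.append((group, uid, "LDAP login is not a Nagios contact in this group"))
        for name in sorted(cfg.get(group, set()) - synced.get(group, set())):
            findings.append((group, name, "Nagios contact has no matching LDAP login"))
    return findings
```

Against real data, fill `LDAP_GROUPS` from an export of the group base DN and pass the contents of the contact config files as `cfg_text`; an empty result from `audit` means both sources agree on who belongs to each contact group.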