Presentation Pt1: User Permissions

I promised many weeks ago that I would begin distilling my Conference presentation down into small digestible posts and I am pleased to say that I ceased being lazy, so here is part 1!

This presentation was designed to be a guideline for new users on designing their configuration architecture and overcoming those first few small hurdles in turning Nagios into a viable business monitoring solution. Some of the architectural decisions are going to be suited more to a single business than to a highly distributed environment such as a consultancy.

One of my favourite little-known features of Nagios is the ability to use contact objects to delegate user permissions. Before we jump into the bigger quandaries of design, it's worth making sure we understand how to get the end user the information they need to do their job.

When a user logs in to Nagios, Nagios checks whether there is an existing contact object with the same name as the user. If that user hasn't been assigned a special permission (such as view all hosts), Nagios will only display the hosts to which that contact object has been assigned. That's pretty neat, huh?

Using this feature together with groups you can effectively build your own role-based access control (otherwise known as RBAC), but on its own this is not all that useful for a business of reasonable size. What if you have 100+ potential Nagios users? You don't want to add them all to the htpasswd file, and you certainly don't want to maintain that file!

Nagios uses Apache basic authentication (hence the htpasswd file), which means it should accept any valid Apache authentication provider. How about trying the Apache LDAP module, like so?

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
 SetEnv TZ "Australia/Melbourne"
 Options ExecCGI
 AllowOverride None
 # Apache 2.2 access-control syntax, matching the AuthzLDAPAuthoritative directive below
 Order allow,deny
 Allow from all
 AuthType Basic
 AuthName "Nagios server"
 # Previous htpasswd-based setup, kept for reference
 # AuthUserFile /usr/local/nagios/etc/htpasswd.users
 # Require valid-user

 # Authenticate against LDAP / Active Directory instead of the htpasswd file
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative off
 # Service account used to search the directory; keep this file out of reach of other users
 AuthLDAPBindDN "CN=bindAccount,OU=User,DC=domain,DC=com"
 AuthLDAPBindPassword xxxxxxxxx
 # Look users up by sAMAccountName under the User OU; that logon name is what Nagios matches against contact_name
 AuthLDAPURL ldaps://domain.com/OU=User,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
 # Only members of this group are allowed in
 AuthLDAPGroupAttribute member
 AuthLDAPGroupAttributeIsDN on
 Require ldap-group CN=NagiosAccessGroup,OU=Groups,DC=domain,DC=com
</Directory>

Replace the relevant LDAP parts in the above config and you can now use your company's regular LDAP or Active Directory as the authentication source for Nagios. If we then create contact objects in Nagios whose names match LAN logons (the sAMAccountName the LDAP URL above looks up) and assign them to hosts and/or services, we have a seamless user experience.

More than that, you will have just integrated your Nagios RBAC with your company's LDAP, and I think that's pretty darn cool.

The last piece of the puzzle is a quick script that automatically syncs those LDAP users into Nagios contact objects... but I'll leave that part up to you. Part 2 will begin covering configuration design with users and contacts.
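A starting point for that sync script, added here as an example and not part of the original post: it parses an LDIF export of the User OU (the constructed sample below stands in for ldapsearch output) and emits one Nagios contact per sAMAccountName, so contact_name lines up with the name Apache authenticates. The generic-contact template is assumed to exist in your Nagios configuration.

```python
import base64
import re

# Default illegal_object_name_chars from nagios.cfg: refuse such names rather than emit broken config.
ILLEGAL = re.compile(r"[`~!$%^&*|'\"<>?,()=]")

def parse_ldif(text):
    """Split LDIF text into one dict per entry; handles 'attr:: base64' values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded attribute value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def contact_definition(entry, template="generic-contact"):
    """Render a contact whose contact_name is the AD logon name, so the user
    Apache authenticates and the Nagios contact line up."""
    name = entry["sAMAccountName"]
    if ILLEGAL.search(name):
        raise ValueError("contact_name %r contains characters Nagios rejects" % name)
    return ("define contact {\n"
            "    use           %s\n"
            "    contact_name  %s\n"
            "    alias         %s\n"
            "    email         %s\n"
            "}\n" % (template, name, entry.get("displayName", name), entry.get("mail", "")))

def render(ldif_text):  # one contact per entry with a logon name; groups/OUs are skipped
    return "".join(contact_definition(e) for e in parse_ldif(ldif_text) if "sAMAccountName" in e)

# Constructed sample of what an ldapsearch of the User OU would return.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=User,DC=domain,DC=com
sAMAccountName: jdoe
displayName: Jane Doe
mail: jdoe@domain.com

dn: CN=Sam Roe,OU=User,DC=domain,DC=com
sAMAccountName: sroe
displayName:: U2FtIFJvZQ==
mail: sroe@domain.com
"""
```

Pipe the output of render() into a contacts.cfg that nagios.cfg includes, and run nagios -v before reloading so a bad name is caught before it takes the daemon down.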

Links

Presentation Pt2: Users and Contacts

Presentation Pt3: Hosts and Services

Presentation Pt4: The art of service dependencies