I promised many weeks ago that I would begin distilling my Conference presentation down into small digestible posts and I am pleased to say that I ceased being lazy, so here is part 1!
This presentation was designed as a guideline for new users on designing their configuration architecture and overcoming those first few small hurdles in turning Nagios into a viable business monitoring solution. Some of the architectural decisions are better suited to a single business than to a highly distributed environment such as a consultancy.
One of my favourite little-known features of Nagios is the ability to use contact objects to delegate user permissions, and before we jump into the bigger quandaries of design, it's best to make sure we understand how to get the end user the information they need to do their job.
When a user logs in to Nagios, Nagios checks whether there is an existing contact object with the same name as the user. If that user hasn't been granted a special permission (such as viewing all hosts), Nagios will only display the hosts and services to which that contact object has been assigned. That's pretty neat huh?
Using this feature together with groups you can effectively build your own role-based access control (otherwise known as RBAC), but on its own this is not all that useful for a business of a reasonable size. I mean, what if you have 100+ potential Nagios users? You don't want to have to add them all to the htpasswd file… and you certainly don't want to have to maintain that file!
Nagios uses Apache basic authentication (hence the htpasswd file), which means it should accept any authentication provider Apache supports. How about trying out the Apache LDAP module like so?
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
    SetEnv TZ "Australia/Melbourne"
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Nagios Core"
    AuthType Basic
    # The original htpasswd-based setup, now disabled:
    # AuthUserFile /usr/local/nagios/etc/htpasswd.users
    # Require valid-user
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN "CN=bindAccount,OU=User,DC=domain,DC=com"
    AuthLDAPBindPassword xxxxxxxxx
    AuthLDAPURL ldaps://domain.com/OU=User,DC=domain,DC=com?sAMAccountName?sub?(objectClass=user)
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=NagiosAccessGroup,OU=Groups,DC=domain,DC=com
</Directory>
Replace the relevant LDAP parts in the above config (bind DN, bind password, search base and access group) and you can now use your company's regular LDAP or Active Directory as the authentication source for Nagios. Now if we go ahead and create contact objects in Nagios with names that match the LAN logons (the sAMAccountName in the config above) and assign them to hosts and/or services, we will have a seamless user experience.
More than that, you will have just integrated your Nagios RBAC with your company's LDAP, and I think that's pretty darn cool.
The last piece of the puzzle will be to throw together a quick script that automatically syncs those LDAP users into Nagios contact objects… but I'll leave that part up to you. Part 2 will begin covering configuration design with Users and Contacts.
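One shape such a sync script could take, added here as an example and not code from the original post: it applies the same membership rule as the Apache config (a user is in scope only if their DN is listed in the access group's member attribute) and renders one Nagios contact per user, with contact_name set to the sAMAccountName so the CGI login matches the contact object. The LDAP entries are constructed sample data standing in for a live directory query, and the generic-contact template and ldap-users contactgroup are assumptions.

```python
"""Generate Nagios contact objects from LDAP group membership (offline example)."""
import re

# Constructed sample data standing in for an LDAP search result. A real sync
# would query the same search base and group DN as the Apache config; the DNs
# below are placeholders under DC=example,DC=com.
SAMPLE_GROUP = {"member": [
    "CN=Alice Smith,OU=User,DC=example,DC=com",
    "CN=Bob Jones,OU=User,DC=example,DC=com",
]}
SAMPLE_USERS = [
    {"dn": "CN=Alice Smith,OU=User,DC=example,DC=com", "sAMAccountName": "asmith",
     "mail": "asmith@example.com", "displayName": "Alice Smith"},
    {"dn": "CN=Bob Jones,OU=User,DC=example,DC=com", "sAMAccountName": "bjones",
     "mail": "bjones@example.com", "displayName": "Bob Jones"},
    {"dn": "CN=Carol White,OU=User,DC=example,DC=com", "sAMAccountName": "cwhite",
     "mail": "cwhite@example.com", "displayName": "Carol White"},  # not in the group
]

# Conservative allow-list for contact_name: stricter than Nagios' own
# illegal_object_name_chars, so nothing odd from the directory reaches the config.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")

def allowed_users(users, group):
    """Mirror 'Require ldap-group' with AuthLDAPGroupAttributeIsDN on: a user
    is in scope only if their DN appears in the group's member list."""
    members = {dn.lower() for dn in group.get("member", [])}
    return [u for u in users if u["dn"].lower() in members]

def contact_definition(user, contactgroup="ldap-users"):
    """Render one 'define contact' block. contact_name must equal the login
    name (sAMAccountName) for the CGI permission lookup to match."""
    name = user["sAMAccountName"]
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe contact_name: {name!r}")
    return (
        "define contact {\n"
        f"    contact_name     {name}\n"
        f"    alias            {user['displayName']}\n"
        f"    email            {user['mail']}\n"
        f"    contactgroups    {contactgroup}\n"
        "    use              generic-contact\n"   # assumed template name
        "}\n"
    )

def render_contacts(users, group):
    """Build the contacts file for everyone in the access group."""
    return "".join(contact_definition(u) for u in allowed_users(users, group))

if __name__ == "__main__":
    print(render_contacts(SAMPLE_USERS, SAMPLE_GROUP))
```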