nagios使用ldap用户认证

nagios和openldap都是非常优秀的开源软件， nagios在监控方面几乎已经成了一种业界标准，而openldap本身就遵循ldap标准，几乎一提到用户的统一认证，我们首先想到的就是openldap 。而在对nagios进行用户认证管理方面，我们完全可以通过openldap和公司的OA、mail、ftp、wiki等系统进行整合。

下面以apache为例，其关于nagios的配置文件如下：

NameVirtualHost *:80

    ServerAdmin admin@361way.com
    DocumentRoot "/App/nagios/share"
    ServerName   nagios.361way.com
    ErrorLog "/var/log/httpd/nagios-error_log"
    CustomLog "/var/log/httpd/nagios-access_log" common
  scriptAlias /nagios/cgi-bin "/App/nagios/sbin"
  
#    SSLRequireSSL
     Options ExecCGI
     AllowOverride None
     Order allow,deny
     Allow from all
#    Order deny,allow
#    Deny from all
#    Allow from 127.0.0.1
     AuthName "Nagios Access"
     AuthType Basic
     AuthBasicProvider  ldap
     AuthzLDAPAuthoritative    off
     AuthLDAPURL    ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
     AuthLDAPBindDN     "cn=manager,dc=361way,dc=com"
     AuthLDAPBindPassword       "password"
     Require valid-user
  
  Alias /nagios "/App/nagios/share"
  
#    SSLRequireSSL
     Options None
     AllowOverride None
     Order allow,deny
     Allow from all
#    Order deny,allow
#    Deny from all
#    Allow from 127.0.0.1
     AuthName "Nagios Access"
     AuthType Basic
     AuthBasicProvider  ldap
     AuthzLDAPAuthoritative    off
     AuthLDAPURL    ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
     AuthLDAPBindDN     "cn=manager,dc=361way,dc=com"
     AuthLDAPBindPassword       "password"
     Require valid-user
  
Alias /pnp4nagios "/App/pnp4nagios/share"

        AllowOverride None
        Order allow,deny
        Allow from all
        AuthName "Nagios Access"
        AuthType Basic
        AuthBasicProvider  ldap
        AuthzLDAPAuthoritative    off
     AuthLDAPURL   ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
        AuthLDAPBindDN     "cn=manager,dc=361way,dc=com"
        AuthLDAPBindPassword       "password"
        Require valid-user
        
                # Turn on URL rewriting
                RewriteEngine On
                Options FollowSymLinks
                # Installation directory
                RewriteBase /pnp4nagios/
                # Protect application and system files from being viewed
                RewriteRule ^(application|modules|system) - [F,L]
                # Allow any files or directories that exist to be displayed directly
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteCond %{REQUEST_FILENAME} !-d
                # Rewrite all other URLs to index.php/URL
                RewriteRule .* index.php/$0 [PT,L]
        

该配置中将nagios 和pnp4nagios的认证都使用了ldap认证。不过nagios的认证只在此处使用还不行，还需要在cgi.cfg文件中做相关的配置。修改/App/nagios/etc/cgi.cfg文件中的下列配置如下：

authorized_for_system_information=guest1,361way,guest2
authorized_for_configuration_information=361way
authorized_for_system_commands=361way
authorized_for_all_services=guest1,361way,guest2
authorized_for_all_hosts=guest1,361way,guest2
authorized_for_all_service_commands=361way
authorized_for_all_host_commands=361way

注:需要保证上面写的三个用户能在ldap的dept.support组中能查到。这样配置以后记得restart http和nagios服务使配置生效。生效后打开nagios.361way.com域名，就可以通过ldap认证过的用户名和密码访问nagios了。而且此处做了用户的二级管理，也增加了认证的安全性。用户不但要在ldap相关的组中存在，而且要在cgi.conf配置中存在。只有通过上面的两步认证才可以打开相关的URL。