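Nagios and OpenLDAP are both excellent open-source software. Nagios has become almost an industry standard for monitoring, while OpenLDAP itself follows the LDAP standard; whenever unified user authentication comes up, OpenLDAP is the first thing we think of. For Nagios user authentication management, we can use OpenLDAP to integrate it with the company's OA, mail, FTP, wiki and other systems.
Taking Apache as the example below, its configuration file for Nagios is as follows: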
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerAdmin admin@361way.com
        DocumentRoot "/App/nagios/share"
        ServerName nagios.361way.com
        ErrorLog "/var/log/httpd/nagios-error_log"
        CustomLog "/var/log/httpd/nagios-access_log" common

        ScriptAlias /nagios/cgi-bin "/App/nagios/sbin"
        <Directory "/App/nagios/sbin">
            # SSLRequireSSL is commented out here, so the Basic credentials cross port 80 unencrypted
            # SSLRequireSSL
            Options ExecCGI
            AllowOverride None
            Order allow,deny
            Allow from all
            # Order deny,allow
            # Deny from all
            # Allow from 127.0.0.1
            AuthName "Nagios Access"
            AuthType Basic
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative off
            # AuthLDAPURL layout: base DN ? login attribute ? search scope ? filter
            AuthLDAPURL ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
            AuthLDAPBindDN "cn=manager,dc=361way,dc=com"
            AuthLDAPBindPassword "password"
            Require valid-user
        </Directory>

        Alias /nagios "/App/nagios/share"
        <Directory "/App/nagios/share">
            # SSLRequireSSL
            Options None
            AllowOverride None
            Order allow,deny
            Allow from all
            # Order deny,allow
            # Deny from all
            # Allow from 127.0.0.1
            AuthName "Nagios Access"
            AuthType Basic
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative off
            AuthLDAPURL ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
            AuthLDAPBindDN "cn=manager,dc=361way,dc=com"
            AuthLDAPBindPassword "password"
            Require valid-user
        </Directory>

        Alias /pnp4nagios "/App/pnp4nagios/share"
        <Directory "/App/pnp4nagios/share">
            AllowOverride None
            Order allow,deny
            Allow from all
            AuthName "Nagios Access"
            AuthType Basic
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative off
            AuthLDAPURL ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
            AuthLDAPBindDN "cn=manager,dc=361way,dc=com"
            AuthLDAPBindPassword "password"
            Require valid-user
            <IfModule mod_rewrite.c>
                # Turn on URL rewriting
                RewriteEngine On
                Options FollowSymLinks
                # Installation directory
                RewriteBase /pnp4nagios/
                # Protect application and system files from being viewed
                RewriteRule ^(application|modules|system) - [F,L]
                # Allow any files or directories that exist to be displayed directly
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteCond %{REQUEST_FILENAME} !-d
                # Rewrite all other URLs to index.php/URL
                RewriteRule .* index.php/$0 [PT,L]
            </IfModule>
        </Directory>
    </VirtualHost>
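This configuration uses LDAP authentication for both Nagios and pnp4nagios. However, setting up authentication here alone is not enough for Nagios; the cgi.cfg file also needs matching settings. Change the following settings in /App/nagios/etc/cgi.cfg as shown: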
    authorized_for_system_information=guest1,361way,guest2
    authorized_for_configuration_information=361way
    authorized_for_system_commands=361way
    authorized_for_all_services=guest1,361way,guest2
    authorized_for_all_hosts=guest1,361way,guest2
    authorized_for_all_service_commands=361way
    authorized_for_all_host_commands=361way
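Note: make sure the three users listed above can be found in the LDAP dept.support group. After making these changes, remember to restart the http and nagios services so the configuration takes effect. Once it has, open the nagios.361way.com domain and you can access Nagios with an LDAP-authenticated username and password. This also gives two-level user control and adds to the security of authentication: a user must not only exist in the relevant LDAP group but also be listed in the cgi.cfg configuration. Only after passing both checks can the relevant URLs be opened.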
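One way to check the note above before restarting the services, as an added example that is not part of the original post: compare the user names in the cgi.cfg lines with the uid values an LDAP search using the AuthLDAPURL base and filter returns. The LDIF sample is constructed (guest2 is left out on purpose), the function names are hypothetical, and the wildcard check relies on Nagios treating `*` in an authorized_for_* line as "any authenticated user".

```python
import re

# The cgi.cfg lines from this page.
CGI_CFG = """\
authorized_for_system_information=guest1,361way,guest2
authorized_for_configuration_information=361way
authorized_for_system_commands=361way
authorized_for_all_services=guest1,361way,guest2
authorized_for_all_hosts=guest1,361way,guest2
authorized_for_all_service_commands=361way
authorized_for_all_host_commands=361way
"""

# Constructed sample: LDIF as an LDAP search with the page's base DN and filter
# would print it when asked for uid. guest2 is deliberately absent.
LDAP_LDIF = """\
dn: uid=guest1,ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com
uid: guest1

dn: uid=361way,ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com
uid: 361way

dn: uid=alice,ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com
uid: alice
"""

def parse_cgi_cfg(text):
    """Return {directive: set(users)} for every authorized_for_* line."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(authorized_for_\w+)\s*=\s*(.*)", line)
        if m:
            acl[m.group(1)] = {u.strip() for u in m.group(2).split(",") if u.strip()}
    return acl

def ldap_uids(ldif):
    """Collect plain-text uid values (base64 'uid::' lines are skipped)."""
    return {m.group(1).strip() for m in re.finditer(r"^uid: (.+)$", ldif, re.M)}

def audit(cgi_text, ldif):
    acl, uids = parse_cgi_cfg(cgi_text), ldap_uids(ldif)
    named = set().union(*acl.values()) - {"*"}
    return {
        "cfg_only": sorted(named - uids),    # listed in cgi.cfg, rejected by the LDAP filter
        "ldap_only": sorted(uids - named),   # pass LDAP, named in no authorized_for_* line
        "wildcard": sorted(d for d, u in acl.items() if "*" in u),  # second layer bypassed
    }

if __name__ == "__main__":
    print(audit(CGI_CFG, LDAP_LDIF))
```

A non-empty `cfg_only` list means a user named in cgi.cfg will fail at the Apache prompt; a non-empty `wildcard` list means that directive no longer depends on the cgi.cfg user list at all.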