nagios和openldap都是非常优秀的开源软件, nagios在监控方面几乎已经成了一种业界标准,而openldap本身就遵循ldap标准,几乎一提到用户的统一认证,我们首先想到的就是openldap 。而在对nagios进行用户认证管理方面,我们完全可以通过openldap和公司的OA、mail、ftp、wiki等系统进行整合。
下面以apache为例,其关于nagios的配置文件如下:
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin admin@361way.com
DocumentRoot "/App/nagios/share"
ServerName nagios.361way.com
ErrorLog "/var/log/httpd/nagios-error_log"
CustomLog "/var/log/httpd/nagios-access_log" common
scriptAlias /nagios/cgi-bin "/App/nagios/sbin"
<Directory "/App/nagios/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
AuthLDAPBindDN "cn=manager,dc=361way,dc=com"
AuthLDAPBindPassword "password"
Require valid-user
</Directory>
Alias /nagios "/App/nagios/share"
<Directory "/App/nagios/share">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
AuthLDAPBindDN "cn=manager,dc=361way,dc=com"
AuthLDAPBindPassword "password"
Require valid-user
</Directory>
Alias /pnp4nagios "/App/pnp4nagios/share"
<Directory "/App/pnp4nagios/share">
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
AuthLDAPBindDN "cn=manager,dc=361way,dc=com"
AuthLDAPBindPassword "password"
Require valid-user
<IfModule mod_rewrite.c>
# Turn on URL rewriting
RewriteEngine On
Options FollowSymLinks
# Installation directory
RewriteBase /pnp4nagios/
# Protect application and system files from being viewed
RewriteRule ^(application|modules|system) - [F,L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Rewrite all other URLs to index.php/URL
RewriteRule .* index.php/$0 [PT,L]
</IfModule>
</Directory>
</VirtualHost>该配置中将nagios 和pnp4nagios的认证都使用了ldap认证。不过nagios的认证只在此处使用还不行,还需要在cgi.cfg文件中做相关的配置。修改/App/nagios/etc/cgi.cfg文件中的下列配置如下:
authorized_for_system_information=guest1,361way,guest2 authorized_for_configuration_information=361way authorized_for_system_commands=361way authorized_for_all_services=guest1,361way,guest2 authorized_for_all_hosts=guest1,361way,guest2 authorized_for_all_service_commands=361way authorized_for_all_host_commands=361way
注:需要保证上面写的三个用户能在ldap的dept.support组中能查到。这样配置以后记得restart http和nagios服务使配置生效。生效后打开nagios.361way.com域名,就可以通过ldap认证过的用户名和密码访问nagios了。而且此处做了用户的二级管理,也增加了认证的安全性。用户不但要在ldap相关的组中存在,而且要在cgi.conf配置中存在。只有通过上面的两步认证才可以打开相关的URL。