Overview

This page details how to authenticate and authorize which users can access your OMD/Check_MK/Nagios monitoring website. As usual, there are several pieces involved:

Requirements

  • Authentication
    • httpd -- uses the system's shared Apache daemon
    • mod_ssl -- uses the system-installed mod_ssl RPM package to secure the site
    • mod_authnz_ldap -- this Apache module does the heavy lifting for us
    • auth.conf -- requires custom editing of the file $OMD_ROOT/etc/apache/conf.d/auth.conf
    • For real protection the whole site needs to be SSL'd, which means you need an SSL'd vhost plus a redirect that sends port 80 traffic to port 443, e.g.:
      • RedirectMatch ^/nagios[/]*$ https://site.example.org/nagios/
  • Authorization
    • multisite.mk -- requires tweaks to this file
    • contacts.mk -- as with the old Nagios CGIs, you need contact objects corresponding to the LDAP user names passed by Apache in the HTTP_USER var

Authentication

auth.conf

  • This is an example $OMD_ROOT/etc/apache/conf.d/auth.conf file
    • Your ldapurl may vary ;-)
      # For mod_authnz_ldap to speak LDAPS or TLS, you must declare a SSL CA certificate...
      <IfModule mod_authnz_ldap.c>
        LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/myexample_ca.pem
        # "off" skips checking the LDAP server's certificate against the CA declared above;
        # "on" is the setting that actually enforces that CA
        LDAPVerifyServerCert off
        LDAPSharedCacheSize 200000
        LDAPCacheEntries 1024
        LDAPCacheTTL 600
        LDAPOpCacheEntries 1024
        LDAPOpCacheTTL 600
        # TLS = STARTTLS on the ldap:// connection (use SSL for ldaps:// URLs)
        LDAPTrustedMode TLS
      </IfModule>

      <Location "/myexample">
        # Refuse plain-HTTP requests so Basic auth credentials only travel over HTTPS
        SSLRequireSSL
        SSLOptions +StdEnvVars

        # Apache 2.2 host access control: deny everyone here, "Satisfy any" below lets a
        # successful login override it, so authentication is effectively mandatory
        order deny,allow
        deny from all

        AuthName "OMD Monitoring Site myexample"
        AuthType Basic
        # Only consulted if "file" is also listed in AuthBasicProvider
        AuthUserFile /omd/sites/myexample/etc/htpasswd

        AuthBasicProvider ldap
        # Bind account used to look up the user; this password is in cleartext, so keep
        # auth.conf readable only by the site user
        AuthLDAPBindDN cn=proxy-user,dc=example,dc=org
        AuthLDAPBindPassword passw0rd
        # Two LDAP hosts, space separated, tried in order; search ou=people for uid=<login>
        AuthLDAPURL "ldap://ldap.example.org ldap2.example.org/ou=people,dc=example,dc=org?uid?sub?"
        AuthzLDAPAuthoritative on

        # Any user who binds successfully may reach the site; roles are assigned in multisite.mk
        Require valid-user
        Satisfy any
      </Location>
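As an added example (not code from the OMD or Check_MK projects), a small Python audit for the auth.conf pattern above: it parses the directives and flags the settings that weaken this setup, namely LDAPVerifyServerCert off, an ldap:// URL with no TLS/SSL trusted mode, a cleartext bind password, and a Location without SSLRequireSSL. The sample configuration is constructed to mirror the file above and the finding codes are my own naming.

```python
# Constructed sample mirroring the auth.conf shown above (not the page's file verbatim).
SAMPLE_AUTH_CONF = """\
<IfModule mod_authnz_ldap.c>
    LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/myexample_ca.pem
    LDAPVerifyServerCert off
    LDAPTrustedMode TLS
</IfModule>
<Location "/myexample">
    SSLRequireSSL
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindDN cn=proxy-user,dc=example,dc=org
    AuthLDAPBindPassword passw0rd
    AuthLDAPURL "ldap://ldap.example.org ldap2.example.org/ou=people,dc=example,dc=org?uid?sub?"
    Require valid-user
</Location>
"""

def parse_directives(text):
    """Map lowercased directive name -> list of argument strings (flat view, no block scoping)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip blanks, comments and <Block> tags
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip().strip('"'))
    return directives

def audit_auth_conf(text):
    """Return (code, message) findings for the settings that matter most in this setup."""
    d = parse_directives(text)
    findings = []
    # Apache's default is "on"; "off" means LDAPTrustedGlobalCert is never actually enforced
    if d.get("ldapverifyservercert", ["on"])[0].lower() == "off":
        findings.append(("LDAP_NO_CERT_VERIFY", "LDAPVerifyServerCert off: server cert not checked against the CA"))
    # ldap:// is cleartext unless LDAPTrustedMode upgrades it (TLS = STARTTLS); ldaps:// forces SSL
    mode = d.get("ldaptrustedmode", ["NONE"])[0].upper()
    if any(u.lower().startswith("ldap://") for u in d.get("authldapurl", [])) and mode not in ("TLS", "SSL"):
        findings.append(("LDAP_CLEARTEXT", "ldap:// URL without LDAPTrustedMode TLS/SSL: credentials sent unencrypted"))
    if "authldapbindpassword" in d:
        findings.append(("BIND_PW_INLINE", "AuthLDAPBindPassword in cleartext: keep auth.conf readable by the site user only"))
    if "sslrequiressl" not in d:
        findings.append(("NO_SSLREQUIRESSL", "SSLRequireSSL missing: Basic credentials can be sent over plain HTTP"))
    return findings
```

Run it over the real $OMD_ROOT/etc/apache/conf.d/auth.conf after each change; the sample above yields the cert-verification and bind-password findings, which is exactly what the page's file would report.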
      

Authorization

multisite.mk

  • Example $OMD_ROOT/etc/check_mk/multisite.mk file that authorizes a single user, 'janedoe', to be a site admin
  • Defines a default user ('guest') with only read-only privileges
  • Check_MK Authorization Documentation
# Configuration for Check_MK Multisite

# Users with unrestricted permissions
admin_users = [ "omdadmin", "janedoe" ]

# Users seeing all data but cannot do any action
guest_users = [ "guest" ]

# A list of all normal operational users allowed to use
# Multisite. If this variable is not set, then everybody with a correct
# HTTP login may use Multisite and gets the role "user"
users       = [ "meier", "huber", "mueller" ]

# Users not explicitly listed in admin_users or guest_users
# get the role "user" if they have a valid login. You can change this
# to "guest", "admin" or None by setting the following variable:
default_user_role = "guest"