Version 1 (modified by jonmills, 8 years ago)

Overview

This page details how to authenticate and authorize the users who can access your OMD/Check_MK/Nagios monitoring website. As usual, there are lots of pieces involved:

Requirements

  • Authentication
    • httpd -- uses the system's shared Apache daemon
    • mod_ssl -- uses the system-installed mod_ssl RPM package to secure the site
    • mod_authnz_ldap -- this Apache module does the heavy lifting for us
    • auth.conf -- requires custom editing of the file $OMD_ROOT/etc/apache/conf.d/auth.conf
  • Authorization
    • multisite.mk -- requires tweaks to this file
    • contacts.mk -- as with the old Nagios CGIs, you need contact objects corresponding to the LDAP user names passed by Apache in the HTTP_USER var

auth.conf

  • This is an example $OMD_ROOT/etc/apache/conf.d/auth.conf file
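    <Location "/myexample">
      # Refuse requests that do not arrive over SSL; export the SSL variables
      SSLRequireSSL
      SSLOptions +StdEnvVars

      # Deny every host; with "Satisfy any" below, a request must then authenticate
      order deny,allow
      deny from all

      AuthName "OMD Monitoring Site myexample"
      AuthType Basic
      AuthUserFile /omd/sites/myexample/etc/htpasswd

      # Check Basic credentials against LDAP, binding as proxy-user to search for the user
      AuthBasicProvider ldap
      AuthLDAPBindDN cn=proxy-user,dc=example,dc=org
      AuthLDAPBindPassword passw0rd
      # Two LDAP hosts (space-separated), search base ou=people, attribute uid, subtree scope
      AuthLDAPURL "ldap://ldap.example.org ldap2.example.org/ou=people,dc=example,dc=org?uid?sub?"
      AuthzLDAPAuthoritative on

      Require valid-user
      Satisfy any
    </Location>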
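
A hardened variant of the file above, added here as an example and not taken from the original page. It assumes the same Apache 2.2-style directives, LDAP servers that support STARTTLS, and a placeholder CA file path (/etc/pki/tls/certs/ldap-ca.pem). It keeps SSLRequireSSL binding under "Satisfy any" and encrypts the Apache-to-LDAP connection, which with a plain ldap:// URL carries the proxy-user password and every user's password in cleartext.

```apache
# Added example, not the original page's configuration.
# The two LDAP* directives below belong in the main server config context
# (not inside <Location>). The CA file path is a placeholder.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem
LDAPVerifyServerCert On

<Location "/myexample">
  SSLRequireSSL
  # Without +StrictRequire, "Satisfy any" lets a successfully authenticated
  # request override the SSLRequireSSL denial, so valid credentials sent
  # over plain HTTP would still be accepted.
  SSLOptions +StdEnvVars +StrictRequire

  Order deny,allow
  Deny from all

  AuthName "OMD Monitoring Site myexample"
  AuthType Basic

  AuthBasicProvider ldap
  AuthLDAPBindDN cn=proxy-user,dc=example,dc=org
  # The bind password is stored in cleartext: keep this file readable only
  # by the accounts that must read it, and give proxy-user search rights only.
  AuthLDAPBindPassword passw0rd
  # The trailing STARTTLS argument upgrades the connection to TLS before the
  # bind; the server certificate is verified against the CA configured above.
  AuthLDAPURL "ldap://ldap.example.org ldap2.example.org/ou=people,dc=example,dc=org?uid?sub" STARTTLS
  AuthzLDAPAuthoritative on

  Require valid-user
  Satisfy any
</Location>
```

Running `apachectl configtest` after editing catches a directive placed in the wrong context before the daemon is reloaded.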