Version 2 (modified by jonmills, 8 years ago)

Overview

This page details how to authenticate and authorize the users who can access your OMD/Check_MK/Nagios monitoring website. As usual, there are lots of pieces involved:

Requirements

  • Authentication
    • httpd -- uses the system's shared Apache daemon
    • mod_ssl -- uses the system-installed mod_ssl RPM package to secure the site
    • mod_authnz_ldap -- this Apache module does the heavy lifting for us
    • auth.conf -- requires custom editing of the file $OMD_ROOT/etc/apache/conf.d/auth.conf
  • Authorization
    • multisite.mk -- requires tweaks to this file
    • contacts.mk -- as with the old Nagios CGIs, you need contact objects corresponding to the LDAP user names passed by Apache in the HTTP_USER var

auth.conf

  • This is an example $OMD_ROOT/etc/apache/conf.d/auth.conf file
    • Your ldapurl may vary ;-)
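      <Location "/myexample">
        # Refuse requests that did not arrive over SSL/TLS, so Basic
        # credentials are not sent in the clear. Note: with "Satisfy any"
        # (below) this denial can be overridden unless SSLOptions also
        # includes +StrictRequire.
        SSLRequireSSL
        SSLOptions +StdEnvVars

        # Deny every host; combined with "Satisfy any", the remaining way
        # in is a successful login
        order deny,allow
        deny from all

        AuthName "OMD Monitoring Site myexample"
        AuthType Basic
        AuthUserFile /omd/sites/myexample/etc/htpasswd

        # Check passwords against LDAP. The bind DN and password belong to
        # the account used to search for the user; the password is stored
        # here in clear text, so restrict read access to this file.
        AuthBasicProvider ldap
        AuthLDAPBindDN cn=proxy-user,dc=example,dc=org
        AuthLDAPBindPassword passw0rd
        # Two LDAP hosts, tried in turn; ldap:// traffic is not encrypted
        AuthLDAPURL "ldap://ldap.example.org ldap2.example.org/ou=people,dc=example,dc=org?uid?sub?"
        # Apache 2.2 directive: do not fall through to other authorization
        # modules when LDAP authorization fails
        AuthzLDAPAuthoritative on

        Require valid-user
        Satisfy any
      </Location>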
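
Added example (not part of the original wiki page): a small Python check that parses a Location block like the one above and flags the settings that weaken it, namely an unencrypted ldap:// URL, a clear-text bind password, and SSLRequireSSL combined with "Satisfy any" but no +StrictRequire. The function names and finding codes are this example's own, and the sample text is constructed from the directives shown above.

```python
import shlex

# Constructed sample: directives copied from the example auth.conf above.
SAMPLE = '''
<Location "/myexample">
  SSLRequireSSL
  SSLOptions +StdEnvVars
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPBindDN cn=proxy-user,dc=example,dc=org
  AuthLDAPBindPassword passw0rd
  AuthLDAPURL "ldap://ldap.example.org ldap2.example.org/ou=people,dc=example,dc=org?uid?sub?"
  Require valid-user
  Satisfy any
</Location>
'''

def parse_directives(text):
    """Map lower-cased directive name -> argument list (one Location block)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":   # skip blanks, comments, section tags
            continue
        name, *args = shlex.split(line)   # keeps the quoted LDAP URL as one token
        out[name.lower()] = args
    return out

def audit(text):
    """Return sorted finding codes (the codes are this example's own names)."""
    d = parse_directives(text)
    findings = []
    basic = [a.lower() for a in d.get("authtype", [])] == ["basic"]
    # Basic auth resends the password on every request: TLS must be mandatory.
    if basic and "sslrequiressl" not in d:
        findings.append("basic-auth-without-sslrequiressl")
    # "Satisfy any" can override an SSLRequireSSL denial unless StrictRequire is set.
    opts = [o.lower() for o in d.get("ssloptions", [])]
    satisfy = (d.get("satisfy") or [""])[0].lower()
    if "sslrequiressl" in d and satisfy == "any" and "+strictrequire" not in opts:
        findings.append("sslrequiressl-not-strict")
    url = d.get("authldapurl", [])
    mode = url[1].upper() if len(url) > 1 else "NONE"
    # ldap:// with no SSL/TLS/STARTTLS mode sends binds and passwords unencrypted.
    if url and url[0].lower().startswith("ldap://") and mode not in ("SSL", "TLS", "STARTTLS"):
        findings.append("ldap-cleartext")
    # A literal bind password sits in the configuration file in clear text.
    if d.get("authldapbindpassword"):
        findings.append("bind-password-in-file")
    return sorted(findings)
```

Calling audit() on the contents of $OMD_ROOT/etc/apache/conf.d/auth.conf returns the list of finding codes for that file; an empty list means none of these four checks fired.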