Re: [Nagios-users] Advanced authentication
applications. Once they're logged in there, we would pass their username over to Nagios via URL querystring or hidden form value, etc (not going for maximum security). Indeed not, anyone who wants can pretend to be anyone else. Still, if it's an internal intranet, and you capture the IP addresses, you can find out whodunit On the Nagios server we would use PHP to populate the REMOTE_USER Apache ENV variable with the passed username so that Nagios can compare that to the contacts and provide them with their applicable views. I'm afraid you can't do that. You would set the REMOTE_USER (or any other env) for the scope of that PHP page ONLY. One option would be to edit all the nagios CGIs to look for the username in the query string, and set the variable at the top of the CGI (in main). Or replace all instances of ENV.REMOTE_USER with a function which Another option might be to execute the cgi's from a PHP page which pre-sets the username. You could use mod_rewrite to rewrite *.cgi to nagportal.php?cgi=*.cgi. In both cases you would have to maintain the username throughout the session. If you edit all the links in nagios on the fly to pass in a new username, (change status.cgi to status.cgi?username=bob), you would have a problem with people emailing links to others. One option for this would be to use PHP's session capabilities to store the username. You would set a cookie with the username in and read it on each call. That would work with both the php and the editing-the-cgi way. Both of those solutions are a fair amount of effort. A final solution could be using the apache module SetEnvIf. Something like SetEnvIf Cookies:.*loginname=(username);.* REMOTE_USER=\1 But I don't think SetEnvIf will let you do that. What you're trying to do isn't that easy, as it goes against normal authentication practices. Is it necessary to modify the Nagios/cgi config in any way to achieve what we're doing? Perhaps Is is necessary to modify the Apache config? Perhaps Is is necessary to set any other ENV variables besides REMOTE_USER? No - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
On Oct 29, 2008, at 10:37 AM, Phillips, Dustin B (DBphillips) wrote: Thanks for the replies. Ultimately what we would like to do is authenticate the user via another website that we already use as a single sign-on portal for other web applications. Once they're logged in there, we would pass their username over to Nagios via URL querystring or hidden form value, etc (not going for maximum security). On the Nagios server we would use PHP to populate the REMOTE_USER Apache ENV variable with the passed username so that Nagios can compare that to the contacts and provide them with their applicable views. You can pass htaccess authentication as part of the URL but I don't know if it's sticky for links accessed from that page -- http://username:[EMAIL PROTECTED] I'm not aware of other methods to transparently pass it but they may exist. htaccess has been around for quite a long time. -- Marc - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
I have achieved something like you describe with a Reverse Proxy SSO called Vulture NG (http://vulture.open-source.fr/wiki/). It works really well when you need to authenticate on differents nagios servers (like in a distributed setup). Maybe this can help you Olivier Jan Marc Powell [EMAIL PROTECTED] a écrit : On Oct 29, 2008, at 10:37 AM, Phillips, Dustin B (DBphillips) wrote: Thanks for the replies. Ultimately what we would like to do is authenticate the user via another website that we already use as a single sign-on portal for other web applications. Once they're logged in there, we would pass their username over to Nagios via URL querystring or hidden form value, etc (not going for maximum security). On the Nagios server we would use PHP to populate the REMOTE_USER Apache ENV variable with the passed username so that Nagios can compare that to the contacts and provide them with their applicable views. You can pass htaccess authentication as part of the URL but I don't know if it's sticky for links accessed from that page -- http://username:[EMAIL PROTECTED] I'm not aware of other methods to transparently pass it but they may exist. htaccess has been around for quite a long time. -- Marc - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
Thanks for the replies.
Ultimately what we would like to do is authenticate the user via another
website that we already use as a single sign-on portal for other web
applications. Once they're logged in there, we would pass their username
over to Nagios via URL querystring or hidden form value, etc (not going for
maximum security). On the Nagios server we would use PHP to populate the
REMOTE_USER Apache ENV variable with the passed username so that Nagios can
compare that to the contacts and provide them with their applicable views.
Currently we are able to pass the username value to the Nagios server and we
appear to be populating the Apache ENV variable successfully via PHP using
apache_setenv('REMOTE_USER', '[username]'); however when we then redirect
to the Nagios homepage, Nagios does not appear to be picking up the
username. It states that we're logged in as ? and obviously nothing is
accessible.
Questions:
Is it necessary to modify the Nagios/cgi config in any way to achieve what
we're doing?
Is is necessary to modify the Apache config?
Is is necessary to set any other ENV variables besides REMOTE_USER?
Thanks for any assistance/guidance you can provide!
Dustin
E-MAIL CONFIDENTIALITY NOTICE:
The contents of this e-mail message and
any attachments are intended solely for the
addressee(s) and may contain confidential
and/or legally privileged information. If you
are not the intended recipient of this message
or if this message has been addressed to you
in error, please immediately alert the sender
by reply e-mail and then delete this message
and any attachments. If you are not the
intended recipient, you are notified that
any use, dissemination, distribution, copying,
or storage of this message or any attachment
is strictly prohibited.
-
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100url=/
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting
any issue.
::: Messages without supporting info will risk being sent to /dev/null
[Nagios-users] Advanced authentication
Sorry if this has already been asked but I¹m new to the list. Question: Is there an add-on or other method for enabling more advanced authentication for Nagios or is htaccess the only method? I¹m thinking something more like a MySQL database or LDAP, etc. Thanks, Dustin E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
Hi Dustin, As the htaccess authentication is provided by Apache, you can certainly use any authentication Apache supports (LDAP, SQL etc.) See the following Apache manual pages: http://httpd.apache.org/docs/2.2/howto/auth.html - htaccess authentication howto http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html - SQL authentication http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html - LDAP authentication Hope this helps. Regards, Andy Phillips, Dustin B (DBphillips) wrote: Sorry if this has already been asked but I’m new to the list. Question: Is there an add-on or other method for enabling more advanced authentication for Nagios or is htaccess the only method? I’m thinking something more like a MySQL database or LDAP, etc. Thanks, Dustin E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
Hi Dustin; Be reminded that if you use this method (and it's what I used) then you need to remember to use a wildcard (*) in your /etc/nagios/cgi.cfg to give all who can see the CGI access via Apache the access to do it. Otherwise, Apache verifies their user/pass, but the Nagios CGI denies them. Allan On Tue, Oct 28, 2008 at 15:28, Andy Shellam [EMAIL PROTECTED]wrote: Hi Dustin, As the htaccess authentication is provided by Apache, you can certainly use any authentication Apache supports (LDAP, SQL etc.) See the following Apache manual pages: http://httpd.apache.org/docs/2.2/howto/auth.html - htaccess authentication howto http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html - SQL authentication http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html - LDAP authentication Hope this helps. Regards, Andy Phillips, Dustin B (DBphillips) wrote: Sorry if this has already been asked but I'm new to the list. Question: Is there an add-on or other method for enabling more advanced authentication for Nagios or is htaccess the only method? I'm thinking something more like a MySQL database or LDAP, etc. Thanks, Dustin E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited. - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null -- [EMAIL PROTECTED] 金鱼 http://linkedin.com/in/goldfish please, no proprietary attachments (http://tinyurl.com/cbgq) - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
On Oct 28, 2008, at 2:08 PM, Phillips, Dustin B (DBphillips) wrote: Sorry if this has already been asked but I’m new to the list. Question: Is there an add-on or other method for enabling more advanced authentication for Nagios or is htaccess the only method? I’m thinking something more like a MySQL database or LDAP, etc. Any authentication module supported by apache would work as long as you end up with a username in $REMOTE_USER that can be matched against a contact. Most generally work through the htaccess mechanism but the authorization source doesn't have to be htpasswd. Nagios doesn't care how the authorization happens, just that the variable is populated. -- Marc - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
On Oct 28, 2008, at 2:35 PM, Allan Clark wrote: Hi Dustin; Be reminded that if you use this method (and it's what I used) then you need to remember to use a wildcard (*) in your /etc/nagios/ cgi.cfg to give all who can see the CGI access via Apache the access to do it. Otherwise, Apache verifies their user/pass, but the Nagios CGI denies them. Please explain... There are very limited cases i can think of that you would want to wildcard any of the authorized_for variables, none of which are required to access the cgi's when using authentication. -- Marc - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
On Tue, Oct 28, 2008 at 3:08 PM, Phillips, Dustin B (DBphillips) [EMAIL PROTECTED] wrote: Question: Is there an add-on or other method for enabling more advanced authentication for Nagios or is htaccess the only method? I'm thinking something more like a MySQL database or LDAP, etc. You can use any form of http authentication. I use http's ldap authentication module, and mod_auth_mysql works fine also. -- During times of universal deceit, telling the truth becomes a revolutionary act. George Orwell - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] Advanced authentication
Exactly. You want to make sure a contact is setup and is assigned to the appropriate objects. The contact name should make the name authenticated by apache. Taylor On Tue, Oct 28, 2008 at 12:50 PM, Marc Powell [EMAIL PROTECTED] wrote: On Oct 28, 2008, at 2:35 PM, Allan Clark wrote: Hi Dustin; Be reminded that if you use this method (and it's what I used) then you need to remember to use a wildcard (*) in your /etc/nagios/ cgi.cfg to give all who can see the CGI access via Apache the access to do it. Otherwise, Apache verifies their user/pass, but the Nagios CGI denies them. Please explain... There are very limited cases i can think of that you would want to wildcard any of the authorized_for variables, none of which are required to access the cgi's when using authentication. -- Marc - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null -- Taylor Dondich Check out Lilac, a configuration tool for Nagios 3 at http://www.lilacplatform.com Check out my Shortcut with O'Reilly Press: Network Monitoring with Nagios: http://oreilly.com/catalog/9780596528195/index.html - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/ ___ Nagios-users mailing list Nagios-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nagios-users ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null
