如何使用 ldap‘安全组’进行 httpd 托管的 Nagios 网站的身份验证?

如何使用 ldap‘安全组’进行 httpd 托管的 Nagios 网站的身份验证?

以下是我们试图实现的目标:

我们希望对 NagiOS 特定“安全组”中的 Windows 活动目录用户进行身份验证。

为此,我创建了以下新配置文件,如下所示:

/etc/httpd/conf.d/nagios.conf

ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"

<Directory "/usr/lib64/nagios/cgi-bin/">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   DirectoryIndex index.php index.html
   AuthType Basic
   AuthBasicProvider ldap file
   AuthName "LDAP Authentication"
   AuthLDAPURL "ldap://server01.mytestdomain.com:389/CN=Nagios_Auth_Group,OU=Test,OU=IT,OU=authorization,DC=mytestdomain,DC=local?sAMAccountName?sub?"
   AuthLDAPBindDN "CN=Nagios_User,OU=Users,DC=mytestdomain,DC=local"
   AuthLDAPBindPassword "mypass#01"
   AuthLDAPGroupAttribute  memberUid
   AuthLDAPGroupAttributeIsDN on
   Require ldap-group "CN=Nagios_Auth_Group,OU=Test,OU=IT,OU=authorization,DC=mytestdomain,DC=local"
   AuthUserFile /etc/nagios/htpasswd.users
   Require valid-user
</Directory> 

Alias /nagios "/usr/share/nagios/html"

<Directory "/usr/share/nagios/html">
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   DirectoryIndex index.php index.html
   AuthType Basic
   AuthBasicProvider ldap file
   AuthName "LDAP Authentication"
   AuthLDAPURL "ldap://server01.mytestdomain.com:389/CN=Nagios_Auth_Group,OU=Test,OU=IT,OU=authorization,DC=mytestdomain,DC=local?sAMAccountName?sub?"
   AuthLDAPBindDN "CN=Nagios_User,OU=Users,DC=mytestdomain,DC=local"
   AuthLDAPBindPassword "mypass#01"
   AuthLDAPGroupAttribute  memberUid
   AuthLDAPGroupAttributeIsDN on
   Require ldap-group "CN=Nagios_Auth_Group,OU=Test,OU=IT,OU=authorization,DC=mytestdomain,DC=local"
   AuthUserFile /etc/nagios/htpasswd.users
   Require valid-user
</Directory>

收到错误:

/var/log/httpd/错误日志

[Date and Time removed] [auth_basic:error] [pid XXXXXX] [client 127.0.0.1:44068] AH01617: user nagios_test_user01: authentication failure for "/nagios/": Password Mismatch

可能有助于解决错误或配置问题的附加信息:

操作系统详细信息:

NAME="Red Hat Enterprise Linux Server"
VERSION="7.3 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="7.3"
PRETTY_NAME="Red Hat Enterprise Linux"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.3:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.3
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.3"
Red Hat Enterprise Linux Server release 7.3 (Maipo)
Red Hat Enterprise Linux Server release 7.3 (Maipo)

uname -a

Linux server07 3.10.0-514.6.1.el7.x86_64 #1 SMP [Date & Time details removed] x86_64 x86_64 x86_64 GNU/Linux

httpd-v

Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server built:   [Date & Time details removed]

Nagios 版本

Nagios® Core™ Version 4.2.4

错误

[Mon Mar 02 09:33:12.273726 2020] [auth_basic:error] [pid 38654] [client 127.0.0.1:57388] AH08217: user test_user: authentication failure for "/nagios/": Password Mismatch

答案1

您在 中指定了错误的 DN AuthLDAPBindDN。“绑定”参数允许 Apache本身在执行查找之前登录到 LDAP 服务器 - 因此在这里指定组没有意义,它必须是一个有效的用户帐户。

在这种情况下,因为你指定了BindPW属于“Nagios_User”帐户的,那么BindDN当然必须指定姓名该帐户的:

AuthLDAPBindDN "CN=Nagios_User,OU=Services,DC=mytestdomain,DC=local"
AuthLDAPBindPW "mypass#01"

为了方便起见,Active Directory 还接受非标准的简写形式:

AuthLDAPBindDN "[email protected]"

相关内容