If you want to use a Windows directory (Active Directory) to authenticate Nagios web interface users, that is, Nagios contacts, you can use either LDAP or Kerberos.
Note that authentication methods described here work for any web application published by Apache web server, and not only Nagios. Also note that passwords are sent in clear text over the network.
I have tested the following configurations on a Fedora Core 5, using Apache 2.2.2 and Nagios 2.7, Windows 2000 Active Directory.
Assuming that:
- Your Active Directory domain is named your_domain.com,
- A domain controller of that domain is your_dc.your_domain.com, the other domain controller being your_other_dc.your_domain.com (you most certainly have 2 of these, don't you?),
- the host running Nagios is called your_nagios_host.your_domain.com.
LDAP
According to the tests I've run, this method is too slow when run against a heavily loaded Active Directory (OU tree depth > 4, > 1000 users). Anyway, here is the configuration.
Create an Active Directory user, dedicated to LDAP access from Apache. Let's name it your_user, and place it in OU your_OU.
In the Apache main configuration file (httpd.conf), append:
LoadModule authz_ldap_module modules/mod_authz_ldap.so
In the directory you intend to protect with authentication (which is /usr/local/nagios/sbin for Nagios, where the CGI scripts are stored), create a .htaccess file containing:
AuthType Basic
# What the users will see as a "title" of the login prompt:
AuthName "Domain Credentials Required"
# use plain LDAP authentication:
AuthzLDAPMethod ldap
# FQDN resolvable hostname (or IP) of the Windows
# AD domain controller:
AuthzLDAPServer your_dc.your_domain.com
# Distinguished Name (DN) of the user that mod_authz_ldap should
# bind to the LDAP server as when searching for the domain user
# provided by the web client (Active Directory does not allow
# anonymous binds). Note, the cn attribute corresponds to the
# "Display Name" field of a user's account in the Active Directory
# Users and Computers tool, not their login username:
AuthzLDAPBindDN "cn=your_user,OU=your_OU,dc=your_domain,dc=com"
# the BindDN user's password:
AuthzLDAPBindPassword "SECRET"
# LDAP attribute that holds the user's domain login username:
AuthzLDAPUserKey sAMAccountName
# Base DN to begin searching for users from in the LDAP:
AuthzLDAPUserBase "dc=your_domain,dc=com"
# Search in sub-containers below the UserBase DN if
# necessary (most likely):
AuthzLDAPUserScope subtree
# Require the username and password provided to be a valid
# user in the AD:
require valid-user
The values to change to fit your configuration are the domain controller hostname, the bind DN and its password, and the user base DN.
Note: only one DC is referenced here; if it fails, you can no longer authenticate.
Kerberos
This tutorial is based on Microsoft support's "Providing Active Directory authentication via Kerberos protocol in Apache".
In the Apache main configuration file (httpd.conf), append:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
In Apache configuration directory (generally /etc/httpd/conf), create a file named "keytab" containing:
HTTP/your_nagios_host.your_domain.com@YOUR_DOMAIN.COM
Self-note: some day I should check if this is useful when KrbVerifyKDC is off.
In Kerberos configuration file /etc/krb5.conf :
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = YOUR_DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 # realm names are case-sensitive and must match default_realm exactly
 YOUR_DOMAIN.COM = {
  kdc = your_dc.your_domain.com:88
  kdc = your_other_dc.your_domain.com:88
 }

[domain_realm]
 .your_domain.com = YOUR_DOMAIN.COM
 your_domain.com = YOUR_DOMAIN.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
The values to change to fit your environment are the realm name (YOUR_DOMAIN.COM) and the KDC hostnames.
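Before running kinit, it is worth linting the realm layout in krb5.conf, because with dns_lookup_kdc = false a realm that is misspelled or typed in the wrong case simply has no KDCs. The script below is an added example, not part of the original tutorial: it parses krb5.conf (brace blocks included) and flags a [realms] entry that does not match default_realm (realm names are case-sensitive), a realm with fewer than two kdc lines, and a [domain_realm] mapping to an undefined realm. The embedded sample is constructed from the page's placeholders, with the realm deliberately typed as your_domain.COM to show the mismatch.

```python
def parse_krb5_conf(text):
    """Parse into {section: [(key, value)]}; a brace block is a nested list."""
    sections, stack = {}, [[]]             # stack[-1] is the list being filled
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):       # skip comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], [])]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":               # start of a nested block
                stack.append([])
                stack[-2].append((key, stack[-1]))
            else:
                stack[-1].append((key, value))   # keys such as kdc may repeat
    return sections

def check_realms(text):
    """Problems that keep kinit/mod_auth_kerb from finding the domain's KDCs."""
    conf, problems = parse_krb5_conf(text), []
    default_realm = dict(conf.get("libdefaults", [])).get("default_realm")
    realms = {k: v for k, v in conf.get("realms", []) if isinstance(v, list)}
    if default_realm not in realms:        # realm names are case-sensitive
        problems.append(f"default_realm {default_realm} has no [realms] entry "
                        f"(defined: {sorted(realms)})")
    for name, entries in realms.items():
        if sum(1 for k, _ in entries if k == "kdc") < 2:
            problems.append(f"realm {name} lists fewer than two kdc entries")
    for domain, realm in conf.get("domain_realm", []):
        if realm not in realms:
            problems.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return problems

# Constructed sample: the [realms] entry is typed in mixed case, which does
# not match default_realm = YOUR_DOMAIN.COM.
SAMPLE = """[libdefaults]
 default_realm = YOUR_DOMAIN.COM
[realms]
 your_domain.COM = {
  kdc = your_dc.your_domain.com:88
  kdc = your_other_dc.your_domain.com:88
 }
[domain_realm]
 .your_domain.com = YOUR_DOMAIN.COM
"""
FIXED = SAMPLE.replace("your_domain.COM = {", "YOUR_DOMAIN.COM = {")
```

check_realms(SAMPLE) reports two problems (missing [realms] entry and a dangling [domain_realm] mapping), while check_realms(FIXED) returns an empty list.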
You can check that Kerberos works with the following commands:
> kinit you@YOUR_DOMAIN.COM
Kerberos should ask for your password. Then check that Kerberos ticket was granted:
> klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: you@YOUR_DOMAIN.COM
Valid starting Expires Service principal
01/31/07 15:46:41 01/31/07 22:26:41 krbtgt/YOUR_DOMAIN.COM@YOUR_DOMAIN.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Finally, destroy the ticket you received:
> kdestroy
In the directory you intend to protect with authentication (which is /usr/local/nagios/sbin for Nagios, where the CGI scripts are stored), create a .htaccess file containing:
AuthName "Kerberos"
AuthType Kerberos
Krb5Keytab /etc/httpd/conf/keytab
KrbAuthRealm YOUR_DOMAIN.COM
KrbMethodNegotiate off
KrbSaveCredentials off
KrbVerifyKDC off
Require valid-user
Attention! Apache receives the user name from Kerberos in the form user@REALM (you@YOUR_DOMAIN.COM, with the realm in UPPERCASE). This means you must define the Nagios contacts using that same form.
Restart Apache and Nagios.