nagios和openldap都是非常优秀的开源软件, nagios在监控方面几乎已经成了一种业界标准,而openldap本身就遵循ldap标准,几乎一提到用户的统一认证,我们首先想到的就是openldap 。而在对nagios进行用户认证管理方面,我们完全可以通过openldap和公司的OA、mail、ftp、wiki等系统进行整合。

下面以apache为例,其关于nagios的配置文件如下:

 1NameVirtualHost *:80
 2<virtualhost>
 3    ServerAdmin admin@361way.com
 4    DocumentRoot "/App/nagios/share"
 5    ServerName   nagios.361way.com
 6    ErrorLog "/var/log/httpd/nagios-error_log"
 7    CustomLog "/var/log/httpd/nagios-access_log" common
 8  scriptAlias /nagios/cgi-bin "/App/nagios/sbin"
 9  <directory>
10#    SSLRequireSSL
11     Options ExecCGI
12     AllowOverride None
13     Order allow,deny
14     Allow from all
15#    Order deny,allow
16#    Deny from all
17#    Allow from 127.0.0.1
18     AuthName "Nagios Access"
19     AuthType Basic
20     AuthBasicProvider  ldap
21     AuthzLDAPAuthoritative    off
22     AuthLDAPURL    ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
23     AuthLDAPBindDN     "cn=manager,dc=361way,dc=com"
24     AuthLDAPBindPassword       "password"
25     Require valid-user
26  </directory>
27  Alias /nagios "/App/nagios/share"
28  <directory>
29#    SSLRequireSSL
30     Options None
31     AllowOverride None
32     Order allow,deny
33     Allow from all
34#    Order deny,allow
35#    Deny from all
36#    Allow from 127.0.0.1
37     AuthName "Nagios Access"
38     AuthType Basic
39     AuthBasicProvider  ldap
40     AuthzLDAPAuthoritative    off
41     AuthLDAPURL    ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
42     AuthLDAPBindDN     "cn=manager,dc=361way,dc=com"
43     AuthLDAPBindPassword       "password"
44     Require valid-user
45  </directory>
46Alias /pnp4nagios "/App/pnp4nagios/share"
47<directory>
48        AllowOverride None
49        Order allow,deny
50        Allow from all
51        AuthName "Nagios Access"
52        AuthType Basic
53        AuthBasicProvider  ldap
54        AuthzLDAPAuthoritative    off
55     AuthLDAPURL   ldap://127.0.0.1:389/ou=Users,domainName=361way.com,o=domains,dc=361way,dc=com?uid?sub?(&(objectclass=inetOrgPerson)(accountstatus=active)(memberofgroup=dept.support@361way.com))
56        AuthLDAPBindDN     "cn=manager,dc=361way,dc=com"
57        AuthLDAPBindPassword       "password"
58        Require valid-user
59        <ifmodule mod_rewrite.c="">
60                # Turn on URL rewriting
61                RewriteEngine On
62                Options FollowSymLinks
63                # Installation directory
64                RewriteBase /pnp4nagios/
65                # Protect application and system files from being viewed
66                RewriteRule ^(application|modules|system) - [F,L]
67                # Allow any files or directories that exist to be displayed directly
68                RewriteCond %{REQUEST_FILENAME} !-f
69                RewriteCond %{REQUEST_FILENAME} !-d
70                # Rewrite all other URLs to index.php/URL
71                RewriteRule .* index.php/$0 [PT,L]
72        </ifmodule>
73</directory>
74</virtualhost>

该配置中将nagios 和pnp4nagios的认证都使用了ldap认证。不过nagios的认证只在此处使用还不行,还需要在cgi.cfg文件中做相关的配置。修改/App/nagios/etc/cgi.cfg文件中的下列配置如下:

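# Nagios CGI authorization lists (cgi.cfg). Each value is a comma-separated
# list of user names, matched against the authenticated user name the web
# server passes to the CGIs -- here the uid the LDAP login was made with.
# NOTE(review): these lists only take effect while use_authentication=1 is
# set in this file; confirm it has not been switched off.

# May view Nagios process and system information.
authorized_for_system_information=guest1,361way,guest2
# May view the object configuration; restricted to the admin account.
authorized_for_configuration_information=361way
# May issue process-level commands such as shutdown or restart; admin only.
authorized_for_system_commands=361way
# May view every service and host, regardless of contact assignment.
authorized_for_all_services=guest1,361way,guest2
authorized_for_all_hosts=guest1,361way,guest2
# May submit commands for every service and host; keep this list as short
# as possible, since these commands change monitoring state.
authorized_for_all_service_commands=361way
authorized_for_all_host_commands=361way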

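注:需要保证上面写的三个用户(guest1、361way、guest2)都能在ldap的dept.support组中查到。这样配置以后记得restart http和nagios服务使配置生效。生效后打开nagios.361way.com域名,就可以使用通过ldap认证的用户名和密码访问nagios了。而且此处做了用户的二级管理,也增加了认证的安全性:用户不但要在ldap相关的组中存在(由apache完成认证),而且要在cgi.cfg配置中列出(由nagios的CGI完成授权)。只有同时通过上面的两步才可以打开相关的URL。需要注意的是,上面的虚拟主机监听80端口,SSLRequireSSL也处于注释状态,Basic认证的用户名和密码只经过base64编码、并未加密;正式使用时应把这些路径放到HTTPS虚拟主机下。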