Requirements:
– Apache 2 (with the Apache modules for LDAP authentication called "libapache2-mod-vhost-ldap" and "libapache2-mod-ldap-userdir")
– an installed Icinga version
– the paths are for Debian; they should be the same on most Linux systems
To authenticate against an AD server you need the following details FROM the server. Note that this is plain LDAP on port 389, not LDAPS, so the bind password and the users' passwords cross the network unencrypted.
– server name
– the complete domain name
– a user who can read from the LDAP server
– a group to put your Icinga users into
————–
Then open the Apache config for Icinga. On a Debian system it is located at
/etc/apache2/conf.d/icinga.conf
The config looks roughly like this (not exactly the same, but it is an old system 😉):
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
#ScriptAlias /nagios/cgi-bin "/usr/local/icinga/sbin"
#alias /nagvis "/usr/local/nagios/share/nagvis"
#Alias /nagios "/usr/local/icinga/share/"
#Alias /nagios3 "/usr/local/icinga/share/"

<Directory "/usr/local/icinga/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
</Directory>

Alias /icinga "/usr/local/icinga/share/"
<Directory "/usr/local/icinga/share/">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
</Directory>
—
You now have to add the following directives to your config, inside both <Directory> sections (Apache only accepts plain ASCII double quotes, not typographic ones):
AuthName "Restricted"
## AuthName : the name shown in the browser's authentication dialog
AuthType Basic
## AuthType : asks for username and password (HTTP Basic)
AuthLDAPURL "ldap://[YOURLDAPSERVER]:389/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)"
## AuthLDAPURL : this is your query string: where the LDAP server can be reached, how to ask it for your data, and which object class is used (AD contains a lot of objects like "computer", so it is logical to use "person"). The username typed into the login dialog is matched against the samAccountName attribute.
[YOURLDAPSERVER] : your domain controller
[DOMAIN] : if your AD name is "FOO.BAA", the domain is "FOO"
[TOPLEVELDOMAIN] : if your AD name is "FOO.BAA", the top-level domain is "BAA"
AuthLDAPBindDN "CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
## AuthLDAPBindDN : your LDAP lookup user, used to connect to the AD and run the query above
[USERNAME FROM ADS] : if the name of the object is "John Dow", COPY THE NAME DISPLAYED IN AD MANAGER INTO THIS FIELD
[YOUR OU] : the organizational unit your lookup user is stored in; mostly it is "System Users" or something similar (without quotes)
[DOMAIN] : if your AD name is "FOO.BAA", the domain is "FOO"
[TOPLEVELDOMAIN] : if your AD name is "FOO.BAA", the top-level domain is "BAA"
For example, the AuthLDAPBindDN looks like this:
AuthLDAPBindDN "CN=John Dow,OU=System Users,DC=FOO,DC=BAA"
AuthLDAPBindPassword "[password]"
## AuthLDAPBindPassword : the password of the lookup user. It sits in clear text in this file, so keep the file readable by root only.
AuthBasicProvider ldap
## AuthBasicProvider : use LDAP for authentication
AuthzLDAPAuthoritative on
## AuthzLDAPAuthoritative : with "on", a user who fails the group check below is denied by mod_authnz_ldap itself instead of being handed on to other authorization modules
require ldap-group "CN=[Group],OU=[OrgaUnit],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
## require ldap-group : the user who wants to log on to your Icinga server must be a member of this security group in the ADS. Do not put "require valid-user" next to it: Apache treats several Require lines as alternatives (any one that matches is enough), so every valid AD account would be let in regardless of the group.
[Group] : the group name shown in AD Manager. Don't know why, but don't use blanks.
[OrgaUnit] : the organizational unit the group is stored in (without quotes)
[DOMAIN] : if your AD name is "FOO.BAA", the domain is "FOO"
[TOPLEVELDOMAIN] : if your AD name is "FOO.BAA", the top-level domain is "BAA"
#####################################
After adding this, your config should look like this:
# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
#ScriptAlias /nagios/cgi-bin "/usr/local/icinga/sbin"
#alias /nagvis "/usr/local/nagios/share/nagvis"
#Alias /nagios "/usr/local/icinga/share/"
#Alias /nagios3 "/usr/local/icinga/share/"

<Directory "/usr/local/icinga/sbin">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Restricted"
AuthType Basic
AuthLDAPURL "ldap://[YOURLDAPSERVER]:389/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN "CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
AuthLDAPBindPassword "[password]"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
require ldap-group "CN=[Group],OU=[OrgaUnit],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
</Directory>

Alias /icinga "/usr/local/icinga/share/"
<Directory "/usr/local/icinga/share/">
# SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Restricted"
AuthType Basic
AuthLDAPURL "ldap://[YOURLDAPSERVER]:389/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN "CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
AuthLDAPBindPassword "[password]"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
require ldap-group "CN=[Group],OU=[OrgaUnit],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
</Directory>
That should be it.
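Before reloading Apache it is worth running the finished snippet through a small check. The following Python script is an added example for this post, not part of the original: it lints an Apache mod_authnz_ldap snippet for the slips this template invites (typographic quotes, an unclosed "[" in a DN, leftover [PLACEHOLDER] fields, "require valid-user" beside "require ldap-group", "AuthzLDAPAuthoritative off", and a plain ldap:// URL) and also shows how an AD name such as FOO.BAA maps to its DC= components, generalized to any number of labels. The host dc01.foo.baa, the group IcingaUsers, the password and both sample snippets are constructed.

```python
"""Lint an Apache mod_authnz_ldap snippet for the slips the template above invites.

Added example for this post; the sample snippets and the host dc01.foo.baa are constructed.
"""
import re
from typing import Dict, List

# Apache's config parser only understands ASCII double quotes; these break it.
TYPOGRAPHIC_QUOTES = "\u201e\u201c\u201d\u2018\u2019"
# A template field such as [DOMAIN] that was never filled in.
PLACEHOLDER = re.compile(r"\[[A-Za-z _]+\]")


def ad_domain_to_dc(ad_name: str) -> str:
    """FOO.BAA -> DC=FOO,DC=BAA; any label count works (corp.example.com -> DC=corp,DC=example,DC=com)."""
    labels = [label for label in ad_name.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty AD domain name")
    return ",".join("DC=" + label for label in labels)


def brackets_balanced(line: str) -> bool:
    """'DC=[DOMAIN,DC=[TOPLEVELDOMAIN]' has an unclosed [ and would be sent to AD as garbage."""
    depth = 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_ldap_auth_snippet(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the snippet passed."""
    findings: List[str] = []
    directives: Dict[str, List[str]] = {}  # lower-cased directive name -> argument strings
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(q in line for q in TYPOGRAPHIC_QUOTES):
            findings.append(f"line {lineno}: typographic quotes, use ASCII \" only")
        if not brackets_balanced(line):
            findings.append(f"line {lineno}: unbalanced [ ] in the directive arguments")
        for hit in PLACEHOLDER.findall(line):
            findings.append(f"line {lineno}: placeholder {hit} still present")
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())

    requires = [a.lower() for a in directives.get("require", [])]
    has_group = any(a.startswith("ldap-group") for a in requires)
    # Apache treats several Require lines as alternatives: valid-user alone is then enough.
    if has_group and "valid-user" in requires:
        findings.append("'require valid-user' beside 'require ldap-group': any valid AD account is admitted, the group is not enforced")
    # With 'off' mod_authnz_ldap only declines on a failed group check instead of denying.
    if has_group and any(a.lower() == "off" for a in directives.get("authzldapauthoritative", [])):
        findings.append("AuthzLDAPAuthoritative off: a failed group check is not a final deny")
    # Plain ldap:// sends the bind password and every user's password unencrypted.
    for url in directives.get("authldapurl", []):
        if url.strip('"').lower().startswith("ldap://"):
            findings.append("AuthLDAPURL uses plain ldap://, credentials cross the network in clear text")
    return findings


# Constructed sample: the finished snippet with the typical mistakes left in.
SAMPLE_BROKEN = '''
AuthName „Restricted“
AuthType Basic
AuthLDAPURL "ldap://dc01.foo.baa:389/cn=Users,dc=FOO,dc=BAA?samAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN "CN=John Dow,OU=System Users,DC=FOO,DC=BAA"
AuthLDAPBindPassword "s3cret"
require valid-user
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
require ldap-group "CN=IcingaUsers,OU=Groups,DC=[DOMAIN,DC=BAA"
'''

# Constructed sample: the same snippet repaired (plain ldap:// kept, as in the post).
SAMPLE_FIXED = '''
AuthName "Restricted"
AuthType Basic
AuthLDAPURL "ldap://dc01.foo.baa:389/cn=Users,dc=FOO,dc=BAA?samAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN "CN=John Dow,OU=System Users,DC=FOO,DC=BAA"
AuthLDAPBindPassword "s3cret"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
require ldap-group "CN=IcingaUsers,OU=Groups,DC=FOO,DC=BAA"
'''

if __name__ == "__main__":
    print("base DN for FOO.BAA:", ad_domain_to_dc("FOO.BAA"))
    for label, snippet in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"{label}:")
        for finding in lint_ldap_auth_snippet(snippet) or ["no findings"]:
            print("  -", finding)
```

Paste the two <Directory> bodies from your icinga.conf into the script in place of the constructed samples; the only finding the repaired snippet still produces is the plain ldap:// warning, which matches the post's own note that this setup is LDAP without SSL.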
If I forgot something, please use the comments below.