Icinga – Q&D – How to authenticate the Icinga Classic UI against Active Directory

Requirements:

– Apache 2 with the LDAP authentication modules mod_ldap and mod_authnz_ldap. On Debian they ship with the apache2 package; enable them with "a2enmod ldap authnz_ldap" and restart Apache. (libapache2-mod-vhost-ldap and libapache2-mod-ldap-userdir are different modules and are not needed for this.)

– An installed Icinga with the classic UI

– The paths are for Debian with Apache 2.2 – they should be the same on most Linux systems. On Apache 2.4 the "Order allow,deny / Allow from all" pair becomes "Require all granted" and AuthzLDAPAuthoritative no longer exists.

 

To authenticate against an AD server you need the following from the server side. Note that the example speaks plain LDAP on port 389, not LDAPS: the lookup user's bind password and every password a user types into the login prompt cross the network in cleartext. On anything but a lab network use ldaps:// (port 636) and trust the domain controller's certificate with LDAPTrustedGlobalCert, and serve the UI itself over HTTPS, because Basic authentication only base64-encodes the credentials.

– Server name (the domain controller)

– The complete domain name

– A user who can read from the LDAP server (an ordinary, unprivileged domain account is enough)

– A group to put your Icinga users into

————–

Then open the Apache config for Icinga. On a Debian system it is located at

/etc/apache2/conf.d/icinga.conf

The config looks like this (not exactly the same, but it's an old system 😉 ):

 

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file.  Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
#ScriptAlias /nagios/cgi-bin "/usr/local/icinga/sbin"
#Alias /nagvis   "/usr/local/nagios/share/nagvis"
#Alias /nagios "/usr/local/icinga/share/"
#Alias /nagios3 "/usr/local/icinga/share/"

<Directory "/usr/local/icinga/sbin">
#  SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1

</Directory>
Alias /icinga "/usr/local/icinga/share/"

<Directory "/usr/local/icinga/share/">
#  SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1

</Directory>

 

You now have to add the following directives inside both <Directory> blocks:


AuthName "Restricted"

## AuthName: the label shown in the browser's login window
AuthType Basic

## AuthType: asks for user name and password (Basic only base64-encodes them, so the UI should be served over HTTPS)
AuthLDAPURL "ldap://[YOURLDAPSERVER]:389/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)"

## AuthLDAPURL: the query string: where the LDAP server is reached, the base DN to search under, the attribute the login name is matched against (samAccountName), the search scope (sub) and the filter. AD contains a lot of object types ("computer", "group" and so on), so the filter restricts the search to "person" objects. cn=Users is only the default container; if your accounts live in other OUs, use the domain root dc=[DOMAIN],dc=[TOPLEVELDOMAIN] as base DN.

[YOURLDAPSERVER]: your domain controller

[DOMAIN]: if your AD name is "FOO.BAA", the domain is "FOO"

[TOPLEVELDOMAIN]: if your AD name is "FOO.BAA", the top-level domain is "BAA"

AuthLDAPBindDN "CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"

## AuthLDAPBindDN: the lookup user Apache binds as to connect to the AD and run the query above

[USERNAME FROM ADS]: the name of the user object as displayed in AD Users and Computers, copied exactly, e.g. "John Dow"

[YOUR OU]: the organizational unit the lookup user is stored in, mostly "System Users" or similar (without quotes)

[DOMAIN]: if your AD name is "FOO.BAA", the domain is "FOO"

[TOPLEVELDOMAIN]: if your AD name is "FOO.BAA", the top-level domain is "BAA"

For example the AuthLDAPBindDN looks like this:

AuthLDAPBindDN "CN=John Dow,OU=System Users,DC=FOO,DC=BAA"

AuthLDAPBindPassword "[password]"

## AuthLDAPBindPassword: the password of the lookup user. It sits in cleartext in the config, so give the lookup user nothing beyond read rights and keep the file readable by root only (Apache reads its config before dropping privileges).
AuthBasicProvider ldap

## AuthBasicProvider: use LDAP for authentication
AuthzLDAPAuthoritative off

## AuthzLDAPAuthoritative: "off" lets other authorization modules decide if the LDAP check fails; set it to "on" unless you deliberately chain another provider
require ldap-group "CN=[Group],OU=[OrgaUnit],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"

## require ldap-group: the user who wants to log on to your Icinga server must be a member of this security group in the AD. Do not put "require valid-user" next to it: Apache grants access as soon as any Require line is satisfied, and valid-user is satisfied by every account that can log in, so the group check would never be enforced.

[Group]: the group name as shown in AD Manager; spaces in the name are fine as long as the whole DN stays inside the double quotes

[OrgaUnit]: the organizational unit the group is stored in (without quotes)

[DOMAIN]: if your AD name is "FOO.BAA", the domain is "FOO"

[TOPLEVELDOMAIN]: if your AD name is "FOO.BAA", the top-level domain is "BAA"

 

#####################################

After adding this, your config should look like this:

 

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file.  Customize the paths, etc. as
# needed to fit your system.

ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
#ScriptAlias /nagios/cgi-bin "/usr/local/icinga/sbin"
#Alias /nagvis   "/usr/local/nagios/share/nagvis"
#Alias /nagios "/usr/local/icinga/share/"
#Alias /nagios3 "/usr/local/icinga/share/"

<Directory "/usr/local/icinga/sbin">
#  SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
AuthName "Restricted"
AuthType Basic
AuthLDAPURL "ldap://[YOURLDAPSERVER]:389/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN "CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
AuthLDAPBindPassword "[password]"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
require ldap-group "CN=[Group],OU=[OrgaUnit],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"

</Directory>
Alias /icinga "/usr/local/icinga/share/"

<Directory "/usr/local/icinga/share/">
#  SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
#  Order deny,allow
#  Deny from all
#  Allow from 127.0.0.1
AuthName "Restricted"
AuthType Basic
AuthLDAPURL "ldap://[YOURLDAPSERVER]:389/cn=Users,dc=[DOMAIN],dc=[TOPLEVELDOMAIN]?samAccountName?sub?(objectCategory=person)"
AuthLDAPBindDN "CN=[USERNAME FROM ADS],OU=[YOUR OU],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"
AuthLDAPBindPassword "[password]"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
require ldap-group "CN=[Group],OU=[OrgaUnit],DC=[DOMAIN],DC=[TOPLEVELDOMAIN]"

</Directory>
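Before restarting Apache it is worth checking the pieces of the URL and the authorization logic by hand. The following is an added example and not code from the Icinga or Apache projects: it parses an AuthLDAPURL the way mod_authnz_ldap does, shows the exact filter that is sent for a login (with the login name escaped, since it is attacker-controlled input), builds the equivalent ldapsearch command for testing the lookup user, and audits a <Directory> block for the problems discussed above (cleartext ldap://, Basic auth without SSLRequireSSL, and a "require valid-user" that turns "require ldap-group" into a no-op). The host dc1.foo.baa, the group IcingaUsers and the lookup user John Dow are constructed placeholders.

```python
"""Added example (not Icinga or Apache project code): read an AuthLDAPURL the way
mod_authnz_ldap does, build the filter it sends at login, and audit an Icinga
<Directory> block for the pitfalls in this how-to.  Names are constructed."""
import re

# RFC 2255 form: scheme://host[:port]/basedn[?attribute[?scope[?filter]]]
_URL_RE = re.compile(
    r"^(?P<scheme>ldaps?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?"
    r"/(?P<base>[^?]*)(?:\?(?P<attr>[^?]*))?(?:\?(?P<scope>[^?]*))?"
    r"(?:\?(?P<filter>.*))?$")
# Defaults mod_authnz_ldap applies when a URL part is left empty.
DEFAULT_ATTRIBUTE, DEFAULT_SCOPE, DEFAULT_FILTER = "uid", "sub", "(objectClass=*)"

SAMPLE_URL = ("ldap://dc1.foo.baa:389/cn=Users,dc=FOO,dc=BAA"
              "?samAccountName?sub?(objectCategory=person)")
# Constructed <Directory> block in the shape of this how-to's config, with the
# "Require valid-user" line that silently defeats the group check.
SAMPLE_BLOCK = """\
<Directory "/usr/local/icinga/sbin">
#  SSLRequireSSL
Options ExecCGI
AuthName "Restricted"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "%s"
AuthLDAPBindDN "CN=John Dow,OU=System Users,DC=FOO,DC=BAA"
AuthLDAPBindPassword "[password]"
AuthzLDAPAuthoritative off
Require valid-user
Require ldap-group "CN=IcingaUsers,OU=Groups,DC=FOO,DC=BAA"
</Directory>
""" % SAMPLE_URL

def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into the parts mod_authnz_ldap works with."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme = m.group("scheme")
    return {"scheme": scheme, "host": m.group("host"),
            "port": int(m.group("port") or (636 if scheme == "ldaps" else 389)),
            "base": m.group("base"),
            "attribute": m.group("attr") or DEFAULT_ATTRIBUTE,
            "scope": m.group("scope") or DEFAULT_SCOPE,
            "filter": m.group("filter") or DEFAULT_FILTER}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def login_filter(url, username):
    """The search mod_authnz_ldap runs for a Basic-auth login: the URL filter
    AND-ed with <attribute>=<login name>."""
    p = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (p["filter"], p["attribute"], escape_filter_value(username))

def ldapsearch_command(url, bind_dn, username):
    """Equivalent ldapsearch(1) call for checking bind DN, base DN and filter by
    hand before touching Apache (-W prompts for the bind password)."""
    p = parse_auth_ldap_url(url)
    return "ldapsearch -H %s://%s:%d -D '%s' -W -b '%s' -s %s '%s' dn memberOf" % (
        p["scheme"], p["host"], p["port"], bind_dn, p["base"], p["scope"],
        login_filter(url, username))

def _directives(block):
    """Yield (name, argument) for every non-comment line of an Apache block."""
    for line in block.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            name, _, arg = s.partition(" ")
            yield name.lower(), arg.strip().strip('"')

def audit_directory_block(block):
    """Return the problems a reviewer would raise on an Icinga <Directory> block."""
    findings, ds = [], list(_directives(block))
    requires = [arg.lower() for name, arg in ds if name == "require"]
    if any(n == "authldapurl" and parse_auth_ldap_url(a)["scheme"] == "ldap" for n, a in ds):
        findings.append("cleartext LDAP: the bind password and every login password "
                        "cross the network unencrypted; use ldaps://")
    if "valid-user" in requires and any(r.startswith("ldap-group") for r in requires):
        findings.append("Require valid-user is satisfied by any account that can log "
                        "in, so Require ldap-group is never enforced; remove it")
    if not any(n == "sslrequiressl" for n, _ in ds):
        findings.append("AuthType Basic without SSLRequireSSL: browser credentials "
                        "are only base64-encoded on plain HTTP")
    return findings

def harden_directory_block(block):
    """Config-only fixes: drop Require valid-user and switch the URL to ldaps://
    (636 is AD's LDAPS port); the DC certificate must then be trusted through
    LDAPTrustedGlobalCert in the server-wide config."""
    out = []
    for line in block.splitlines():
        s = line.strip().lower()
        if s == "require valid-user":
            continue
        if s.startswith("authldapurl ") and "ldap://" in line:
            line = line.replace("ldap://", "ldaps://", 1).replace(":389/", ":636/", 1)
        out.append(line)
    return "\n".join(out)
```

Run the audit against your own block before and after the change. The hardened block still needs LDAPTrustedGlobalCert (server-wide, not inside <Directory>) so that Apache validates the domain controller's certificate, and the generated ldapsearch command prompts for the bind password instead of taking it on the command line, so it never ends up in the shell history.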

 

 

That should be it. Apache hands the login name to the Icinga CGIs as REMOTE_USER, and with AD that is the sAMAccountName, so use exactly that name for the contacts and the authorized_for_* entries in cgi.cfg (with use_authentication=1); otherwise the user gets past Apache but sees no hosts or services.

If I forgot something, please use the comments below.