nagios - Web interface: authentication through kerberos OK, what about authorization on cgi.cfg?

openldap kerberos nagios

I would like to know if groups can be set on cgi.cfg file

I'm afraid that the answer is no. Nagios hasn't supported this feature yet. The value of authorized_ options must be a comma-delimited list of names of authenticated users. But if, as you said, "these groups can be extracted from a LDAP", so you can add every members in a group with a little shell script.

Nagios has the authorized_for_read_only option to configure a list of usernames that have read-only rights in the CGIs. Assuming that the nagios_reader.ldif contains:

# nagios_reader, it, domain.com
dn: cn=nagios_reader,ou=it,dc=domain,dc=com
cn: nagios_reader
member: cn=foo,ou=it,dc=domain,dc=com
member: cn=bar,ou=it,dc=domain,dc=com
objectClass: groupOfNames
objectClass: top

You can configure all the members of this group as a value of authorized_for_read_only variable by using:

$ ldapsearch -x -W -D "cn=manager,dc=domain,dc=com" "cn=nagios_reader" | \
    awk -F"=|," '/member: / { print $2 }' | \
    while read u; do sed -i "/^authorized_for_read_only/s/$/,$u/" cgi.cfg; done

Related

iptables PREROUTING not in effect
Nftables issue with ftp firewall and conntrack
You've reached your limit of 0 GPUs NVIDIA K80 when start an instance with gpu on gcp
Can't start apache... (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
How configure SSH to connect to a host via proxy using one SSH key
Apache .htaccess trick to authenticate only once for all subdomains? [duplicate]
Where to find and how to block blacklisted IPs and proxies?
Puppet client not connection to master - SSL connect Error
How do I confirm what my PDC is using for it's time source and how do I setup an external time source?
Simple client / server with nc not working
Specifying a Postfix Instance to send outbound email
How to run a cron job?