nagios - Web interface: authentication through kerberos OK, what about authorization on cgi.cfg?

I would like to know if groups can be set on cgi.cfg file

I'm afraid that the answer is no. Nagios hasn't supported this feature yet. The value of authorized_ options must be a comma-delimited list of names of authenticated users. But if, as you said, "these groups can be extracted from a LDAP", so you can add every members in a group with a little shell script.

Nagios has the authorized_for_read_only option to configure a list of usernames that have read-only rights in the CGIs. Assuming that the nagios_reader.ldif contains:

# nagios_reader, it, domain.com
dn: cn=nagios_reader,ou=it,dc=domain,dc=com
cn: nagios_reader
member: cn=foo,ou=it,dc=domain,dc=com
member: cn=bar,ou=it,dc=domain,dc=com
objectClass: groupOfNames
objectClass: top

You can configure all the members of this group as a value of authorized_for_read_only variable by using:

$ ldapsearch -x -W -D "cn=manager,dc=domain,dc=com" "cn=nagios_reader" | \
    awk -F"=|," '/member: / { print $2 }' | \
    while read u; do sed -i "/^authorized_for_read_only/s/$/,$u/" cgi.cfg; done