Ticket #157 (assigned enhancement)

Opened 2 years ago

Last modified 20 months ago

LDAP authentication

Reported by: Nyal
Owned by: mickem
Priority: 1
Milestone: 0.4.0
Component: Core
Version: 0.4.0-Nightly
Severity: Feature Requests
Keywords:
Cc:

Description (last modified by mickem)

Hi,

It would be great if NSClient++ could also use an LDAP for authentication. (Active Directory, OpenLDAP,... for example)

Network flow:

check_nrpe (or nt) client <-----------> NSClient++ agent <------------> LDAP
                          NRPE protocol                  LDAP protocol
                        NSClient protocol

Best regards,

Change History

follow-up: ↓ 2   Changed 2 years ago by mickem

  • owner changed from MickeM to mickem
  • status changed from new to assigned
  • description modified

I would say this is doubtful. humm... ideas ideas ideas see below :)

As is, the only protocol supporting any form of "authentication" is NSClient and that is a simple password. You could technically add configure a "login" and authenticate with that and the supplied password but do you really want to?

NSClient does not use any encryption so you would be sending a domain password in clear text. I would like though for someone to extend the NRPE protocol to support proper authentication in addition to encryption and if that happens I would say yes.

But as things are designed now I think it is better to view NRPE/NSClient as NOT SECURE along the lines of SNMP.

A thought just occurred, I could easily add a filter that "uses proper" authentication before passing the supplied command along to the client? Something along the lines of:

check_nrpe ... -a my_check -c login=user password=password the-rest-of-the-arguments

and then add something like this to nsc.ini

[Modules]
LoginFilter.dll
...

[LoginFilter]
filter_all=true
authenticate=LDAP|PASSWORD|...
ldap_...=...
username=<username>
password=<obfuscated password>

This I guess might be a feasible alternative to the present "totally unsecured" version. It would not be a "proper" thing but it would be better I guess.

Ideas thoughts etc...

// Michael Medin
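
The filter idea from the comment above, as an added example (not NSClient++ code; the LoginFilter module is only a proposal in this ticket). It models the PASSWORD method, stores a PBKDF2 hash where the comment says "obfuscated", and every name and value is constructed; the credentials still cross the wire in clear text unless the transport is encrypted, as the comment notes.

```python
import hashlib
import hmac

def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password (swapped in for 'obfuscated')."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the [LoginFilter] section of nsc.ini.
SALT = b"constructed-salt"
CONFIG = {
    "authenticate": "PASSWORD",
    "username": "nagios",
    "password": derive("constructed-secret", SALT),
}

def check_password(config, user, password):
    """PASSWORD method: constant-time comparison of user and derived key."""
    user_ok = hmac.compare_digest(user.encode(), config["username"].encode())
    key_ok = hmac.compare_digest(derive(password, SALT), config["password"])
    return user_ok and key_ok

# Method name -> verifier; an LDAP bind would be registered here the same way.
METHODS = {"PASSWORD": check_password}

def login_filter(args, config=CONFIG):
    """Return the arguments to pass on to the check, or None to refuse.

    Expects the layout from the ticket:
    login=user password=password the-rest-of-the-arguments
    """
    creds, rest = {}, []
    for arg in args:
        key, sep, value = arg.partition("=")
        if sep and key in ("login", "password") and key not in creds:
            creds[key] = value  # first occurrence only; later ones belong to the check
        else:
            rest.append(arg)
    verify = METHODS.get(config["authenticate"])
    if verify is None or "login" not in creds or "password" not in creds:
        return None  # fail closed: unknown method or missing credentials
    if not verify(config, creds["login"], creds["password"]):
        return None
    return rest  # credentials are stripped before the command runs
```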

in reply to: ↑ 1   Changed 2 years ago by Nyal

Mmm, I see. NSClient doesn't send the user with the password. Another idea: maybe you can do something like this (without modifying the NRPE or NSClient protocol).

nsc.ini file:

authenticate=LDAP|PASSWORD|...

# Method LDAP
ldap_url=ldap.toto.com
ldap_username=nsclientuser

# Method PASSWORD
password=<password>

Network flow:

check_nt client <-----------> NSClient++ agent <------------> LDAP
            SSL NSClient protocol               LDAP(S) protocol
              (password only)                 (user and password)

You have the password in the LDAP and Nagios. You don't have to change the password everywhere.

  Changed 2 years ago by mickem

Yes, problem is check_nt does not support SSL (or any encryption) and I don't really play much on the "plugin side" then I would have to support a "custom" agent on the *nix side which is a bit outside my scope :/

And I would not have my passwords sent over the net un-encrypted, but your schematic is what I meant by "You could technically add configure a "login" and authenticate with that and the supplied password but do you really want to?" but again, no encryption: Scary, but if I do the filter thingy maybe I could add that as well since I shall be dabbling in the realms of LDAP, but since LDAP is new for me don't expect anything soon, *maybe* 0.4.0 but more likely 0.5.0.

// MickeM

  Changed 2 years ago by Nyal

Not a problem. I think I will be able to contribute on LDAP authentication. You do great work ;)
