Re: [Nagios-users] Nagios - LDAP/RSA authentication

2009-01-24 Thread Mohammed Al-Kout
Kevin,

Yes, when Nagios is doing nothing it sits exactly for 10 mins. I managed to
make it 30 mins by changing the LDAPCacheTTL parameter in httpd.conf, but it
only gave me time up to 30 mins, then started giving authentication errors
because it was checking against the cached password.

We are using RSA through LDAP for the majority of our services to have a
secure and centralized user DB. We have a group of users with different
permissions; that's why the default user wouldn't work in our case.

I was hoping to find the parameter that sets the 10 min idle timeout for the
browser/nagios/ldap combo.


Best Regards
--
Mohammed Al-Kout





On Sat, Jan 24, 2009 at 14:53, Kevin Keane wrote:

> If the RSA password really changes every minute, your Web browser should
> ask for a new password every minute with the next HTTP request. If Nagios
> simply sits there and you don't do anything, I believe it refreshes every
> five to ten minutes. So that is when the browser would ask for the new
> password. If you are actually working with it and clicking on links, then it
> would probably ask for a password earlier.
>
> BTW, could you post this back to the mailing list rather than me
> personally? Other people may have great ideas on it, too, and this type of
> discussion should also be archived.
>
> What might help here is something along the lines of Kerberos, but I
> believe Apache does not support it, at least not out of the box.
>
> The other possibility is to have some kind of "front end" that handles
> authentication and then forwards the HTTP requests to Nagios. In Nagios, you
> could then use the default-user to allow access for anyone (you wouldn't be
> able to restrict access by group or so, though).
>
> Personally, I think that for Nagios purposes, you should ditch RSA and go
> back to a local password file for nagios. I suspect using RSA with Nagios
> actually reduces rather than increases the security. This is because an
> attacker could potentially see many different passwords, and use that to
> deduct information about the sequence of RSA keys and possibly in the end
> predict the next one. RSA is pretty strong overall, so this is not a huge
> risk, but something to keep in mind.
>
> Mohammed Al-Kout wrote:
>
>> Keven,
>>
>> The rsa password changes every 1 min,the nagios session timeouts ( i.e
>> requires re authentication )  every 10 mins, all i need is is there a way to
>> change this value to stay longer than 10 mins ? like 2-3 hours for example.
>>
>> Best Regards
>> --
>> Mohammed Al-Kout
>>
>>
>>
>>
>>
>> On Sat, Jan 24, 2009 at 11:57, Kevin Keane <subscript...@kkeane.com> wrote:
>>
>>Of course you wouldn't get it with the local passwd file, because
>>that password never changes. It's not the LDAP Cache settings, but
>>the fact that your RSA passwords themselves are changing
>>frequently - presumably every ten minutes - as you said earlier.
>>
>>Mohammed Al-Kout wrote:
>>
>>Keven,
>>
>>    we didn't get the reauthenticate window when we had the local
>>passwd file once we enabled ldap authentication its repopping
>>at exactly 10 mins it has something to do with the LDAP Cache
>>settings.
>>
>>Best Regards
>>--
>>Mohammed Al-Kout
>>
>>
>>
>>
>>
>>On Fri, Jan 23, 2009 at 15:32, Kevin Keane <subscript...@kkeane.com> wrote:
>>
>>   There is no "idle timeout" when using HTTP authentication, because
>>   there are no sessions involved that would be idle.
>>
>>   Each request stands on its own, and is separately authenticated.
>>
>>   Mohammed Al-Kout wrote:
>>
>>   What about the idle timeout ?
>>
>>   Best Regards
>>   --
>>   Mohammed Al-Kout
>>
>>
>>
>>
>>
>>   On Thu, Jan 22, 2009 at 09:49, Kevin Keane <subscript...@kkeane.com> wrote:
>>
>>  No. It has nothing to do
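
The interaction reported at the top of this message (a credential cache with a TTL in front of a code that rotates every minute), modelled as an added example that is not part of the original thread. The toy `token_code` is not the SecurID algorithm, and the seed, the 90-second page refresh and all names are assumptions; 600 seconds is mod_ldap's documented default for LDAPCacheTTL.

```python
import hashlib
import hmac

TOKEN_STEP = 60  # seconds; the thread says the RSA code changes every minute

def token_code(secret: bytes, now: int) -> str:
    """Toy stand-in for a rotating token code (NOT the SecurID algorithm)."""
    window = str(now // TOKEN_STEP).encode()
    return hmac.new(secret, window, hashlib.sha256).hexdigest()[:8]

class CachingBasicAuthGate:
    """Web server model: Basic credentials arrive on every request, but a
    successful backend bind is remembered for cache_ttl seconds."""

    def __init__(self, secret: bytes, cache_ttl: int):
        self.secret = secret
        self.cache_ttl = cache_ttl
        self.cache = {}          # (user, password) -> time of successful bind
        self.backend_binds = 0

    def check(self, user: str, password: str, now: int) -> int:
        bound_at = self.cache.get((user, password))
        if bound_at is not None and now - bound_at < self.cache_ttl:
            return 200           # cache hit, backend is not contacted
        self.backend_binds += 1  # cache miss or expired entry: ask the backend
        if hmac.compare_digest(password, token_code(self.secret, now)):
            self.cache[(user, password)] = now
            return 200
        self.cache.pop((user, password), None)
        return 401               # browser shows the login popup again

def first_reprompt(cache_ttl: int, refresh: int = 90, horizon: int = 4 * 3600):
    """Log in at t=0, then let the page auto-refresh with the same header.
    Returns the time in seconds of the first 401, or None if there is none."""
    secret = b"constructed-demo-seed"  # constructed sample value
    gate = CachingBasicAuthGate(secret, cache_ttl)
    password = token_code(secret, 0)   # the code the user typed at login
    assert gate.check("demo", password, 0) == 200
    for now in range(refresh, horizon, refresh):
        if gate.check("demo", password, now) == 401:
            return now
    return None

if __name__ == "__main__":
    for ttl in (600, 1800):
        print(f"cache TTL {ttl:>4}s -> re-prompt at t={first_reprompt(ttl)}s")
```

The re-prompt always lands on the first request after the cache entry expires, because the browser is still sending the code that was valid at login.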

Re: [Nagios-users] Nagios - LDAP/RSA authentication

2009-01-22 Thread Mohammed Al-Kout
I will try to set the parameters the same as yours and try it.

Best Regards
--
Mohammed Al-Kout





On Thu, Jan 22, 2009 at 11:41, Werner Flamme wrote:

> Mohammed Al-Kout [22.01.2009 05:06]:
> > Warner,
> >
> > in my setup i'm not using authz, but i noticed something you are using "
> > AuthUserFile /some/file " why is it required if the users are on ldap ?
>
> Mohammed,
>
> we have some accounts not stored in LDAP ("emergency", "srvadm"). So
> this is our way to combine LDAP and local accounts.
>
> Regards,
> Werner
>
> >
> >
> > On Wed, Jan 21, 2009 at 17:50, Werner Flamme wrote:
> >
> >> Mohammed Al-Kout [21.01.2009 14:31]:
> >>> Warner,
> >>>
> >>> the session seems to be expiring after ( 10-20) and nagios asks for
> >>> reauthentication, ( we are using RSA passwords that change frequently so the
> >>> LDAPCAche does not apply in our case ) are you using mod_auth_ldap ?
> >>> what are the parameters you use in the httpd.conf for LDAP Cache settings
> >>>
> >> Mohammed,
> >>
> >> I hope I get them all:
> >> AuthName "LDAP Auth"
> >> AuthType Basic
> >> AuthBasicProvider ldap files
> >> AuthLDAPURL "ldap://ldap.domain.tld/ou=people,dc=domain,dc=tld?uid?sub"
> >> AuthLDAPAuthoritative off
> >> AuthBasicAuthoritative On
> >> require valid-user
> >> AuthUserFile /some/file
> >>
> >> I do not see any special parameter about LDAP cache or SSL cache (we use
> >> SSL, we don't want to pass the words unciphered via network ;-)).
> >>
> >> We're running apache 2.2.3 that loads the modules "suexec authz_host
> >> actions alias auth_basic authz_groupfile authn_file authz_user authn_dbm
> >> autoindex cgi dir env expires include log_config mime negotiation
> >> setenvif status userdir asis imagemap ldap authnz_ldap ssl php5 perl
> >> authz_default rewrite".
> >>
> >> Regards,
> >> Werner
> >>
> >>>
> >>>
> >>>
> >>>
> >>> On Wed, Jan 21, 2009 at 16:22, Werner Flamme wrote:
> >>>> Mohammed Al-Kout [21.01.2009 14:00]:
> >>>>> Hello,
> >>>>>
> >>>>> i'm running Nagios 3.0.1 on Apache 2.0.52 its been running on a local
> >>>>> userfile for sometime, recently i switched to LDAP authentication with
> >>>>> mod_auth_ldap its working fine, the problem is i'm getting the
> >>>>> authentication popup every 10-20 mins, is there a way to stop this or set a
> >>>>> longer interval  ? i'm not sure what is causing this popup to reappear (
> >>>>> LDAP , Apache or Nagios ) if anyone has an idea please lemme know
> >>>> Neither of them. We use LDAP auth for years, and there are no such popups.
> >>
> >>
> >>
> >>
> --
> >> This SF.net email is sponsored by:
> >> SourcForge Community
> >> SourceForge wants to tell your story.
> >> http://p.sf.net/sfu/sf-spreadtheword
> >> ___
> >> Nagios-users mailing list
> >> Nagios-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/nagios-users
> >> ::: Please include Nagios version, plugin version (-v) and OS when
> >> reporting any issue.
> >> ::: Messages without supporting info will risk being sent to /dev/null
> >>
> >
>
>
> --
> Werner Flamme, Dept. WKDV
> Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
> Permoserstr. 15 - 04318 Leipzig
> Tel.: (0341) 235-1921 - Fax (0341) 235-451921
> Information pursuant to §§ 37a HGB, 35a GmbHG:
> Registered office: Leipzig
> Registration court: Amtsgericht Leipzig, commercial register no. B 4703
> Chairman of the Supervisory Board: MinDirig Hartmut F. Grübel
> Scientific Managing Director: Prof. Dr. Georg Teutsch
> Administrative Managing Director: Dr. Andreas Schmidt
>
>

Re: [Nagios-users] Nagios - LDAP/RSA authentication

2009-01-21 Thread Mohammed Al-Kout
Werner,

The session seems to be expiring after (10-20) and Nagios asks for
reauthentication (we are using RSA passwords that change frequently, so the
LDAPCache does not apply in our case). Are you using mod_auth_ldap?
What are the parameters you use in the httpd.conf for LDAP Cache settings?

Best Regards
--
Mohammed Al-Kout





On Wed, Jan 21, 2009 at 16:22, Werner Flamme wrote:

> Mohammed Al-Kout [21.01.2009 14:00]:
> > Hello,
> >
> > i'm running Nagios 3.0.1 on Apache 2.0.52 its been running on a local
> > userfile for sometime, recently i switched to LDAP authentication with
> > mod_auth_ldap its working fine, the problem is i'm getting the
> > authentication popup every 10-20 mins, is there a way to stop this or set a
> > longer interval  ? i'm not sure what is causing this popup to reappear (
> > LDAP , Apache or Nagios ) if anyone has an idea please lemme know
>
> Neither of them. We use LDAP auth for years, and there are no such popups.
>
> Regards,
> Werner
>
>

[Nagios-users] Nagios - LDAP/RSA authentication

2009-01-21 Thread Mohammed Al-Kout
Hello,

I'm running Nagios 3.0.1 on Apache 2.0.52. It's been running on a local
userfile for some time; recently I switched to LDAP authentication with
mod_auth_ldap. It's working fine; the problem is I'm getting the
authentication popup every 10-20 mins. Is there a way to stop this or set a
longer interval? I'm not sure what is causing this popup to reappear
(LDAP, Apache or Nagios). If anyone has an idea please lemme know.

Best Regards
--
Mohammed Al-Kout