Ticket #157 (assigned enhancement)
LDAP authentication
| Reported by: | Nyal | Owned by: | mickem |
|---|---|---|---|
| Priority: | 1 | Milestone: | 0.4.0 |
| Component: | Core | Version: | 0.4.0-nightly |
| Severity: | Feature Requests | Keywords: | |
| Cc: |
Description (last modified by mickem)
Hi,
It would be great if NSClient++ could also use LDAP for authentication (Active Directory, OpenLDAP, ... for example). Network flow:
check_nrpe (or nt) client <-----------> NSClient++ agent <------------> LDAP
                          NRPE protocol                  LDAP protocol
                          NSClient protocol
Best regards,
Change History
comment:1 follow-up: ↓ 2 Changed 4 years ago by mickem
- Owner changed from MickeM to mickem
- Status changed from new to assigned
- Description modified
comment:2 in reply to: ↑ 1 Changed 4 years ago by Nyal
Mmm, I see. NSClient doesn't send the user with the password. Another idea: maybe you can do something like this (without modifying the NRPE or NSClient protocol).
nsc.ini file:
authenticate=LDAP|PASSWORD|...
# Method LDAP
ldap_url=ldap.toto.com
ldap_username=nsclientuser
# Method PASSWORD
password=<password>
Network flow:
check_nt client <-----------> NSClient++ agent <------------> LDAP
            SSL NSClient protocol              LDAP(S) protocol
               (password only)                (user and password)
You have the password in LDAP and Nagios. You don't have to change the password everywhere.
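An added sketch of the agent-side check proposed in comment:2 (not NSClient++ code and not written by either poster): the client supplies only a password, and the agent binds to LDAP as the configured `ldap_username`. The `ldap_bind` hook, the function names, the `ldaps://` form of `ldap_url` and the sample settings are assumptions; the sketch covers only the agent-to-LDAP leg, not the check_nt connection.

```python
import hmac
from urllib.parse import urlsplit

# Constructed sample using the nsc.ini keys proposed in comment:2.
SAMPLE_INI = """\
authenticate=LDAP
# Method LDAP
ldap_url=ldaps://ldap.toto.com
ldap_username=nsclientuser
"""

def parse_settings(text):
    """Parse key=value lines, skipping blank lines and '#' comment lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_password(settings, supplied, ldap_bind):
    """Return True only if the client-supplied password is accepted.

    ldap_bind(url, username, password) -> bool is a hypothetical hook that
    performs an LDAP simple bind; wrap a real LDAP library call in it.
    """
    method = settings.get("authenticate", "PASSWORD")
    if method == "PASSWORD":
        expected = settings.get("password", "")
        # Constant-time comparison; an unset password never matches.
        return bool(expected) and hmac.compare_digest(
            supplied.encode(), expected.encode())
    if method == "LDAP":
        # An empty password turns a simple bind into an "unauthenticated
        # bind" (RFC 4513, section 5.1.2) that servers may accept.
        if not supplied:
            return False
        # Do not forward the password to the directory in clear text.
        if urlsplit(settings.get("ldap_url", "")).scheme != "ldaps":
            return False
        return bool(ldap_bind(settings["ldap_url"],
                              settings["ldap_username"], supplied))
    return False  # unknown method: fail closed
```
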
comment:3 Changed 4 years ago by mickem
Yes, problem is check_nt does not support SSL (or any encryption) and I don't really play much on the "plugin side" then I would have to support a "custom" agent on the *nix side which is a bit outside my scope :/
And I would not have my passwords sent over the net un-encrypted, but your schematic is what I meant by "You could technically add configure a "login" and authenticate with that and the supplied password but do you really want to?" but again, no encryption: Scary, but if I do the filter thingy maybe I could add that as well since I shall be dabbling in the realms of LDAP, but since LDAP is new for me don't expect anything soon, *maybe* 0.4.0 but more likely 0.5.0.
MickeM

I would say this is doubtful. Humm... ideas, ideas, ideas, see below :)
As is, the only protocol supporting any form of "authentication" is NSClient and that is a simple password. You could technically add configure a "login" and authenticate with that and the supplied password but do you really want to?
NSClient does not use any encryption so you would be sending a domain password in clear text. I would like though for someone to extend NRPE protocol to support proper authentication in addition to encryption and if that happens I would say yes.
But as things are designed now I think it is better to view NRPE/NSClient as NOT SECURE along the lines of SNMP.
A thought just occurred, I could easily add a filter that "uses proper" authentication before passing the supplied command along to the client? Something along the lines of:
and then add something like this to nsc.ini
This I guess might be a feasible alternative to the present "totally unsecured" version. It would not be a "proper" thing but it would be better I guess.
Ideas thoughts etc...
Michael Medin