Tag Archives: PAM
No network would be complete without monitoring, so in this example, we will install the popular monitoring software Nagios and use the Apache web server with a mod called pwauth.
First, make sure you have joined the domain. Because pwauth connects Apache with PAM, we will be able to log in to Nagios using our Active Directory credentials.
First we will install Apache and pwauth and set the SELinux and firewall configuration.
# yum install httpd
# yum install mod_authnz_external pwauth
# setsebool -P httpd_can_sendmail 1
# setsebool -P httpd_can_network_connect 1
# firewall-cmd --permanent --add-service=http
# firewall-cmd --permanent --add-service=https
# firewall-cmd --add-service=http
# firewall-cmd --add-service=https
Since we don’t want just anyone having access to this site, we will restrict it to domain admins by using the PAM pwauth module.
Add the following line at the top of the file. The square brackets allow the space in the group name.
auth required pam_succeed_if.so user ingroup [Domain Admins]
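The following Python sketch is an added example, not part of the original post. It parses a PAM service file, keeping a [bracketed] argument as a single token, and checks that the Domain Admins test runs before any auth rule that could grant access or hand off to another stack. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample PAM service files (not from the original page).
GATED = """#%PAM-1.0
auth     required  pam_succeed_if.so user ingroup [Domain Admins]
auth     include   password-auth
account  include   password-auth
"""
BYPASSED = """auth  sufficient  pam_unix.so
auth  required    pam_succeed_if.so user ingroup [Domain Admins]
"""
UNBRACKETED = """auth  required  pam_succeed_if.so user ingroup Domain Admins
auth  include   password-auth
"""

# A [bracketed] token may contain spaces; everything else splits on whitespace.
TOKEN = re.compile(r"\[(?:\\.|[^\]\\])*\]|\S+")

def parse_pam(text):
    """Return (type, control, module, args) for every rule line."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        tok = TOKEN.findall(line.split("#", 1)[0])        # drop comments
        if len(tok) >= 3:
            rules.append((tok[0].lstrip("-"), tok[1], tok[2], tok[3:]))
    return rules

def has_group_test(args, group):
    """True if args contain the condition: user ingroup <group>."""
    vals = [a[1:-1] if a.startswith("[") and a.endswith("]") else a for a in args]
    return any(vals[i:i + 3] == ["user", "ingroup", group] for i in range(len(vals) - 2))

def group_gate_effective(text, group="Domain Admins"):
    """True if the group check runs before any auth rule that could
    grant access or hand off to another stack (a conservative check)."""
    for kind, control, module, args in parse_pam(text):
        if kind != "auth":
            continue
        if (module.endswith("pam_succeed_if.so")
                and control in ("required", "requisite")
                and has_group_test(args, group)):
            return True
        if control not in ("required", "requisite", "optional"):
            return False  # sufficient / include / [..] seen before the gate
    return False

if __name__ == "__main__":
    for name, sample in (("gated", GATED), ("bypassed", BYPASSED), ("unbracketed", UNBRACKETED)):
        print(name, group_gate_effective(sample))
```

The unbracketed sample fails the check because PAM would read "Domain" as the group name and "Admins" as a separate argument.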
# yum install php nagios
Configure the Nagios web site. In this example, we will put Nagios at the root of the server instead of in a subdirectory.
Make the file look exactly like the following.
ScriptAlias /cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
AuthName "Nagios Access"
Edit the main Apache configuration file.
Comment out any existing line beginning with ‘ScriptAlias’ and update the following line.
Make sure we will get alerts for service outages.
Update the following line.
email email@example.com ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******
Finish configuring Nagios and grant administrative privileges.
Update the following lines.
Start the services.
# systemctl enable nagios.service
# systemctl start nagios.service
# systemctl enable httpd.service
# systemctl start httpd.service
Browse to http://nagiosserver/ and you should now be able to log in using your Active Directory domain administrator account.
Jenkins is a software package that is popular among programmers and is used to automate software builds. It runs on Apache Tomcat.
First, make sure you have joined the domain. Because Jenkins uses PAM for authentication, it can be set up to allow people to log in with their Active Directory credentials.
# yum install java tomcat tomcat-webapps
Jenkins comes as a .war package. It needs to be moved into the webapps directory where it will be auto extracted by Tomcat on startup.
# mv jenkins.war /var/lib/tomcat/webapps
Open the firewall to allow Jenkins agents and Tomcat to communicate.
# firewall-cmd --add-port 8080/tcp
# firewall-cmd --permanent --add-port 8080/tcp
# firewall-cmd --add-port 7777/tcp
# firewall-cmd --permanent --add-port 7777/tcp
# systemctl enable tomcat.service
# systemctl start tomcat.service
Access Jenkins through http://servername:8080/jenkins
Click ‘Manage Jenkins’ > ‘Configure System’ and set the following values.
Jenkins URL : http://servername:8080/jenkins/
System Admin e-mail address: firstname.lastname@example.org
SSHD Port : Disable
SMTP server: mail.corp.mydomain.com
Click Manage Jenkins > Configure Global Security
Check Enable security
Set ‘TCP port for JNLP slave agents’ to ‘fixed (7777)’
The name of the next setting is not accurate. Even though it says Unix user database, it has recently been updated to use PAM, which lets us use Active Directory.
Set ‘Access Control’ > ‘Security Realm’ to ‘Unix user/group database’