
The Fedora 20 Active Directory Integration Guide : Apache and Nagios

No network would be complete without monitoring, so in this example we will install the popular monitoring software Nagios and use the Apache web server with pwauth, an external authenticator that Apache calls through mod_authnz_external.

First, make sure you have joined the domain.  Because pwauth connects Apache with PAM, we will be able to log in to Nagios using our Active Directory credentials.

Next, we will install Apache and pwauth and set the SELinux and firewall configuration.

#yum install httpd
#yum install mod_authnz_external pwauth
#setsebool -P httpd_can_sendmail 1
#setsebool -P httpd_can_network_connect 1
#firewall-cmd --permanent --add-service=http
#firewall-cmd --permanent --add-service=https
#firewall-cmd --add-service=http
#firewall-cmd --add-service=https

Since we don’t want just anyone having access to this site, we will restrict it to domain admins by editing the PAM configuration for pwauth.

#vi /etc/pam.d/pwauth

Add the following line at the top of the file.  The square brackets allow the space in the group name.

auth       required     pam_succeed_if.so user ingroup [Domain Admins]
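
The position at the top matters because PAM evaluates auth rules in order, and an earlier `sufficient` rule or included stack can return success before the group check is consulted. The check below is an added example, not part of the original guide: the file contents are constructed samples, the include lines are an assumption about the packaged /etc/pam.d/pwauth, and treating every earlier include as a possible early exit is a deliberately conservative assumption.

```python
import re

# Constructed sample: /etc/pam.d/pwauth after the edit described above.
# The include lines are an assumption about what the packaged file contains.
GOOD = """\
#%PAM-1.0
auth       required     pam_succeed_if.so user ingroup [Domain Admins]
auth       include      password-auth
account    include      password-auth
"""

# Constructed counter-example: the same rule appended below the include.
BAD = """\
#%PAM-1.0
auth       include      password-auth
auth       required     pam_succeed_if.so user ingroup [Domain Admins]
account    include      password-auth
"""

# A PAM token is a [bracketed value], which may hold spaces, or a bare word.
TOKEN = re.compile(r"\[[^\]]*\]|\S+")

def auth_rules(text):
    """Return (control, module, args) for every auth line, in file order."""
    rules = []
    for line in text.splitlines():
        tokens = TOKEN.findall(line.split("#", 1)[0])  # drop comments
        if len(tokens) >= 3 and tokens[0].lstrip("-") == "auth":
            args = [t.strip("[]") for t in tokens[3:]]
            rules.append((tokens[1], tokens[2], args))
    return rules

def group_gate_status(text, group):
    """Return 'ok', 'bypassable' or 'missing' for the group restriction."""
    early_exit = False  # could an earlier rule already end the stack with success?
    for control, module, args in auth_rules(text):
        is_gate = (module.endswith("pam_succeed_if.so")
                   and control in ("required", "requisite")
                   and args[:3] == ["user", "ingroup", group])
        if is_gate:
            return "bypassable" if early_exit else "ok"
        # sufficient, an included stack, or [success=done ...] may return early.
        if control in ("sufficient", "include") or "done" in control:
            early_exit = True
    return "missing"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, group_gate_status(sample, "Domain Admins"))
```

To check a live system, pass the contents of /etc/pam.d/pwauth to `group_gate_status` instead of the samples.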

Install Nagios.

#yum install php nagios

Configure the Nagios web site.  In this example, we will put Nagios at the root of the server instead of in a subdirectory.

#vi /etc/httpd/conf.d/nagios.conf

Make the file look exactly like below.

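ScriptAlias /cgi-bin/ "/usr/lib64/nagios/cgi-bin/"

# Require a login for everything on this server, checked by pwauth through PAM
<Location "/">
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider external
AuthExternal pwauth
Require valid-user
</Location>

# Nagios CGI programs
<Directory "/usr/lib64/nagios/cgi-bin/">
# Uncomment SSLRequireSSL to refuse requests that do not arrive over HTTPS (needs mod_ssl)
#  SSLRequireSSL
Options ExecCGI
AllowOverride None
</Directory>

# Nagios static pages
<Directory "/usr/share/nagios/html">
#  SSLRequireSSL
Options None
AllowOverride None
</Directory>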

Edit the main Apache configuration file.

#vi /etc/httpd/conf/httpd.conf

Comment out any existing line beginning with ‘ScriptAlias’ and update the following line.

DocumentRoot "/usr/share/nagios/html"

Make sure we will get alerts for service outages.

#vi /etc/nagios/objects/contacts.cfg

Update the following line.

email                           username@corp.mydomain.com   ; <<***** CHANGE THIS TO YOUR EMAIL ADDRESS ******

Finish configuring Nagios and grant administrative privileges.

#vi /etc/nagios/cgi.cfg

Update the following lines.


Start the services.

#systemctl enable nagios.service
#systemctl start nagios.service
#systemctl enable httpd.service
#systemctl start httpd.service

Browse to http://nagiosserver/ and you should now be able to log in using your Active Directory domain administrator account.

The Fedora 20 Active Directory Integration Guide : Jenkins

Jenkins is a software package that is popular among programmers and is used to automate software builds.  It runs on Apache Tomcat.

First, make sure you have joined the domain.  Because Jenkins uses PAM for authentication, it can be set up to allow people to log in with their Active Directory credentials.

Install Tomcat.

#yum install java tomcat tomcat-webapps

Jenkins comes as a .war package.  It needs to be moved into the webapps directory, where Tomcat will extract it automatically on startup.

#mv jenkins.war /var/lib/tomcat/webapps

Open the firewall to allow Jenkins agents and Tomcat to communicate.

#firewall-cmd --add-port 8080/tcp
#firewall-cmd --permanent --add-port 8080/tcp
#firewall-cmd --add-port 7777/tcp
#firewall-cmd --permanent --add-port 7777/tcp

Start Tomcat.

#systemctl enable tomcat.service
#systemctl start tomcat.service

Access Jenkins through http://servername:8080/jenkins
Click ‘Manage Jenkins’ > ‘Configure System’ and set the following values.
Jenkins URL : http://servername:8080/jenkins/
System Admin e-mail address: username@corp.mydomain.com
SSHD Port : Disable
SMTP server: mail.corp.mydomain.com

Click Manage Jenkins > Configure Global Security
Check Enable security
Set ‘TCP port for JNLP slave agents’ to ‘fixed (7777)’

The name of the next setting is not accurate.  Even though it says Unix user database, it has recently been updated to use PAM, which lets us use Active Directory.
Set ‘Access Control’ > ‘Security Realm’ to ‘Unix user/group database’