0

I have both Nagvis and Nagios set up for LDAPS authentication. I have a monitor point (link) in Nagvis which brings me to the Service information in Nagios Core. When I click the link in Nagvis to get to Nagios I get the following error: /var/log/httpd24/error_log:

[cgi:error] [pid 25523] [client 155.157.39.194:23160] Premature end of script headers: status.cgi, referer: https://[EM Server FQDN]/nagios/cgi-bin/status.cgi?host=all

When I land at the next page I am met with an Internal Server Error page which just tells me to consult the error logs. Hitting F5 or the Back Navigation button on the browser resolves the issue. When I instead replace LDAPS authentication with Basic Authentication, no problems occur.

My CGI files have proper permissions. Something must be getting lost in the process of the LDAP authentication?

Any help is appreciated! Attached my nagios.conf...

   ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

   <Directory "/usr/local/nagios/sbin">
  SSLRequireSSL
  Options ExecCGI
  AllowOverride AuthConfig
  Order deny,allow
  Deny from all

  # Limit HTTP methods
  <LimitExcept GET POST OPTIONS>
       Require all denied
  </LimitExcept>

 Allow from <IP subnet of allowed hosts>
 Session on
 SessionCookieName httpd_nagsess path=/
 SessionMaxAge 1800
 SessionCryptoPassphrase <obscured>
 ErrorDocument 401 /auth/login.html

 AuthFormProvider ldap
 AuthType form
 AuthLDAPGroupAttributeIsDN on
 AuthName "Nagios Login via Active Directory (LDAPS)"
 AuthLDAPURL "ldaps://<domain controller #1 FQDN>:3269 <domain controller #2 FQDN>:3269/DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>?sAMAccountName?sub?(objectClass=*)" NONE
 AuthLDAPBindDN "CN=AD-Binder,OU=Service Accounts,OU=Users and Groups,OU=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>"
   AuthLDAPBindPassword <obscured>
   require ldap-group CN=em_admin,OU=Groups,OU=Users and Groups,OU=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>,DC=<obscured>

</Directory>
user2423096
  • 53
  • 1
  • 8

1 Answers1

0

The problem was with my login form. According to the apache documentation on "Inline Login with Body Preservation" (https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html) I needed the following three lines in my form:

<input type="hidden" name="httpd_method" value="POST" />
<input type="hidden" name="httpd_mimetype" value="application/x-www-form-urlencoded" />
<input type="hidden" name="httpd_body" value="<?php echo $_SERVER['REDIRECT_QUERY_STRING'];?>" />

The PHP stuff given to the httpd_body was what I needed to actually preserve the original request. I found a few mentions out there of Inline Form Login not working out of the box but no solid solution for it. My solution works for me. Note login.html had to become login.php. See my login form below:

login.php

Finally here is my nagios.conf (Im not including identical nagios/share Directory): nagios.conf

FYI, did this outside the login form part of login.php to figure out where this info was held:

<?php
$info = phpinfo();
echo "<html><h2>$info</h2>";
?>
user2423096
  • 53
  • 1
  • 8