OpenID-Icinga-Ubuntu-12.04.md

Notes

• These instructions were developed for Ubuntu 12.04, but they will work for 12.10 and 13.04 with minor differences noted below.
• If you have trouble, see the Errors section at the bottom.

---

Procedure

1. Install Apache
   • apt-get install apache2

• Install Icinga
  • apt-get install icinga
• Install libapache2-mod-auth-openid
  • Install package dependencies: apt-get install libcurl3-gnutls libopkele3
  • Ubuntu 12.04: There is a bug in v0.5 included in Precise, instead we need to install v0.7 from Quantal
    • Download the package: http://packages.ubuntu.com/quantal/amd64/libapache2-mod-auth-openid/download
    • Install the package: dpkg -i libapache2-mod-auth-openid_0.7-1_amd64.deb
  • Ubuntu 12.10 / 13.04: Just install the package normally
    • apt-get install libapache2-mod-auth-openid
  • Enable the module in Apache: a2enmod authopenid
• Modify Icinga's config for Apache to replace Basic authentication with OpenID:
  • In this case we use Google Apps as our authentication provider
  • Anyone who is signed in to yourdomain.com on Google Apps will be allowed read-only access to Icinga -- we use the email schema to match against "@yourdomain.com" and allow any "valid-user"s.
  • vi /etc/icinga/apache2.conf:

  • @@ -18,8 +18,13 @@
       Order Allow,Deny
     	Allow From All
     
    -	AuthName "Icinga Access"
    -	AuthType Basic
    -	AuthUserFile /etc/icinga/htpasswd.users
    +	AuthName "Monitoring Server"
     	require valid-user
    +	AuthType OpenID
    +	AuthOpenIDDBLocation /var/cache/mod_auth_openid/mod_auth_openid.db
    +	AuthOpenIDTrusted ^https://www.google.com/accounts/o8/ud
    +	AuthOpenIDAXRequire email http://openid.net/schema/contact/email @yourdomain\.com
    +	AuthOpenIDSingleIdP https://www.google.com/accounts/o8/id
    +	AuthOpenIDAXUsername email
    +	AuthOpenIDSecureCookie Off  # demands SSL; off for now
     </DirectoryMatch>

• Create the database where OpenID credentials will be stored:
  • mkdir -p /var/cache/mod_auth_openid
  • chown www-data: /var/cache/mod_auth_openid/
  • chmod 700 /var/cache/mod_auth_openid/
  • touch /var/cache/mod_auth_openid/mod_auth_openid.db
  • chown www-data: /var/cache/mod_auth_openid/mod_auth_openid.db
  • chmod 644 /var/cache/mod_auth_openid/mod_auth_openid.db
• Restart Apache:
  • service apache2 restart
• Test:
  • Navigate to http://yourhost/icinga/
  • If you are not logged in to Google Apps, you will be challenged:
    • "192.168.5.207 is asking for some information from your Google Account. To see and approve the request, sign in."
    • "192.168.5.207 would like to: View your email address"
  • When you are authenticated with Google, you are HTTP redirected to the Icinga web UI
  • The web UI displays your logged-in username as your email address: "Icinga 1.6.1 - Logged in as [email protected]"
  • Conclusion: OpenID authentication works!
• Next we need to enumerate some contacts in Icinga, so that specific users may receive notifications and execute commands ("acknowledge service problem", "re-schedule next check", "schedule downtime for host", etc.):
  • vi /etc/icinga/objects/contacts_icinga.cfg
  • Copy the "root" contact definition to create a new one with contact_name and email set to "[email protected]" (as seen in the web UI); update the alias field as well. Add this contact to the admins contact group.

  • @@ -26,6 +26,18 @@
             email                           root@localhost
             }
     
    +define contact{
    +        contact_name                    [email protected]
    +        alias                           John Q. User
    +        service_notification_period     24x7
    +        host_notification_period        24x7
    +        service_notification_options    w,u,c,r
    +        host_notification_options       d,r
    +        service_notification_commands   notify-service-by-email
    +        host_notification_commands      notify-host-by-email
    +        email                           [email protected]
    +        }
    +
     
     
     ###############################################################################
    @@ -42,5 +54,5 @@
     define contactgroup{
             contactgroup_name       admins
             alias                   Nagios Administrators
    -        members                 root
    +        members                 root,[email protected]
             }

• Instruct Icinga to "check external commands":
  • Ubuntu 12.10 / 13.04: Icinga package now includes a Debconf question about whether you want to enable external commands, but it didn't seem to do what I expected. You should follow along below to ensure proper config.
  • vi /etc/icinga/icinga.cfg

  • @@ -152,7 +152,7 @@
     # you will have to enable this.
     # Values: 0 = disable commands, 1 = enable commands
     
    -check_external_commands=0
    +check_external_commands=1

• Grant ability to submit external commands to the user which the CGI runs as, www-data:
  • usermod -a -G nagios www-data
  • chmod 770 /var/lib/icinga/rw/
• Restart Icinga and Apache:
  • service icinga restart
  • service apache2 restart
• Test -- try rescheduling a check:
  • Click on "Service Detail" on the left side nav bar
  • Use a checkbox to select a service on the right of the result rows
  • Use the "Commands for checked services" drop-down in the upper right to select "Re-schedule Next Service Check"
  • Click "Submit"
  • Click "Commit"
  • You should see a green dialog box, "Your command requests were successfully submitted to Icinga for processing."

---

Errors

• "Invalid command 'AuthOpenIDDBLocation', perhaps misspelled or defined by a module not included in the server configuration":
  • Did you remember to run a2enmod authopenid?
• "User is not authorized to access this location.":
  • Did you remember to change yourdomain.com to... your domain?
• "Error: Could not open command file '/var/lib/icinga/rw/icinga.cmd' for update!":
  • Did you remember to restart Apache before submitting a command?