# ====================================================================================
# OsbornePro LLC. Nagios Core Apache2 Configuration file template to use LDAP over SSL
# ====================================================================================
# Configuration Starts at line 63
#
# LDAPS REQUIREMENTS:
# 1.) Root CA Subject Name (CN value) must differ from the LDAPS Subject Name (CN value) in order to be trusted by OpenSSL
# 2.) LDAPS Certificate contents must contain the base64 server certificate followed by the base64 Root CA certificates
# 3.) Define users allowed to access Nagios in your Nagios /usr/local/nagios/etc/cgi.cfg file (EXAMPLE SETTING: authorized_for_all_service_commands=nagiosadmin,domainuser)
#
#--------------------------------------------------------------------------------------------------------------------------
# (If not already done) CREATE A ROOT CA ON A SERVER THAT IS DIFFERENT FROM YOUR LDAP SERVER USING THE BELOW COMMANDS
#--------------------------------------------------------------------------------------------------------------------------
#sudo openssl genrsa -des3 -out private/ca.key 4096
#sudo openssl req -new -x509 -days 365 -key /etc/ssl/private/ca.key -out /etc/ssl/certs/ca.crt
#
#--------------------------------------------------------------------------------------------------------------------------
# TRUST THE NEWLY CREATED CA BY COPYING IT TO YOUR LDAP SERVER AND ADDING IT TO THE TRUSTED CERTIFICATE STORE
#--------------------------------------------------------------------------------------------------------------------------
#scp -P 22 -i ~/.ssh/id_rsa /etc/ssl/certs/ca.crt [email protected]:/tmp/ca.crt
#
#--------------------------------------------------------------------------------------------------------------------------
# CREATE A CERTIFICATE REQUEST ON LDAP SERVER AND TRUST THE ca.crt CERTIFICATE
#--------------------------------------------------------------------------------------------------------------------------
#sudo cp /tmp/ca.crt /usr/share/ca-certificates/mozilla/ca.crt
#echo "[*] Ensure your ca.crt certificate is selected by using the space bar in the select window of the command below"
#dpkg-reconfigure ca-certificates
#
#echo "[*] Creating CSR request"
#sudo mkdir /etc/ssl/requests
#sudo openssl req -out /etc/ssl/requests/ldap.csr -new -newkey rsa:2048 -nodes -keyout /etc/ssl/private/ldap.key
#
#echo "[*] Copy the CSR request over to your CA server"
#scp -P 22 -i ~/.ssh/id_rsa /etc/ssl/requests/ldap.csr [email protected]:/tmp/ldap.csr
#
#--------------------------------------------------------------------------------------------------------------------------
# COMPLETE CSR REQUEST USING THIS COMMAND ON YOUR CA
#--------------------------------------------------------------------------------------------------------------------------
#sudo openssl x509 -req -days 365 -in /tmp/ldap.csr -CA /etc/ssl/certs/ca.crt -CAkey /etc/ssl/private/ca.key -CAcreateserial -out /etc/ssl/certs/ldap.crt -sha256
#
#echo "[*] Copy the completed certificate back over to your LDAP server"
#scp -P 22 -i ~/.ssh/id_rsa /etc/ssl/requests/ldap.crt [email protected]:/tmp/ldap.crt
#
#--------------------------------------------------------------------------------------------------------------------------
# MOVE /tmp/ldap.crt OUT OF THE /tmp DIRECTORY INTO THE APPROPRIATE ONE AND GIVE THE LDAP SERVICE USER OWNERSHIP OF THOSE CERTS
#--------------------------------------------------------------------------------------------------------------------------
#sudo cp /tmp/ldap.crt /etc/ssl/certs/ldap.crt
#USER=$(ps aux | grep slapd | cut -d" " -f1 | grep -wv root)
#sudo chown $USER:$USER /etc/ssl/certs/ldap.crt
#sudo chown $USER:$USER /etc/ssl/private/ldap.key
#
#echo "[*] Create expected certificate file contents for LDAPS"
#sudo cat {/etc/ssl/certs/ldap.crt,/etc/ssl/certs/ca.crt} > /etc/ssl/certs/ldaps-cert.crt
#sudo chown $USER:$USER /etc/ssl/certs/ldaps-cert.crt
#
#echo "[*] Ensure the slapd service is configured to use those certificates"
# Set the below values in the slapd configuration (they are cn=config attributes, which the slapcat check below reads back; /etc/ldap/ldap.conf is the client-side file)
# olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key
# olcTLSCertificateFile: /etc/ssl/certs/ldaps-cert.crt
#sudo systemctl restart slapd.service
#sudo slapcat -b "cn=config" | egrep "olcTLSCertificateFile|olcTLSCertificateKeyFile"
#-------------------------------------------------- BEGIN CONFIGURATION ---------------------------------------------------#
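# Below values are to ensure current LDAP authentication is used instead of cached values
# (mod_ldap documents 0 as the value that disables the search/bind and operation caches;
# -1 is the author's setting — confirm it behaves as intended on the httpd version in use)
LDAPSharedCacheSize 500000
LDAPCacheEntries -1
LDAPCacheTTL -1
LDAPOpCacheEntries -1
LDAPOpCacheTTL -1
#
# Server-certificate validation for the ldaps:// URLs in the <Directory> blocks below.
# LDAPVerifyServerCert defaults to On; it is stated explicitly so the setting is visible here.
# mod_ldap must also trust the Root CA created in the header above on THIS host, e.g.
#   LDAPTrustedGlobalCert CA_BASE64 /path/to/ca.crt   (placeholder path: a copy of the Root CA certificate)
# Both directives are server-wide and must stay outside any <Directory> or <VirtualHost>.
LDAPVerifyServerCert On
# Maps the CGI URL prefix onto the Nagios CGI programs; the directory is secured below.
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"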
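<Directory "/usr/local/nagios/sbin">
    # Nagios CGI programs: TLS is mandatory and every request must authenticate
    # against LDAP and belong to the nagiosusers group.
    SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    # Order/Allow are 2.2 host-access directives; on 2.4 they exist only with
    # mod_access_compat and add nothing to the Require ldap-group check, so they are
    # limited to 2.2 hosts (needs mod_version, as the <IfVersion> blocks below already do).
    <IfVersion < 2.3>
        Order allow,deny
        Allow from all
    </IfVersion>
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttributeIsDN on
    AuthName "Enter LDAP Credentials"
    #
    # FOR OPEN LDAP
    AuthLDAPGroupAttribute member
    # AuthLDAPURL "ldap://ldapserver.domain.com:389/ou=People,dc=domain,dc=com?uid?sub?(objectClass=*)" NONE
    # The trailing keyword is the connection type; SSL states the ldaps:// intent explicitly
    # (the plain ldap:// variant above is unencrypted and keeps NONE).
    AuthLDAPURL "ldaps://ldapserver.domain.com:636/ou=People,dc=domain,dc=com?uid?sub?(objectClass=*)" SSL
    #
    # FOR ACTIVE DIRECTORY
    # AuthLDAPGroupAttribute memberOf
    # #AuthLDAPURL "ldap://ldapserver.domain.com:389/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)" NONE
    # AuthLDAPURL "ldaps://ldapserver.domain.com:636/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)" SSL
    #
    # Bind account used to look up users and groups: prefer a dedicated read-only account
    # over the directory administrator, replace the placeholder password, and keep this file
    # readable only by root because the password is stored in clear text (httpd 2.4.5+ can
    # also obtain it from an external program via the exec: prefix).
    AuthLDAPBindDN "cn=admin,dc=domain,dc=com"
    AuthLDAPBindPassword "Password123!"
    Require ldap-group cn=nagiosusers,ou=Groups,dc=domain,dc=com
    # OR
    # Require valid-user
    #
    # BELOW IS USED FOR LOCAL USER ACCESS
    # <IfVersion >= 2.3>
    # <RequireAll>
    # Require all granted
    # AuthName "Nagios Access"
    # AuthType Basic
    # AuthUserFile /usr/local/nagios/etc/htpasswd.users
    # Require valid-user
    # </RequireAll>
    # </IfVersion>
    # <IfVersion < 2.3>
    # Order allow,deny
    # Allow from all
    # AuthName "Nagios Access"
    # AuthType Basic
    # AuthUserFile /usr/local/nagios/etc/htpasswd.users
    # Require valid-user
    # </IfVersion>
</Directory>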
# Maps the web UI URL prefix onto the Nagios HTML/PHP tree; the directory is secured below.
Alias /nagios "/usr/local/nagios/share"
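<Directory "/usr/local/nagios/share">
    # Nagios web UI (HTML/PHP): TLS is mandatory and every request must authenticate
    # against LDAP and belong to the nagiosusers group.
    SSLRequireSSL
    # No CGI programs live here (they are in sbin above), so ExecCGI is not needed;
    # grant nothing beyond what serving the UI requires.
    Options None
    AllowOverride None
    # Order/Allow are 2.2 host-access directives; on 2.4 they exist only with
    # mod_access_compat and add nothing to the Require ldap-group check, so they are
    # limited to 2.2 hosts (needs mod_version, as the <IfVersion> blocks below already do).
    <IfVersion < 2.3>
        Order allow,deny
        Allow from all
    </IfVersion>
    AuthBasicProvider ldap
    AuthType Basic
    AuthLDAPGroupAttributeIsDN on
    AuthName "Enter LDAP Credentials"
    #
    # FOR OPEN LDAP
    AuthLDAPGroupAttribute member
    # AuthLDAPURL "ldap://ldapserver.domain.com:389/ou=People,dc=domain,dc=com?uid?sub?(objectClass=*)" NONE
    # The trailing keyword is the connection type; SSL states the ldaps:// intent explicitly
    # (the plain ldap:// variant above is unencrypted and keeps NONE).
    AuthLDAPURL "ldaps://ldapserver.domain.com:636/ou=People,dc=domain,dc=com?uid?sub?(objectClass=*)" SSL
    #
    # FOR ACTIVE DIRECTORY
    # AuthLDAPGroupAttribute memberOf
    # #AuthLDAPURL "ldap://ldapserver.domain.com:389/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)" NONE
    # AuthLDAPURL "ldaps://ldapserver.domain.com:636/cn=Users,dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)" SSL
    #
    # Bind account used to look up users and groups: prefer a dedicated read-only account
    # over the directory administrator, replace the placeholder password, and keep this file
    # readable only by root because the password is stored in clear text (httpd 2.4.5+ can
    # also obtain it from an external program via the exec: prefix). Keep these values
    # identical to the sbin block above so both directories authenticate the same way.
    AuthLDAPBindDN "cn=admin,dc=domain,dc=com"
    AuthLDAPBindPassword "Password123!"
    Require ldap-group cn=nagiosusers,ou=Groups,dc=domain,dc=com
    # OR
    # Require valid-user
    #
    # BELOW IS USED FOR LOCAL USER ACCESS
    #
    # <IfVersion >= 2.3>
    # <RequireAll>
    # Require all granted
    # AuthName "Nagios Access"
    # AuthType Basic
    # AuthUserFile /usr/local/nagios/etc/htpasswd.users
    # Require valid-user
    # </RequireAll>
    # </IfVersion>
    # <IfVersion < 2.3>
    # Order allow,deny
    # Allow from all
    # AuthName "Nagios Access"
    # AuthType Basic
    # AuthUserFile /usr/local/nagios/etc/htpasswd.users
    # Require valid-user
    # </IfVersion>
</Directory>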