update-djnro-realms.pl interfaces with the DjNRO eduroam management system to automatically generate Nagios config based on test credentials supplied by IdPs and recorded in DjNRO.
Configuration is done in a YAML config file. By default it looks for this in OMD_ROOT/etc/djnro-realms.cfg on OMD systems, or /etc/djnro-realms.cfg on other systems. Because this file holds the DjNRO database password and any credential overrides, keep it readable only by the user the script runs as.
Full documentation of the config file can be obtained with perldoc(1).
The DjNRO database connection string is configured as follows:
---
djnroDSN: DBI:mysql:database=djnro;host=localhost
djnroDbPass: very_secret_password
djnroDbUser: realm_monitor
The script needs only limited, read-only access to DjNRO's database. In particular, it needs SELECT access to the following tables: django_admin_log, django_content_type, edumanage_instrealm, edumanage_instrealmmon, edumanage_monlocalauthnparam, edumanage_name_i18n, edumanage_contact, edumanage_institutioncontactpool, edumanage_institutiondetails_contact, edumanage_institutiondetails. Grant the configured djnroDbUser (realm_monitor above) SELECT on exactly these tables rather than privileges on the whole database.
The generated configuration uses Nagios' template inheritance mechanism to create "default" information. The templates we use for this are as follows:
# Used by update-djnro-realms.pl for autogenerated per-realm services out of DjNRO
define service {
name djnro-generated-realm
host_name eduroam NRO
use generic-service,srv-pnp
check_command check_multi!idp_realm!-s EAP_METHOD="$_SERVICEEAP_METHOD$" -s EAP_PHASE2="$_SERVICEEAP_PHASE2$" -s EAP_ANONYMOUS="$_SERVICEEAP_ANONYMOUS$" -s EAP_USERNAME="$_SERVICEEAP_USERNAME$" -s EAP_PASSWORD='$_SERVICEEAP_PASSWORD$' -s REALM="$_SERVICEREALM$" -s FLAGS="$_SERVICEFLAGS$"
check_interval 15
first_notification_delay 45
max_check_attempts 3
notes This service was auto-generated from monitoring information supplied by the institutional administrators. Updates can be made at <a href="https://eduroam.ac.aq/manage/$_SERVICEEDITURI$">https://eduroam.ac.aq/manage/instrealmsmon</a> and are automatically applied every few hours. For queries about this realm, please contact the help desk at $_SERVICEINSTITUTION$.
notes_url https://eduroam.ac.aq/manage/$_SERVICEEDITURI$
notification_interval 10080
notifications_enabled 1
register 0
retry_interval 2
servicegroups +instrealms
stalking_options w,c
_EDITURI instrealmsmon
_INSTITUTION Home Organisation
}
# Used by update-djnro-realms.pl for autogenerated contacts out of DjNRO
define contact {
name djnro-generated-contact
alias DjNRO Generated Contact
use generic-contact
can_submit_commands 0
host_notification_options n
host_notification_period none
host_notifications_enabled 0
register 0
service_notification_commands djnro-realm-notify-by-email
service_notification_options w,c,r
service_notification_period djnro-realm-contact-times
service_notifications_enabled 1
}
# Used by update-djnro-realms.pl for autogenerated per-realm service escalations out of DjNRO
define serviceescalation {
name djnro-generated-serviceescalation
host_name eduroam NRO
contact escalation-contact
first_notification 4
last_notification 0
notification_interval 10080
register 0
}
# Used by update-djnro-realms.pl for autogenerated per-realm service dependencies out of DjNRO
define servicedependency {
name djnro-generated-servicedependency
service_description flrs-health
hostgroup_name eduroam-flr-servers
dependent_host_name eduroam NRO
execution_failure_criteria n
notification_failure_criteria w,u,c,p
register 0
}
And the corresponding check_multi config referenced as idp_realm is:
attribute [ name ] = EAP
attribute [ collapse ] = 0
command [ flr-1_$REALM$ ] = $USER2$/rad_eap_test -H antarctica-flr-1.eduroam.ac.aq -P 1812 -S $USER101$ -A "$EAP_ANONYMOUS$" -u "$EAP_USERNAME$" -p '$EAP_PASSWORD$' -s eduroam -e "$EAP_METHOD$" -2 "$EAP_PHASE2$" -m WPA-EAP -i "0/0 https://monitor.eduroam.ac.aq/" -O "eduroam.ac.aq" -I 172.20.1.2 -M 22:44:66:00:41:51 -C -V -t 8
command [ flr-2_$REALM$ ] = $USER2$/rad_eap_test -H antarctica-flr-2.eduroam.ac.aq -P 1812 -S $USER101$ -A "$EAP_ANONYMOUS$" -u "$EAP_USERNAME$" -p '$EAP_PASSWORD$' -s eduroam -e "$EAP_METHOD$" -2 "$EAP_PHASE2$" -m WPA-EAP -i "0/0 https://monitor.eduroam.ac.aq/" -O "eduroam.ac.aq" -I 172.25.9.3 -M 22:44:66:00:41:51 -C -V -t 8
info [ flr-1_$REALM$::post_warning ] = [check monitoring account's username, password, and expiry date]
info [ flr-2_$REALM$::post_warning ] = [check monitoring account's username, password, and expiry date]
info [ flr-1_$REALM$::post_critical ] = [check your RADIUS server(s), firewall config, and/or the RADIUS secret you have for antarctica-flr-1]
info [ flr-2_$REALM$::post_critical ] = [check your RADIUS server(s), firewall config, and/or the RADIUS secret you have for antarctica-flr-2]
command [ Certificate ] = $USER2$/rad_eap_test -H antarctica-flr-1.eduroam.ac.aq -P 1812 -S $USER101$ -A "$EAP_ANONYMOUS$" -u "$EAP_USERNAME$" -p '$EAP_PASSWORD$' -s eduroam -e "$EAP_METHOD$" -2 "$EAP_PHASE2$" -m WPA-EAP -i "0/0 https://monitor.eduroam.ac.aq/" -O "eduroam.ac.aq" -I 172.20.1.2 -M 22:44:66:00:41:51 -b -X 10 -t 8
eval [ DYNAMIC_CHECK ] = if ($FLAGS$ & 1) { \
return 'check_dummy 0 "Dynamic checks disabled for $REALM$"'; \
} else { \
return '$USER2$/check_eduroam_radsec -H $REALM$ --dns-udp-timeout 7 -D -N OK -R _radsec._tcp.eduroam.ac.aq -T antarctica-flr-1.eduroam.ac.aq -T antarctica-flr-2.eduroam.ac.aq -p 2083 -S' ; \
}
command [ Dynamic ] = $DYNAMIC_CHECK$
info [ Dynamic::post_critical ] = [see https://eduroam.ac.aq/faq/configuration/#naptr for the correct format of NAPTR records]
info [ Dynamic::post_unknown ] = [There may be a problem with your DNS server]
It is sometimes necessary to override the incoming credentials from DjNRO, for example when an IdP mandates a specific outer identity. This can be done in the config file as follows:
---
credentialOverride:
eduroam.ac.aq:
anonymous: [email protected]
method: PEAP
pass: password
phase2: MSCHAPV2
username: [email protected]
flags: 2
The flags entry (passed to check_multi as
It may be desirable to separate service-affecting problems from best-practice type problems. For example, it is a good idea to check whether a certificate is going to expire, but until it expires it is not service affecting. Thus the config option generateExtraService will generate a second set of services, service escalations, and service dependencies for each realm. These use the same inheritance described above, but have their config sections suffixed -extra. So a minimal set of additional templates would be:
define service {
name djnro-generated-realm-extra
use djnro-generated-realm
check_command check_multi!idp_realm_extra!-s EAP_METHOD="$_SERVICEEAP_METHOD$" -s EAP_PHASE2="$_SERVICEEAP_PHASE2$" -s EAP_ANONYMOUS="$_SERVICEEAP_ANONYMOUS$" -s EAP_USERNAME="$_SERVICEEAP_USERNAME$" -s EAP_PASSWORD='$_SERVICEEAP_PASSWORD$' -s REALM="$_SERVICEREALM$" -s FLAGS="$_SERVICEFLAGS$"
register 0
}
define serviceescalation {
name djnro-generated-serviceescalation-extra
use djnro-generated-serviceescalation
register 0
}
define servicedependency {
name djnro-generated-servicedependency-extra
use djnro-generated-servicedependency
hostgroup_name eduroam NRO
dependent_host_name eduroam NRO
register 0
}
Some contacts may not wish to receive notifications, and so it is possible to disable those contacts in the config file:
---
disableContacts:
- [email protected]
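As an added illustration of how the templates, the credentialOverride section and the disableContacts section above fit together, here is example Python that turns DjNRO-style monitoring records into the Nagios service and contact objects the djnro-generated-* templates expect. It is not update-djnro-realms.pl and does not reproduce its logic; the record field names, the use of the e-mail address as contact_name, and the way a disabled contact is expressed are assumptions made for the example. Because the template puts $_SERVICEEAP_PASSWORD$ inside single quotes (and the other values inside double quotes) on a shell command line, the example refuses credential values containing quotes, shell metacharacters or whitespace instead of writing them into the config.

```python
"""Added illustration (not update-djnro-realms.pl): DjNRO-style records to
Nagios objects inheriting from the djnro-generated-* templates."""
import re

# The djnro-generated-realm template interpolates $_SERVICEEAP_PASSWORD$ in
# single quotes and the other values in double quotes on a shell command line,
# so a value containing a quote, $, backtick, backslash or whitespace would
# corrupt (or rewrite) the check_multi invocation.  Refuse to emit such values.
UNSAFE = re.compile(r"""['"$`\\\s]""")

CRED_KEYS = ("method", "phase2", "anonymous", "username", "pass", "flags")

# Constructed sample input standing in for rows joined from the
# edumanage_* tables; field names are assumptions for this example.
RECORDS = [
    {"realm": "example.ac.aq", "institution": "Example University",
     "method": "TTLS", "phase2": "PAP",
     "anonymous": "anonymous@example.ac.aq",
     "username": "monitor@example.ac.aq", "pass": "s3cret-pw", "flags": 0,
     "contacts": ["noc@example.ac.aq", "optout@example.ac.aq"]},
    {"realm": "eduroam.ac.aq", "institution": "Home Organisation",
     "method": "TTLS", "phase2": "PAP",
     "anonymous": "anonymous@eduroam.ac.aq",
     "username": "monitor@eduroam.ac.aq", "pass": "db-value", "flags": 0,
     "contacts": ["noc@eduroam.ac.aq"]},
]

# The parsed form of YAML fragments like those shown above (constructed).
CONFIG = {
    "generateExtraService": True,
    "credentialOverride": {
        "eduroam.ac.aq": {"anonymous": "anonymous@eduroam.ac.aq",
                          "method": "PEAP", "pass": "password",
                          "phase2": "MSCHAPV2",
                          "username": "monitor@eduroam.ac.aq", "flags": 2},
    },
    "disableContacts": ["optout@example.ac.aq"],
}


def effective_credentials(record, config):
    """Database credentials with any credentialOverride for the realm applied."""
    creds = {k: record[k] for k in CRED_KEYS}
    creds.update(config.get("credentialOverride", {}).get(record["realm"], {}))
    for key, value in creds.items():
        if key != "flags" and UNSAFE.search(str(value)):
            raise ValueError(f"{record['realm']}: {key} contains a quote, shell "
                             "metacharacter or whitespace; refusing to emit it")
    return creds


def contact_name(email):
    """Nagios contact_name for a DjNRO contact (assumption: the address itself)."""
    return email


def render_service(record, config, extra=False):
    """One service inheriting djnro-generated-realm (or -extra).  The _EAP_*
    custom variables are what the template's check_command reads back as
    $_SERVICEEAP_*$; _FLAGS bit 1 disables the Dynamic check in idp_realm."""
    creds = effective_credentials(record, config)
    suffix = "-extra" if extra else ""
    lines = [
        "define service {",
        f"    use                 djnro-generated-realm{suffix}",
        f"    service_description {record['realm']}{suffix}",
        f"    contacts            {','.join(contact_name(c) for c in record['contacts'])}",
        f"    _REALM              {record['realm']}",
        f"    _EAP_METHOD         {creds['method']}",
        f"    _EAP_PHASE2         {creds['phase2']}",
        f"    _EAP_ANONYMOUS      {creds['anonymous']}",
        f"    _EAP_USERNAME       {creds['username']}",
        f"    _EAP_PASSWORD       {creds['pass']}",
        f"    _FLAGS              {creds['flags']}",
        f"    _INSTITUTION        {record['institution']}",
        "}",
    ]
    return "\n".join(lines)


def render_contact(email, config):
    """One contact inheriting djnro-generated-contact.  An address listed under
    disableContacts keeps its object but has service notifications turned off
    (assumption: this is how the example expresses 'disabled')."""
    lines = ["define contact {",
             "    use                           djnro-generated-contact",
             f"    contact_name                  {contact_name(email)}",
             f"    email                         {email}"]
    if email in config.get("disableContacts", []):
        lines.append("    service_notifications_enabled 0")
    lines.append("}")
    return "\n".join(lines)


def generate(records, config):
    """Whole fragment: each contact once, one service per realm, and the -extra
    service as well when generateExtraService is set."""
    out, seen = [], set()
    for rec in records:
        for addr in rec["contacts"]:
            if addr not in seen:
                seen.add(addr)
                out.append(render_contact(addr, config))
        out.append(render_service(rec, config))
        if config.get("generateExtraService"):
            out.append(render_service(rec, config, extra=True))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(generate(RECORDS, CONFIG))
```

Note that the `_EAP_PASSWORD` values written this way end up in Nagios' object cache and status files as well as in the generated config, so those files need the same access restrictions as the djnro-realms.cfg that holds the database password.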
This mechanism is used automatically by the notification-optout.cgi script.