Monthly Archives: March 2008

LDAP/ActiveDirectory Authorization/Authentication and Zenoss



Zenoss is built using Zope.  Zope contains plugins for all aspects of authentication and authorization.  We will install two plugins (LDAPUserFolder and LDAPMultiPlugins) which will enable this functionality and then we will configure the Zenoss Zope instance to use these plugins.

Note that this HowTo does not touch upon storing Zenoss data in an LDAP server (that requires some Zenoss hacking). The purpose of this HowTo is to address authentication and authorization (via roles) only.

Further note that this HowTo assumes that you are using RHEL/CentOS 5 or greater and that you have installed Zenoss via the available RPMs.


Before we get started, it will help to get a little theory out of the way.  What is authentication?  What is authorization?  How are they different?

  • Authentication is the process that identifies the user and verifies this identity.
  • Authorization is the process that takes the identity and determines what the user has permission to do.

For the default Zenoss setup, authorization is handled by Roles.

In this tutorial we will first discuss how to set up authentication against LDAP, and then you can optionally map certain users in your LDAP server to particular Roles in Zenoss.  This allows some of your LDAP users to have different privileges than others.


Before making any changes, we will back up our current Zope database (as root):

# service zenoss stop

# cp /opt/zenoss/var/Data.fs /opt/zenoss/var/Data.fs.bak

# service zenoss start


As root perform the following:

# yum install python-ldap

# wget

# wget

# tar xvzf LDAPUserFolder-2.9-beta.tgz -C /opt/zenoss/lib/python/Products/

# tar xvzf LDAPMultiPlugins-1.5.tgz -C /opt/zenoss/lib/python/Products/

# service zenoss restart


Everything should be installed at this point, so we just need to configure it.  We will do this in several steps:

Log in to http://zenoss_srv:8080/zport/manage as an administrator.  Here you will notice two frames (called “left frame” and “right frame” from here on). First, click “acl_users” in the left frame. This will load acl_users into the right frame.  In the right frame, choose “Import/Export” and follow the instructions to perform an export.  This will back up your current authentication/authorization scheme.

After exporting acl_users, you will be back at the acl_users object.  In the upper right corner, next to “Add”, select one of the Multi Plugins.  If you are using ActiveDirectory, choose “ActiveDirectory Multi Plugin”.  Otherwise, choose “LDAP Multi Plugin”.

This will open up the first configuration screen we will look at.  If you are using ActiveDirectory, fill in the values like this:

ID: ActiveDirectory

Title: ActiveDirectory Authentication

LDAP Server: dc.domain.local (or just domain.local to use AD's round-robin DNS)

Use SSL: yes (or no if your setup doesn't support SSL)

Read-only: yes

Login Name Attribute: sAMAccountName

User ID Attribute: sAMAccountName

RDN Attribute: sAMAccountName

Users Base DN: OU=Users,DC=domain,DC=local

User password encryption: SHA

Manager DN:


Otherwise, do this for a normal LDAP setup:


Title: LDAP Authentication

LDAP Server[:port]: ldap.domain.local

Use SSL: yes (or no if your setup doesn't support SSL)

Read-only: yes

Login Name Attribute: uid

User ID Attribute: uid

RDN Attribute: uid

Users Base DN: OU=People,DC=domain,DC=local

Manager DN:


User password encryption: SHA

Now you have two choices to make.  The first one is this: What role(s) should ALL LDAP/ActiveDirectory users have?  This takes a bit of knowledge about Zenoss.  However, there are three common scenarios:

  • LDAP users should have no privileges, unless explicitly granted otherwise:
    Default User Roles: (leave empty)
  • LDAP users should have read-only permission, unless explicitly granted otherwise:
    Default User Roles: ZenUser
  • LDAP users should have full permissions:
    Default User Roles: Manager

The second choice you need to make is this: will you be using LDAP/ActiveDirectory to indicate what Roles a user has?  If so, also set the following:

Group storage: Groups stored on LDAP server

Groups Base DN: OU=Groups,DC=domain,DC=local

Otherwise, do this:

Group storage: Groups not stored on LDAP server

Groups Base DN:

Finally, click Add.  You will be taken back to the acl_users screen.  We will now enable this plugin.  Click on the plugin instance (named “LDAP” or “ActiveDirectory”) and check Authentication and User_Enumeration, then click “Update”.

If you didn’t enable Groups stored in the LDAP server above, you are done!

If you enabled Groups stored on LDAP server above, first enable Roles on this screen.  Next, we will set up our Group/Role mappings.  Click on the “Contents” tab at the top of the right frame.  Select “acl_users” in the right frame.  Make sure that “Group mapping” says “Manually map LDAP groups to Zope roles” (apply changes if necessary).  Then, click on the “Groups” tab at the top.  It should now list all the groups from your LDAP server.  Go down to the section “LDAP group to Zope role mappings”.  This is where you add the configuration that says “If a user is in a certain group, add them to this role.”  I can’t give more details here, because this is custom to your setup.  Once you’ve done this, you should be done!
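To see how the two choices above combine, here is an added example (not part of the original HowTo and not LDAPUserFolder's own code): a simplified model of which roles a directory user ends up with, given the "Default User Roles" setting, the "Groups Base DN" and the manual group-to-role mappings. The group names, the sample users and the assumption that mappings are keyed by group CN are hypothetical.

```python
import re

def split_dn(dn):
    """Split a DN into normalised RDNs (lower-cased, whitespace trimmed)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def is_under(dn, base_dn):
    """True when dn sits at or below base_dn in the directory tree."""
    parts, base = split_dn(dn), split_dn(base_dn)
    return len(parts) >= len(base) and parts[len(parts) - len(base):] == base

def effective_roles(member_of, default_roles, group_role_map, groups_base_dn=None):
    """Roles a directory user holds after logging in (simplified model).

    member_of      -- DNs of the groups the user belongs to
    default_roles  -- "Default User Roles": given to every LDAP user
    group_role_map -- {group CN: Zope role}, the manual mappings (assumed keyed by CN)
    groups_base_dn -- "Groups Base DN"; None models "Groups not stored on LDAP server"
    """
    roles = set(default_roles)
    if groups_base_dn is None:
        return roles
    wanted = {cn.lower(): role for cn, role in group_role_map.items()}
    for dn in member_of:
        if not is_under(dn, groups_base_dn):
            continue  # group lives outside the searched subtree, so it is ignored
        cn = split_dn(dn)[0].partition("=")[2]
        if cn in wanted:
            roles.add(wanted[cn])
    return roles

# Constructed sample data; the group names are hypothetical.
GROUPS_BASE = "OU=Groups,DC=domain,DC=local"
MAPPING = {"zenoss-admins": "Manager", "zenoss-viewers": "ZenUser"}
ALICE = ["CN=Zenoss-Admins,OU=Groups,DC=domain,DC=local"]
BOB = ["CN=Staff,OU=Groups,DC=domain,DC=local"]
CAROL = ["CN=zenoss-admins,OU=Temp,DC=domain,DC=local"]  # same CN, other subtree

if __name__ == "__main__":
    users = (("alice", ALICE), ("bob", BOB), ("carol", CAROL))
    for name, groups in users:
        for defaults in ([], ["ZenUser"], ["Manager"]):
            got = effective_roles(groups, defaults, MAPPING, GROUPS_BASE)
            print(name, defaults, sorted(got))
```

With "Default User Roles: Manager", every account that can authenticate against the directory is a Zenoss Manager regardless of the group mappings; with an empty default, only members of a mapped group under the Groups Base DN receive any role.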

Lent: East and West

My good friend Ben has some interesting observations about Lent in the Orthodox tradition and in the Catholic/Protestant traditions.  He describes the Eastern view of sin very well: it is a cancer that, once we let it into our person, devours us from the inside out.  However, I too have been thinking about Lent East and West a bit.  Here are my observations:

First, meatfare and cheesefare weeks are kind of like Mardi Gras, in the sense that we do enjoy things like meat and cheese more than normal as we prepare for Lent (at least I do).  However, there is a markedly different feel to this time of year.  Our scripture readings for this period are pretty heavy: the Publican and the Pharisee, the Prodigal Son, the Last Judgement and the Expulsion of Adam and Eve from the Garden.  They serve to, for four weeks, remind us that we are the pharisee, the prodigal, the goats and Adam.  There isn’t really anything to party about here.  All of this leads up to Forgiveness Vespers.  After we have focused on our “missing the mark” for four weeks, we admit that the path of healing begins with repentance.  Thus, each person repents to and begs for forgiveness from each other member of the parish.

Second, Lent in the Western context often focuses on what is being “given up.” The Orthodox tradition speaks much differently: we talk about what we get: healing, joy, prayer, mended relationships.  These are the byproducts of our fasting because we know the goal: Pascha!  One may ask, how do you get mended relationships from fasting?  Well, several ways.  First, our limited eating should focus also on saving money.  This money should then be spent for alms so that we can help the poor around us.  But more than just money, we should donate our time as well.  When we do these things, we begin to heal the dysfunctional social relationships that have created things like poverty and, hopefully, we make a new friend in the process.  Second, we are reminded that food is made for the body, not the body for food.  In realizing this, we begin to heal from our enslavement to our passions which drive us to sin.  What relationship is mended from this you ask?  Why our relationship to God!  Our passions are given to us to love God, yet we choose to love ourselves instead and fill ourselves to the brim as though God would not provide the next meal for us.  To restrain the passions is to free them so that they might find fulfillment in Him who is the source of all things.  This is why Lent is such a great joy (though a difficult joy to be sure)!