Click here for more Zenoss Tips and Tricks.
Zenoss is built using Zope. Zope contains plugins for all aspects of authentication and authorization. We will install two plugins (LDAPUserFolder and LDAPMultiPlugins) which will enable this functionality and then we will configure the Zenoss Zope instance to use these plugins.
Note that this HowTo does not touch upon storing Zenoss data in an LDAP server (that requires some Zenoss hacking). The purpose of this HowTo is to address authentication and authorization (via roles) only.
Further note that this HowTo assumes that you are using RHEL/CentOS 5 or greater and that you have installed Zenoss via the available RPMs.
Before we get started, it will help to get a little theory out of the way. What is authentication? What is authorization? How are the different?
- Authentication is the process that identifies the user and verifies this identity.
- Authorization is the process which takes the identity and determines what a user has permission to do
For the default Zenoss setup, authorization is handled by Roles.
In this tutorial we will first discuss how to setup authentication against LDAP and then you can optionally map certain users in your LDAP server to particular Roles in Zenoss. This allows some of your LDAP users to have different privileges than others.
Before making any changes, we will back up our current zope database (as root):
# service zenoss stop # cp /opt/zenoss/var/Data.fs /opt/zenoss/var/Data.fs.bak # service zenoss start
As root perform the following:
# yum install python-ldap # wget http://www.dataflake.org/software/ldapuserfolder/ldapuserfolder_2.9-beta/LDAPUserFolder-2.9-beta.tgz/download # wget http://www.dataflake.org/software/ldapmultiplugins/ldapmultiplugins_1.5/LDAPMultiPlugins-1.5.tgz/download # tar xvzf LDAPUserFolder-2.9-beta.tgz -C /opt/zenoss/lib/python/Products/ # tar xvzf LDAPMultiPlugins-1.5.tgz -C /opt/zenoss/lib/python/Products/ # service zenoss restart
Everything should be installed at this point, so we just need to configure it. We will do this in several steps:
Login to http://zenoss_srv:8080/zport/manage as an administrator. Here you will notice two frames (called “left frame” and “right frame” from here on). First, click “acl_users” in the left frame. This will load acl_users into the right frame. In the right frame, choose “Import/Export” and follow the instructions to perform an export. This will backup your current authentication/authorization scheme.
After exporting acl_users, you will be back at the acl_users object. In the upper right corner, next to “Add”, select one of the Multi Plugins. If you are using ActiveDirectory, choose “ActiveDirectory Multi Plugin”. Otherwise, choose “LDAP Multi Plugin”.
This will open up the first configuration screen we will look at. If you are using ActiveDirectory, fill in the values like this:
ID: ActiveDirectory Title: ActiveDirectory Authentication LDAP Server: dc.domain.local (or just domain.local to use AD's round-robin DNS) Use SSL: yes (or no if your setup doesn't support SSL) Read-only: yes Login Name Attribute: sAMAccountName User ID Attribute: sAMAccountName RDN Attribute: sAMAccountName Users Base DN: OU=Users,DC=domain,DC=local User password encryption: SHA Manager DN: Password: User password encryption: SHA
Otherwise, do this for a normal LDAP setup:
ID: LDAP Title: LDAP Authentication LDAP Server[:port]: ldap.domain.local Use SSL: yes (or no if your setup doesn't support SSL) Read-only: yes Login Name Attribute: uid User ID Attribute: uid RDN Attribute: uid Users Base DN: OU=People,DC=domain,DC=local Manager DN: Password: User password encryption: SHA
Now you have two choices to make. The first one is this: What role(s) should ALL LDAP/ActiveDirectory users have? This takes a bit of knowledge about Zenoss. However there are three common scenarios:
- LDAP users should have no privileges, unless explicitly granted otherwise:
Default User Roles:
- LDAP users should have read-only permission, unless explicitly granted otherwise:
Default User Roles: ZenUser
- LDAP users should have full permissions:
Default User Roles: Manager
The second choice you need to make is this: will you be using LDAP/ActiveDirectory to indicate what Roles a user has? If so, also set the following:
Group storage: Groups stored on LDAP server Groups Base DN: OU=Groups,DC=domain,DC=local
Otherwise, do this:
Group storage: Groups not stored on LDAP server Groups Base DN:
Finally, click Add. You will be taken back to the acl_users screen. We will now enable this plugin. Click on the plugin instance (named “LDAP” or “ActiveDirectory”) and check Authentication and User_Enumeration, then click “Update”.
If you didn’t enable Groups stored in the LDAP server above, you are done!
If you enabled Groups stored on LDAP server above, first, enable Roles on this screen. Next, we will setup our Group/Role mappings. Click on the “Contents” tab at the top of the right frame. Select “acl_users” in the right frame. Make sure that “Group mapping” says “Manually map LDAP groups to Zope roles” (apply changes if necessary). Then, click on the “Groups” tab at the top. It should now list all the groups from your LDAP server. Go down to the section “LDAP group to Zope role mappings”. This is where you add the configuration that says “If a user is in a certain group, add them to this role.” I can’t give more details here, because this is custom to your setup. Once you’ve done this, you should be done!