LDAP/ActiveDirectory Authorization/Authentication and Zenoss

Click here for more Zenoss Tips and Tricks.

Introduction

Zenoss is built using Zope.  Zope contains plugins for all aspects of authentication and authorization.  We will install two plugins (LDAPUserFolder and LDAPMultiPlugins) which will enable this functionality and then we will configure the Zenoss Zope instance to use these plugins.

Note that this HowTo does not touch upon storing Zenoss data in an LDAP server (that requires some Zenoss hacking). The purpose of this HowTo is to address authentication and authorization (via roles) only.

Further note that this HowTo assumes that you are using RHEL/CentOS 5 or greater and that you have installed Zenoss via the available RPMs.

Theory

Before we get started, it will help to get a little theory out of the way.  What is authentication?  What is authorization?  How are the different?

  • Authentication is the process that identifies the user and verifies this identity.
  • Authorization is the process which takes the identity and determines what a user has permission to do

For the default Zenoss setup, authorization is handled by Roles.

In this tutorial we will first discuss how to setup authentication against LDAP and then you can optionally map certain users in your LDAP server to particular Roles in Zenoss.  This allows some of your LDAP users to have different privileges than others.

Backup

Before making any changes, we will back up our current zope database (as root):

# service zenoss stop

# cp /opt/zenoss/var/Data.fs /opt/zenoss/var/Data.fs.bak

# service zenoss start

Installation

As root perform the following:

# yum install python-ldap

# wget http://www.dataflake.org/software/ldapuserfolder/ldapuserfolder_2.9-beta/LDAPUserFolder-2.9-beta.tgz/download

# wget http://www.dataflake.org/software/ldapmultiplugins/ldapmultiplugins_1.5/LDAPMultiPlugins-1.5.tgz/download

# tar xvzf LDAPUserFolder-2.9-beta.tgz -C /opt/zenoss/lib/python/Products/

# tar xvzf LDAPMultiPlugins-1.5.tgz -C /opt/zenoss/lib/python/Products/

# service zenoss restart

Configuration

Everything should be installed at this point, so we just need to configure it.  We will do this in several steps:

Login to http://zenoss_srv:8080/zport/manage as an administrator.  Here you will notice two frames (called “left frame” and “right frame” from here on). First, click “acl_users” in the left frame. This will load acl_users into the right frame.  In the right frame, choose “Import/Export” and follow the instructions to perform an export.  This will backup your current authentication/authorization scheme.

After exporting acl_users, you will be back at the acl_users object.  In the upper right corner, next to “Add”, select one of the Multi Plugins.  If you are using ActiveDirectory, choose “ActiveDirectory Multi Plugin”.  Otherwise, choose “LDAP Multi Plugin”.

This will open up the first configuration screen we will look at.  If you are using ActiveDirectory, fill in the values like this:

ID: ActiveDirectory

Title: ActiveDirectory Authentication

LDAP Server: dc.domain.local (or just domain.local to use AD's round-robin DNS)

Use SSL: yes (or no if your setup doesn't support SSL)

Read-only: yes

Login Name Attribute: sAMAccountName

User ID Attribute: sAMAccountName

RDN Attribute: sAMAccountName

Users Base DN: OU=Users,DC=domain,DC=local

User password encryption: SHA

Manager DN:

Password:

User password encryption: SHA

Otherwise, do this for a normal LDAP setup:

ID: LDAP

Title: LDAP Authentication

LDAP Server[:port]: ldap.domain.local

Use SSL: yes (or no if your setup doesn't support SSL)

Read-only: yes

Login Name Attribute: uid

User ID Attribute: uid

RDN Attribute: uid

Users Base DN: OU=People,DC=domain,DC=local

Manager DN:

Password:

User password encryption: SHA

Now you have two choices to make.  The first one is this: What role(s) should ALL LDAP/ActiveDirectory users have?  This takes a bit of knowledge about Zenoss.  However there are three common scenarios:

  • LDAP users should have no privileges, unless explicitly granted otherwise:
Default User Roles:
  • LDAP users should have read-only permission, unless explicitly granted otherwise:
Default User Roles: ZenUser
  • LDAP users should have full permissions:
Default User Roles: Manager

The second choice you need to make is this: will you be using LDAP/ActiveDirectory to indicate what Roles a user has?  If so, also set the following:

Group storage: Groups stored on LDAP server

Groups Base DN: OU=Groups,DC=domain,DC=local

Otherwise, do this:

Group storage: Groups not stored on LDAP server

Groups Base DN:

Finally, click Add.  You will be taken back to the acl_users screen.  We will now enable this plugin.  Click on the plugin instance (named “LDAP” or “ActiveDirectory”) and check Authentication and User_Enumeration, then click “Update”.

If you didn’t enable Groups stored in the LDAP server above, you are done!

If you enabled Groups stored on LDAP server above, first, enable Roles on this screen.  Next, we will setup our Group/Role mappings.  Click on the “Contents” tab at the top of the right frame.  Select “acl_users” in the right frame.  Make sure that “Group mapping” says “Manually map LDAP groups to Zope roles” (apply changes if necessary).  Then, click on the “Groups” tab at the top.  It should now list all the groups from your LDAP server.  Go down to the section “LDAP group to Zope role mappings”.  This is where you add the configuration that says “If a user is in a certain group, add them to this role.”  I can’t give more details here, because this is custom to your setup.  Once you’ve done this, you should be done!

3 thoughts on “LDAP/ActiveDirectory Authorization/Authentication and Zenoss

Leave a Reply

Your email address will not be published. Required fields are marked *