This guide contains instructions for enabling LDAP authentication in Zenoss Core 4.2+ on a relatively clean install of CentOS 6 (64-bit).<\/p>\n
It’s recommended that you backup your Zenoss configuration, either through a VM snapshot (if that’s an option) or via the backup tool (Advanced -> Backups). You may also want to back up your acl_users settings as follows:<\/p>\n
admin<\/code>.<\/li>\n- Click
acl_users<\/code> in the tree view on the left side of the page.<\/li>\n- Click
Import\/Export<\/code>.<\/li>\n- Leave “Export object id” blank, select dumpfile location, then click
Export<\/code>.<\/li>\n<\/ol>\nInstall Required Auth Plugins<\/h3>\n
Download LDAPMultiPlugins<\/a>, LDAPUserFolder<\/a>, and python-ldap<\/a>. The versions used as of time of writing this guide are as follows:<\/p>\n\n- LDAPMultiPlugins 1.14<\/li>\n
- LDAPUserFolder 2.24<\/li>\n
- python-ldap 2.4.10<\/li>\n<\/ul>\n
Copy the downloaded tarballs to the Zenoss server.<\/p>\n
Next, install the prerequisite packages.<\/p>\n
# yum install gcc python-devel openssl-devel openldap-devel<\/pre>\nThen, use easy_install<\/code> to install the three packages you downloaded above. (Note<\/strong>: You must use the easy_install<\/code> tool if you installed Zenoss using the autodeploy script.)<\/p>\n# su - zenoss\r\nzenoss@zenprod:~$ su\r\nPassword:\r\n# cd ~\/build\r\n# easy_install Products.LDAPMultiPlugins-1.14.tar.gz\r\n...\r\n# easy_install Products.LDAPUserFolder-2.24.tar.gz\r\n...\r\n# easy_install python-ldap-2.4.10.tar.gz\r\n...<\/pre>\nRestart Zope.<\/p>\n
zenoss@zenprod:~$ zopectl restart<\/pre>\nConfigure the LDAP Multi Plugin<\/h3>\n\n- Go to https:\/\/YOUR_ZENOSS_SERVER\/zport\/manage<\/a> and log in as
admin<\/code>.<\/li>\n- Click
acl_users<\/code> in the tree view on the left side of the page.<\/li>\n- Select
LDAP Multi Plugin<\/code> from the dropdown list and click Add<\/code>.<\/li>\n- Configure the plugin. (Note: your configuration may vary depending on what you want to do, i.e. if you will be assigning roles based on LDAP groups or not.)<\/li>\n<\/ol>\n
ID:<\/strong> <enter an ID>
\nTitle:<\/strong> <enter a title>
\nLDAP Server:<\/strong> YOUR_LDAP_SERVER
\ncheck Use SSL<\/strong> if necessary
\ncheck Read-only<\/strong>
\nLogin Name Attribute, User ID Attribute, RDN Attribute:<\/strong> UID (uid)
\nUsers Base DN:<\/strong> YOUR_BASE_DN
\nselect Groups not stored on LDAP server<\/strong>
\nGroups Base DN:<\/strong> <blank>
\nManager DN:<\/strong> <blank>
\nUser password encryption:<\/strong> SHA
\nDefault User Roles:<\/strong> <blank><\/p>\n\n- Click
acl_users<\/code> then click the LDAP config you just created from the list.<\/li>\n- Check the boxes next to “Authentication”, “User_Enumeration”, and “Role_Enumeration”.<\/li>\n<\/ol>\n
At this point, you should be able to log in to Zenoss using credentials from LDAP.<\/p>\n
Configure Authorization<\/h3>\n
To configure Zenoss role mappings from LDAP groups, please see this post: http:\/\/community.zenoss.org\/message\/30124#30124<\/a><\/p>\nRestricting Zenoss access to a subset of specific users<\/h2>\n\n- Go to https:\/\/YOUR_ZENOSS_SERVER\/zport\/manage<\/a> and log in as
admin<\/code>.<\/li>\n- Click
acl_users<\/code> in the tree view on the left side of the page.<\/li>\n- Click
roleManager<\/code>.<\/li>\n- Click
Add a Role<\/code> and enter “ZenNone” for the ID, then save.<\/li>\n- Click
acl_users<\/code> in the tree view on the left side of the page.<\/li>\n- Click your LDAP config.<\/li>\n
- Select the
Contents<\/code> tab.<\/li>\n- Click
acl_users<\/code> in the list.<\/li>\n- Change Default User Roles<\/strong> to “ZenNone” and apply changes.<\/li>\n
- Click
acl_users<\/code> in the tree view on the left side of the page.<\/li>\n- Click
roleManager<\/code>.<\/li>\n- Select the
Security<\/code> tab.<\/li>\n- Check all the checkboxes under Manager, Owner, and ZenManager. (IMPORTANT!<\/strong> If you do not do this step, you will lock your admin account out of the system!)<\/li>\n
- Uncheck all the checkboxes under Acquire permission settings?<\/strong><\/li>\n
- Check the checkboxes for “Access contents information” and “View” under ZenUser<\/strong>.<\/li>\n
- Click
Save Changes<\/code>.<\/li>\n<\/ol>\nWhen finished, users who are in LDAP are given restricted access (via the ZenNone role) by default, unless they have been granted a different Zenoss role. You can edit Zenoss role assignments via Zope manager -> acl_users -> roleManager<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"This guide contains instructions for enabling LDAP authentication in Zenoss Core 4.2+ on a relatively clean install of CentOS 6 (64-bit). Assumptions you are running CentOS 6 you have installed Zenoss Core 4.2+ using the autodeploy script Before You Begin It’s recommended that you backup your Zenoss configuration, either through a VM snapshot (if that’s… Continue reading