This guide contains instructions for enabling LDAP authentication in Zenoss Core 4.2+ on a relatively clean install of CentOS 6 (64-bit).

Assumptions

  • you are running CentOS 6
  • you have installed Zenoss Core 4.2+ using the autodeploy script

Before You Begin

It’s recommended that you back up your Zenoss configuration, either through a VM snapshot (if that’s an option) or via the backup tool (Advanced -> Backups). You may also want to back up your acl_users settings as follows:

  1. Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
  2. Click acl_users in the tree view on the left side of the page.
  3. Click Import/Export.
  4. Leave “Export object id” blank, select dumpfile location, then click Export.

Install Required Auth Plugins

Download LDAPMultiPlugins, LDAPUserFolder, and python-ldap. The versions used at the time of writing are as follows:

  • LDAPMultiPlugins 1.14
  • LDAPUserFolder 2.24
  • python-ldap 2.4.10

Copy the downloaded tarballs to the Zenoss server.

Next, install the prerequisite packages.

# yum install gcc python-devel openssl-devel openldap-devel

Then, use easy_install to install the three packages you downloaded above. (Note: You must use the easy_install tool if you installed Zenoss using the autodeploy script.)

# su - zenoss
zenoss@zenprod:~$ su
Password:
# cd ~/build
# easy_install Products.LDAPMultiPlugins-1.14.tar.gz
...
# easy_install Products.LDAPUserFolder-2.24.tar.gz
...
# easy_install python-ldap-2.4.10.tar.gz
...

Restart Zope.

zenoss@zenprod:~$ zopectl restart

Configure the LDAP Multi Plugin

  1. Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
  2. Click acl_users in the tree view on the left side of the page.
  3. Select LDAP Multi Plugin from the dropdown list and click Add.
  4. Configure the plugin. (Note: your configuration may vary depending on what you want to do, for example whether or not you will be assigning roles based on LDAP groups.)

ID: <enter an ID>
Title: <enter a title>
LDAP Server: YOUR_LDAP_SERVER
check Use SSL if necessary
check Read-only
Login Name Attribute, User ID Attribute, RDN Attribute: UID (uid)
Users Base DN: YOUR_BASE_DN
select Groups not stored on LDAP server
Groups Base DN: <blank>
Manager DN: <blank>
User password encryption: SHA
Default User Roles: <blank>

  5. Click acl_users, then click the LDAP config you just created from the list.
  6. Check the boxes next to “Authentication”, “User_Enumeration”, and “Role_Enumeration”.

At this point, you should be able to log in to Zenoss using credentials from LDAP.
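
If that login fails, it helps to test the same settings outside Zope. The script below is an added example, not part of the original guide or of Zenoss: it uses the python-ldap package installed earlier to look a user up anonymously under the Users Base DN and then bind as that user. It assumes the standard ports (636 with SSL, 389 without); the constants are placeholders for the values entered in the plugin form, and ldap_uri, user_filter and check_login are names chosen here.

```python
"""Pre-flight check for the LDAP Multi Plugin settings (added example)."""
from __future__ import print_function
import getpass
import sys

# Placeholders: substitute the values entered in the plugin form.
LDAP_SERVER = "YOUR_LDAP_SERVER"
USERS_BASE_DN = "YOUR_BASE_DN"
USE_SSL = True        # matches the "Use SSL" checkbox
LOGIN_ATTR = "uid"    # Login Name Attribute from the form

def ldap_uri(server, use_ssl):
    """Build the URI for python-ldap (assumes standard ports 636 / 389)."""
    return "%s://%s:%d" % (("ldaps", server, 636) if use_ssl else ("ldap", server, 389))

def user_filter(login, attr=LOGIN_ATTR):
    """Return (attr=login) with RFC 4515 special characters escaped."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in login)
    return "(%s=%s)" % (attr, escaped)

def check_login(login, password):
    """Search anonymously for the user, then bind as that user's DN."""
    import ldap  # python-ldap, installed above
    conn = ldap.initialize(ldap_uri(LDAP_SERVER, USE_SSL))
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
    try:
        conn.simple_bind_s()  # Manager DN is blank, so bind anonymously
        hits = conn.search_s(USERS_BASE_DN, ldap.SCOPE_SUBTREE, user_filter(login), ["cn"])
        hits = [h for h in hits if h[0]]  # drop referrals (their DN is None)
        if len(hits) != 1:
            return "expected 1 entry under %s, found %d" % (USERS_BASE_DN, len(hits))
        if not password:
            # A DN with an empty password is an unauthenticated bind, not a login.
            return "empty password refused"
        conn.simple_bind_s(hits[0][0], password)
        return "OK: bound as %s" % hits[0][0]
    except ldap.INVALID_CREDENTIALS:
        return "user found, but the password was rejected"
    except ldap.SERVER_DOWN:
        return "cannot connect to %s (network or TLS failure)" % ldap_uri(LDAP_SERVER, USE_SSL)
    finally:
        conn.unbind_s()

if __name__ == "__main__":
    who = sys.argv[1]
    print(check_login(who, getpass.getpass("LDAP password for %s: " % who)))
```

Run it as the zenoss user with a login name as the only argument, so that it uses the same Python environment the packages were installed into.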

Configure Authorization

To configure Zenoss role mappings from LDAP groups, please see this post: http://community.zenoss.org/message/30124#30124

Restricting Zenoss access to a subset of specific users

  1. Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
  2. Click acl_users in the tree view on the left side of the page.
  3. Click roleManager.
  4. Click Add a Role and enter “ZenNone” for the ID, then save.
  5. Click acl_users in the tree view on the left side of the page.
  6. Click your LDAP config.
  7. Select the Contents tab.
  8. Click acl_users in the list.
  9. Change Default User Roles to “ZenNone” and apply changes.
  10. Click acl_users in the tree view on the left side of the page.
  11. Click roleManager.
  12. Select the Security tab.
  13. Check all the checkboxes under Manager, Owner, and ZenManager. (IMPORTANT! If you do not do this step, you will lock your admin account out of the system!)
  14. Uncheck all the checkboxes under Acquire permission settings?
  15. Check the checkboxes for “Access contents information” and “View” under ZenUser.
  16. Click Save Changes.

When finished, users who are in LDAP are given restricted access (via the ZenNone role) by default, unless they have been granted a different Zenoss role. You can edit Zenoss role assignments via Zope manager -> acl_users -> roleManager.