This guide contains instructions for enabling LDAP authentication in Zenoss Core 4.2+ on a relatively clean install of CentOS 6 (64-bit).
Assumptions
- you are running CentOS 6
- you have installed Zenoss Core 4.2+ using the autodeploy script
Before You Begin
It’s recommended that you back up your Zenoss configuration, either through a VM snapshot (if that’s an option) or via the backup tool (Advanced -> Backups). You may also want to back up your acl_users settings as follows:
- Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
- Click acl_users in the tree view on the left side of the page.
- Click Import/Export.
- Leave “Export object id” blank, select the dumpfile location, then click Export.
Install Required Auth Plugins
Download LDAPMultiPlugins, LDAPUserFolder, and python-ldap. The versions used as of the time of writing this guide are as follows:
- LDAPMultiPlugins 1.14
- LDAPUserFolder 2.24
- python-ldap 2.4.10
Copy the downloaded tarballs to the Zenoss server.
Next, install the prerequisite packages.
# yum install gcc python-devel openssl-devel openldap-devel
Then, use easy_install to install the three packages you downloaded above. (Note: You must use the easy_install tool if you installed Zenoss using the autodeploy script.)
# su - zenoss
zenoss@zenprod:~$ su
Password:
# cd ~/build
# easy_install Products.LDAPMultiPlugins-1.14.tar.gz
...
# easy_install Products.LDAPUserFolder-2.24.tar.gz
...
# easy_install python-ldap-2.4.10.tar.gz
...
Restart Zope.
zenoss@zenprod:~$ zopectl restart
Configure the LDAP Multi Plugin
- Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
- Click acl_users in the tree view on the left side of the page.
- Select LDAP Multi Plugin from the dropdown list and click Add.
- Configure the plugin. (Note: your configuration may vary depending on what you want to do, e.g. whether or not you will be assigning roles based on LDAP groups.)
ID: <enter an ID>
Title: <enter a title>
LDAP Server: YOUR_LDAP_SERVER
check Use SSL if necessary
check Read-only
Login Name Attribute, User ID Attribute, RDN Attribute: UID (uid)
Users Base DN: YOUR_BASE_DN
select Groups not stored on LDAP server
Groups Base DN: <blank>
Manager DN: <blank>
User password encryption: SHA
Default User Roles: <blank>
- Click acl_users, then click the LDAP config you just created in the list.
- Check the boxes next to “Authentication”, “User_Enumeration”, and “Role_Enumeration”.
At this point, you should be able to log in to Zenoss using credentials from LDAP.
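If the login does not work, the following script, added here and not part of the original guide, exercises the same settings you just entered (LDAP Server, Use SSL, Users Base DN, uid as the login attribute, anonymous read-only bind because Manager DN is blank) from the Zenoss server's own Python, so connectivity, TLS and the base DN can be checked outside Zope. YOUR_LDAP_SERVER and YOUR_BASE_DN are the same placeholders as above; the test user name is an assumption.

```python
# Added pre-flight check for the LDAP Multi Plugin settings (not from the
# original guide). Run it as the zenoss user so that the python-ldap package
# installed with easy_install above is on the path.
from __future__ import print_function
import getpass
import sys


def build_ldap_url(server, use_ssl):
    """URL for the 'LDAP Server' field: ldaps:// when 'Use SSL' is checked."""
    return ("ldaps://" if use_ssl else "ldap://") + server


def escape_filter_value(value):
    """RFC 4515 escaping so a typed login name cannot change the search filter
    (equivalent to python-ldap's ldap.filter.escape_filter_chars)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def user_filter(login, uid_attr="uid"):
    """Search filter the plugin issues for the Login Name Attribute (uid)."""
    return "(%s=%s)" % (uid_attr, escape_filter_value(login))


def check_ldap_user(server, base_dn, login, password, use_ssl=True):
    """Anonymous read-only search (Manager DN left blank), then a bind as the
    single entry found. Returns that entry's DN; raises on any failure."""
    import ldap  # python-ldap, installed with easy_install above
    if use_ssl:  # refuse a server certificate that cannot be verified
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn = ldap.initialize(build_ldap_url(server, use_ssl))
    conn.simple_bind_s("", "")
    hits = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, user_filter(login), ["uid"])
    hits = [h for h in hits if h[0] is not None]  # drop referral entries
    if len(hits) != 1:
        raise RuntimeError("expected exactly 1 entry for %s under %s, got %d"
                           % (login, base_dn, len(hits)))
    user_dn = hits[0][0]
    conn.simple_bind_s(user_dn, password)  # wrong password raises INVALID_CREDENTIALS
    return user_dn


if __name__ == "__main__":
    # usage: python ldap_check.py YOUR_LDAP_SERVER YOUR_BASE_DN <test user>
    srv, base, who = sys.argv[1:4]
    print("OK, bound as", check_ldap_user(srv, base, who, getpass.getpass()))
```

A search that returns zero entries means the Users Base DN or the uid attribute is wrong, while more than one entry means the plugin will not be able to map the login name to a single user.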
Configure Authorization
To configure Zenoss role mappings from LDAP groups, please see this post: http://community.zenoss.org/message/30124#30124
Restricting Zenoss access to a subset of specific users
- Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
- Click acl_users in the tree view on the left side of the page.
- Click roleManager.
- Click Add a Role, enter “ZenNone” for the ID, then save.
- Click acl_users in the tree view on the left side of the page.
- Click your LDAP config.
- Select the Contents tab.
- Click acl_users in the list.
- Change Default User Roles to “ZenNone” and apply the changes.
- Click acl_users in the tree view on the left side of the page.
- Click roleManager.
- Select the Security tab.
- Check all the checkboxes under Manager, Owner, and ZenManager. (IMPORTANT! If you do not do this step, you will lock your admin account out of the system!)
- Uncheck all the checkboxes under “Acquire permission settings?”.
- Check the checkboxes for “Access contents information” and “View” under ZenUser.
- Click Save Changes.
When finished, users who are in LDAP are given restricted access (via the ZenNone role) by default, unless they have been granted a different Zenoss role. You can edit Zenoss role assignments via Zope manager -> acl_users -> roleManager.