If you are reading this as an email, you'll probably want to go view it on the 
zenoss-users forum instead as I put in a bit of formatting that won't come 
through in the email.  The link should be at the bottom of this message.

Authenticating Zenoss Users Against Active Directory

Note: Some of this is taken from the Zenoss guide, "How to Authenticate via 
LDAP" found here:  
http://www.zenoss.com/community/docs/howtos/how-to-authenticate-via-ldap/.

        First and foremost:  ensure you have made a backup of your Zenoss 
installation, or at least the "acl_users (PAS)" object.  See below for details 
on exporting this.


        Ensure that the "python-ldap" module is installed

Code:

[EMAIL PROTECTED] ~]$ rpm -q python-ldap
python-ldap-2.2.0-2.1

        Switch to the zenoss user

Code:

[EMAIL PROTECTED] ~]$ sudo su - zenoss

        Download and install two Zope plugins for ldap authentication

Code:

[EMAIL PROTECTED] ~]$ wget http://www.dataflake.org/software/ldapuserfolder/ldapuserfolder_2.8/LDAPUserFolder-2.8.tgz
[EMAIL PROTECTED] ~]$ wget http://www.dataflake.org/software/ldapmultiplugins/ldapmultiplugins_1.5/LDAPMultiPlugins-1.5.tgz
[EMAIL PROTECTED] ~]$ tar xvfz LDAPMultiPlugins-1.5.tgz -C $ZENHOME/Products
[EMAIL PROTECTED] ~]$ tar xvfz LDAPUserFolder-2.8.tgz -C $ZENHOME/Products

        Restart Zenoss (just a Zope restart will do, but might as well restart 
all of it.)

Code:

[EMAIL PROTECTED] ~]$ service zenoss restart

        Go to http://zenoss_svr:8080/zport/manage and log in with the Zope 
admin user.


        In the right (main) pane, you will see the "acl_users (PAS)" object.  
It would probably be a good idea to export this.  Just click the checkbox to 
the right of it, click the "Import/Export" button and follow the prompts.


        Click on the "acl_users (PAS)" link.  After the pane loads, click the 
drop-down in the upper right next to "Add" and select "ActiveDirectory Multi 
Plugin".


        Change the defaults for the plugin to look like the table below.

Note: From the LDAPMultiPlugins README.txt file: On the contained 
LDAPUserFolder's "Configure" tab, choose a property other than "objectGUID", 
e.g. "sAMAccountName" for the User ID property.  This is why I use Canonical 
Name below.

 LDAP Server: dc.domain.local (or just domain.local to use AD's round-robin DNS)
 Login Name Attribute: Canonical Name
 User ID Attribute: Canonical Name
 RDN Attribute: Canonical Name
 Users Base DN: OU=Users,DC=domain,DC=local
 Groups Base DN: OU=Groups,DC=domain,DC=local
 Manager DN: CN=zenoss-user,OU=Users,DC=domain,DC=local

 Note:  The value of "Manager DN" is the user to use for ldap binds.  I 
sincerely hope no one is using the domain Administrator account for anything in 
Zenoss, but that you've created a utility account for Zenoss' use.

        Click on the plugin you just created, then click the Contents tab, then 
click on the contained "acl_users" folder.  Make sure everything matches the 
settings you typed in on the last step, and that the rest look like this:

 Group Storage: Groups not stored on LDAP server
 Group mapping: Manually map LDAP groups to Zope roles (The value of this field 
doesn't matter for us)
 Manager DN Usage: Always
 Read-Only: Checked

        To get AD to work properly a few properties of the ADMultiPlugin need 
to be changed.  After adding the plugin, click on the "acl_users" link in the 
left-hand navigation pane.  Then click your ADMultiPlugin on the right, and 
click the Properties tab at the top.  Modify the values like so:

 groupid_attr: cn
 grouptitle_attr: name
 group_class: top,group

        You should now be able to click on the "Users" tab of the "acl_users" 
folder within the AD Plugin and do a user lookup successfully.
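As an added pre-flight check (my example, not code from the post or from the LDAPMultiPlugins/LDAPUserFolder packages), the python-ldap script below does what the "Users" tab lookup does with the table values above: it binds as the Manager DN, looks up one login under the Users Base DN and enumerates groups under the Groups Base DN using groupid_attr, grouptitle_attr and group_class. It assumes that "Canonical Name" in the LDAPUserFolder UI is the cn attribute and a current python-ldap; the host, DNs and password are placeholders.

```python
# Pre-flight check of the AD settings from the table above, using python-ldap.
# Constructed placeholder values mirroring the post's table; replace with yours.
SETTINGS = {
    "uri": "ldap://dc.domain.local",
    "users_base": "OU=Users,DC=domain,DC=local",
    "groups_base": "OU=Groups,DC=domain,DC=local",
    "manager_dn": "CN=zenoss-user,OU=Users,DC=domain,DC=local",
    "login_attr": "cn",        # assumed: "Canonical Name" in the LDAPUserFolder UI is cn
    "groupid_attr": "cn",
    "grouptitle_attr": "name",
    "group_class": "top,group",
}

def escape(value):
    """RFC 4515 escaping so a typed login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(login_attr, login):
    """The lookup the plugin's 'Users' tab performs for one login name."""
    return "(%s=%s)" % (login_attr, escape(login))

def group_class_filter(group_class):
    """Turn the plugin's comma-separated group_class ('top,group') into a filter
    that requires every listed objectClass."""
    classes = [c.strip() for c in group_class.split(",") if c.strip()]
    clauses = "".join("(objectClass=%s)" % escape(c) for c in classes)
    return clauses if len(classes) == 1 else "(&%s)" % clauses

def run_check(settings, manager_pw, login):
    """Bind as the Manager DN, look up one user and list the groups, exactly
    as the plugin will.  Returns (user DNs, group DNs)."""
    import ldap  # python-ldap; imported here so the pure helpers above need no server
    conn = ldap.initialize(settings["uri"])
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD hands out referrals; do not chase them
    conn.simple_bind_s(settings["manager_dn"], manager_pw)
    users = conn.search_s(settings["users_base"], ldap.SCOPE_SUBTREE,
                          user_filter(settings["login_attr"], login),
                          [settings["login_attr"]])
    groups = conn.search_s(settings["groups_base"], ldap.SCOPE_SUBTREE,
                           group_class_filter(settings["group_class"]),
                           [settings["groupid_attr"], settings["grouptitle_attr"]])
    conn.unbind_s()
    # Referral entries come back with dn None; keep only real objects.
    return [dn for dn, _ in users if dn], [dn for dn, _ in groups if dn]
```

Call run_check(SETTINGS, manager_password, "somelogin"): a non-empty first list confirms the lookup the "Users" tab performs, and an empty second list usually means group_class or the Groups Base DN is wrong.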


        Click on the "acl_users" link on the left-hand navigation pane, click 
on your AD Plugin and then click on the "Authentication" link.  Ensure that 
your AD plugin is listed at the top of the list.


        Go back to the "Activate" tab of the AD plugin, and this time click on 
"User_Enumeration" and ensure that the AD plugin is listed at the top of that 
list as well.


        Add some users to the specific Roles you'd like them to have by going 
back to the top-level "acl_users" folder and clicking on the roleManager 
plugin.  By adding the AD plugin to the top of the list of user_enumeration 
plugins you can assign ldap users to the various groups.  You can also 
pre-create user accounts in Zenoss' users tab.


        At this point you should be able to log out of Zope and log back in to 
the Zenoss install using an ldap user.


Note: If an ldap user tries to log in to Zenoss and has not either been 
"pre-created" in Zenoss or in Zope with the correct roles, that user will still 
be able to log in but will not be able to see any information and will probably 
have to "authenticate" multiple times to no avail.  This means the user is not 
associated with any Zope roles and therefore has no rights to anything in 
Zenoss.


I have not found a way to get Zope to use AD/LDAP groups for the different Zope 
Roles although it is supposedly possible.  It just hasn't worked for me yet.

Like I said above, some of this was taken from the Zenoss guide on setting up 
LDAP auth.  The rest was taken from the various README.txt and INSTALL.txt 
files that come with the LDAPMultiPlugins and LDAPUserFolder plugins.  If 
anything in this documentation is vague, I would highly suggest reading those 
documents.  And if that doesn't help, I'd be more than willing to help you out.

I would also highly suggest setting up Zenoss to use SSL.  I wrote up another 
document on how I did that here:  
http://community.zenoss.com/forums/viewtopic.php?t=3928

Let me know if this is helpful, or where it needs to be explained more fully!

seth wright ([EMAIL PROTECTED])
windows engineer
540.568.2912 (office)
james madison university




Read this topic online here:
http://community.zenoss.com/forums/viewtopic.php?p=13168#13168

zenoss-users mailing list
http://lists.zenoss.org/mailman/listinfo/zenoss-users