Here is what I did to get Zenoss role mapping working on our Zenoss systems...
- Follow the first part of the guide at http://www.zenoss.com/community/docs/howtos/how-to-authenticate-via-ldap and get the plugins installed.
- Follow the second part of the guide to configure your LDAP server settings.
- Navigate to acl_users/LDAP on the left, and under the Activate tab make sure that all of the items are checked off (Authentication, Reset Credentials, Properties, Groups, Roles, etc.) and click "Update".
- Navigate to acl_users/LDAP/acl_users on the left in the Zope management interface, then click on the "Groups" tab.
- Make sure that "Group mapping (Applies to LDAP group storage only)" is set to "Manually map LDAP groups to Zope roles", as "Automatically map LDAP groups to Zope roles" does not seem to work (or at least I could never get it working).
- Navigate to the "Groups" tab under acl_users/LDAP/acl_users.
- From here, you need to add the LDAP groups which correspond to each role. For instance, our groups are ZenChange, ZenEngineering, ZenManagement, ZenAdministrators, etc.
- To add a group, go to the "Add LDAP group" section under the "Groups" tab and enter a group name. Keep the object class as "groupOfUniqueNames" and click the "Add" button. You should then see the group listed, and it should also be listed in your actual LDAP tree.
- You then need to scroll down to the "Add LDAP group to Zope role mapping" section, select one of the groups that you added, select a role to map to that LDAP group, then click "Add". For example, we have ZenEngineering assigned the "Manager" role and ZenUsers assigned the "ZenUser" role. Don't use the "ZenManager" role since it doesn't work properly; use the "Manager" role instead.

You'll then need to manually add users to those groups in LDAP. Since the Zope LDAP plugin only supports limited types of LDAP groups, you will need to add the users in a specific format. I personally use WEBMIN for this task.
I log in to the WEBMIN console, navigate to Servers/LDAP Server on the left, then select Browse Database. Select your Groups OU, and you should see your Zenoss groups listed there. Click on a group and you should see a property called "uniqueMember". To add someone to this group you need to add a new line with their username details. Click on the edit link next to the "uniqueMember" property. Here is an example from one of our servers (with fake usernames):

cn=admin,dc=novanoc,dc=com
uid=bbopshedrop,ou=Users,dc=mydomain,dc=com
uid=wewillrockyou,ou=Users,dc=mydomain,dc=com
uid=dancelikearebel,ou=Users,dc=mydomain,dc=com

Just specify each user on a separate line and click "Save". After you have done this, when any of these users logs in to Zenoss they will be granted the appropriate rights.

_______________________________________________________________________________________

Now, on to the next trick... (This is copied directly from our company Wiki, so forgive the formatting if it's a bit off.)

Premise

No one should be able to log in to a Zenoss server without explicit permission.

How we did it:

Create the ZenNone role
* Go to the "Manage" page - i.e. http://your-server.com:8080/zport/manage
* Click "acl_users"
* Click "Role Manager"
* Click Add a Role (beside Current Roles)
* Type "ZenNone" as the Role

Assign the Default LDAP Role to ZenNone
* Go to the "Manage" page - i.e. http://your-server.com:8080/zport/manage
* Expand "acl_users"
* Expand "LDAP"
* Click "acl_users" (under LDAP)
* Change the "Default User Roles" to "ZenNone" at the bottom of the page
* Click "Apply Changes"

Remove the "Acquire Permission Setting"
* Go to the "Manage" page - i.e. http://your-server.com:8080/zport/manage
* Click "acl_users"
* Click "roleManager"
* Click the Security tab at the top right
* Remove the "Acquire Permission Settings" from all the users
* Add all permissions to "Manager", "Owner", "ZenManager"
* Check off "Access contents information" and "View" for ZenUser
* Add ZenNone to the view at the bottom of the page where it says "User Defined Roles"
* Make sure that ZenNone has no permissions
* Save Changes

Note: If you accidentally click save after unchecking the "Acquire Permissions Settings" checkboxes, but before actually applying permissions to any of the roles, you will lose access to the roleManager object. You will need to log in to the Zope management interface using the standard Zenoss admin account. After you are logged in, connect to the management interface on a different Zenoss server, put a checkmark next to the roleManager object and click Import/Export, use the "Save to file on server" option and click the "Export" button. Log in to the server via SSH as root and navigate to /usr/local/zenoss/zenoss/var. You should see a roleManager.zexp file there. Copy the file to the /mspfiles NFS share. SSH in to the original server, become root (sudo su), then become the zenoss user (su zenoss). Once you are the zenoss user, navigate to $ZENHOME/import. Copy the file from /mspfiles to the import directory. Once this is done, go to the management interface on that server, put a checkmark in the checkbox next to the roleManager object and click on the "Delete" button. Once the object has been deleted, click on the Import/Export button. Select roleManager.zexp in the "Import file name" dropdown and click the "Import" button. Once the import is completed you should now have access to the roleManager item once again. Once you have verified that you have access to the object, delete the .zexp files from the various locations.
Read this topic online here: http://forums.zenoss.com/viewtopic.php?p=35737#35737

_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
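The following is an added example, not code from the post above or from Zenoss/Zope. It is an offline check of the two tricks the post describes: it reads a small constructed LDIF of groupOfUniqueNames entries in the uniqueMember format the post shows, applies a hand-written LDAP-group-to-Zope-role table like the one configured under acl_users/LDAP/acl_users, reports which roles each user DN would end up with, and gives anyone who is in no mapped group the ZenNone default role. It also flags the pitfall the post warns about (mapping a group to ZenManager instead of Manager). The group names, user DNs and the mapping table are assumptions for illustration; the LDIF reader is deliberately minimal (no base64 values, no continuation lines).

```python
"""Offline check of LDAP group -> Zope role mapping (added example, not Zenoss code)."""
from collections import defaultdict

# Constructed sample LDIF: groups in the shape the post says the Zope LDAP
# plugin expects (objectClass groupOfUniqueNames, one uniqueMember DN each).
# Names and DNs are made up for illustration.
SAMPLE_LDIF = """\
dn: cn=ZenEngineering,ou=Groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: ZenEngineering
uniqueMember: cn=admin,dc=mydomain,dc=com
uniqueMember: uid=bbopshedrop,ou=Users,dc=mydomain,dc=com

dn: cn=ZenUsers,ou=Groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: ZenUsers
uniqueMember: uid=wewillrockyou,ou=Users,dc=mydomain,dc=com
uniqueMember: uid=bbopshedrop,ou=Users,dc=mydomain,dc=com

dn: cn=Helpdesk,ou=Groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: Helpdesk
uniqueMember: uid=dancelikearebel,ou=Users,dc=mydomain,dc=com
"""

# Manual group -> role table, mirroring the "Add LDAP group to Zope role
# mapping" section in the post (assumed values).
GROUP_TO_ROLE = {
    "ZenEngineering": "Manager",
    "ZenUsers": "ZenUser",
}
# The "Default User Roles" value from the ZenNone trick in the post.
DEFAULT_ROLE = "ZenNone"


def parse_ldif_groups(text):
    """Return {group cn: [member DNs]} for every groupOfUniqueNames entry.

    Minimal LDIF reader: entries are separated by blank lines and each line
    is 'attr: value'. Base64 ('::') values and line folding are not handled.
    """
    groups = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            key, value = line.split(":", 1)
            attrs[key.strip()].append(value.strip())
        if "groupOfUniqueNames" in attrs.get("objectClass", []):
            groups[attrs["cn"][0]] = attrs.get("uniqueMember", [])
    return groups


def effective_roles(groups, mapping, default_role=DEFAULT_ROLE):
    """Map each member DN to the sorted list of Zope roles it would receive.

    A DN that only appears in unmapped groups gets the default role, which
    is the point of setting the LDAP default role to ZenNone.
    """
    roles = defaultdict(set)
    for cn, members in groups.items():
        role = mapping.get(cn)
        for dn in members:
            bucket = roles[dn]          # touch so unmapped members still appear
            if role:
                bucket.add(role)
    return {dn: sorted(r) if r else [default_role] for dn, r in roles.items()}


def lint_mapping(mapping):
    """Flag the pitfall the post warns about: mapping a group to ZenManager."""
    return [f"{cn}: maps to ZenManager; the post recommends Manager instead"
            for cn, role in mapping.items() if role == "ZenManager"]


def check_mapping(ldif=SAMPLE_LDIF, mapping=GROUP_TO_ROLE):
    """Parse the LDIF and return {member DN: [roles]} under the given mapping."""
    return effective_roles(parse_ldif_groups(ldif), mapping)


if __name__ == "__main__":
    for warning in lint_mapping(GROUP_TO_ROLE):
        print("WARNING:", warning)
    for dn, roles in sorted(check_mapping().items()):
        print(f"{dn}: {', '.join(roles)}")
```

Run it against an export of your real Groups OU (ldapsearch -LLL output works as long as the entries are not folded or base64-encoded) to see, before anyone logs in, who would land in Manager, who in ZenUser, and who would fall through to ZenNone.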
