Enabling LDAP Authentication in Zenoss Core 5

Zenoss 5 Installation

Start a new shell in the running zope service and save the service instance with a new name

serviced service shell -s LDAP_Plugin -i zope bash

Install the prerequisite packages

yum -y install gcc python-devel openssl-devel openldap-devel

Remove the data cached by yum

yum clean all

Switch to the Zenoss user

su - zenoss

Install the required packages using easy_install

easy_install python-ldap

easy_install setuptools

easy_install dataflake.fakeldap

easy_install Products.LDAPUserFolder

easy_install Products.LDAPMultiPlugins

Complete the modification of the service instance

Exit to logout as zenoss

Exit again to leave the shell

Commit the changes you have made: "serviced snapshot commit LDAP_Plugin"

Restart zope

serviced service restart zope

Configuration

Restrict Zenoss access

1. Connect to: "https://<Zenoss-Server>/zport/manage"
2. Login as admin
3. Click on "acl_users" in the left frame
4. Choose "Import/Export" in the right frame and follow the instructions to create a Backup of the current configuration
5. After the Backup has been created, select "roleManager" in the right frame
6. Click on "Add a role"
7. Enter "ZenNone" as the Role ID
8. Click on "Add Role"
9. Select the Security tab
10. Check all the checkboxes under "Manager", "Owner" and "ZenManager"
11. Check only "Access contents information" and "View" under "ZenUser"
12. Uncheck all the checkboxes under "Acquire permission settings?"
13. Click on "Save Changes"

Add a new LDAP Multi Plugin configuration

1. Click on "acl_users" in the left frame
2. Select "LDAP Multi Plugin" from the dropdown list in the right frame and click "Add"
3. The following configuration should be seen as a suggestion and might need some tweaking, depending on your environment:
   ID: <enter an ID>
   Title: <enter a title>
   LDAP Server[:port]: <LDAP-Server-FQDN>
   check "Use SSL" if necessary
   check "Read-only"
   Login Name Attribute, User ID Attribute, RDN Attribute: Leave default, can be changed afterwards
   Users Base DN: <Users-Base-DN>
   Group storage: "Groups stored on LDAP server"
   Groups Base DN: <Groups-Base-DN>
   Manager DN: <Manager-DN>
   User password encryption: SHA
   Default User Roles: ZenNone
   
4. Click on "Add"

Configure the LDAP Schema

1. Click on "acl_users" and then the ID of your LDAP configuration you have just created in the left frame
2. Select the Contents tab
3. Click on "acl_users"
4. Select the LDAP Schema
5. Add the following Attribute Matchings:

LDAP Attribute Name	Friendly Name	Mapped to Name	Multi-valued	Binary
objectGUID	AD Object GUID	objectGUID	No	No
cn	Canonical Name		No	No
dn	Distinguished Name	dn	No	No
mail	E-Mail Address	email	No	No
givenName	First Name	first_name	No	No
memberOf	Group DNs	memberOf	Yes	No
sn	Last Name	last_name	No	No
sAMAccountName	Windows Login Name	windows_login_name	No	No

Configure the Group mapping

1. Select the Groups tab
2. Scroll down to the "Add LDAP group to Zope role mapping" section
3. Configure the mapping

Activate the LDAP Multi Plugin functionalities

1. Click on "acl_users" and then the ID of your LDAP configuration you have just created in the left frame
2. Check the following:
   Authentication (authenticateCredentials)
   Properties (getPropertiesForUser)
   Roles (getRolesForPrincipal)
   User_Enumeration (enumerateUsers)
   Role_Enumeration (enumerateRoles)
   
3. Click on "Update"

Change the Login Attributes

After configuration the additional LDAP Attributes, as mentioned above, we can change the Login Attributes

1. Click on "acl_users" and then the ID of your LDAP configuration you have just created in the left frame
2. Select the Contents tab
3. Click on "acl_users"
4. Change the "Login Name Attribute" "User ID Attribute" and "RDN Attribute" (I'm using the "Windows Login Name")
5. Click on "Apply Changes"

Now you should be all set.

Please keep in mind that you might have to modify the configuration to fit your needs.

Also make sure that you consult your security team to ensure that you comply with all the security policies in place!