Enabling LDAP Authentication in Zenoss Core 5

From Zenoss Wiki

Zenoss 5 Installation

Start a new shell in the running zope service and save the service instance with a new name

serviced service shell -s LDAP_Plugin -i zope bash

Install the prerequisite packages

yum -y install gcc python-devel openssl-devel openldap-devel

Remove the data cached by yum

yum clean all

Switch to the Zenoss user

su - zenoss

Install the required packages using easy_install

easy_install python-ldap

easy_install setuptools

easy_install dataflake.fakeldap

easy_install Products.LDAPUserFolder

easy_install Products.LDAPMultiPlugins

Complete the modification of the service instance

Exit to logout as zenoss

Exit again to leave the shell

Commit the changes you have made

serviced snapshot commit LDAP_Plugin

Restart zope

serviced service restart zope

Configuration

Restrict Zenoss access
  1. Connect to: "https://<Zenoss-Server>/zport/manage"
  2. Login as admin
  3. Click on "acl_users" in the left frame
  4. Choose "Import/Export" in the right frame and follow the instructions to create a Backup of the current configuration
  5. After the Backup has been created, select "roleManager" in the right frame
  6. Click on "Add a role"
  7. Enter "ZenNone" as the Role ID
  8. Click on "Add Role"
  9. Select the Security tab
  10. Check all the checkboxes under "Manager", "Owner" and "ZenManager"
  11. Check only "Access contents information" and "View" under "ZenUser"
  12. Uncheck all the checkboxes under "Acquire permission settings?"
  13. Click on "Save Changes"
Add a new LDAP Multi Plugin configuration
  1. Click on "acl_users" in the left frame
  2. Select "LDAP Multi Plugin" from the dropdown list in the right frame and click "Add"
  3. The following configuration should be seen as a suggestion and might need some tweaking, depending on your environment:
    ID: <enter an ID>
    Title: <enter a title>
    LDAP Server[:port]: <LDAP-Server-FQDN>
    check "Use SSL" if necessary
    check "Read-only"
    Login Name Attribute, User ID Attribute, RDN Attribute: Leave default, can be changed afterwards
    Users Base DN: <Users-Base-DN>
    Group storage: "Groups stored on LDAP server"
    Groups Base DN: <Groups-Base-DN>
    Manager DN: <Manager-DN>
    User password encryption: SHA
    Default User Roles: ZenNone
  4. Click on "Add"
Configure the LDAP Schema
  1. Click on "acl_users" and then the ID of your LDAP configuration you have just created in the left frame
  2. Select the Contents tab
  3. Click on "acl_users"
  4. Select the LDAP Schema
  5. Add the following Attribute Matchings:
    LDAP Attribute Name   Friendly Name        Mapped to Name       Multi-valued   Binary
    objectGUID            AD Object GUID       objectGUID           No             No
    cn                    Canonical Name                            No             No
    dn                    Distinguished Name   dn                   No             No
    mail                  E-Mail Address       email                No             No
    givenName             First Name           first_name           No             No
    memberOf              Group DNs            memberOf             Yes            No
    sn                    Last Name            last_name            No             No
    sAMAccountName        Windows Login Name   windows_login_name   No             No
Configure the Group mapping
  1. Select the Groups tab
  2. Scroll down to the "Add LDAP group to Zope role mapping" section
  3. Configure the mapping
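To see what the attribute matchings and the group-to-role mapping above actually do to a login, the following script replays both on constructed python-ldap style search results. It is an added example for this page, not Zenoss or Products.LDAPMultiPlugins code: the attribute table is the one from the LDAP Schema step, the group DNs, user entries and the rule that the default role is granted to everyone are assumptions, and the permission table is the one set up under "Restrict Zenoss access". It shows why "Default User Roles: ZenNone" matters: an account that authenticates against LDAP but belongs to no mapped group ends up with ZenNone only and cannot view anything.

```python
"""Added example (not Zenoss or Products.LDAPMultiPlugins code): replay the
attribute matchings and the group-to-role mapping on constructed LDAP entries
and check which properties, roles and permissions a login ends up with."""

# Attribute matchings from the "Configure the LDAP Schema" step:
# LDAP attribute -> (mapped-to name, multi-valued, binary).
# The page leaves "cn" with an empty "Mapped to Name"; this example assumes
# that means "use the LDAP attribute name".
ATTRIBUTE_MATCHINGS = {
    "objectGUID": ("objectGUID", False, False),
    "cn": ("cn", False, False),
    "dn": ("dn", False, False),
    "mail": ("email", False, False),
    "givenName": ("first_name", False, False),
    "memberOf": ("memberOf", True, False),
    "sn": ("last_name", False, False),
    "sAMAccountName": ("windows_login_name", False, False),
}

# Group-to-role mapping from the "Configure the Group mapping" step;
# the group DNs are constructed for this example.
GROUP_TO_ROLE = {
    "cn=zenoss-admins,ou=groups,dc=example,dc=com": "ZenManager",
    "cn=zenoss-users,ou=groups,dc=example,dc=com": "ZenUser",
}
DEFAULT_USER_ROLES = ("ZenNone",)

# What the "Restrict Zenoss access" step grants per role. ALL stands for the
# fully checked rows (Manager, Owner, ZenManager); ZenNone has nothing checked.
ALL = frozenset({"*"})
PERMISSIONS_BY_ROLE = {
    "Manager": ALL, "Owner": ALL, "ZenManager": ALL,
    "ZenUser": frozenset({"Access contents information", "View"}),
    "ZenNone": frozenset(),
}


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around commas, so that
    'CN=Zenoss-Users, OU=Groups,...' and 'cn=zenoss-users,ou=groups,...'
    compare equal. Sufficient for AD memberOf values; it does not handle
    RDN escaping or multi-valued RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _decode(value: bytes, binary: bool):
    # python-ldap returns attribute values as bytes. Non-binary attributes are
    # decoded as UTF-8; a raw 16-byte AD objectGUID is not valid UTF-8, so
    # fall back to hex instead of failing the whole login.
    if binary:
        return value
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return value.hex()


def properties_for_entry(dn: str, attrs: dict) -> dict:
    """Apply ATTRIBUTE_MATCHINGS to one (dn, attrs) search result."""
    props = {}
    for ldap_name, (mapped, multi, binary) in ATTRIBUTE_MATCHINGS.items():
        if ldap_name == "dn":
            props[mapped] = dn
            continue
        values = [_decode(v, binary) for v in attrs.get(ldap_name, [])]
        if multi:
            props[mapped] = values
        elif values:
            props[mapped] = values[0]
    return props


def roles_for_entry(attrs: dict) -> list:
    """Assumed rule: the default roles go to every authenticated user and a
    mapped role is added for each memberOf value found in GROUP_TO_ROLE."""
    roles = set(DEFAULT_USER_ROLES)
    for raw in attrs.get("memberOf", []):
        role = GROUP_TO_ROLE.get(normalize_dn(raw.decode("utf-8")))
        if role:
            roles.add(role)
    return sorted(roles)


def has_permission(roles, permission: str) -> bool:
    """True if any of the roles grants the permission under PERMISSIONS_BY_ROLE."""
    for role in roles:
        granted = PERMISSIONS_BY_ROLE.get(role, frozenset())
        if granted is ALL or permission in granted:
            return True
    return False


# Constructed sample results, shaped like ldap.LDAPObject.search_s output:
# one mapped user and one service account in an unmapped group.
SAMPLE_RESULTS = [
    ("CN=Jane Doe,OU=Staff,DC=example,DC=com", {
        "objectGUID": [bytes.fromhex("9b2f1c4a8e3d4b6fa0c1d2e3f4a5b6c7")],
        "cn": [b"Jane Doe"], "mail": [b"jane@example.com"],
        "givenName": [b"Jane"], "sn": [b"Doe"], "sAMAccountName": [b"jdoe"],
        "memberOf": [b"CN=Zenoss-Users, OU=Groups, DC=example, DC=com"],
    }),
    ("CN=Svc Backup,OU=Service,DC=example,DC=com", {
        "cn": [b"Svc Backup"], "sAMAccountName": [b"svc-backup"],
        "memberOf": [b"CN=Backup-Operators,OU=Groups,DC=example,DC=com"],
    }),
]

if __name__ == "__main__":
    for dn, attrs in SAMPLE_RESULTS:
        roles = roles_for_entry(attrs)
        props = properties_for_entry(dn, attrs)
        print(props["windows_login_name"], roles,
              "can view" if has_permission(roles, "View") else "no access")
```

Running it prints that jdoe gets ZenNone plus ZenUser and can view, while svc-backup authenticates but holds ZenNone only and sees nothing. Checking a few accounts this way against the real mapping before the plugin goes live is a cheap way to confirm that no group was mapped to ZenManager by mistake.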
Activate the LDAP Multi Plugin functionalities
  1. Click on "acl_users" and then the ID of your LDAP configuration you have just created in the left frame
  2. Check the following:
    Authentication (authenticateCredentials)
    Properties (getPropertiesForUser)
    Roles (getRolesForPrincipal)
    User_Enumeration (enumerateUsers)
    Role_Enumeration (enumerateRoles)
  3. Click on "Update"
Change the Login Attributes

After configuring the additional LDAP Attributes, as described above, we can change the Login Attributes

  1. Click on "acl_users" and then the ID of your LDAP configuration you have just created in the left frame
  2. Select the Contents tab
  3. Click on "acl_users"
  4. Change the "Login Name Attribute", "User ID Attribute" and "RDN Attribute" (I'm using the "Windows Login Name")
  5. Click on "Apply Changes"


Now you should be all set.


Please keep in mind that you might have to modify the configuration to fit your needs.

Also make sure that you consult your security team to ensure that you comply with all the security policies in place!