Enabling LDAP Authentication in Zenoss Core 5
Contents
- 1 Zenoss 5 Installation
- 1.1 Start a new shell in the running zope service and save the service instance with a new name
- 1.2 Install the prerequisite packages
- 1.3 Remove the data cached by yum
- 1.4 Switch to the Zenoss user
- 1.5 Install the required packages using easy_install
- 1.6 Complete the modification of the service instance
- 1.7 Restart zope
- 2 Configuration
Zenoss 5 Installation
Start a new shell in the running zope service and save the service instance with a new name
serviced service shell -s LDAP_Plugin -i zope bash
Install the prerequisite packages
yum -y install gcc python-devel openssl-devel openldap-devel
Remove the data cached by yum
yum clean all
Switch to the Zenoss user
su - zenoss
Install the required packages using easy_install
easy_install python-ldap
easy_install setuptools
easy_install dataflake.fakeldap
easy_install Products.LDAPUserFolder
easy_install Products.LDAPMultiPlugins
Complete the modification of the service instance
- Exit to log out as zenoss
- Exit again to leave the shell
- Commit the changes you have made: "serviced snapshot commit LDAP_Plugin"
Restart zope
serviced service restart zope
Configuration
Restrict Zenoss access
- Connect to: "https://<Zenoss-Server>/zport/manage"
- Login as admin
- Click on "acl_users" in the left frame
- Choose "Import/Export" in the right frame and follow the instructions to create a backup of the current configuration
- After the backup has been created, select "roleManager" in the right frame
- Click on "Add a role"
- Enter "ZenNone" as the Role ID
- Click on "Add Role"
- Select the Security tab
- Check all the checkboxes under "Manager", "Owner" and "ZenManager"
- Check only "Access contents information" and "View" under "ZenUser"
- Uncheck all the checkboxes under "Acquire permission settings?"
- Click on "Save Changes"
Add a new LDAP Multi Plugin configuration
- Click on "acl_users" in the left frame
- Select "LDAP Multi Plugin" from the dropdown list in the right frame and click "Add"
- The following configuration should be seen as a suggestion and might need some tweaking, depending on your environment:
  - ID: <enter an ID>
  - Title: <enter a title>
  - LDAP Server[:port]: <LDAP-Server-FQDN>
  - Check "Use SSL" if necessary
  - Check "Read-only"
  - Login Name Attribute, User ID Attribute, RDN Attribute: leave the defaults, they can be changed afterwards
  - Users Base DN: <Users-Base-DN>
  - Group storage: "Groups stored on LDAP server"
  - Groups Base DN: <Groups-Base-DN>
  - Manager DN: <Manager-DN>
  - User password encryption: SHA
  - Default User Roles: ZenNone
- Click on "Add"
Configure the LDAP Schema
- In the left frame, click on "acl_users" and then on the ID of the LDAP configuration you have just created
- Select the Contents tab
- Click on "acl_users"
- Select the LDAP Schema
- Add the following Attribute Matchings:

| LDAP Attribute Name | Friendly Name | Mapped to Name | Multi-valued | Binary |
|---|---|---|---|---|
| objectGUID | AD Object GUID | objectGUID | No | No |
| cn | Canonical Name | | No | No |
| dn | Distinguished Name | dn | No | No |
| mail | E-Mail Address | email | No | No |
| givenName | First Name | first_name | No | No |
| memberOf | Group DNs | memberOf | Yes | No |
| sn | Last Name | last_name | No | No |
| sAMAccountName | Windows Login Name | windows_login_name | No | No |
Configure the Group mapping
- Select the Groups tab
- Scroll down to the "Add LDAP group to Zope role mapping" section
- Configure the mapping
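The following is an added example, not code from Zenoss or Products.LDAPMultiPlugins. It models how the settings from the preceding sections fit together when a directory user logs in: the attribute matchings from the LDAP schema step turn a raw entry into user properties, the Groups-tab mapping turns memberOf DNs into Zope roles, and "Default User Roles: ZenNone" together with the Security-tab checkboxes from the "Restrict Zenoss access" section decides what a user who belongs to no mapped group can do (nothing). The group DNs, the sample entries, the assumption that default roles and mapped group roles are additive, and the placeholder permission name are all constructed for this example.

```python
"""Added example (not Zenoss or Products.LDAPMultiPlugins code).

Shows how the page's LDAP schema, group-to-role mapping, default role and
Security-tab settings combine for a user entry returned by the directory.
"""

# "Configure the LDAP Schema": LDAP attribute -> (mapped property name, multi-valued?)
LDAP_SCHEMA = {
    "objectGUID": ("objectGUID", False),
    "cn": ("cn", False),  # page leaves "Mapped to Name" blank; assumed to default to the attribute name
    "dn": ("dn", False),
    "mail": ("email", False),
    "givenName": ("first_name", False),
    "memberOf": ("memberOf", True),
    "sn": ("last_name", False),
    "sAMAccountName": ("windows_login_name", False),
}

# "Configure the Group mapping" (Groups tab). Group DNs are constructed placeholders.
GROUP_ROLE_MAP = {
    "CN=Zenoss-Admins,OU=Groups,DC=example,DC=com": "ZenManager",
    "CN=Zenoss-Users,OU=Groups,DC=example,DC=com": "ZenUser",
}

# "Default User Roles: ZenNone". Assumption: the plugin grants the default roles to
# every LDAP user and adds the mapped group roles on top of them.
DEFAULT_ROLES = ("ZenNone",)

# Security tab of acl_users as described in "Restrict Zenoss access".
# MANAGE_PLACEHOLDER stands in for every other checkbox on that tab (constructed
# name, not a real Zope permission).
MANAGE_PLACEHOLDER = "<every other permission checkbox>"
ALL_PERMISSIONS = frozenset({"Access contents information", "View", MANAGE_PLACEHOLDER})
ROLE_PERMISSIONS = {
    "Manager": ALL_PERMISSIONS,
    "Owner": ALL_PERMISSIONS,
    "ZenManager": ALL_PERMISSIONS,
    "ZenUser": frozenset({"Access contents information", "View"}),
    "ZenNone": frozenset(),  # nothing checked: this role exists only to grant no access
}


def normalize_dn(dn):
    """DN comparison is case-insensitive and ignores whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def map_properties(entry):
    """Apply the attribute matchings to a raw entry of the form {attribute: [values]}."""
    props = {}
    for attr, (mapped, multi) in LDAP_SCHEMA.items():
        values = entry.get(attr) or []
        if not values:
            continue
        props[mapped] = list(values) if multi else values[0]
    return props


def roles_for_entry(entry):
    """Default roles plus the Zope role of every memberOf DN that has a mapping."""
    mapped = {normalize_dn(dn): role for dn, role in GROUP_ROLE_MAP.items()}
    roles = set(DEFAULT_ROLES)
    for group_dn in map_properties(entry).get("memberOf", []):
        role = mapped.get(normalize_dn(group_dn))
        if role:
            roles.add(role)
    return sorted(roles)


def effective_permissions(entry):
    """Zope roles are additive: the user gets the union of the roles' permissions."""
    perms = set()
    for role in roles_for_entry(entry):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


# Constructed sample entries as {attribute: [values]} dicts (not real directory data).
OPERATOR = {
    "dn": ["CN=Jane Doe,OU=Staff,DC=example,DC=com"],
    "cn": ["Jane Doe"], "givenName": ["Jane"], "sn": ["Doe"],
    "mail": ["jane.doe@example.com"], "sAMAccountName": ["jdoe"],
    "memberOf": ["cn=zenoss-users, ou=groups, dc=example, dc=com",
                 "CN=Printer-Users,OU=Groups,DC=example,DC=com"],
}
UNMAPPED_USER = {
    "dn": ["CN=John Roe,OU=Staff,DC=example,DC=com"],
    "cn": ["John Roe"], "sAMAccountName": ["jroe"],
    "memberOf": ["CN=Printer-Users,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    for entry in (OPERATOR, UNMAPPED_USER):
        props = map_properties(entry)
        print(props["windows_login_name"], roles_for_entry(entry),
              sorted(effective_permissions(entry)))
```

The unmapped user still authenticates successfully against LDAP but ends up with ZenNone only, and since nothing is checked for that role on the Security tab, the resulting permission set is empty. That is the reason the page adds ZenNone and sets it as the default role before adding the plugin: without it, every account in the Users Base DN would inherit whatever the plugin's default grants.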
Activate the LDAP Multi Plugin functionalities
- In the left frame, click on "acl_users" and then on the ID of the LDAP configuration you have just created
- Check the following:
  - Authentication (authenticateCredentials)
  - Properties (getPropertiesForUser)
  - Roles (getRolesForPrincipal)
  - User_Enumeration (enumerateUsers)
  - Role_Enumeration (enumerateRoles)
- Click on "Update"
Change the Login Attributes
After configuring the additional LDAP attributes as described above, we can change the Login Attributes:
- In the left frame, click on "acl_users" and then on the ID of the LDAP configuration you have just created
- Select the Contents tab
- Click on "acl_users"
- Change the "Login Name Attribute", "User ID Attribute" and "RDN Attribute" (I'm using the "Windows Login Name")
- Click on "Apply Changes"
Now you should be all set.
Please keep in mind that you might have to modify the configuration to fit your needs.
Also make sure that you consult your security team to ensure that you comply with all the security policies in place!