#3. Authenticating with Microsoft Active Directory
#3.1. Adding the Authentication Plugin
To add the plugin, you need to access the ZMI (Zope Management Interface), which gives raw access to the Zope application server and its configured objects. The following steps describe the process of adding the ActiveDirectory Multi Plugin with its default settings.
Browse to this URL:

http://YourZenossInstallation:8080/zport/acl_users/manage

Choose ActiveDirectory Multi Plugin from the list of plugins that can be added, and then click the button to add it.
Complete the form with your credentials and paths:

#Table 31.2. Active Directory Multi Plugin Configuration

| Name | Description |
|---|---|
| ID | Enter `adPlugin`. |
| Title | Can be set to anything or left blank. |
| LDAP Server[:port] | The address of the global catalog server from the prerequisites section: the resolvable hostname or IP address of the global catalog server followed by `:3268`, for example `ad1.zenoss.com:3268`. If using SSL, specify the hostname rather than the IP address, because it must match the server's certificate. Port 3268 is the unencrypted global catalog port, so the Manager DN password crosses the network in cleartext unless SSL is used (the SSL global catalog port is 3269). |
| Read-only | This should be checked. |
| Users Base DN | Use the value obtained from your AD administrator. |
| Group storage | Groups not stored on LDAP server |
| Groups Base DN | Use the value obtained from your AD administrator. |
| Manager DN | Use the value obtained from your AD administrator. This bind account only needs read access to the user and group containers; do not use a privileged account, since its password is stored in the plugin configuration. |
| Password | Use the value obtained from your AD administrator. |

Save your changes.
#3.2. Configuring Plugin Settings
The default plugin settings need some customizations.
Browse to this URL:

http://yourzenossinstallation:8080/zport/acl_users/adPlugin/manage

Check the following boxes:

Authentication
Properties
User_Enumeration

Save your changes. Click the tab, then click the folder, and set the following:
#Table 31.3. Active Directory Folder Customizations

| Name | Description |
|---|---|
| User ID Attribute | Windows Login Name (sAMAccountName) |
| RDN Attribute | Windows Login Name (sAMAccountName) |
Save your changes. Click the tab. In the section, set the following:

#Table 31.4. Active Directory Schema Item Configuration

| Name | Description |
|---|---|
| LDAP Attribute Name | mail |
| Friendly Name | Email Address |
| Multi-valued | No |
| Map to Name | email |

Add the schema item, then save your changes.
#3.3. Enabling Group to Role Mapping
As mentioned in the prerequisites section, you can optionally control your users' roles within Zenoss using Active Directory groups. If you choose not to do this, you control their access by setting their roles within the user management section of the Zenoss web interface instead. If you choose to use Active Directory groups, follow these steps.
Browse to this URL:

http://yourzenossinstallation:8080/zport/acl_users/manage

Put a check in Roles and save your changes. Click the tab and change the groupid_attr to:

cn

Save your changes. Click the tab, then click the folder, and set the following:
#Table 31.5. Active Directory Group to Role Configuration

| Name | Description |
|---|---|
| Group storage | Groups stored on LDAP server |
| Group mapping | Manually map LDAP groups to Zope roles |
Save your changes. Click the tab, scroll to the bottom of the page, and in the mapping section:

Choose Zenoss Managers on the left and Manager on the right, and add the mapping.
Choose Zenoss Users on the left and ZenUser on the right, and add the mapping.

Save your changes.
#3.4. Verifying Connectivity and Credentials Outside of Zenoss
Verify that your credential information is valid from the Zenoss server by using the ldapsearch command. To install this command on RPM-based systems, use:

```shell
# yum -y install openldap-clients
```

For the appliance, use the command:

```shell
# conary update openldap-clients
```

Then, as the zenoss user on the Zenoss server, run:

```shell
ldapsearch -LLL -x -b 'BaseDN' -D 'Bind DN' -W -H ldap://LDAP_server-name \
    "(sAMAccountName=*)" member
```

Substitute your Users Base DN (or Groups Base DN) for BaseDN, your Manager DN for Bind DN, and the global catalog server, including the port (for example `ldap://ad1.zenoss.com:3268`), for LDAP_server-name. The `-W` option prompts for the Manager password, so it does not end up in your shell history or process list. A successful search returns entries without an error; `ldap_bind: Invalid credentials (49)` means the Manager DN or password is wrong, and `No such object (32)` means the base DN does not exist on that server.
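As an added example (not Zenoss or LDAPMultiPlugin code), the following Python script ties sections 3.3 and 3.4 together: it builds the section 3.4 ldapsearch commands as argv lists (the password is still prompted for with `-W`, so it never appears in argv), parses the LDIF they return, and evaluates the Table 31.5 group-to-role mapping so you can see which Zope roles a user would receive before enabling the mapping in the ZMI. The server name, bind DN, base DNs and the sample LDIF are constructed placeholders; the group names and roles follow the tables above.

```python
#!/usr/bin/env python3
"""Dry run of the AD settings Zenoss will use (added example, not Zenoss code)."""
import base64
import re
import subprocess

# Assumed placeholder values; replace them with those from your AD administrator.
# Port 3268 is the cleartext global catalog; use ldaps://...:3269 on untrusted networks.
LDAP_URI = "ldap://ad1.example.com:3268"
BIND_DN = "CN=zenoss-bind,OU=Service Accounts,DC=example,DC=com"
USERS_BASE_DN = "OU=Users,DC=example,DC=com"
GROUPS_BASE_DN = "OU=Groups,DC=example,DC=com"

# Table 31.5 mapping: AD group cn (the groupid_attr) -> Zope role.
GROUP_ROLE_MAP = {"Zenoss Managers": "Manager", "Zenoss Users": "ZenUser"}


def ldap_escape(value):
    """RFC 4515 filter escaping, so a name taken from input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def group_filter(mapping=GROUP_ROLE_MAP):
    """Filter matching only the groups that appear in the role mapping."""
    return "(|" + "".join("(cn=%s)" % ldap_escape(g) for g in mapping) + ")"


def ldapsearch_argv(base_dn, ldap_filter, *attrs, scope="sub"):
    """argv for the section 3.4 ldapsearch. -W prompts for the password, so it is
    never in argv, shell history or `ps` output."""
    return ["ldapsearch", "-LLL", "-x", "-s", scope, "-H", LDAP_URI, "-D", BIND_DN,
            "-W", "-b", base_dn, ldap_filter, *attrs]


def dry_run_commands(sam_account_name):
    """The three checks worth running before touching the ZMI."""
    return {
        "bind_and_users_base": ldapsearch_argv(USERS_BASE_DN, "(objectClass=*)", "dn", scope="base"),
        "find_user": ldapsearch_argv(
            USERS_BASE_DN, "(sAMAccountName=%s)" % ldap_escape(sam_account_name), "dn", "mail"),
        "find_groups": ldapsearch_argv(GROUPS_BASE_DN, group_filter(), "cn", "member"),
    }


def run_ldapsearch(argv):
    """Execute one of the commands above (needs network access and openldap-clients)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def parse_ldif(text):
    """Parse -LLL output into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuation lines
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        # AD returns member;range=0-1499 for very large groups; the remaining
        # members need further ranged queries, which this parser does not issue.
        attr = attr.strip().split(";")[0].lower()
        value = base64.b64decode(value[1:]).decode("utf-8") if value.startswith(":") else value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """DNs compare case-insensitively and ignore whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def roles_for_user(group_entries, user_dn, mapping=GROUP_ROLE_MAP):
    """Zope roles the mapping grants user_dn, from the groups' cn and member values."""
    by_cn = {g.lower(): role for g, role in mapping.items()}
    target = normalize_dn(user_dn)
    roles = set()
    for entry in group_entries:
        role = by_cn.get(entry.get("cn", [""])[0].lower())
        if role and any(normalize_dn(m) == target for m in entry.get("member", [])):
            roles.add(role)
    return roles


# Constructed sample, shaped like the output of the find_groups command above
# (plus one unmapped group to show it grants nothing).
SAMPLE_GROUP_LDIF = """\
dn: CN=Zenoss Managers,OU=Groups,DC=example,DC=com
cn: Zenoss Managers
description:: WmVub3NzIHN1cHBvcnQ=
member: CN=Alice Admin,OU=Users,DC=example,DC=com

dn: CN=Zenoss Users,OU=Groups,DC=example,DC=com
cn: Zenoss Users
member: CN=Alice Admin,OU=Users,DC=example,DC=com
member: CN=Bob Ops,OU=Users,
 DC=example,DC=com

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
cn: Domain Admins
member: CN=Carol Da,OU=Users,DC=example,DC=com
"""

if __name__ == "__main__":
    for name, argv in dry_run_commands("alice").items():
        print(name + ":", " ".join(argv))
    groups = parse_ldif(SAMPLE_GROUP_LDIF)  # swap in run_ldapsearch(...) against a real GC
    for user in ("CN=Alice Admin,OU=Users,DC=example,DC=com",
                 "CN=Bob Ops,OU=Users,DC=example,DC=com",
                 "CN=Carol Da,OU=Users,DC=example,DC=com"):
        print(user, "->", sorted(roles_for_user(groups, user)) or "no Zenoss role")
```

Against a live global catalog, replace the sample with `parse_ldif(run_ldapsearch(dry_run_commands("someuser")["find_groups"]))`; a user who is in neither mapped group gets no Zenoss role from the mapping at all, which is the expected result for accounts such as the Domain Admins member above.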