37.4 Authenticating with Microsoft Active Directory

VERSION 1 
Created on: Mar 1, 2010 8:21 AM by Zenoss API - Last Modified:  Mar 1, 2010 8:21 AM by Zenoss API

 4.1. Adding the Authentication Plugin

To add the plugin, you must access the ZMI (Zope Management Interface). This allows raw access to the Zope application server and its configured objects. These steps show how to add the ActiveDirectory Multi Plugin with its default settings.

  1. Browse to this URL:

    http://YourZenossInstallation:8080/zport/acl_users/manage

  2. Choose ActiveDirectory Multi Plugin from the list of available plugins, and then click Add.

  3. Complete the form with your credentials and paths:

    Table 37.2. Active Directory Multi Plugin Configuration

    Name                 Description
    -------------------  ------------------------------------------------------------
    ID                   Enter adPlugin.
    Title                Enter a title, or leave blank.
    LDAP Server[:port]   Specify the address of the global catalog server from the
                         prerequisites section: the resolvable hostname or IP address
                         of the global catalog server followed by :3268 (for example,
                         ad1.zenoss.com:3268). If using SSL, the hostname (rather than
                         the IP address) must be specified.
    Read-only            Select this option.
    Users Base DN        Use the value obtained from your AD administrator.
    Group storage        Groups not stored on LDAP server.
    Groups Base DN       Use the value obtained from your AD administrator.
    Manager DN           Use the value obtained from your AD administrator.
    Password             Use the value obtained from your AD administrator.

  4. Click Add to save your changes.

 4.2. Configuring Plugin Settings

The default plugin settings need some customization before the plugin is usable.

  1. Browse to this URL:

    http://yourzenossinstallation:8080/zport/acl_users/adPlugin/manage

  2. Check the following boxes:

    • Authentication

    • Properties

    • User_Enumeration

    • Roles (select only if a default role other than Anonymous is desired)

    • Role_Enumeration (select only if a default role other than Anonymous is desired)

  3. Click Update to save your changes.

  4. Click Contents tab.

  5. Click acl_users folder.

  6. Set the following:

    Table 37.3. Active Directory acl_users Folder Customizations

    Name               Description
    -----------------  ------------------------------------
    User ID Attribute  Windows Login Name (sAMAccountName)
    RDN Attribute      Windows Login Name (sAMAccountName)

  7. Click Apply Changes to save your changes.

  8. Click LDAP Schema tab.

  9. In the Add LDAP schema item section, set the following:

    Table 37.4. Active Directory Schema Item Configuration

    Name                 Description
    -------------------  -------------------
    LDAP Attribute Name  mail
    Friendly Name        Email Address
    Multi-valued         No
    Map to Name          email

  10. Click Apply Changes to save your changes.

  11. Click Add to save your changes.

 4.3. Enabling Group to Role Mapping

You can optionally control your users' roles within Zenoss by using Active Directory groups. If you choose not to, you can control their access by setting their roles in the user management section of the Zenoss web interface. If you choose to use Active Directory groups, follow these steps.

  1. Browse to one of the following URLs:

    • For LDAP:

      http://yourzenossinstallation:8080/zport/acl_users/manage

    • For Active Directory:

      http://yourzenossinstallation:8080/zport/acl_users/adPlugin/manage

  2. Put a check in Roles and click Update.

  3. Click Properties tab.

  4. Change groupid_attr to cn.

  5. Click Save Changes to save your changes.

  6. Click Contents tab.

  7. Click acl_users folder.

  8. Set the following:

    Table 37.5. Active Directory Group to Role Configuration

    Name           Description
    -------------  ----------------------------------------
    Group storage  Groups stored on LDAP server
    Group mapping  Manually map LDAP groups to Zope roles


  9. Click Apply Changes to save your changes.

  10. Click Groups tab.

  11. Scroll to the bottom of the page and in the Add LDAP group to Zope role mapping section:

    1. Choose Zenoss Managers on the left and Manager on the right.

    2. Click Add.

    3. Choose Zenoss Users on the left and ZenUser on the right.

    4. Click Add.

    5. Click Apply Changes to save your changes.

 4.4. Verifying Connectivity and Credentials Outside of Zenoss

Verify your credential information is valid from the Zenoss server by using the ldapsearch command. To install this command, use the following for RPM-based systems:

# yum -y install openldap-clients

For the appliance, use the command:

# conary update openldap-clients

Then, as the zenoss user on the Zenoss server, run the following, substituting the base DN, the bind (manager) DN and the server name you entered in the plugin. The -x option selects simple authentication, -W prompts for the bind password, and -LLL prints plain LDIF without comments or version lines:

ldapsearch -LLL -x -b 'BaseDN' -D 'Bind DN' -W -H ldap://LDAP_server-name \
"sAMAccountName=*" member

If the bind DN or password is wrong the command fails with an LDAP error instead of printing entries; if it prints group entries with their member attributes, the credentials and connectivity the plugin relies on are good.
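The following is an added example, not code from the Zenoss documentation or from the plugin. It parses the LDIF that the ldapsearch command above prints (including folded continuation lines and base64-encoded values) and applies the group-to-role mapping from section 4.3 to it, so that from the command output alone you can see which users would receive Manager or ZenUser and which AD groups the plugin would simply ignore. The DNs, group names and sample output are constructed assumptions, as is the script name used in the usage note.

```python
"""Added example (not part of the Zenoss documentation): parse the LDIF that the
ldapsearch check in section 4.4 prints and work out which Zope role each AD user
would receive under the section 4.3 group-to-role mapping.

The DNs, group names and the sample LDIF are constructed; they are assumptions
about what that ldapsearch command returns in a given directory."""
import base64
import re
import sys
from collections import defaultdict

# Group cn -> Zope role, as entered in "Add LDAP group to Zope role mapping".
# groupid_attr is cn, so the plugin matches groups on their cn value.
GROUP_TO_ROLE = {
    "Zenoss Managers": "Manager",
    "Zenoss Users": "ZenUser",
}

# Constructed sample of `ldapsearch -LLL ... "sAMAccountName=*" member` output.
# The filter matches users as well as groups, so user entries (no member
# attribute) appear too. A line starting with one space continues the previous
# line (LDIF folding); "attr:: value" carries a base64-encoded value.
SAMPLE_LDIF = """\
dn: CN=Zenoss Managers,OU=Groups,DC=example,DC=com
member: CN=alice,OU=Users,DC=example,DC=com
member: CN=bob,OU=Users,
 DC=example,DC=com

dn: CN=Zenoss Users,OU=Groups,DC=example,DC=com
member: CN=bob,OU=Users,DC=example,DC=com
member:: Q049Y2Fyb2wsT1U9VXNlcnMsREM9ZXhhbXBsZSxEQz1jb20=

dn: CN=Domain Users,OU=Groups,DC=example,DC=com
member: CN=dave,OU=Users,DC=example,DC=com

dn: CN=alice,OU=Users,DC=example,DC=com
"""


def parse_ldif(text):
    """Return a list of entries (dict: lower-cased attribute -> list of values)."""
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)          # join folded continuation lines
    for line in unfolded.splitlines():
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                 # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def group_cn(dn):
    """Return the cn from a DN's first RDN, or None if that RDN is not a cn."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None


def roles_by_user(ldif_text, mapping=GROUP_TO_ROLE):
    """Map each member DN to the sorted list of Zope roles it would receive.

    Groups with no mapping contribute nothing, and a user in no mapped group is
    absent from the result (Zenoss then falls back to the default role)."""
    roles = defaultdict(set)
    for entry in parse_ldif(ldif_text):
        role = mapping.get(group_cn(entry.get("dn", [""])[0]))
        if role is None:
            continue
        for member in entry.get("member", []):
            roles[member].add(role)
    return {dn: sorted(r) for dn, r in roles.items()}


def unmapped_groups(ldif_text, mapping=GROUP_TO_ROLE):
    """Return the cn of every group that has members but no role mapping."""
    result = []
    for entry in parse_ldif(ldif_text):
        cn = group_cn(entry.get("dn", [""])[0])
        if cn is not None and entry.get("member") and cn not in mapping:
            result.append(cn)
    return sorted(result)


if __name__ == "__main__":
    # Pass "-" to read real ldapsearch output from stdin instead of the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LDIF
    for dn, roles in sorted(roles_by_user(text).items()):
        print(f"{dn}: {', '.join(roles)}")
    print("groups with members but no role mapping:", unmapped_groups(text))
```

Run without arguments to see the constructed sample evaluated, or pipe the real command output through it as the zenoss user (`ldapsearch ... | python3 check_ad_roles.py -`; the file name is an assumption). A user listed under both mapped groups, like bob in the sample, receives both roles, which is worth checking before enabling the mapping, since Manager is the more privileged of the two.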