Here is what I did to get Zenoss LDAP role mapping working on our Zenoss systems...
- Follow the first part of the guide at http://www.zenoss.com/community/docs/howtos/how-to-authenticate-via-ldap and get the plugins installed.
- Follow the second part of the guide to configure your LDAP server settings.
- Navigate to acl_users/LDAP on the left, and under the Activate tab make sure that all of the items are checked off (Authentication, Reset Credentials, Properties, Groups, Roles, etc.) and click "Update".
- Navigate to acl_users/LDAP/acl_users on the left in the Zope management interface; you'll be under the "Configure" tab.
- Make sure that "Group mapping (Applies to LDAP group storage only)" is set to "Manually map LDAP groups to Zope roles" as the "Automatically map LDAP groups to Zope roles" does not seem to work (or at least I could never get it working). Also make sure that the "Manager DN Usage" option is set to "Always".
- Navigate to the "Groups" tab under acl_users/LDAP/acl_users.
- From here, you need to add the LDAP groups which correspond to each role. For instance, our groups are ZenChange, ZenEngineering, ZenManagement, ZenAdministrators, etc.
- To add a group, go to the "Add LDAP group" section under the "Groups" tab and enter a group name. Keep the object class as "groupOfUniqueNames" and click the "Add" button. You should then see the group listed and it should also be listed in your actual LDAP tree.
- You then need to scroll down to the "Add LDAP group to Zope role mapping" section, select one of the groups that you added, select a role to map to that LDAP group, then click "Add". For example, we have ZenEngineering assigned the "Manager" role, and ZenUsers assigned the "ZenUser" role. Don't use the "ZenManager" role since it doesn't work properly, use the "Manager" role instead.
- You'll then need to manually add users to those groups in LDAP. Since the Zope LDAP plugin only supports limited types of LDAP groups, you will need to add the users in a specific format. I personally use WEBMIN for this task. I log in to the WEBMIN console, navigate to Servers/LDAP Server on the left, then select Browse Database. Select your Groups OU, and you should see your Zenoss groups listed there. Click on a group and you should see a property called "uniqueMember". To add someone to this group you need to add a new line with their username details. Click on the edit link next to the "uniqueMember" property.
- Here is an example from one of our servers (with fake usernames):
cn=admin,dc=mydomain,dc=com
uid=bbopshedrop,ou=Users,dc=mydomain,dc=com
uid=wewillrockyou,ou=Users,dc=mydomain,dc=com
uid=dancelikearebel,ou=Users,dc=mydomain,dc=com
- Just specify each user on a separate line and click "Save".
(I'm sure there's a way to automate the addition/removal to/from these groups via some form of script, I just haven't personally figured it out yet).
After you have done this, when any of these users logs in to Zenoss they will be granted rights based on the role assigned to the group that they are in.
_______________________________________________________________________________________
Now, on to the next trick...
Premise
No one should be able to login to a Zenoss server without explicit permission.
How we did it:
Create the ZenNone role
* Go to the "Manage" page - i.e. http://your-server.com:8080/zport/manage
* Click "acl_users"
* Click "Role Manager"
* Click Add a Role (beside Current Roles)
* Type "ZenNone" as the Role
Assign the Default LDAP Role to ZenNone
* Go to the "Manage" page - i.e. http://your-server.com:8080/zport/manage
* Expand "acl_users"
* Expand "LDAP"
* Click "acl_users" (under LDAP)
* Change the "Default User Roles" to "ZenNone" at the bottom of the page
* Click "Apply Changes"
Remove "Acquire Permission Settings"
* Go to the "Manage" page - i.e. http://your-server.com:8080/zport/manage
* Click "acl_users"
* Click "roleManager"
* Click the Security tab at the top right
* Remove the "Acquire Permission Settings" from all the users
* Add all permissions to "Manager", "Owner", "ZenManager"
* Check off "Access contents information" and "View" for ZenUser
* Add ZenNone to the view at the bottom of the page where it says "User Defined Roles"
* Make sure that ZenNone has no permissions
* Save Changes
(After performing the above steps, any LDAP user not defined in one of the Zenoss groups will be granted the default ZenNone role and will not be able to view/change anything on the Zenoss servers).
Note: If you accidentally click save after unchecking the "Acquire Permission Settings" checkboxes, but before actually applying permissions to any of the roles, you will lose access to the roleManager object. You will need to log in to the Zope management interface using the standard Zenoss admin account. After you are logged in, connect to the management interface on a different Zenoss server, put a checkmark next to the roleManager object and click Import/Export, use the "Save to file on server" option and click the "Export" button. Log in to the server via SSH as root and navigate to /usr/local/zenoss/zenoss/var. You should see a roleManager.zexp file there. Copy the file to the original server. SSH in to the original server, become root (sudo su), then become the zenoss user (su zenoss). Once you are the zenoss user, navigate to $ZENHOME/import. Copy the file from its current location to the import directory. Once this is done, go to the management interface on that server, put a checkmark in the checkbox next to the roleManager object and click on the "Delete" button. Once the object has been deleted, click on the Import/Export button. Select roleManager.zexp in the "Import file name" dropdown and click the "Import" button. Once the import is completed you should once again have access to the roleManager item. Once you have verified that you have access to the object, delete the .zexp files from the various locations.
Regards,
Ryan Matte
Nova Networks
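Added example, not part of Ryan's post or of Zenoss itself: a small offline audit of the uniqueMember scheme described above. It parses the LDIF an ldapsearch for groupOfUniqueNames would return, reports which Zope role each user ends up with (falling through to ZenNone for anyone in no mapped group, per the second half of the post), and emits an ldapmodify change record for the add/remove step the post does by hand. The group container ou=Groups,dc=mydomain,dc=com, the group-to-role table and the sample entries are assumptions built from the DNs shown in the post.

```python
# Added example (not from the post): audit Zenoss LDAP group membership offline.
# Group container and group->role table are assumptions taken from the post's DNs.

GROUPS_BASE = "ou=Groups,dc=mydomain,dc=com"           # assumed group container
GROUP_ROLES = {"ZenEngineering": "Manager", "ZenUsers": "ZenUser"}
DEFAULT_ROLE = "ZenNone"  # what an LDAP user in no mapped group falls through to

# Constructed sample of an ldapsearch result for objectClass=groupOfUniqueNames.
SAMPLE_LDIF = """\
dn: cn=ZenEngineering,ou=Groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: ZenEngineering
uniqueMember: cn=admin,dc=mydomain,dc=com
uniqueMember: uid=bbopshedrop,ou=Users,dc=mydomain,dc=com

dn: cn=ZenUsers,ou=Groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: ZenUsers
uniqueMember: uid=wewillrockyou,ou=Users,dc=mydomain,dc=com
uniqueMember: uid=dancelikearebel,ou=Users,dc=mydomain,dc=com
"""

def parse_groups(ldif):
    """Return {group cn: [member DNs]} for every groupOfUniqueNames entry."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "groupOfUniqueNames" in attrs.get("objectClass", []):
            groups[attrs["cn"][0]] = attrs.get("uniqueMember", [])
    return groups

def effective_roles(groups, known_users):
    """Map user DNs to the Zope roles their groups grant; unmapped users get ZenNone."""
    roles = {dn: set() for dn in known_users}
    for group, members in groups.items():
        role = GROUP_ROLES.get(group)
        if role is None:
            continue  # group exists in LDAP but is mapped to no Zope role
        for dn in members:
            roles.setdefault(dn, set()).add(role)
    return {dn: sorted(r) or [DEFAULT_ROLE] for dn, r in roles.items()}

def membership_ldif(group_cn, user_dn, action="add"):
    """LDIF change record (for ldapmodify) adding or deleting one uniqueMember."""
    return (f"dn: cn={group_cn},{GROUPS_BASE}\nchangetype: modify\n"
            f"{action}: uniqueMember\nuniqueMember: {user_dn}\n-\n")
```

Pipe the output of `membership_ldif` into `ldapmodify` (bound as the manager DN) to script the group edits; run `effective_roles` over the real directory export to confirm that everyone outside the mapped groups really lands on ZenNone.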