Archived community.zenoss.org | full text search
Skip navigation
1 2 Previous Next 107425 Views 19 Replies Latest reply: Aug 22, 2013 11:10 AM by Alan Milligan RSS
dragonf Rank: White Belt 13 posts since
May 6, 2009
Currently Being Moderated

May 6, 2009 1:33 PM

LDAP group to Zope role mappings doesn't work

Dear Gentlemen,

I've searched through Zenoss's forums as well as Zope and Plone forums regarding this problem (but didn't find any answer :().

I'm using Zenoss 2.3.3 with LDAPUserFolder and it works fine for authentication but the "LDAP group to Zope role mappings" simply doesn't work :evil:.

When the user authenticates, it's possible to see in "Cache" that it correctly belongs to Anonymous and ZenManager roles, but the user simply can't see/ do a thing in the UI. :cry:

Under "acl_users -> Default User Roles" it's possible to set i.e. "ZenUser" but then every user will belong to the ZenUser role even if the user is associated with the "ZenManager" group in LDAP/AD and mapped to ZenManager role.

I know that it's possible to create the user in Zenoss (userManager) and assign the roles there, but then, what would be the point in having LDAP/AD group -> role mappings? :roll:

Several other people in this (and other) forum also had the same problem. It seems that it worked before (with Plone at least) but it's not working anymore.

Does anyone knows why is this happening and whether we can do some workaround/ fix? Maybe using another plugin (other than LDAPUserFolder)?

This is very important. I appreciate your help, thanks! :wink:

Sincerely,

Guilherme
  • gene_wood Newbie 3 posts since
    Mar 4, 2009
    Currently Being Moderated
    1. May 12, 2009 7:38 PM (in response to dragonf)
    Same experience
    gfranco, I've encountered the exact same behavior. I have multiple zenoss installations, authenticating successfully against two different Active Directory domains. Both work fine for authentication, but the automatic role mapping described in the wiki page :

    http://www.zenoss.com/community/docs/howtos/how-to-authenticate-via-ldap/

    doesn't work. I also can see in the zope interface that the users' cached role values are being set correctly ( http://hostname:8080/zport/acl_users/ActiveDirectory/acl_users/manage_cache ) but inside zenoss, the role is the standard ZenUser.
  • gene_wood Newbie 3 posts since
    Mar 4, 2009
    Currently Being Moderated
    2. May 12, 2009 8:05 PM (in response to gene_wood)
    RE: Same experience
    Looks like others are having the same problem :

    crosse :
    http://forums.zenoss.com/viewtopic.php?t=3970

    onebee :
    http://forums.zenoss.com/viewtopic.php?t=3970&postdays=0&postorder=asc&start=15#29874
  • reighnman Rank: White Belt 60 posts since
    Apr 22, 2008
    Currently Being Moderated
    4. May 21, 2009 11:49 AM (in response to dragonf)
    RE: Same experience
    I had the same issue and in my attempt to fix locked myself out :oops:

    Have left it alone since happy
  • Matt Ray Rank: Zen Master 2,484 posts since
    Apr 5, 2008
    Currently Being Moderated
    7. Jun 3, 2009 12:04 PM (in response to dragonf)
    RE: Same experience
    I'm not using LDAP, but I know quite a few users do. Has anyone gotten this working with 2.4.1? Anyone want to offer suggestions or tips towards debugging this?

    -Matt
  • Matt Ray Rank: Zen Master 2,484 posts since
    Apr 5, 2008
    Currently Being Moderated
    8. Jun 3, 2009 2:51 PM (in response to Matt Ray)
    RE: Same experience
    Someone in IRC mentioned that they got it working after doing an easy_install python-ldap as the zenoss user. Is this missing in your install?

    -Matt
  • truecolor Newbie 1 posts since
    Jun 4, 2009
    Currently Being Moderated
    9. Jun 4, 2009 5:49 AM (in response to Matt Ray)
    RE: Same experience
    simulation credit auto
    grin Sorry, I'm not an expert on this field to help you grin
  • Ryan Matte ZenossMaster 653 posts since
    Mar 26, 2009
    Currently Being Moderated
    10. Jun 8, 2009 6:07 PM (in response to truecolor)
    Hopefully this helps...
    Here is what I did to get Zenoss LDAP role mapping working on our Zenoss systems...

    - Follow the first part of the guide at http://www.zenoss.com/community/docs/howtos/how-to-authenticate-via-ldap and get the plugins installed.

    - Follow the second part of the guide to configure your LDAP server settings.

    - Navigate to acl_users/LDAP on the left, and under the Activate tab make sure that all of the items are checked off (Authentication, Reset Credentials, Properties, Groups, Roles, etc...) and click "Update".

    - Navigate to acl_users/LDAP/acl_users on the left in the Zope management interface, you'll be under the "Configure" tab.

    - Make sure that "Group mapping (Applies to LDAP group storage only)" is set to "Manually map LDAP groups to Zope roles" as the "Automatically map LDAP groups to Zope roles" does not seem to work (or at least I could never get it working). Also make sure that the "Manager DN Usage" option is set to "Always".

    - Navigate to the "Groups" tab under acl_users/LDAP/acl_users.

    - From here, you need to add the LDAP groups which correspond to each role. For instance, our groups are ZenChange, ZenEngineering, ZenManagement, ZenAdministrators, etc...

    - To add a group, go to the "Add LDAP group" section under the "Groups" tab and enter a group name. Keep the object class as "groupOfUniqueNames" and click the "Add" button. You should then see the group listed and it should also be listed in your actual LDAP tree.

    - You then need to scroll down to the "Add LDAP group to Zope role mapping" section, select one of the groups that you added, select a role to map to that LDAP group, then click "Add". For example, we have ZenEngineering assigned the "Manager" role, and ZenUsers assigned the "ZenUser" role. Don't use the "ZenManager" role since it doesn't work properly, use the "Manager" role instead.

    - You'll then need to manually add users to those groups in LDAP. Since the Zope LDAP plugin only supports limited types of LDAP groups, you will need to add the users in a specific format. I personally use WEBMIN for this task. I login to the WEBMIN console, I navigate to Servers/LDAP Server on the left, then select Browse Database. Select your Groups OU, and you should see your Zenoss groups listed there. Click on a group and you should see a property called "uniqueMember". To add someone to this group you need to add a new line with their username details. Click on the edit link next to the "uniqueMember" property.

    - Here is an example from one of our servers (with fake usernames):

    cn=admin,dc=mydomain,dc=com
    uid=bbopshedrop,ou=Users,dc=mydomain,dc=com
    uid=wewillrockyou,ou=Users,dc=mydomain,dc=com
    uid=dancelikearebel,ou=Users,dc=mydomain,dc=com

    - Just specify each user on a separate line and click "Save".

    (I'm sure there's a way to automate the addition/removal to/from these groups via some form of script, I just haven't personally figured it out yet).

    After you have done this, when any of these users logs in to Zenoss they will be granted rights based on the role assigned to the group that they are in.
    _______________________________________________________________________________________

    Now, on to the next trick...

    Premise

    No one should be able to login to a Zenoss server without explicit permission.

    How we did it:

    Create the ZenNone role

    * Go to the “Manage� page - i.e. http://your-server.com:8080/zport/manage

    * Click “acl_users�

    * Click “Role Manager�

    * Click Add a Role (Beside Current Roles)

    * Type “ZenNone� as the Role

    Assign the Default LDAP Role to ZenNone

    * Go to the “Manage� page - i.e. http://your-server.com:8080/zport/manage

    * Expand “acl_users�

    * Expand “LDAP�

    * Click “acl_users� (under LDAP)

    * Change the “Default User Roles� to “ZenNone� at the bottom of the page

    * Click “Apply Changes�

    Remove "Acquire Permission Settings"

    * Go to the “Manage� page - i.e. http://your-server.com:8080/zport/manage

    * Click “acl_users�

    * Click “roleManager�

    * Click the Security tab at the top right

    * Remove the “Acquire Permission Settings� from all the users

    * Add all permissions to “Manager�, “Owner� “ZenManager�

    * Check off “Access contents information� and “View� for ZenUser

    * Add ZenNone to the view at the bottom of the page where it says “User Defined Roles�

    * Make sure that ZenNone has no permissions

    * Save Changes

    (After performing the above steps, any LDAP user not defined in one of the Zenoss groups will be granted the default ZenNone role and will not be able to view/change anything on the Zenoss servers).

    Note: If you accidentally click save after unchecking the “Acquire Permissions Settings� checkboxes, but before actually applying permissions to any of the roles you will lose access to the roleManager object. You will need to login to the Zope management interface using the standard Zenoss admin account. After you are logged in, connect to the management interface on a different Zenoss server, put a checkmark next to the roleManager object and click Import/Export, use the “Save to file on server� option and click the “Export� button. Login to the server via SSH as root and navigate to /usr/local/zenoss/zenoss/var. You should see a roleManager.zexp file there. Copy the file to the original server. SSH in to the original server, become root (sudo su), then become the zenoss user (su zenoss). Once you are the Zenoss user, navigate to $ZENHOME/import. Copy the file from it's current location to the import directory. Once this is done, go to the management interface on that server, put a checkmark in the checkbox next to the roleManager object and click on the “Delete� button. Once the object has been deleted, click on the Import/Export button. Select roleManager.zexp in the “Import file name� dropdown and click the “Import� button. Once the import is completed you should now have access to the roleManager item once again. Once you have verified that you have access to the object, delete the .zexp files from the various locations.

    Regards,
    Ryan Matte
    Nova Networks
  • Ryan Matte ZenossMaster 653 posts since
    Mar 26, 2009
    Currently Being Moderated
    11. Jun 9, 2009 12:30 PM (in response to Ryan Matte)
    Just as a side note...
    As a side note, please provide your feedback on the process that I have described above. If you find any additional tips which could be included or run in to any form of difficulties please post them here.
  • Ryan Matte ZenossMaster 653 posts since
    Mar 26, 2009
    Currently Being Moderated
    13. Jun 9, 2009 4:34 PM (in response to dragonf)
    RE: Not yet
    Unfortunately I have no experience with configuring this on Active Directory. When I created the LDAP groups for Zenoss I had to do it through a Zenoss instance and it created a strange type of group (unlike our standard LDAP groups that we had already created). I can't use the "smbldap-groupmod -m" command to add users to the Zenoss LDAP groups (but I can do it with all other LDAP groups). I instead have to go and manually add them to the groups with WEBMIN. It's a bit messy but it happens to work for us. We are however not using Active Directory. I suspect that this may be part of the problem that you are experiencing. Perhaps someone who has actually gotten the authentication to work with Active Directory could be of further assistance if they happen to come across this thread.
  • Ryan Matte ZenossMaster 653 posts since
    Mar 26, 2009
    Currently Being Moderated
    14. Jun 9, 2009 4:39 PM (in response to Ryan Matte)
    RE: Not yet
    Just asked about this in #zenoss:

    <CamargoBP> You have to manually add a user to a role, can't map roles to AD
    <CamargoBP> I spent weeks trying to get it working
    <CamargoBP> Works with openldap but not AD
    <CamargoBP> I don't know why

    Looks like you might be out of luck with AD. You might look in to setting up an OpenLDAP server and having it sync up with AD. Then use that to map the roles. It may or may not be possible.
1 2 Previous Next