Archived community.zenoss.org
17505 Views, 13 Replies. Latest reply: Aug 17, 2010 12:20 PM by chitra
jmp242 (ZenossMaster, 4,060 posts since Mar 7, 2007)

Aug 10, 2007 11:17 AM

External Authentication

Has anyone gotten external Kerberos authentication working with Zenoss? How are people doing it?

I've found:
http://www.zope.org/Members/mstrickl/KerberosUserFolder
but it just seems to kill Zenoss logins when added.
  • Jussi Talaskivi (White Belt, 21 posts since Jul 29, 2007)
    1. Aug 10, 2007 11:26 AM (in response to jmp242)
    RE: External Authentication
    I haven't tried this one yet, but I think apachepas (http://plone.org/products/apachepas/) would be a better fit for Kerberos authentication in Zenoss. That is, if you are using Apache as a frontend reverse proxy. I consider a reverse proxy mandatory for all web services.
  • kellermg (White Belt, 24 posts since Jul 19, 2007)
    2. Aug 10, 2007 11:31 AM (in response to Jussi Talaskivi)
    External Authentication
    I use Apache (albeit not for Kerberos, but I've used mod_auth_kerb in other environments, and it's trivial). As long as Zope has the basicAuth handler active (which it does by default) you can have Apache front it and not deal with the nasty Zope bits for authentication... You can also have Apache do the SSL bits, which are a lot easier than in Zope as well. Check out the Howto on getting Apache to frontend SSL, and add in the necessary auth bits to the same config.

  • balav (Newbie, 4 posts since Nov 23, 2007)
    4. Nov 23, 2007 1:45 AM (in response to jmp242)
    How to use Apachepas with Apache as a reverse-proxy
    I think what you are looking for is using a portal web server as a reverse proxy and making it pass the credential to the web interface after the user logs in (using the web password).

    I could successfully integrate Zenoss (Zope) with IBM Tivoli WebSEAL. Since WebSEAL is a variant of Apache in reverse proxy mode, you could do the same thing with Apache or SiteMinder. Here are the configuration steps:

    Create Webseal Junction /zport with following setup:
    • Junction name MUST be /zport
    • Set the junction as Transparent junction to /zport
    • Pass User Id (iv-user parameter)

    Note that Tivoli WebSEAL sends the login user id in the HTTP header HTTP_IV_USER. Make sure to download the latest apachepas version, which allows you to configure the HTTP header name from which to extract the credential.

    • Shutdown Zenoss Service as root
    o #service zenoss stop
    • Logon as zenoss user
    • Expand apachepas.tar.gz file in $ZENHOME/Products folder. It will create $ZENHOME/Products/apachepas folder
    o cd $ZENHOME/Products
    o tar xzvf apachepas.tar.gz
    • Start Zenoss Service as root
    o #service zenoss start
    • Go to Zope Management Console at url:
    o http://your_host:8080/manage
    • Logon as admin user
    • Select "acl_users" link
    • From the Top-Right Dropdown, select "ApachAuthPluginHandler" and click Add button.
    • Give ID, "Apachepas" and Description, "Apache PAS Plugin" and click OK.
    o Now, Apachepas will be listed along with basicAuthHelper, cookieAuthHelper.
    • Click on "Apachepas" link
    • In the Options tab, set the value for "HTTP header containing username" to "HTTP_IV_USER" and click "Save Changes" button.
    • In the Activate tab, make sure to check "Extraction", and "Authentication" checkboxes and click "Update" button.
    • Click on "Extraction" link and move "Apachepas" option to the top of the Active Plugins list.
    o Do the same for Authentication link.
    • Go to Zenoss’ Zope Management Console at url:
    • http://your_host:8080/zport/manage
    • Do the same as above for Zope Management Console
    • Zenoss is now configured for SSO

    Now you can access Zenoss at the portal server URI /zport/dmd.

    NOTE: The Zenoss Logout option is hard-coded to redirect to /zport/dmd. If you want it to log out from the portal:
    • Go to $ZENHOME/Products/ZenModel/skins/zenmodel folder
    o cd $ZENHOME/Products/ZenModel/skins/zenmodel
    • Make backup of logoutUser.py file
    o cp logoutUser.py logoutUser.py.orig
    • Edit logoutUser.py file and,
    o Change the line: dest = '/zport/dmd/'
    o To: dest = '/pkmslogout'
    • Restart Zenoss


    -Bala
    • jsosic (White Belt, 9 posts since Jun 10, 2008)
      5. Aug 12, 2010 6:47 AM (in response to balav)
      Re: How to use Apachepas with Apache as a reverse-proxy

      Hi guys...

      I'm trying to set up Apache authentication, but I'm having problems... First of all, I can't find apachepas for download.

       

      Next, I tried WebServerAuth, written originally for the Plone CMS... But I don't know how to configure this module in Zope. I've entered the management area of Zope in my browser (localhost:8080/manage), and under the zport section (I guess zport is the application under Zenoss) added the WebServerAuth module and configured it as an extraction module, but authentication is still not working...

    • chitra (White Belt, 17 posts since Nov 5, 2007)
      6. Aug 12, 2010 4:58 PM (in response to jsosic)
      Re: How to use Apachepas with Apache as a reverse-proxy

      Apachepas is a Plone component that you can download from http://plone.org/products/apachepas

      Once you unpack apachepas into the $ZENHOME/Products folder, you can follow the steps above to set up reverse-proxy based SSO. You should be able to complete the configuration. For example, you should be able to select "Apache PAS Plugin" as an auth helper.

    • jsosic (White Belt, 9 posts since Jun 10, 2008)
      7. Aug 13, 2010 12:19 PM (in response to chitra)
      Re: How to use Apachepas with Apache as a reverse-proxy

      Thank you very much! The first mistake I was making was putting apachepas into $ZENHOME/lib/python/Zope2/utilities/skel/Products/apachepas instead of $ZENHOME/Products. That's why I was unable to see the plugin in the dropdown menu.

      Now I've added it successfully, but I still have problems entering Zenoss. First of all, here is my Apache vhost configuration:

      <VirtualHost *:80>
          ServerName myserver.mycompany.com
          RewriteEngine On
          <Location "/">
             Order allow,deny
             Allow from all
             AuthType CAS
             Require valid-user

             # Put the login name (stored below) into the HTTP_X_REMOTE_USER
             # request header. This has to be in the <Location> block for
             # some Apache auth modules, such as PubCookie, which don't set
             # REMOTE_USER until very late.
             RequestHeader set X_REMOTE_USER %{remoteUser}e
          </Location>

          # Some Linux distributions (e.g., Debian Etch and Red Hat Enterprise
          # Linux AS Release 4) have default settings which prevent the header
          # rewrites below from working. Fix that:
          <Proxy *>
             Order deny,allow
             Allow from all
          </Proxy>

          # Do the typical VirtualHostMonster rewrite, adding an E= option
          # that puts the Apache-provided login name into the remoteUser
          # variable.
          RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/http/%{SERVER_NAME}/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
      </VirtualHost>

      Now, when I log in through CAS in the Apache frontend, it redirects me to Zenoss, but it can't display the dashboard, and instead I get this error on screen:

      === Server exception ===

      The server reported the following error:

      Unable to connect to the server.

      The system has encountered an error. Please reload the page.

      I can choose dismiss or retry. Retries return this error indefinitely. If I click on dismiss and try to click on the dashboard, it returns me to the Zenoss logon screen. So I guess the user is parsed correctly from Apache, because I see the username (without '@domain') in the upper right corner of the Zenoss screen. But the problem is I get the same screen no matter whether I created the user manually in Zenoss or the user authenticated in Apache doesn't exist. The good thing is I cannot do anything with nonexistent Zenoss users; the bad thing is I cannot do anything with Zenoss accounts I created in Zenoss.

      In the event.log, I found this (at approximately the time of login):

      ==> event.log <==
      ------
      2010-08-13T18:06:18 ERROR Zope.SiteErrorLog 1281715578.190.545370311641 http://infra.srce.hr:8080/zport/dmd/messaging_router
      Traceback (innermost last):
        Module ZPublisher.Publish, line 116, in publish
        Module ZPublisher.BaseRequest, line 541, in traverse
      AttributeError: has_key

      Any ideas?

    • chitra (White Belt, 17 posts since Nov 5, 2007)
      8. Aug 13, 2010 2:27 PM (in response to jsosic)
      Re: How to use Apachepas with Apache as a reverse-proxy

      Delete the existing user and make sure to create user accounts using the AD logon id in lowercase. This is to make sure that you can SSO logon using mixed case for your logon id.

      Hope this helps.

    • chitra (White Belt, 17 posts since Nov 5, 2007)
      9. Aug 13, 2010 2:51 PM (in response to chitra)
      Re: How to use Apachepas with Apache as a reverse-proxy

      Sorry; I had presumed you were working with Active Directory! Make sure that you create Zenoss user accounts (by logging into Zenoss using the admin account) EXACTLY the same as your enterprise SSO account names, in *lowercase*, to make sure that Zenoss can work with accounts in a case-insensitive manner.
      Please make sure to create the local account with appropriate roles BEFORE you let the users access through SSO.

      We have seen that the SSO accounts get incorrectly created if they were not already provisioned locally in Zenoss.

    • jsosic (White Belt, 9 posts since Jun 10, 2008)
      10. Aug 16, 2010 5:16 AM (in response to chitra)
      Re: How to use Apachepas with Apache as a reverse-proxy

      But how can I know if the account is incorrectly created? I've tried deleting my account and creating it manually within Zenoss, but it does not help. I tried with Zenoss 3.0.0, 3.0.1 and 2.5.1. No luck at all. Maybe I should try 2.4.x?

      Can you please send me your working Apache configuration? Maybe that's where the problem lies...

    • chitra (White Belt, 17 posts since Nov 5, 2007)
      11. Aug 16, 2010 5:24 PM (in response to jsosic)
      Re: How to use Apachepas with Apache as a reverse-proxy

      We referred to the http://plone.org/documentation/kb/plone-with-apache link to set up our environment. Zenoss already contains a VirtualHostMonster; you should see an entry for Virtual_Hosting in the manage page (http://zenoss_server:8080/manage).

      Also, we used a reverse-proxy setup with ProxyPass and ProxyPassReverse. I don't see your Apache VirtualHost configuration containing proxy settings.

      Our configuration file has the following entries:

      ProxyPass /zport/ http://localhost:8080/zport/
      ProxyPassReverse /zport/ http://localhost:8080/zport/

    • jsosic (White Belt, 9 posts since Jun 10, 2008)
      12. Aug 16, 2010 7:41 PM (in response to chitra)
      Re: How to use Apachepas with Apache as a reverse-proxy

      Thank you, that helped indeed! Now this is my working Apache configuration:

      <VirtualHost *:80>
          ServerName servername.domain

          RewriteEngine On

          <Location "/">
             Order allow,deny
             Allow from all
             AuthType CAS
             Require valid-user
          </Location>

          # Some Linux distributions (e.g., Debian Etch and Red Hat Enterprise
          # Linux AS Release 4) have default settings which prevent the header
          # rewrites below from working. Fix that:
          <Proxy *>
             Order deny,allow
             Allow from all
          </Proxy>

          # use proxy
          ProxyPass        /zport/ http://localhost:8080/zport/
          ProxyPassReverse /zport/ http://localhost:8080/zport/

          # Put the login name (stored below) into the HTTP_X_REMOTE_USER
          # request header. This has to be in the <Location> block for
          # some Apache auth modules, such as PubCookie, which don't set
          # REMOTE_USER until very late.
          RequestHeader set X_REMOTE_USER %{remoteUser}e

          # Do the typical VirtualHostMonster rewrite, adding an E= option
          # that puts the Apache-provided login name into the remoteUser
          # variable.
          RewriteRule ^/(.*)$ http://localhost:8080/VirtualHostBase/http/%{SERVER_NAME}:80/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
      </VirtualHost>

      Hope this configuration helps other guys searching for this too. Thank you once more! I would not have succeeded without your help! Appreciate it!

      The next problem, which is minor I suppose :), is the "sign out" button... Is there any howto on how to fix that button? The user stays logged in forever, as long as the browser is up, no matter how many times I click sign out.
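A worked example of the trust decision behind the header-based SSO set up in post 4 (apachepas reading HTTP_IV_USER) and in the Apache configuration above (X_REMOTE_USER copied from REMOTE_USER). This is added example code, not from the thread, from apachepas or from Zenoss. It assumes Apache and Zope share a host (so only loopback peers count as the proxy), assumes an "@REALM" suffix may be stripped from CAS/Kerberos principals, and uses a constructed table of locally provisioned accounts.

```python
"""Added example: what a header-based SSO extraction plugin must check.

Apache sets the X_REMOTE_USER request header from REMOTE_USER; Zope sees it
as the CGI variable HTTP_X_REMOTE_USER (HTTP_IV_USER for a WebSEAL junction).
The header is an assertion by the reverse proxy, so it is only trustworthy
when the request actually arrived through that proxy.
"""
from typing import Mapping, Optional, Tuple

# Assumption: Apache and Zope run on the same host, so the proxy is loopback.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})
HEADER_KEY = "HTTP_X_REMOTE_USER"   # CGI form of the X_REMOTE_USER header

# Constructed sample of locally provisioned Zenoss accounts and their roles
# (post 9: provision the lowercase account BEFORE users arrive through SSO).
LOCAL_ACCOUNTS = {"jsosic": "ZenUser", "admin": "Manager"}


def extract_sso_user(environ: Mapping[str, str],
                     header_key: str = HEADER_KEY,
                     trusted_proxies=TRUSTED_PROXIES,
                     strip_realm: bool = True) -> Optional[str]:
    """Return the normalized login id asserted by the proxy, or None.

    None means "this plugin found no credentials", which lets Zope fall
    through to basicAuth/cookieAuth instead of failing open.
    """
    # 1. Only accept the header when the TCP peer is the proxy. Anyone who
    #    can reach Zope's port 8080 directly can otherwise write
    #    "X_REMOTE_USER: admin" into the request themselves.
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return None
    raw = environ.get(header_key, "").strip()
    if not raw:
        return None
    # 2. Normalize to the form the local accounts use: lowercase, and
    #    (assumption) with a Kerberos/CAS "@REALM" suffix removed.
    user = raw.lower()
    if strip_realm and "@" in user:
        user = user.split("@", 1)[0]
    # 3. Accept only plain account ids; values containing CR/LF, slashes or
    #    spaces are rejected rather than handed to the user folder.
    if not user or not all(ch.isalnum() or ch in "._-" for ch in user):
        return None
    return user


def authenticate(environ: Mapping[str, str],
                 local_accounts: Mapping[str, str] = LOCAL_ACCOUNTS
                 ) -> Optional[Tuple[str, str]]:
    """Map a proxied request to (user, role), or None when it must be denied.

    An id the proxy asserts but that is not provisioned locally is denied,
    which is the behaviour post 9 asks for.
    """
    user = extract_sso_user(environ)
    if user is None or user not in local_accounts:
        return None
    return user, local_accounts[user]


# Constructed sample requests as Zope would see them in REQUEST.environ.
VIA_PROXY = {"REMOTE_ADDR": "127.0.0.1",
             "HTTP_X_REMOTE_USER": "JSosic@EXAMPLE.ORG"}
DIRECT_TO_8080 = {"REMOTE_ADDR": "10.0.0.5",      # bypassed Apache entirely
                  "HTTP_X_REMOTE_USER": "admin"}
UNPROVISIONED = {"REMOTE_ADDR": "127.0.0.1",
                 "HTTP_X_REMOTE_USER": "nobody"}
INJECTED = {"REMOTE_ADDR": "127.0.0.1",
            "HTTP_X_REMOTE_USER": "admin\r\nX-Evil: 1"}

if __name__ == "__main__":
    for label, env in (("via proxy", VIA_PROXY),
                       ("direct to 8080", DIRECT_TO_8080),
                       ("unprovisioned", UNPROVISIONED),
                       ("injected", INJECTED)):
        print(f"{label:15s} -> {authenticate(env)}")
```

The `RequestHeader set X_REMOTE_USER` line in the Apache configuration above overwrites any X_REMOTE_USER a client sends through the proxy, which is the right direction; it does nothing for a client that connects to port 8080 directly. Either bind Zope to 127.0.0.1 only or have the extraction step check the peer address as this example does, and keep both so that one misconfiguration does not become an authentication bypass.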

    • chitra (White Belt, 17 posts since Nov 5, 2007)
      13. Aug 17, 2010 12:20 PM (in response to jsosic)
      Re: How to use Apachepas with Apache as a reverse-proxy

      Good to know that it's working now!

      Please refer to the "NOTE: The Zenoss Logout option is hard-coded to redirect to /zport/dmd" section in the initial post and edit the logoutUser.py file to fix the logout button.
