Apr 10, 2013 10:43 AM
Added LDAP and now users can't see events
I recently configured LDAP authentication on my zenoss instance. I mapped the "domain admin" AD group to the Manager role in zenoss. When the user logs in to zenoss, they don't see any of the events that are already there.
More about my environment... I use zenoss for the event console, specifically as an SNMP trap receiver and presenter, as opposed to a device manager. I don't have any devices defined, but I do have a lot of event classes in use.
Shouldn't the manager role see "everything"?
Can I give the manager role (or other role) access to all events somehow?
Thanks,
Scott
I have the same issue with radius authentication.
I added the pas_radius_plugin but users logged in with radius account can't see the events.
I recently upgraded from v3 to v4.2.0, in v3 this wasn't an issue.
One thing I learned from playing around...
Go to Advanced -> Settings -> Users. Then select one of the groups (in my case "Domain Admins"), go to Administered Objects, then add the / device class permission. The users in the group will then be able to go to Infrastructure -> Devices -> Details -> Events and see the current events. However, they will not be able to see events in the Events tab, which is where I want them to appear.
It's a bit closer to a solution, but I'm not sure it's all the way there... Anybody have more information on how to add permissions to groups? How do I permission a group to see active events in the Events tab versus the Infrastructure tab?
Nice, I can now see the events the way Scott describes (adding the / device class to Administered Objects).
However the events window stays blank.
Looking at the documentation and the GUI the only thing I can give groups permission to (that I can use to influence what events they can see) are deviceclasses. Personally, I would like to see a request for enhancement here so that I can permission on event class as well. That would be a great feature.
Given that I can only use deviceClasses for permissioning (I plan to have multiple groups each with access to different events) I looked at playing with transforms to influence the DeviceClasses. I learned a few things:
* First, you can't set the DeviceClass in an event transform. It lets you do it, and shows it as changed, but it will always put the event in the same device class as the device the event comes from. I tested this by setting the device class to an arbitrary class in my tree and the event didn't appear in the proper class.
* Second, the only way to influence the device class is to create devices in the Infrastructure view. The events will follow where that device lives. This forces me into a model where Zenoss wants to probe the devices for status. I don't want to use Zenoss for that. I want to use it as a trap and event receiver and not as a probe. As I add more and more devices into my network, a central Zenoss server does not scale as well as a distributed model where the devices with issues tell Zenoss their problems. AT MOST, all I want Zenoss to do is make sure the device is still alive (right now I have Nagios configured for that).
* Third, only my admin user can add devices. Apparently when I add a device as an LDAP user it ignores the device and doesn't create a task for it.
So, back to the questions...
* Why can't my LDAP users see events in the events view, but CAN see events in the Infrastructure view? Is this a Zenoss Core limitation or something with LDAP permissions?
* What is the best way to configure this?
I would love any and all feedback from people. I'm leveraging the forums to encourage communication, but the only person responding has the same issue as me and no solutions on how to move forward either... Is there a better way to raise issues with the Zenoss developers?
Thanks,
Scott
So, I tried something else... I created a new "local" (non-LDAP) user. I set up its Administered Objects to be / and that user was able to see everything in the Events tab. So, I think I can safely conclude that because my user is LDAP based, that is the reason it can't see anything in the Events tab.
So I have a choice... Leverage LDAP authentication and lose the events tab, or manage users locally and have the events tab. I'm hoping someone from these forums is able to help out with this... Has anybody gotten LDAP authentication to work in Zenoss Core?
Thanks,
Scott
For some reason, the JSON query from a user logged in with RADIUS contains a "tags" object with a uid.
This tag comes from a JavaScript function _managed_objects defined in Products/ZenUI3/security/security.py.
I patched this function to return an empty array and now it works.
function _managed_objects(){
    //return %s;   // original line: emits the managed-object GUID list
    return [];     // patched: no tag filter is sent with the query
}
I think the condition "if us.hasNoGlobalRoles():" in getManagedObjectGuids has something to do with it but I am not an expert on zenoss source code
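Added illustration (not Zenoss source, not part of the thread): a small Python model of the tag filter Thomas describes. The names has_no_global_roles() and managed_object_guids() echo the hasNoGlobalRoles() / getManagedObjectGuids() he mentions, but their bodies, the User class and the sample events are constructed for this example. It shows how a user whose only role arrives via a directory group mapping can look role-less to a check that only reads roles stored on the user object, so the query is restricted to an empty set of administered objects and the Events tab comes back blank. It also shows what the `return []` patch does: it drops the filter for everyone, including users who are supposed to be limited to their Administered Objects.

```python
"""Model of the event-console tag filter discussed in this thread.

Illustration code only. has_no_global_roles()/managed_object_guids() mimic the
hasNoGlobalRoles()/getManagedObjectGuids() names from the post; the bodies,
the User class and EVENTS are hypothetical and constructed for the example.
"""
from dataclasses import dataclass, field

GLOBAL_ROLES = {"Manager", "ZenManager", "ZenUser", "ZenOperator"}

# Constructed sample events. "tags" holds the GUIDs of the objects an event is
# associated with (device class, device), which is what the JSON query filters on.
EVENTS = [
    {"summary": "link down on sw1", "tags": {"guid-devclass-root", "guid-sw1"}},
    {"summary": "fan failed on rtr1", "tags": {"guid-devclass-root", "guid-rtr1"}},
    {"summary": "trap from unknown host", "tags": {"guid-devclass-root"}},
]


@dataclass
class User:
    name: str
    local_roles: set = field(default_factory=set)        # roles stored on the user object
    group_roles: set = field(default_factory=set)        # roles mapped from an LDAP/AD group
    administered_guids: set = field(default_factory=set)  # "Administered Objects"


def has_no_global_roles(user, count_group_roles=True):
    """True when the user holds no global role.

    count_group_roles=False models a check that reads only the roles stored on
    the user object, which is how an LDAP user whose sole role comes from a
    group mapping ends up looking role-less.
    """
    roles = set(user.local_roles)
    if count_group_roles:
        roles |= user.group_roles
    return not (roles & GLOBAL_ROLES)


def managed_object_guids(user, count_group_roles=True):
    """Tag filter handed to the event query: None means 'no filter', a set
    restricts the query to events tagged with one of those GUIDs."""
    if has_no_global_roles(user, count_group_roles):
        return set(user.administered_guids)
    return None


def visible_events(user, count_group_roles=True, events=EVENTS):
    """Events the user sees once the tag filter is applied."""
    guids = managed_object_guids(user, count_group_roles)
    if guids is None:
        return list(events)
    # A directory user with no local role and no administered objects gets an
    # empty GUID set here: nothing matches and the Events tab is blank.
    return [e for e in events if e["tags"] & guids]


def bypass_patch_events(user, events=EVENTS):
    """What the patch above does: _managed_objects() always returns [], so no
    tag filter is applied for anyone, including users meant to be restricted."""
    return list(events)


if __name__ == "__main__":
    ldap_user = User("jdoe", group_roles={"Manager"})
    print(len(visible_events(ldap_user, count_group_roles=False)), "events (group role ignored)")
    print(len(visible_events(ldap_user)), "events (group role counted)")
    ops = User("ops", administered_guids={"guid-rtr1"})
    print(len(visible_events(ops)), "event for the restricted user, vs",
          len(bypass_patch_events(ops)), "with the bypass patch")
```

The point of the model is the trade-off Scott runs into later in the thread: the safe fix is to make group-derived roles count as global roles, whereas emptying the filter removes the access control for the users who were supposed to have it.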
+1 on this problem. We are connecting to AD and cannot see any events. Local users see events just fine.
Zenoss devs?
Thanks,
Rod.
We use LDAP for authentication only (no group membership). What we have found is that when a user first authenticates via LDAP a user is created in zenoss and we have no abilities to modify that users access beyond the default group we assign when initially creating the user. At that point, we delete that users account and re-add the user in zenoss manually. At that point the user can be modified and see the events console depending on his access type + still uses ldap for authentication.
Not sure this is the same issue you guys are seeing -
Rob
I have just set up LDAP with Zenoss Core 4.2.3. I am using OpenLDAP, not AD. Followed rmatte's instructions here - message/30126#30126 and the base reference here - docs/DOC-2510 .
There are issues with recent versions of LDAPUserFolder so again used help from rmatte with the plugins:
sudo su - zenoss
cd ~
# Products.LDAPUserFolder 2.18: fetch, unpack, drop the package into the Zenoss Products tree
wget -c http://pypi.python.org/packages/source/P/Products.LDAPUserFolder/Products.LDAPUserFolder-2.18.tar.gz
tar zxf Products.LDAPUserFolder-2.18.tar.gz
cd Products.LDAPUserFolder-2.18/Products
mv LDAPUserFolder /opt/zenoss/Products
chown -R zenoss:zenoss /opt/zenoss/Products/LDAPUserFolder
cd ~
rm -rf Products.LDAPUserFolder*
# Products.LDAPMultiPlugins 1.14: same steps (assumes the tarball has already been downloaded into ~)
tar zxf Products.LDAPMultiPlugins-1.14.tar.gz
cd Products.LDAPMultiPlugins-1.14/Products
mv LDAPMultiPlugins /opt/zenoss/Products
chown -R zenoss:zenoss /opt/zenoss/Products/LDAPMultiPlugins
cd ~
rm -rf Products.LDAPMultiPlugins*
Had a couple of false starts with configuring the LDAP groups / Zenoss roles. This is what I have ended up with:
If you want to add LDAP groups from Zope then you must have ReadOnly unticked and you must supply the Manager DN and password - I found I couldn't set the Manager DN Usage to Always unless I had this. Most of the other parameters will depend on your LDAP setup.
The one that may affect seeing events and other stuff is the Default User Role. If you leave that at Anonymous then the Anonymous role effectively has no powers. You can see some menus but most of the detail is blank. If you have users that are not in any LDAP group then this is the Zenoss role that they will get. It may be what you want but it may not.
Using Zenoss roles locally, the default tends to be ZenUser so I used that as the Default User Roles; that way, users not in a LDAP group can see standard stuff.
I now have users who are not defined locally in Zenoss that can both authenticate to Zenoss for the GUI and get the correct role, depending on the group / role mapping setup.
Cheers,
Jane
Thomas, I tested out your change... I noticed a few things when I did that...
First, I can see all events in the Events page. Which is good. But sadly I lose the ability to manage group permissions. Going to Advanced -> Settings -> Users and looking at the group permissions I see nothing there. That is important if I want to not only authenticate users but also do some sort of access control for them.
Second, I started seeing Zenoss failure events around handling an empty set. I have to assume it's related.
Rob, I'm looking into your idea... I think it's a bit hacky... but it's working so far. I'm going to continue to play with it and let y'all know how it works out.
Thanks,
Scott
+1 to this problem. We are using LDAP with zenoss 4.2.4 and non-local users are still unable to see events. We're also unable to add additional devices using non-local accounts.
Mark
Hi!
In my situation I carefully followed this:
*Full article: http://blogs.oregonstate.edu/sig/2013/03/28/enabling-ldap-authentication-in-zenoss-core-4-2-and-centos-6/
Restricting Zenoss access to a subset of specific users
- Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
- Click acl_users in the tree view on the left side of the page.
- Click roleManager.
- Click Add a Role and enter "ZenNone" for the ID, then save.
- Click acl_users in the tree view on the left side of the page.
- Click your LDAP config.
- Select the Contents tab.
- Click acl_users in the list.
- Change Default User Roles to "ZenNone" and apply changes.
- Click acl_users in the tree view on the left side of the page.
- Click roleManager.
- Select the Security tab.
- Check all the checkboxes under Manager, Owner, and ZenManager. (IMPORTANT! If you do not do this step, you will lock your admin account out of the system!)
- Uncheck all the checkboxes under "Acquire permission settings?".
- Check the checkboxes for "Access contents information" and "View" under ZenUser.
- Click Save Changes.
When finished, users who are in LDAP are given restricted access (via the ZenNone role) by default, unless they have been granted a different Zenoss role. You can edit Zenoss role assignments via Zope manager -> acl_users -> roleManager.
And it works great for me; I did it at least 3 times on the latest Zenoss Core, 4.2.4.
Good luck,
Regards,
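Added illustration (not Zope or Zenoss code, not part of the post above): a Python model of the permission-to-role table edited in the roleManager steps, written to show why the warning about the Manager/Owner/ZenManager checkboxes holds. Folder, grant() and allowed() are hypothetical simplifications of Zope's per-object permission settings; the role and permission names are the ones used in the steps.

```python
"""Model of Zope's per-object permission -> roles mapping with acquisition.

Illustration only: Folder, grant() and allowed() are simplifications written
for this example, not Zope APIs. Role and permission names follow the steps
above (Manager, Owner, ZenManager, ZenUser, ZenNone; View, Access contents
information, Change permissions).
"""


class Folder:
    """One object in the Zope tree with its own permission settings."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        # permission -> (roles granted on this object, acquire from parent?)
        self.settings = {}

    def grant(self, permission, roles, acquire=True):
        self.settings[permission] = (set(roles), acquire)

    def roles_for(self, permission):
        """Roles that hold the permission here; with acquisition on, the parent's
        roles are added, with it off only the roles ticked here count."""
        roles, acquire = self.settings.get(permission, (set(), True))
        if acquire and self.parent is not None:
            roles = roles | self.parent.roles_for(permission)
        return roles


def allowed(folder, permission, user_roles):
    """The user needs at least one of the roles listed for the permission."""
    return bool(folder.roles_for(permission) & set(user_roles))


def build_role_manager(check_manager_boxes, acquire=False):
    """zport with ordinary settings plus a roleManager edited as in the steps.

    check_manager_boxes is the 'Check all the checkboxes under Manager, Owner,
    and ZenManager' step; acquire=False is 'Uncheck all the checkboxes under
    Acquire permission settings?'. ZenNone is never granted anything, so a
    directory user who only has the default role is denied everywhere.
    """
    zport = Folder("zport")
    zport.grant("View", {"Manager", "Owner", "ZenManager", "ZenUser"})
    zport.grant("Access contents information", {"Manager", "Owner", "ZenManager", "ZenUser"})
    zport.grant("Change permissions", {"Manager", "Owner", "ZenManager"})

    role_manager = Folder("roleManager", parent=zport)
    managers = {"Manager", "Owner", "ZenManager"} if check_manager_boxes else set()
    role_manager.grant("View", managers | {"ZenUser"}, acquire=acquire)
    role_manager.grant("Access contents information", managers | {"ZenUser"}, acquire=acquire)
    role_manager.grant("Change permissions", managers, acquire=acquire)
    return role_manager


if __name__ == "__main__":
    ok = build_role_manager(check_manager_boxes=True)
    print("admin can change permissions:", allowed(ok, "Change permissions", {"Manager"}))
    print("ZenNone can view:", allowed(ok, "View", {"ZenNone"}))
    locked = build_role_manager(check_manager_boxes=False)
    print("admin after skipping the Manager boxes:", allowed(locked, "Change permissions", {"Manager"}))
```

With acquisition switched off, the parent's grant to Manager is no longer consulted, so leaving the Manager/Owner/ZenManager boxes unticked is exactly the lockout the steps warn about; with acquisition left on, the same omission would have been harmless because the admin role is inherited from zport.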
Copyright © 2005-2011 Zenoss, Inc.