Archived community.zenoss.org | full text search
Skip navigation
3364 Views 12 Replies Latest reply: Dec 4, 2013 8:21 PM by Edgardo Rodriguez RSS
Scott Savarese Rank: White Belt 11 posts since
Mar 29, 2013
Currently Being Moderated

Apr 10, 2013 10:43 AM

Added LDAP and now users can't see events

I recently configured LDAP authentication on my zenoss instance. I mapped the "domain admin" AD group to the Manager role in zenoss. When the user logs in to zenoss, they don't see any of the events that are already there.

 

More about my environment... I use zenoss for the event console. Specifically as an SNMP trap receiver and presenter. As opposed to a device manager. I don't have any devices defined, but I do have a lot of event classes in use.

 

Shouldn't the manager role see "everything"?

Can I give the manager role (or other role) access to all events somehow?

 

Thanks,

Scott

  • Thomas Pollet Rank: White Belt 27 posts since
    Aug 23, 2012
    Currently Being Moderated
    1. Apr 12, 2013 8:52 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    I have the same issue with radius authentication.

    I added the pas_radius_plugin but users logged in with radius account can't see the events.

    I recently upgraded from v3 to v4.2.0, in v3 this wasn't an issue.

  • Thomas Pollet Rank: White Belt 27 posts since
    Aug 23, 2012
    Currently Being Moderated
    3. Apr 12, 2013 10:26 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    Nice, I can now see the events the way scott describes (adding the / device class to administered objects).

    However the events window stays blank.

  • Thomas Pollet Rank: White Belt 27 posts since
    Aug 23, 2012
    Currently Being Moderated
    6. Apr 16, 2013 10:43 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    for some reason, the json query from a user logged in with radius contains a "tags" object with a uid.

     

    This tag comes from a javascript function _managed_objects defined in Products/ZenUI3/security/security.py.

     

    I patched this function to return an empty array and now it works.

     

    65

    66     function _managed_objects(){

    67         //return %s;

    68         return [];

    69     }

    70

     

    I think the condition "if us.hasNoGlobalRoles():" in getManagedObjectGuids has something to do with it but I am not an expert on zenoss source code

  • rtelford Rank: White Belt 11 posts since
    Apr 5, 2011
    Currently Being Moderated
    7. Apr 18, 2013 6:12 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    +1 on this problem. We are connecting to AD and cannot see any events. Local users see events just fine.

     

    Zenoss devs? 

     

    Thanks,

    Rod.

  • Rob Eagle Rank: Green Belt 155 posts since
    Feb 20, 2012
    Currently Being Moderated
    8. Apr 18, 2013 8:47 AM (in response to rtelford)
    Re: Added LDAP and now users can't see events

    We use LDAP for authentication only (no group membership).  What we have found is that when a user first authenticates via LDAP a user is created in zenoss and we have no abilities to modify that users access beyond the default group we assign when initially creating the user.  At that point, we delete that users account and re-add the user in zenoss manually.  At that point the user can be modified and see the events console depending on his access type + still uses ldap for authentication.

    Not sure this is the same issue you guys are seeing -

    Rob

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    9. Apr 18, 2013 2:08 PM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    I have just setup LDAP with Zenoss Core 4.2.3.  I am using open LDAP, not AD.  Followed rmatte's instructions here - message/30126#30126 and the base reference here - docs/DOC-2510 .

     

    There are issues with recent versions of LDAPUserFolder so again used help from rmatte with the plugins:

     

    sudo su - zenoss

     

    cd ~

    wget -c http://pypi.python.org/packages/source/P/Products.LDAPUserFolder/Products.LDAPUserFolder-2.18.tar.gz

    tar zxf Products.LDAPUserFolder-2.18.tar.gz

    cd Products.LDAPUserFolder-2.18/Products

    mv LDAPUserFolder /opt/zenoss/Products

    chown -R zenoss:zenoss /opt/zenoss/Products/LDAPUserFolder

    cd

    rm -rf Products.LDAPUserFolder*

     

    cd ~

    wget -c http://pypi.python.org/packages/source/P/Products.LDAPMultiPlugins/Products.LDAPMultiPlugins-1.14.tar.gz

    tar zxf Products.LDAPMultiPlugins-1.14.tar.gz

    cd Products.LDAPMultiPlugins-1.14/Products

    mv LDAPMultiPlugins /opt/zenoss/Products

    chown -R zenoss:zenoss /opt/zenoss/Products/LDAPMultiPlugins

    cd ~

    rm -rf Products.LDAPMultiPlugins*

     

    Had a couple of false starts with configuring the LDAP groups / Zenoss roles.  This is what I have ended up with:

     

    Configure_ldap_for_zenoss.jpg

     

    If you want to add LDAP groups from Zope then you must have ReadOnly unticked and you must supply the Manager DN and password - I found I couldn't set the Manager DN Usage to Always unless I had this.  Most of the other parameters will depend on your LDAP setup.

     

    The one that may affect seeing events and other stuff is the Default User Role.  if you leave that at Anonymous then the Anonymous role effectively has no powers.  You can see some menus but most of the detail is blank.  If you have users that are not in any LDAP group then this is the zenoss role that they will get.  It may be what you want but it may not.

     

    Using Zenoss roles locally, the default tends to be ZenUser so I used that as the Default User Roles; that way, users not in a LDAP group can see standard stuff.

     

    I now have users who are not defined locally in Zenoss that can both authenticate to Zenoss for the GUI and get the correct role, depending on the group / role mapping setup.

     

    Cheers,

    Jane

  • Mark Matthews Newbie 1 posts since
    Nov 17, 2013
    Currently Being Moderated
    11. Nov 28, 2013 12:36 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    +1 to this problem. We are using LDAP with zenoss 4.2.4 and non-local users are still unable to see events. We're also unable to add additional devices using non-local accounts.

     

    Mark

  • Edgardo Rodriguez Rank: White Belt 22 posts since
    Nov 18, 2013
    Currently Being Moderated
    12. Dec 4, 2013 8:21 PM (in response to Mark Matthews)
    Re: Added LDAP and now users can't see events

    Hi!

     

    In mi situation i followed carefully this:

    *Full article: http://blogs.oregonstate.edu/sig/2013/03/28/enabling-ldap-authentication-in-zenoss-core-4-2-and-centos-6/

     

     

    Restricting Zenoss access to a subset of specific users

    1. Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
    2. Click acl_users in the tree view on the left side of the page.
    3. Click roleManager.
    4. Click Add a Role and enter “ZenNone” for the ID, then save.
    5. Click acl_users in the tree view on the left side of the page.
    6. Click your LDAP config.
    7. Select the Contents tab.
    8. Click acl_users in the list.
    9. Change Default User Roles to “ZenNone” and apply changes.
    10. Click acl_users in the tree view on the left side of the page.
    11. Click roleManager.
    12. Select the Security tab.
    13. Check all the checkboxes under Manager, Owner, and ZenManager. (IMPORTANT! If you do not do this step, you will lock your admin account out of the system!)
    14. Uncheck all the checkboxes under Acquire permission settings?
    15. Check the checkboxes for “Access contents information” and “View” under ZenUser.
    16. Click Save Changes.

    When finished, users who are in LDAP are given restricted access (via the ZenNone role) by default, unless they have been granted a different Zenoss role. You can edit Zenoss role assignments via Zope manager -> acl_users -> roleManager.

     

     

    And works great for me, did it at least 3 times for latest zenoss core: 4.2.4

     

    Good luck,

     

    Regards,

More Like This

  • Retrieving data ...

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points