Archived community.zenoss.org | full text search
Skip navigation
Up to Discussions in zenoss-users
3365 Views 12 Replies Latest reply: Dec 4, 2013 8:21 PM by Edgardo Rodriguez RSS
Scott Savarese Rank: White Belt
Scott Savarese
11 posts since
Mar 29, 2013
Currently Being Moderated

Apr 10, 2013 10:43 AM

Added LDAP and now users can't see events

I recently configured LDAP authentication on my zenoss instance. I mapped the "domain admin" AD group to the Manager role in zenoss. When the user logs in to zenoss, they don't see any of the events that are already there.

 

More about my environment... I use zenoss for the event console. Specifically as an SNMP trap receiver and presenter. As opposed to a device manager. I don't have any devices defined, but I do have a lot of event classes in use.

 

Shouldn't the manager role see "everything"?

Can I give the manager role (or other role) access to all events somehow?

 

Thanks,

Scott

Tags: ldap, event, access, active_directory, 4.2
  • Thomas Pollet Rank: White Belt
    Thomas Pollet
    27 posts since
    Aug 23, 2012
    Currently Being Moderated
    1. Apr 12, 2013 8:52 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    I have the same issue with radius authentication.

    I added the pas_radius_plugin but users logged in with radius account can't see the events.

    I recently upgraded from v3 to v4.2.0, in v3 this wasn't an issue.

  • Scott Savarese Rank: White Belt
    Scott Savarese
    11 posts since
    Mar 29, 2013
    Currently Being Moderated
    2. Apr 12, 2013 10:19 AM (in response to Thomas Pollet)
    Re: Added LDAP and now users can't see events

    One thing I learned from playing around...

     

    Go to Advanced -> Settings -> Users. The select one of the groups (in my case "Domain Admins"), go to Administered Objects, then add the / device class permission. The users in the group will then be able to go to Infrastructure -> devices -> Details -> events and see the current events. However, they will not be able to see events in the Events tab which is where I want them to appear.

     

    Its a bit closer to a solution, but not sure its all the way there... Anybody have more information on how to add permissions to groups? How do I permission a group to see active events in the events tab versus the Infrastructure tab?

  • Thomas Pollet Rank: White Belt
    Thomas Pollet
    27 posts since
    Aug 23, 2012
    Currently Being Moderated
    3. Apr 12, 2013 10:26 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    Nice, I can now see the events the way scott describes (adding the / device class to administered objects).

    However the events window stays blank.

  • Scott Savarese Rank: White Belt
    Scott Savarese
    11 posts since
    Mar 29, 2013
    Currently Being Moderated
    4. Apr 13, 2013 11:52 AM (in response to Thomas Pollet)
    Re: Added LDAP and now users can't see events

    Looking at the documentation and the GUI the only thing I can give groups permission to (that I can use to influence what events they can see) are deviceclasses. Personally, I would like to see a request for enhancement here so that I can permission on event class as well. That would be a great feature.

     

    Given that I can only use deviceClasses for permissioning (I plan to have multiple groups each with access to different events) I looked at playing with transforms to influence the DeviceClasses. I learned a few things:

    * First, you can't set the DeviceClass in an event transform. It lets you do it, and shows it as changed, but it will always put the event in the same deviceclass that the device the event is from comes to. I tested this by setting the deviceclass to an abitrary class in my tree and the event didn't appear in the proper class.

    * Second, the only way to influence the deviceclass is to create devices in the infrastucture view. The events will follow where that device lives. This forces me into a model where Zenoss wants to probe the devices for status. I don't want to use zenoss for that. I want to use it as a trap and event receiver and not as a probe. As I add more and more devices into my network, a central zenoss server does not scale as well as a distributed model where the devices with issues tell zenoss their problems. AT MOST, all I want Zenoss to do is make sure the device is still alive (right now I have Nagios configured for that).

    * Third, only my admin user can add devices. Apparently when I add a device as an LDAP user it ignores the device and doesn't create a task for it.

     

    So, back to the questions...

    * Why can't my LDAP users see events in the events view, but CAN see events in the Infrastructure view? Is this a Zenoss Core limitation or something with LDAP permissions?

    * What is the best way to configure this?

     

    I would love any and all feedback from people. I'm leveraging the forums to encourage communication, but the only person responding has the same issue as me and no solutions on how to move forward either... Is there a better way to raise issues with the Zenoss developers?

     

    Thanks,

    Scott

  • Scott Savarese Rank: White Belt
    Scott Savarese
    11 posts since
    Mar 29, 2013
    Currently Being Moderated
    5. Apr 14, 2013 7:46 PM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    So, I tried something else... I created a new "local" (nonLDAP) user. I set up its Administered objects to be / and that user was able to see everything in the Events tab. So, I think I can safely conclude that because my user is LDAP based, that is the reason it can't see anything in the Events tab.

     

    So I have a choice... Leverage LDAP authentication and lose the events tab, or manage users locally and have the events tab. I'm hoping someone from these forums is able to help out with this... Has anybody gotten LDAP authentication to work in Zenoss Core?

     

    Thanks,

    Scott

  • Thomas Pollet Rank: White Belt
    Thomas Pollet
    27 posts since
    Aug 23, 2012
    Currently Being Moderated
    6. Apr 16, 2013 10:43 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    for some reason, the json query from a user logged in with radius contains a "tags" object with a uid.

     

    This tag comes from a javascript function _managed_objects defined in Products/ZenUI3/security/security.py.

     

    I patched this function to return an empty array and now it works.

     

    65

    66     function _managed_objects(){

    67         //return %s;

    68         return [];

    69     }

    70

     

    I think the condition "if us.hasNoGlobalRoles():" in getManagedObjectGuids has something to do with it but I am not an expert on zenoss source code

  • rtelford Rank: White Belt
    rtelford
    11 posts since
    Apr 5, 2011
    Currently Being Moderated
    7. Apr 18, 2013 6:12 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    +1 on this problem. We are connecting to AD and cannot see any events. Local users see events just fine.

     

    Zenoss devs? 

     

    Thanks,

    Rod.

  • Rob Eagle Rank: Green Belt
    Rob Eagle
    155 posts since
    Feb 20, 2012
    Currently Being Moderated
    8. Apr 18, 2013 8:47 AM (in response to rtelford)
    Re: Added LDAP and now users can't see events

    We use LDAP for authentication only (no group membership).  What we have found is that when a user first authenticates via LDAP a user is created in zenoss and we have no abilities to modify that users access beyond the default group we assign when initially creating the user.  At that point, we delete that users account and re-add the user in zenoss manually.  At that point the user can be modified and see the events console depending on his access type + still uses ldap for authentication.

    Not sure this is the same issue you guys are seeing -

    Rob

  • jcurry ZenossMaster
    jcurry
    1,021 posts since
    Apr 15, 2008
    Currently Being Moderated
    9. Apr 18, 2013 2:08 PM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    I have just setup LDAP with Zenoss Core 4.2.3.  I am using open LDAP, not AD.  Followed rmatte's instructions here - message/30126#30126 and the base reference here - docs/DOC-2510 .

     

    There are issues with recent versions of LDAPUserFolder so again used help from rmatte with the plugins:

     

    sudo su - zenoss

     

    cd ~

    wget -c http://pypi.python.org/packages/source/P/Products.LDAPUserFolder/Products.LDAPUserFolder-2.18.tar.gz

    tar zxf Products.LDAPUserFolder-2.18.tar.gz

    cd Products.LDAPUserFolder-2.18/Products

    mv LDAPUserFolder /opt/zenoss/Products

    chown -R zenoss:zenoss /opt/zenoss/Products/LDAPUserFolder

    cd

    rm -rf Products.LDAPUserFolder*

     

    cd ~

    wget -c http://pypi.python.org/packages/source/P/Products.LDAPMultiPlugins/Products.LDAPMultiPlugins-1.14.tar.gz

    tar zxf Products.LDAPMultiPlugins-1.14.tar.gz

    cd Products.LDAPMultiPlugins-1.14/Products

    mv LDAPMultiPlugins /opt/zenoss/Products

    chown -R zenoss:zenoss /opt/zenoss/Products/LDAPMultiPlugins

    cd ~

    rm -rf Products.LDAPMultiPlugins*

     

    Had a couple of false starts with configuring the LDAP groups / Zenoss roles.  This is what I have ended up with:

     

    Configure_ldap_for_zenoss.jpg

     

    If you want to add LDAP groups from Zope then you must have ReadOnly unticked and you must supply the Manager DN and password - I found I couldn't set the Manager DN Usage to Always unless I had this.  Most of the other parameters will depend on your LDAP setup.

     

    The one that may affect seeing events and other stuff is the Default User Role.  if you leave that at Anonymous then the Anonymous role effectively has no powers.  You can see some menus but most of the detail is blank.  If you have users that are not in any LDAP group then this is the zenoss role that they will get.  It may be what you want but it may not.

     

    Using Zenoss roles locally, the default tends to be ZenUser so I used that as the Default User Roles; that way, users not in a LDAP group can see standard stuff.

     

    I now have users who are not defined locally in Zenoss that can both authenticate to Zenoss for the GUI and get the correct role, depending on the group / role mapping setup.

     

    Cheers,

    Jane

  • Scott Savarese Rank: White Belt
    Scott Savarese
    11 posts since
    Mar 29, 2013
    Currently Being Moderated
    10. May 3, 2013 8:04 AM (in response to jcurry)
    Re: Added LDAP and now users can't see events

    Thomas, I tested out your change... I noticed a few things when I did that...

     

    First, I can see all events in the events page. Which is good. But sadly I lose the ability to manage group permissions. Going to Advanced -> settings -> users and looking at the group permissions I see nothing there. That is important if I not only want to authentication users but also do some sort of access control for them.

    Second, I started seeing zenoss failure events around handling an empty set. I have to assume its related.

     

    Rob, I'm looking into your idea.. I think its a bit hacky...but its working so far. I'm going to continue to play with it and let y'all know how it works out.

     

    Thanks,

    Scott

  • Mark Matthews Newbie
    Mark Matthews
    1 posts since
    Nov 17, 2013
    Currently Being Moderated
    11. Nov 28, 2013 12:36 AM (in response to Scott Savarese)
    Re: Added LDAP and now users can't see events

    +1 to this problem. We are using LDAP with zenoss 4.2.4 and non-local users are still unable to see events. We're also unable to add additional devices using non-local accounts.

     

    Mark

  • Edgardo Rodriguez Rank: White Belt
    Edgardo Rodriguez
    22 posts since
    Nov 18, 2013
    Currently Being Moderated
    12. Dec 4, 2013 8:21 PM (in response to Mark Matthews)
    Re: Added LDAP and now users can't see events

    Hi!

     

    In mi situation i followed carefully this:

    *Full article: http://blogs.oregonstate.edu/sig/2013/03/28/enabling-ldap-authentication-in-zenoss-core-4-2-and-centos-6/

     

     

    Restricting Zenoss access to a subset of specific users

    1. Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
    2. Click acl_users in the tree view on the left side of the page.
    3. Click roleManager.
    4. Click Add a Role and enter “ZenNone” for the ID, then save.
    5. Click acl_users in the tree view on the left side of the page.
    6. Click your LDAP config.
    7. Select the Contents tab.
    8. Click acl_users in the list.
    9. Change Default User Roles to “ZenNone” and apply changes.
    10. Click acl_users in the tree view on the left side of the page.
    11. Click roleManager.
    12. Select the Security tab.
    13. Check all the checkboxes under Manager, Owner, and ZenManager. (IMPORTANT! If you do not do this step, you will lock your admin account out of the system!)
    14. Uncheck all the checkboxes under Acquire permission settings?
    15. Check the checkboxes for “Access contents information” and “View” under ZenUser.
    16. Click Save Changes.

    When finished, users who are in LDAP are given restricted access (via the ZenNone role) by default, unless they have been granted a different Zenoss role. You can edit Zenoss role assignments via Zope manager -> acl_users -> roleManager.

     

     

    And works great for me, did it at least 3 times for latest zenoss core: 4.2.4

     

    Good luck,

     

    Regards,

More Like This

  • Retrieving data ...

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points