Discussion:
ActiveDirectory with Groups - All or nothing
Joe Lemaire
2011-11-09 20:50:41 UTC
Permalink
Joe Lemaire [http://community.zenoss.org/people/JoeLemaire] created the discussion

"ActiveDirectory with Groups - All or nothing"

To view the discussion, visit: http://community.zenoss.org/message/62541#62541

--------------------------------------------------------------
All,

I am running Zenoss 3.2.1 on Centos 5.7 (i386), and am having an issue with my AD Integration.  I've installed the ActiveDirectory and LDAP multi-plugins, and configured them according to this guide:  http://community.zenoss.org/docs/DOC-2510 http://community.zenoss.org/docs/DOC-2510.  I've got the binding to work with the 'Default User Role' being Anonymous (see attached pic1.png), and have setup my AD Group to map to the Zope Groups (see attached pic2.png). This then lets my Domain Admins into Zenoss with the correct privilege.  However, adding in the AD group seems to also give all AD users, regardless of their membership to the specified AD group, the access specified.  So, per pic2.png, adding in the Domain Admins group as ZopeManagers, gives all users that privilege, not just Domain Admins.  If I remove the group, everyone has anonymous access, as expected.

Any thougths?  Thanks in advance!

~Joe
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/62541#62541]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
dpetzel
2011-11-10 01:09:13 UTC
Permalink
dpetzel [http://community.zenoss.org/people/dpetzel] created the discussion

"Re: ActiveDirectory with Groups - All or nothing"

To view the discussion, visit: http://community.zenoss.org/message/62545#62545

--------------------------------------------------------------
I compared my settings (3.2.1 on RHEL 5.6). My configuration is just a little different than yours and that DOC.  I'm not sure either will matter, but throwing them out just in case.

1) We don't map domain admins --> manager, but instead we use a seperate group which my team is a member of. My team isnt in the domain admins group so I can't test this, but maybe trying creating a new group "Zenoss Admins" and making all the current members of domains admins members of that group, and use that group instead of Domain Admins

2) For "Group mapping (Applies to LDAP group storage only)" I'm set to automatic mapping rather than manual. Not sure if you've tried that already or not, but maybe worth a shot.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/62545#62545]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Joe Lemaire
2011-11-10 12:59:20 UTC
Permalink
Joe Lemaire [http://community.zenoss.org/people/JoeLemaire] created the discussion

"Re: ActiveDirectory with Groups - All or nothing"

To view the discussion, visit: http://community.zenoss.org/message/62567#62567

--------------------------------------------------------------
Hey dpetzel,

Thanks for the response!  Unfortunetly, I tried both, and neither worked.  Any other thoughts?

Thanks,

~Joe
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/62567#62567]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
dpetzel
2011-11-10 14:21:05 UTC
Permalink
dpetzel [http://community.zenoss.org/people/dpetzel] created the discussion

"Re: ActiveDirectory with Groups - All or nothing"

To view the discussion, visit: http://community.zenoss.org/message/62568#62568

--------------------------------------------------------------
I wish I could say I had some other ideas, but I'm afraid I don't.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/62568#62568]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Loading...