Discussion:
How to prevent rest of the LDAP groups from logging into zenoss
comc49
2013-08-21 17:20:54 UTC
comc49 [http://community.zenoss.org/people/comc49] created the discussion

"How to prevent rest of the LDAP groups from logging into zenoss"

To view the discussion, visit: http://community.zenoss.org/message/74430#74430

--------------------------------------------------------------
Hi, I want certain groups on my organization's LDAP server to be able to log in to Zenoss and the rest to not even be able to log in to Zenoss. I know that there is an anonymous option, but my company still feels insecure with anyone from the LDAP server being able to log in. Is there any way to make the default LDAP role unauthorized?
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/74430#74430]

Start a new discussion in zenoss-users at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Alan Milligan
2013-08-22 15:07:03 UTC
Alan Milligan [http://community.zenoss.org/people/milligana] created the discussion

"Re: How to prevent rest of the LDAP groups from logging into zenoss"

To view the discussion, visit: http://community.zenoss.org/message/74423#74423

--------------------------------------------------------------
Are you really talking about the PAS/LDAPMultiPlugins/LDAPUserFolder??  It's readily set up to do what you want. 

Firstly, you should be using the 'Additional user search filter' to genuinely isolate staff who can genuinely access Zenoss.

Then, set appropriate default user roles (note that the delivered one probably isn't suitable).

Note that the roles that have View access are Manager, Owner, ZenManager, ZenUser so the 'Anonymous' thing is a red herring for you. 

If you actually do wish to look at custom role restrictions then you could/should map LDAP groups to Zope roles and tweak permissions on /zport/manage_access.
--------------------------------------------------------------

comc49
2013-08-22 16:08:54 UTC
comc49 [http://community.zenoss.org/people/comc49] created the discussion

"Re: How to prevent rest of the LDAP groups from logging into zenoss"

To view the discussion, visit: http://community.zenoss.org/message/74438#74438

--------------------------------------------------------------
I want the default role to not even be able to log in to Zenoss.
--------------------------------------------------------------

Alan Milligan
2013-08-22 16:42:22 UTC
Alan Milligan [http://community.zenoss.org/people/milligana] created the discussion

"Re: How to prevent rest of the LDAP groups from logging into zenoss"

To view the discussion, visit: http://community.zenoss.org/message/74442#74442

--------------------------------------------------------------
I thought you were going to say that.  You misunderstand the distinction between authentication and authorisation.

If they've got the correct username/password then they are authenticated.  As I explained above, you should use LDAP search terms to restrict staff appropriately.

As for Authorisation, the out-of-box thing is that you've got View/ZenUser once authenticated.

If you *really* want to do that, then you need to set a different default role, and you need to change the Zope permissions as I explained above.
--------------------------------------------------------------

comc49
2013-08-22 16:50:08 UTC
comc49 [http://community.zenoss.org/people/comc49] created the discussion

"Re: How to prevent rest of the LDAP groups from logging into zenoss"

To view the discussion, visit: http://community.zenoss.org/message/74439#74439

--------------------------------------------------------------
Where is this user filter? Also there are like over 20k users on our ldap server so do I have to restrict them individually?
--------------------------------------------------------------

Alan Milligan
2013-08-22 17:02:49 UTC
Alan Milligan [http://community.zenoss.org/people/milligana] created the discussion

"Re: How to prevent rest of the LDAP groups from logging into zenoss"

To view the discussion, visit: http://community.zenoss.org/message/74443#74443

--------------------------------------------------------------
Mate, I don't have a clue how you've set up your corporate LDAP. 

Have you discovered /zport/acl_users/<insert ldap name>/acl_users/manage_main ??

If you've got a sensible ou hierarchy, you can just do the correct tree search when defining user base dn.  Otherwise, you should append appropriate attributes and/or be doing groupOfUniqueName searches for appropriately defined roles already existing in your ldap tree.  This subsearch would be written into the 'additional user search filter'.

You really need to go and consult with whoever runs and manages your directory services for these answers.
--------------------------------------------------------------
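
An added example, not part of the original post or of Zenoss/LDAPUserFolder code: how a user base DN plus an 'additional user search filter' decides which of many directory users can be found at login at all. It assumes the plugin ANDs the extra filter with the login-attribute match, that user entries carry a `memberOf` attribute (directory-dependent), and it uses constructed entries with a tiny in-memory filter evaluator standing in for the LDAP server.

```python
import re

# Constructed sample data; every DN and group name is illustrative.
BASE_DN = "ou=staff,dc=example,dc=com"            # user base DN
GROUP = "cn=zenoss-users,ou=groups,dc=example,dc=com"
EXTRA_FILTER = "(memberOf=%s)" % GROUP            # 'Additional user search filter'
DIRECTORY = {
    "uid=alice,ou=staff,dc=example,dc=com": {"uid": ["alice"], "memberOf": [GROUP]},
    "uid=bob,ou=staff,dc=example,dc=com": {"uid": ["bob"], "memberOf": ["cn=hr,ou=groups,dc=example,dc=com"]},
    "uid=carol,ou=contractors,dc=example,dc=com": {"uid": ["carol"], "memberOf": [GROUP]},
}

def escape(value):
    """Escape RFC 4515 specials so a typed login name cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def parse(f, i=0):
    """Parse the filter starting at f[i] == '('; return (tree, next index)."""
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, val = f[i + 1:end].partition("=")
    return ("=", attr, val), end + 1

def matches(tree, attrs):
    if tree[0] == "&":
        return all(matches(k, attrs) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, attrs) for k in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], attrs)
    values = [v.lower() for v in attrs.get(tree[1], [])]
    if tree[2] == "*":                            # presence test, e.g. (mail=*)
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), tree[2])
    return wanted.lower() in values

def find_user(login, extra_filter=EXTRA_FILTER, base_dn=BASE_DN):
    """DNs a login lookup returns: subtree search under base_dn, filters ANDed."""
    tree, _ = parse("(&(uid=%s)%s)" % (escape(login), extra_filter))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn) and matches(tree, attrs)]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "*"):
        print(name, find_user(name))
```

Only alice is returned: bob is in the tree but not in the group, and carol is in the group but outside the base DN, so neither entry is found and there is nothing for a login to bind as.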

comc49
2013-08-22 18:01:05 UTC
comc49 [http://community.zenoss.org/people/comc49] created the discussion

"Re: How to prevent rest of the LDAP groups from logging into zenoss"

To view the discussion, visit: http://community.zenoss.org/message/74440#74440

--------------------------------------------------------------
Sorry, I don't understand what you are trying to say. I am very new to LDAP and I do not know which settings to fiddle with. Can you just tell me if it's possible to kick out the authenticated users with no authorization?
--------------------------------------------------------------
