Discussion:
Active Directory Integration w/Zenoss Core 4.2
Hrast
2012-09-05 21:45:19 UTC
Hrast [http://community.zenoss.org/people/Hrast] created the discussion

"Active Directory Integration w/Zenoss Core 4.2"

To view the discussion, visit: http://community.zenoss.org/message/68415#68415

--------------------------------------------------------------
I've been through just about every Active Directory authentication document I can find, and I just can't seem to get things quite working.

When I try to change /zport/acl_users/ActiveDirectory/acl_users, User ID Attribute and RDN Attribute to Windows Login Name (sAMAccountName) I get the following error when I hit update:

Type: <class 'ldap.INVALID_CREDENTIALS'>
Value: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}

Traceback (most recent call last):
  File "/opt/zenoss/lib/python/ZPublisher/Publish.py", line 126, in publish
    request, bind=1)
  File "/opt/zenoss/lib/python/ZPublisher/mapply.py", line 77, in mapply
    if debug is not None: return debug(object,args,context)
  File "/opt/zenoss/lib/python/ZPublisher/Publish.py", line 46, in call_object
    result=apply(object,args) # Type s<cr> to step into published object.
  File "/opt/zenoss/Products/LDAPUserFolder/LDAPUserFolder.py", line 464, in manage_edit
    connection = self._delegate.connect()
  File "/opt/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 262, in connect
    raise e
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}

The user I'm using as the Manager DN is tested and working via ldapsearch on the same system.  I've tried the Manager DN with the "@domain.com" format and without, no change.

I'm using the Zenoss Core v4.2 appliance, that I then ran yum update on.

I've extracted/copied:

Products.LDAPMultiPlugins-1.14.tar.gz
Products.LDAPUserFolder-2.23.tar.gz

into /opt/zenoss/Products

I installed python-ldap-2.3.13 as the zenoss user.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/68415#68415]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
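
Added example, not part of the original thread and not Zenoss or LDAPUserFolder code: in the bind error quoted in the post above, Active Directory reports a hexadecimal Win32 logon status in the "data" field, and 525 means the bind name matched no account, whereas 52e means the account exists but the password is wrong. The sketch below decodes that field from log lines; the sample lines, the 192.0.2.10 address and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Win32 logon status that AD reports, in hex, in the "data" field of a failed bind.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (account exists, wrong password)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}
INFO_RE = re.compile(r"LdapErr: (DSID-[0-9A-Fa-f]+), comment: "
                     r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")
SERVER_RE = re.compile(r"last attempted server: (ldaps?://\S+)")

# Constructed sample lines modelled on the event-log entry format in this thread.
_ERR = ("({'info': '80090308: LdapErr: DSID-0C090334, comment: "
        "AcceptSecurityContext error, data %s, vece', 'desc': 'Invalid credentials'})")
SAMPLE_LOG = [
    "2012-09-06T16:37:53 CRITICAL event.LDAPDelegate Failure connecting, "
    "last attempted server: ldap://192.0.2.10:389 " + _ERR % "525",
    "2012-09-06T16:38:10 CRITICAL event.LDAPDelegate Failure connecting, "
    "last attempted server: ldap://192.0.2.10:389 " + _ERR % "52e",
    "2012-09-06T16:38:11 INFO zen.example unrelated line",
]

def decode_bind_failure(line):
    """Return server, sub-code and meaning for an AD bind failure, else None."""
    m = INFO_RE.search(line)
    if m is None:
        return None
    code = int(m.group(2), 16)
    server = SERVER_RE.search(line)
    return {
        "server": server.group(1) if server else None,
        "data": code,
        "meaning": AD_BIND_SUBCODES.get(code, "unlisted sub-code"),
        # 0x525: the bind name matched no account, so check the Manager DN first.
        "check_bind_name": code == 0x525,
    }

def summarize(lines):
    """Count decoded failures per (server, meaning) across a log."""
    hits = filter(None, map(decode_bind_failure, lines))
    return Counter((h["server"], h["meaning"]) for h in hits)
```

Run over a real event log, summarize() also shows whether a service account is failing once through misconfiguration or repeatedly, which matters because repeated 52e failures can lead to the 775 lockout state.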
Hrast
2012-09-06 20:42:11 UTC
Hrast [http://community.zenoss.org/people/Hrast] created the discussion

"Re: Active Directory Integration w/Zenoss Core 4.2"

To view the discussion, visit: http://community.zenoss.org/message/68441#68441

--------------------------------------------------------------
I reverted to LDAPMultiPlugins-1.7.tar.gz and LDAPUserFolder-2.21.tar.gz.  I moved the original ones out and replaced them with the extracted ones with Zenoss down.  Still not able to change the User ID Attribute and RDN Attribute to Windows Login Name (sAMAccountName).  I've included the entry from the event log:


2012-09-06T16:37:53 CRITICAL event.LDAPDelegate Failure connecting, last attempted server: ldap://10.7.254.252:389 ({'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'})
Traceback (most recent call last):
  File "/opt/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 233, in connect
    , op_timeout=server['op_timeout']
  File "/opt/zenoss/Products/LDAPUserFolder/LDAPDelegate.py", line 335, in _connect
    connection.simple_bind_s(user_dn, user_pwd)
  File "/opt/zenoss/lib/python/ldap/ldapobject.py", line 781, in simple_bind_s
    return SimpleLDAPObject.simple_bind_s(self,*args,**kwargs)
  File "/opt/zenoss/lib/python/ldap/ldapobject.py", line 207, in simple_bind_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/opt/zenoss/lib/python/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/opt/zenoss/lib/python/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/opt/zenoss/lib/python/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/opt/zenoss/lib/python/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}
------
2012-09-06T16:37:53 ERROR Zope.SiteErrorLog 1346963873.720.151947597578 http://zenoss-core4.skylist.net:8080/zport/acl_users/ActiveDirectory/acl_users/manage_edit http://zenoss-core4.skylist.net:8080/zport/acl_users/ActiveDirectory/acl_users/manage_edit
Traceback (innermost last):
  Module ZPublisher.Publish, line 126, in publish
  Module ZPublisher.mapply, line 77, in mapply
  Module ZPublisher.Publish, line 46, in call_object
  Module Products.LDAPUserFolder.LDAPUserFolder, line 441, in manage_edit
  Module Products.LDAPUserFolder.LDAPDelegate, line 258, in connect
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece', 'desc': 'Invalid credentials'}
--------------------------------------------------------------

Alan Milligan
2012-09-07 13:59:39 UTC
Alan Milligan [http://community.zenoss.org/people/milligana] created the discussion

"Re: Active Directory Integration w/Zenoss Core 4.2"

To view the discussion, visit: http://community.zenoss.org/message/68442#68442

--------------------------------------------------------------
I think you've two issues; the first being that you need to edit your AD read user credentials such that members can then be discovered/authenticated against it; but secondly, it appears that you need to have appropriate 'Change user folder' permissions in the ZMI to actually perform this task (that's what this second trace is telling you).

I would have expected that you must have at least *one* admin user (most probably in your source_users), and that this plugin is also 'active' in your 'Authentication Plugins' - otherwise you'll be locked out of your Zope.
--------------------------------------------------------------

Hrast
2012-09-08 02:05:49 UTC
Hrast [http://community.zenoss.org/people/Hrast] created the discussion

"Re: Active Directory Integration w/Zenoss Core 4.2"

To view the discussion, visit: http://community.zenoss.org/message/68461#68461

--------------------------------------------------------------
I went and revisited the user I was using for the Manager DN.  I set it back to the one I knew had been used on the other system, and lo and behold everything worked.

So, I guess lesson learned from this is to use the same versions of LDAPMultiPlugins and LDAPUserFolder that are verified working with 3.x with 4.2.

Thanks.

M.
--------------------------------------------------------------

Alan Milligan
2012-09-08 03:37:32 UTC
Alan Milligan [http://community.zenoss.org/people/milligana] created the discussion

"Re: Active Directory Integration w/Zenoss Core 4.2"

To view the discussion, visit: http://community.zenoss.org/message/68449#68449

--------------------------------------------------------------
Good stuff. 

But note that Zenoss Inc. did not invent the Zope2 application server environment - which is the (stable) core of your compatibility issue.  I am pretty sure that the latest LDAP product versions do work with Zope 2.13.x (check out the versions we ship with BastionLinux at http://linux.last-bastion.net/LBN/up2date/plope/13).

The only concern for you is that you may not be able to get the eggs for py2.7 directly off PyPI - but then you did a source tarball install of these which would have avoided that.
--------------------------------------------------------------

Hrast
2012-09-08 13:37:58 UTC
Hrast [http://community.zenoss.org/people/Hrast] created the discussion

"Re: Active Directory Integration w/Zenoss Core 4.2"

To view the discussion, visit: http://community.zenoss.org/message/68450#68450

--------------------------------------------------------------
Yeah, this is my first admin experience with a Zope core-ed application, so it's been a learning experience.  Now that I have a working configuration, I can start to tinker with it since I know I can return to a working baseline.  Thanks for the info.
--------------------------------------------------------------
