Discussion:
Added LDAP and now users can't see events
Scott Savarese
2013-04-10 14:43:36 UTC
Scott Savarese [http://community.zenoss.org/people/scottsavarese] created the discussion

"Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72767#72767

--------------------------------------------------------------
I recently configured LDAP authentication on my zenoss instance. I mapped the "domain admin" AD group to the Manager role in zenoss. When the user logs in to zenoss, they don't see any of the events that are already there.

More about my environment... I use zenoss for the event console. Specifically as an SNMP trap receiver and presenter. As opposed to a device manager. I don't have any devices defined, but I do have a lot of event classes in use.

Shouldn't the manager role see "everything"?
Can I give the manager role (or other role) access to all events somehow?

Thanks,
Scott
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/72767#72767]

Start a new discussion in zenoss-users at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Thomas Pollet
2013-04-12 12:53:01 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72797#72797

--------------------------------------------------------------
I have the same issue with radius authentication.
I added the pas_radius_plugin but users logged in with radius account can't see the events.
I recently upgraded from v3 to v4.2.0, in v3 this wasn't an issue.
--------------------------------------------------------------

Scott Savarese
2013-04-12 14:19:50 UTC
Scott Savarese [http://community.zenoss.org/people/scottsavarese] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72810#72810

--------------------------------------------------------------
One thing I learned from playing around...

Go to Advanced -> Settings -> Users. The select one of the groups (in my case "Domain Admins"), go to Administered Objects, then add the / device class permission. The users in the group will then be able to go to Infrastructure -> devices -> Details -> events and see the current events. However, they will not be able to see events in the Events tab which is where I want them to appear.

It's a bit closer to a solution, but not sure it's all the way there... Anybody have more information on how to add permissions to groups? How do I permission a group to see active events in the Events tab versus the Infrastructure tab?
--------------------------------------------------------------

Thomas Pollet
2013-04-12 14:27:04 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72799#72799

--------------------------------------------------------------
Nice, I can now see the events the way Scott describes (adding the / device class to administered objects).
However the events window stays blank.
--------------------------------------------------------------

Scott Savarese
2013-04-13 15:52:55 UTC
Scott Savarese [http://community.zenoss.org/people/scottsavarese] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72814#72814

--------------------------------------------------------------
Looking at the documentation and the GUI the only thing I can give groups permission to (that I can use to influence what events they can see) are deviceclasses. Personally, I would like to see a request for enhancement here so that I can permission on event class as well. That would be a great feature.

Given that I can only use deviceClasses for permissioning (I plan to have multiple groups each with access to different events) I looked at playing with transforms to influence the DeviceClasses. I learned a few things:
* First, you can't set the DeviceClass in an event transform. It lets you do it, and shows it as changed, but it will always put the event in the same deviceclass that the device the event is from comes from. I tested this by setting the deviceclass to an arbitrary class in my tree and the event didn't appear in the proper class.
* Second, the only way to influence the deviceclass is to create devices in the infrastructure view. The events will follow where that device lives. This forces me into a model where Zenoss wants to probe the devices for status. I don't want to use zenoss for that. I want to use it as a trap and event receiver and not as a probe. As I add more and more devices into my network, a central zenoss server does not scale as well as a distributed model where the devices with issues tell zenoss their problems. AT MOST, all I want Zenoss to do is make sure the device is still alive (right now I have Nagios configured for that).
* Third, only my admin user can add devices. Apparently when I add a device as an LDAP user it ignores the device and doesn't create a task for it.

So, back to the questions...
* Why can't my LDAP users see events in the events view, but CAN see events in the Infrastructure view? Is this a Zenoss Core limitation or something with LDAP permissions?
* What is the best way to configure this?

I would love any and all feedback from people. I'm leveraging the forums to encourage communication, but the only person responding has the same issue as me and no solutions on how to move forward either... Is there a better way to raise issues with the Zenoss developers?

Thanks,
Scott
--------------------------------------------------------------

Scott Savarese
2013-04-14 23:46:50 UTC
Scott Savarese [http://community.zenoss.org/people/scottsavarese] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72821#72821

--------------------------------------------------------------
So, I tried something else... I created a new "local" (non-LDAP) user. I set up its Administered objects to be / and that user was able to see everything in the Events tab. So, I think I can safely conclude that because my user is LDAP based, that is the reason it can't see anything in the Events tab.

So I have a choice... Leverage LDAP authentication and lose the events tab, or manage users locally and have the events tab. I'm hoping someone from these forums is able to help out with this... Has anybody gotten LDAP authentication to work in Zenoss Core?

Thanks,
Scott
--------------------------------------------------------------

Thomas Pollet
2013-04-16 14:21:33 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72866#72866

--------------------------------------------------------------
It works for me now, I don't know how I did it however lol. I just noticed it worked after restarting zenoss.
--------------------------------------------------------------

Thomas Pollet
2013-04-16 14:40:17 UTC
Thomas Pollet [http://community.zenoss.org/people/Thomax] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72867#72867

--------------------------------------------------------------
For some reason, the JSON query from a user logged in with radius contains a "tags" object with a uid.

This tag comes from a javascript function _managed_objects defined in Products/ZenUI3/security/security.py.

I patched this function to return an empty array and now it works.

    function _managed_objects(){
        //return %s;
        return [];
    }
--------------------------------------------------------------

jcurry
2013-04-18 18:08:29 UTC
jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72891#72891

--------------------------------------------------------------
I have just set up LDAP with Zenoss Core 4.2.3.  I am using OpenLDAP, not AD.  Followed rmatte's instructions here - http://community.zenoss.org/message/30126#30126 and the base reference here - http://community.zenoss.org/docs/DOC-2510 .

There are issues with recent versions of LDAPUserFolder so again used help from rmatte with the plugins:

sudo su - zenoss

cd ~
wget -c http://pypi.python.org/packages/source/P/Products.LDAPUserFolder/Products.LDAPUserFolder-2.18.tar.gz
tar zxf Products.LDAPUserFolder-2.18.tar.gz
cd Products.LDAPUserFolder-2.18/Products
mv LDAPUserFolder /opt/zenoss/Products
chown -R zenoss:zenoss /opt/zenoss/Products/LDAPUserFolder
cd
rm -rf Products.LDAPUserFolder*

cd ~
wget -c http://pypi.python.org/packages/source/P/Products.LDAPMultiPlugins/Products.LDAPMultiPlugins-1.14.tar.gz
tar zxf Products.LDAPMultiPlugins-1.14.tar.gz
cd Products.LDAPMultiPlugins-1.14/Products
mv LDAPMultiPlugins /opt/zenoss/Products
chown -R zenoss:zenoss /opt/zenoss/Products/LDAPMultiPlugins
cd ~
rm -rf Products.LDAPMultiPlugins*

Had a couple of false starts with configuring the LDAP groups / Zenoss roles.  This is what I have ended up with:

[Two screenshots of the LDAP plugin configuration were attached here; they are not included in this archive.]

If you want to add LDAP groups from Zope then you must have ReadOnly unticked and you must supply the Manager DN and password - I found I couldn't set the Manager DN Usage to Always unless I had this.  Most of the other parameters will depend on your LDAP setup.

The one that may affect seeing events and other stuff is the Default User Role.  If you leave that at Anonymous then the Anonymous role effectively has no powers.  You can see some menus but most of the detail is blank.  If you have users that are not in any LDAP group then this is the zenoss role that they will get.  It may be what you want but it may not.

Using Zenoss roles locally, the default tends to be ZenUser so I used that as the Default User Roles; that way, users not in a LDAP group can see standard stuff.

I now have users who are not defined locally in Zenoss that can both authenticate to Zenoss for the GUI and get the correct role, depending on the group / role mapping setup.

Cheers,
Jane
--------------------------------------------------------------

Scott Savarese
2013-05-03 12:04:13 UTC
Scott Savarese [http://community.zenoss.org/people/scottsavarese] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/73071#73071

--------------------------------------------------------------
Thomas, I tested out your change... I noticed a few things when I did that...

First, I can see all events in the events page. Which is good. But sadly I lose the ability to manage group permissions. Going to Advanced -> settings -> users and looking at the group permissions I see nothing there. That is important if I not only want to authenticate users but also do some sort of access control for them.
Second, I started seeing zenoss failure events around handling an empty set. I have to assume it's related.

Rob, I'm looking into your idea.. I think it's a bit hacky...but it's working so far. I'm going to continue to play with it and let y'all know how it works out.

Thanks,
Scott
--------------------------------------------------------------

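Added example for the two posts above (Thomas's empty-array patch and Scott's finding that it removes group permissions). This is constructed Python, not Zenoss code and not written by anyone in the thread: it models an event query scoped by the uids of the objects a user's groups administer, and replays the situations described (a tag that matches nothing, the patch returning [] for everyone, an explicit grant on the "/" device class, and a group limited to one class). The device paths, sample events and the "stale" tag value are assumptions made for illustration; the thread does not say which uid the real query carried.

```python
# Added example, not Zenoss code: a constructed model of an event query
# scoped by the uids of the objects a user's groups administer.
# Device paths, events and the "stale" tag value are made up for illustration.

DEVICES_ROOT = "/zport/dmd/Devices"  # root of the device-class tree in Zenoss

# Constructed sample events; device_uid is the device's path in that tree.
SAMPLE_EVENTS = [
    {"evid": "e1", "device_uid": DEVICES_ROOT + "/Server/Linux/devices/web01",
     "summary": "CPU high"},
    {"evid": "e2", "device_uid": DEVICES_ROOT + "/Network/Router/devices/core-rtr",
     "summary": "link down"},
    {"evid": "e3", "device_uid": DEVICES_ROOT + "/Server/Windows/devices/dc01",
     "summary": "service stopped"},
]


def device_class_uid(device_class):
    """Map a device-class path as shown in the UI ("/", "/Server/Linux") to the
    uid used in queries. "/" is the root of the device-class tree."""
    return DEVICES_ROOT + device_class.rstrip("/")


def filter_events(events, tags):
    """Constructed stand-in for the server-side scoping discussed in the thread.

    tags is the list the client sends with the query (what the thread's
    _managed_objects() produces). An empty list means "no scoping"; a
    non-empty list keeps only events whose device lives under one of the
    listed uids. The empty-list rule is exactly why returning [] for every
    user (the patch in the thread) shows all events to all users.
    """
    if not tags:
        return list(events)
    kept = []
    for ev in events:
        for tag in tags:
            if ev["device_uid"] == tag or ev["device_uid"].startswith(tag + "/"):
                kept.append(ev)
                break
    return kept


def visible_evids(tags):
    """Event ids a user sees for a given tag list (used by the scenarios below)."""
    return [ev["evid"] for ev in filter_events(SAMPLE_EVENTS, tags)]


def scenarios():
    """Replay the situations in the thread and return what each user would see."""
    return {
        # The symptom: the query carries a tag uid that matches no device
        # (the real value is not given in the thread; this one is constructed),
        # so the events view comes back blank.
        "ldap_user_stale_tag": visible_evids(["/zport/dmd/ZenUsers/ldap-user"]),
        # The patch: _managed_objects() returns [] for every user, so the
        # scope is dropped for everyone, including groups meant to be limited.
        "patched_empty_tags": visible_evids([]),
        # Scott's step: the group administers the "/" device class, an explicit
        # grant covering the whole tree while the scope check stays active.
        "group_administers_root": visible_evids([device_class_uid("/")]),
        # A group limited to /Server/Linux keeps seeing only its own events,
        # which is the access control the patch would silently remove.
        "group_administers_linux": visible_evids([device_class_uid("/Server/Linux")]),
    }


if __name__ == "__main__":
    for name, evids in scenarios().items():
        print("%-26s %s" % (name, evids))
```

The point of the last two scenarios is the trade-off Scott observed: granting the "/" device class to a group widens that group's view while the filter keeps working for other groups, whereas returning an empty tag list disables the filter for every user at once, which is what makes the group permission screen empty.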
rtelford
2013-04-18 10:12:33 UTC
rtelford [http://community.zenoss.org/people/rtelford] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72889#72889

--------------------------------------------------------------
+1 on this problem. We are connecting to AD and cannot see any events. Local users see events just fine.

Zenoss devs? 

Thanks,
Rod.
--------------------------------------------------------------

Rob Eagle
2013-04-18 12:47:41 UTC
Rob Eagle [http://community.zenoss.org/people/reagle] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/72898#72898

--------------------------------------------------------------
We use LDAP for authentication only (no group membership).  What we have found is that when a user first authenticates via LDAP a user is created in zenoss and we have no ability to modify that user's access beyond the default group we assign when initially creating the user.  At that point, we delete that user's account and re-add the user in zenoss manually.  At that point the user can be modified and see the events console depending on his access type + still uses LDAP for authentication.
Not sure this is the same issue you guys are seeing -
Rob
--------------------------------------------------------------

Mark Matthews
2013-11-28 04:11:31 UTC
Mark Matthews [http://community.zenoss.org/people/markmatthews] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/75371#75371

--------------------------------------------------------------
+1 to this problem. We are using LDAP with zenoss 4.2.4 and non-local users are still unable to see events.
--------------------------------------------------------------

Edgardo Rodriguez
2013-12-05 01:21:13 UTC
Edgardo Rodriguez [http://community.zenoss.org/people/echu2013] created the discussion

"Re: Added LDAP and now users can't see events"

To view the discussion, visit: http://community.zenoss.org/message/75406#75406

--------------------------------------------------------------
Hi!

In my situation I followed this carefully:
Full article: http://blogs.oregonstate.edu/sig/2013/03/28/enabling-ldap-authentication-in-zenoss-core-4-2-and-centos-6/
Restricting Zenoss access to a subset of specific users
1. Go to https://YOUR_ZENOSS_SERVER/zport/manage and log in as admin.
2. Click acl_users in the tree view on the left side of the page.
3. Click roleManager.
4. Click Add a Role and enter “ZenNone” for the ID, then save.
5. Click acl_users in the tree view on the left side of the page.
6. Click your LDAP config.
7. Select the Contents tab.
8. Click acl_users in the list.
9. Change *Default User Roles* to “ZenNone” and apply changes.
10. Click acl_users in the tree view on the left side of the page.
11. Click roleManager.
12. Select the Security tab.
13. Check all the checkboxes under Manager, Owner, and ZenManager. (*IMPORTANT!* If you do not do this step, you will lock your admin account out of the system!)
14. Uncheck all the checkboxes under *Acquire permission settings?*
15. Check the checkboxes for “Access contents information” and “View” under *ZenUser*.
16. Click Save Changes.
When finished, users who are in LDAP are given restricted access (via the ZenNone role) by default, unless they have been granted a different Zenoss role. You can edit Zenoss role assignments via Zope manager -> acl_users -> roleManager.
And works great for me, did it at least 3 times for latest zenoss core: *4.2.4*

Good luck,

Regards,
--------------------------------------------------------------
