Table 30.1. LDAP Authentication Prerequisites
| Prerequisite | Restriction |
|---|---|
| Zenoss Version | Zenoss Version 2.2 or higher |
| Required ZenPacks | ZenPacks.zenoss.LDAPAuthenticator |
Before configuring LDAP authentication, gather the following information from your LDAP or Active Directory administrator:
Hostname or IP address of an Active Directory global catalog server. (Active Directory authentication only)
Hostname or IP address of an LDAP server. (other LDAP server authentication only)
Users' base Distinguished Name (DN). For example, if your domain is ad.zenoss.com, the users' base DN might be:
cn=users,dc=ad,dc=zenoss,dc=com
Manager DN. This is the DN of a user in the domain administrators group; Zenoss binds with this account (and stores its password) to look up users, so use a dedicated account rather than a personal administrator login. An example that follows the users' base DN above would be:
cn=Administrator,cn=users,dc=ad,dc=zenoss,dc=com
Optional: Active Directory groups to map to Zenoss roles. You can control user roles in the Zenoss web interface through Active Directory group membership instead of assigning the roles directly within Zenoss. If you do, create the following groups in Active Directory:
Zenoss Managers
Zenoss Users
Make sure your LDAP server's account lockout threshold is at least four successive failures. Because of how the authentication code works, each login to Zenoss passes through three different web pages. Each page requests user authentication, and each request makes a single call to the LDAP backend. If the LDAP server locks the account after three successive failures, one mistyped password locks the user's account even though the user entered it only once.
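The following script is an added example, not part of the Zenoss documentation or the ZenPack, that checks the gathered prerequisites with OpenLDAP's ldapsearch before you configure Zenoss: it binds as the manager DN against the global catalog to confirm the host, the users' base DN and the credentials in one query, then reads the domain's lockoutThreshold attribute and compares it with the three binds a Zenoss login performs. The host name dc1.ad.zenoss.com, the LDAP_PASSFILE variable and the function names are assumptions for illustration; the DNs are the ones from the text above.

```shell
#!/bin/sh
# Added example (not Zenoss code): verify LDAP/AD prerequisites before
# configuring ZenPacks.zenoss.LDAPAuthenticator.
# Assumptions: GC_HOST is a placeholder for your global catalog server, and
# LDAP_PASSFILE names a file (mode 0600) holding the manager DN's password so
# it never appears on the command line.

GC_HOST="${GC_HOST:-dc1.ad.zenoss.com}"                      # assumed host name
USERS_BASE="cn=users,dc=ad,dc=zenoss,dc=com"                 # users' base DN
MANAGER_DN="cn=Administrator,cn=users,dc=ad,dc=zenoss,dc=com" # manager DN
DOMAIN_BASE="dc=ad,dc=zenoss,dc=com"                         # domain object holding lockoutThreshold
LDAP_PASSFILE="${LDAP_PASSFILE:-/etc/zenoss/ldap-manager.pw}" # assumed password file

# Bind as the manager DN against the global catalog over LDAPS (port 3269;
# 3268 is the cleartext GC port) and look one user up under the users' base DN.
# A non-empty result confirms host, base DN and manager credentials together.
verify_user_lookup() {
    user="$1"
    ldapsearch -x -LLL -H "ldaps://${GC_HOST}:3269" \
        -D "$MANAGER_DN" -y "$LDAP_PASSFILE" \
        -b "$USERS_BASE" -s sub "(sAMAccountName=${user})" dn sAMAccountName
}

# Read the domain's lockoutThreshold (0 means lockout is disabled). This is
# asked of the DC's own LDAPS port, since the attribute lives on the domain
# object rather than in the global catalog's partial attribute set.
read_lockout_threshold() {
    ldapsearch -x -LLL -H "ldaps://${GC_HOST}:636" \
        -D "$MANAGER_DN" -y "$LDAP_PASSFILE" \
        -b "$DOMAIN_BASE" -s base "(objectClass=*)" lockoutThreshold \
        | sed -n 's/^lockoutThreshold: //p'
}

# A Zenoss login makes BINDS_PER_LOGIN LDAP binds, so a threshold of 1..3 locks
# the account after a single mistyped password. Returns 0 when the threshold is
# 0 (disabled) or greater than BINDS_PER_LOGIN, 1 when it is too low, and 2
# when the value is not a number (attribute absent or query failed).
BINDS_PER_LOGIN=3
lockout_threshold_ok() {
    threshold="$1"
    case "$threshold" in
        ''|*[!0-9]*) return 2 ;;
    esac
    if [ "$threshold" -eq 0 ] || [ "$threshold" -gt "$BINDS_PER_LOGIN" ]; then
        return 0
    fi
    return 1
}

# Run both checks; exits non-zero if the lockout policy would bite Zenoss users.
main() {
    verify_user_lookup "${1:-Administrator}"
    t=$(read_lockout_threshold)
    if lockout_threshold_ok "$t"; then
        echo "lockoutThreshold=${t}: safe for Zenoss (${BINDS_PER_LOGIN} binds per login)"
    else
        echo "lockoutThreshold=${t}: one wrong password would lock the account (need 0 or >= $((BINDS_PER_LOGIN + 1)))" >&2
        return 1
    fi
}
```

Run it with `main someuser` after sourcing the file (or append `main "$@"` to make it a standalone script). A threshold that fails the check means either raising the domain's lockout threshold or accepting that a single typo locks out Zenoss users.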