Problem

After setting up LDAP authentication in Zenoss against an Active Directory domain, logins succeed but land the user on a Zenoss error page that says “Site Error”. In the Zenoss “event.log” file the following Python exception is thrown:

2009-05-08T09:37:25 ERROR Zope.SiteErrorLog http://hostname:8080/zport/dmd
Traceback (most recent call last):
  File "/ask/zenoss/zenoss/lib/python/ZPublisher/Publish.py", line 114, in publish
    request, bind=1)
  File "/ask/zenoss/zenoss/lib/python/ZPublisher/mapply.py", line 88, in mapply
    if debug is not None: return debug(object,args,context)
  File "/ask/zenoss/zenoss/lib/python/ZPublisher/Publish.py", line 40, in call_object
    result=apply(object,args) # Type s<cr> to step into published object.
  File "/ask/zenoss/zenoss/Products/ZenModel/ZenModelBase.py", line 64, in __call__
    return self.restrictedTraverse(view)()
  File "/ask/zenoss/zenoss/lib/python/Shared/DC/Scripts/Bindings.py", line 311, in __call__
    return self._bindAndExec(args, kw, None)
  File "/ask/zenoss/zenoss/lib/python/Shared/DC/Scripts/Bindings.py", line 348, in _bindAndExec
    return self._exec(bound_data, args, kw)
  File "/ask/zenoss/zenoss/Products/CMFCore/FSPageTemplate.py", line 195, in _exec
    result = self.pt_render(extra_context=bound_names)
  File "/ask/zenoss/zenoss/Products/CMFCore/FSPageTemplate.py", line 134, in pt_render
    result = FSPageTemplate.inheritedAttribute('pt_render')(
  File "/ask/zenoss/zenoss/lib/python/Products/PageTemplates/PageTemplate.py", line 104, in pt_render
    tal=not source, strictinsert=0)()
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 206, in __call__
    self.interpret(self.program)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 250, in interpret
    handlers[opcode](self, args)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 711, in do_useMacro
    self.interpret(macro)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 250, in interpret
    handlers[opcode](self, args)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 426, in do_optTag_tal
    self.do_optTag(stuff)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 411, in do_optTag
    return self.no_tag(start, program)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 406, in no_tag
    self.interpret(program)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 250, in interpret
    handlers[opcode](self, args)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 711, in do_useMacro
    self.interpret(macro)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 250, in interpret
    handlers[opcode](self, args)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 308, in do_startTag
    ok, name, s = attrAction(self, item)
  File "/ask/zenoss/zenoss/lib/python/TAL/TALInterpreter.py", line 374, in attrAction_tal
    evalue = self.engine.evaluateText(item[3])
  File "/ask/zenoss/zenoss/lib/python/Products/PageTemplates/TALES.py", line 227, in evaluateText
    text = self.evaluate(expr)
  File "/ask/zenoss/zenoss/lib/python/Products/PageTemplates/TALES.py", line 221, in evaluate
    return expression(self)
  File "/ask/zenoss/zenoss/lib/python/Products/PageTemplates/Expressions.py", line 185, in __call__
    return self._eval(econtext)
  File "/ask/zenoss/zenoss/lib/python/Products/PageTemplates/Expressions.py", line 180, in _eval
    return render(ob, econtext.vars)
  File "/ask/zenoss/zenoss/lib/python/Products/PageTemplates/Expressions.py", line 85, in render
    ob = ob()
  File "/ask/zenoss/zenoss/Products/ZenModel/UserSettings.py", line 227, in getUserSettingsUrl
    uf = self.getUserSettings(userid)
  File "/ask/zenoss/zenoss/Products/ZenModel/UserSettings.py", line 189, in getUserSettings
    self._setObject(ufolder.getId(), ufolder)
  File "/ask/zenoss/zenoss/Products/ZenRelations/RelationshipManager.py", line 146, in _setObject
    user, set_owner)
  File "/ask/zenoss/zenoss/Products/ZenRelations/PrimaryPathObjectManager.py", line 101, in _setObject
    return ObjectManager._setObject(self, id, obj, roles, user, set_owner)
  File "/ask/zenoss/zenoss/lib/python/OFS/ObjectManager.py", line 279, in _setObject
    v=self._checkId(id)
  File "/ask/zenoss/zenoss/lib/python/OFS/ObjectManager.py", line 65, in checkValidId
    raise BadRequest, (
BadRequest: The id "/\Du#?$K?/?^X??^Z" contains characters illegal in URLs.

Cause

This is caused by Zope attempting to use a user’s Active Directory “AD Object GUID (objectGUID)” as the object ID instead of the user’s “Windows Logon Name (sAMAccountName)”. objectGUID is a raw 16-byte binary value, not a printable string, so when it is used as an ID it contains bytes that fail Zope’s URL-safe ID check, which is the garbage shown in the BadRequest message above.
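To make the failure concrete, the following added example (not Zenoss or Zope code) approximates the character rule behind Zope’s ObjectManager ID check and runs it against a constructed LDAP entry, once with objectGUID as the user ID attribute and once with sAMAccountName. The regex, the helper names and the GUID bytes are assumptions made for illustration.

```python
import re
import uuid

# Approximation (assumption, not Zope's own source) of the character rule in
# Zope 2's ObjectManager.checkValidId, which raised the BadRequest in the log:
# anything outside this set is "illegal in URLs".
_BAD_ID_CHAR = re.compile(r'[^a-zA-Z0-9\-_~,.$()# @]')


def check_valid_id(candidate):
    """Return None if `candidate` is usable as a Zope object id, else the reason."""
    if not candidate:
        return "Empty or invalid id"
    if candidate.startswith("_") or candidate.startswith("aq_"):
        return f'The id {candidate!r} is reserved (leading "_" or "aq_")'
    if _BAD_ID_CHAR.search(candidate):
        return f'The id {candidate!r} contains characters illegal in URLs.'
    return None


def ldap_attribute_as_id(entry, id_attr):
    """Take the configured user-id attribute from an LDAP entry, as the plugin
    would. Binary values such as objectGUID come back as bytes; decoding them
    byte-for-byte (latin-1) is what produces the garbage seen in the log."""
    value = entry[id_attr][0]
    if isinstance(value, bytes):
        value = value.decode("latin-1")
    return value


def user_id_check(entry, id_attr):
    """Return the ID-check verdict for a given 'User ID Attribute' setting."""
    return check_valid_id(ldap_attribute_as_id(entry, id_attr))


# Constructed sample AD entry; the GUID is made up, not a real directory value.
SAMPLE_ENTRY = {
    "sAMAccountName": [b"jdoe"],
    "cn": [b"John Doe"],
    "objectGUID": [uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le],
}

if __name__ == "__main__":
    for attr in ("objectGUID", "sAMAccountName"):
        verdict = user_id_check(SAMPLE_ENTRY, attr)
        print(f"User ID Attribute = {attr}: {verdict or 'OK'}")
```

Switching the attribute from objectGUID to sAMAccountName is exactly the change the Solution section below makes in the Zope management interface.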

Solution

This solution assumes that you’ve followed the majority of the instructions here to get LDAP authentication working.

  1. Log in to your Zenoss Zope interface at http://hostname:8080/zport/manage
  2. Navigate in the left-side frame to “acl_users”… “ActiveDirectory” and click on “acl_users”. This may require expanding the “+” icon next to “ActiveDirectory”.
    • http://hostname:8080/zport/acl_users/ActiveDirectory/acl_users/manage_main
  3. Modify these values:

    Field             | Value Before                | Value After
    User ID Attribute | AD Object GUID (objectGUID) | Windows Logon Name (sAMAccountName)
    RDN Attribute     | Canonical Name (cn)         | Windows Logon Name (sAMAccountName)

Thanks

Thanks to cluther for coming up with this solution.

Appendix

cluther also suggested doing the following, which wasn’t required to fix my problem but may help you.

  1. Navigate in the left-side frame to “acl_users”… “ActiveDirectory” and click on the “Properties” tab. This may require expanding the “+” icon next to “ActiveDirectory”.
    • http://hostname:8080/zport/acl_users/ActiveDirectory/manage_propertiesForm
  2. Modify these values:

    Field        | Value Before | Value After
    groupid_attr | objectGUID   | cn