Restrict LDAP users on ZENworks Reporting

I like using ZENworks Reporting to generate custom reports for ZENworks Configuration Management or for ZENworks Service Desk, but there has been one thing I found very annoying: the ability to manage LDAP users and the Roles within ZENworks Reporter. The ZENworks Reporter appliance configuration makes it very easy to add an LDAP source to give users access, but with that there are two problems:

  • If a user logs in to the system, it will create a Role for every group that user is a member of within the LDAP user source. In a production environment this will generate a huge number of Roles.

  • As soon as an LDAP User Source is defined, all users from that user source are able to log in to the Reporting Server. These users won’t have any rights to do anything, but most customers prefer to only allow specific users to be able to log in.

Both of these issues can easily be resolved with some customization of the configuration files on the server. Before you make these modifications, make sure you’ve got the LDAP User Source configured on the appliance; if you make changes to the LDAP User Source later, it will remove any customization you have made.

On the Reporting Appliance the file that contains the LDAP configuration is:

(Note: if you search for the filename, several different files will show up; the path above is the correct path to use.)

Let’s first have a look at restricting the group import. In my environment I’ve got a group zrs-users and a group zrs-powerusers, and I would like only these groups to be imported as a Role within ZENworks Reporter. Within the LDAP configuration file, the groupSearchFilter can be configured to limit the import of groups. In my example I only want the groups with a name that starts with zrs to be used, so the groupSearchFilter needs to be modified by adding (cn=zrs*).

This is how the groupSearchFilter now looks:

The second change is to restrict the users that can log in to ZENworks Reporting; for this we need to change the userSearch. Again, we can change this by adding an LDAP filter. In my example only the members of the zrs-users group should get access, so for this I have added: (memberOf=cn=zrs-users,ou=Groups,dc=zendemo,dc=com).

This is what the LDAP filter within the userSearch looks like in my environment:

After changing the LDAP configuration, make sure you restart the reporting service to make the changes effective.
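
To see what the two filters admit before restarting the service, they can be dry-run offline. This is an added example, not part of the original post or the product's configuration. The base filters (uid={0}) and (member={0}), the ou=Users container and the sample users are assumptions; the small evaluator handles only &, |, !, equality and * wildcards.

```python
import re

# Filters from the post, each combined with an ASSUMED base filter ({0} = login name / user DN).
USER_FILTER = "(&(uid={0})(memberOf=cn=zrs-users,ou=Groups,dc=zendemo,dc=com))"
GROUP_FILTER = "(&(member={0})(cn=zrs*))"

# Constructed sample directory: group name -> member login names.
MEMBERS = {"zrs-users": ["alice"], "zrs-powerusers": ["alice", "bob"],
           "helpdesk": ["alice", "carol"]}

def dn(name, ou):  # ou=Users is an assumed container; ou=Groups is from the post
    return f"cn={name},ou={ou},dc=zendemo,dc=com"

GROUPS = [{"cn": [g], "member": [dn(u, "Users") for u in us]} for g, us in MEMBERS.items()]
USERS = [{"uid": [u], "memberof": [dn(g, "Groups") for g, us in MEMBERS.items() if u in us]}
         for u in ("alice", "bob", "carol")]

def parse(f, i=0):
    """Parse a filter (subset: & | ! equality and * wildcards) into (node, next_index)."""
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attribute names)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    rx = re.compile(".*".join(map(re.escape, node[2].split("*"))), re.I)
    return any(rx.fullmatch(v) for v in entry.get(node[1], []))

def can_login(login):
    node, _ = parse(USER_FILTER.replace("{0}", login))
    return any(matches(node, u) for u in USERS)

def roles_for(login):
    node, _ = parse(GROUP_FILTER.replace("{0}", dn(login, "Users")))
    return sorted(g["cn"][0] for g in GROUPS if matches(node, g))

if __name__ == "__main__":
    for login in ("alice", "bob", "carol"):
        print(login, can_login(login), roles_for(login))
```

In the sample data bob is in zrs-powerusers but not in zrs-users, so the user filter rejects him: with this filter, power users also need to be members of zrs-users. The cn=zrs* prefix would likewise import any other group whose name starts with zrs.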

