2 LDAP

    Overview

    Zabbix LDAP authentication works at least with Microsoft Active Directory and OpenLDAP.

    If only LDAP sign-in is configured, the user must also exist in Zabbix; however, the user's Zabbix password will not be used. If authentication is successful, Zabbix will match the local username with the username attribute returned by LDAP.

    User provisioning

    It is possible to configure JIT (just-in-time) user provisioning for LDAP users. In this case, it is not required that a user already exists in Zabbix. The user account can be created when the user logs into Zabbix for the first time.

    When an LDAP user enters their LDAP login and password, Zabbix checks the default LDAP server to see whether this user exists. If the user exists and does not yet have an account in Zabbix, a new user is created in Zabbix and the user is able to log in.

    If JIT provisioning is enabled, a user group for deprovisioned users must be specified in the Authentication tab.

    LDAP JIT provisioning is available only when LDAP is configured to use “anonymous” or “special user” for binding. With direct user binding, provisioning takes place only during the user login action, because the password entered by the logging-in user is what is used for this type of binding.

    Multiple servers

    Several LDAP servers can be defined, if necessary. For example, a different server can be used to authenticate a different user group. Once LDAP servers are configured, it becomes possible to select the required LDAP server for the respective user group in that group's configuration.

    If a user is in multiple user groups and multiple LDAP servers, the first server in the list of LDAP servers sorted by name in ascending order will be used for authentication.

    Configuration

    Configuration parameters:

    LDAP server configuration

    LDAP server configuration parameters:

    To configure an LDAP server for direct user binding, append an attribute uid=%{user} to the Base DN parameter (for example, uid=%{user},dc=example,dc=com) and leave the Bind DN and Bind password parameters empty. When authenticating, the placeholder %{user} will be replaced by the username entered during login.
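    The two rules above (placeholder substitution in the Base DN for direct binding, and the choice of the first server sorted by name when a user belongs to several groups, as described under "Multiple servers") as an added example in plain Python. This is not Zabbix's own code: the function names, the group-to-server mapping and the usernames are constructed for illustration, and the RFC 4514 escaping of the entered username is an added defensive measure, not something the page states Zabbix performs.

```python
"""Added example, not Zabbix code: Base DN placeholder substitution for direct
user binding, and LDAP server selection for a user in several user groups."""

USER_PLACEHOLDER = "%{user}"

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = {'\\': r'\\', ',': r'\,', '+': r'\+', '"': r'\"',
               '<': r'\<', '>': r'\>', ';': r'\;', '=': r'\='}


def escape_dn_value(value: str) -> str:
    """Escape a string so it can only ever be read as one attribute value.

    Without this, a login such as "bob,ou=admins" would change the structure
    of the DN that is built from the template (constructed example)."""
    s = ''.join(r'\00' if ch == '\x00' else _DN_SPECIAL.get(ch, ch) for ch in value)
    if s.startswith((' ', '#')):      # leading space or '#' must be escaped
        s = '\\' + s
    if s.endswith(' '):               # trailing space must be escaped
        s = s[:-1] + '\\ '
    return s


def build_bind_dn(base_dn_template: str, username: str) -> str:
    """Replace %{user} in a Base DN such as uid=%{user},dc=example,dc=com."""
    if USER_PLACEHOLDER not in base_dn_template:
        raise ValueError("Base DN has no %{user} placeholder: not a direct-bind configuration")
    return base_dn_template.replace(USER_PLACEHOLDER, escape_dn_value(username))


def select_ldap_server(user_groups, group_to_server):
    """Server used when a user is in several groups mapped to several LDAP
    servers: the first server in the list sorted by name in ascending order.
    Returns None if none of the user's groups is mapped to an LDAP server."""
    servers = {group_to_server[g] for g in user_groups if g in group_to_server}
    return sorted(servers)[0] if servers else None


if __name__ == "__main__":
    template = "uid=%{user},dc=example,dc=com"          # constructed Base DN
    print(build_bind_dn(template, "alice"))
    print(build_bind_dn(template, "bob,ou=admins"))     # structure is preserved
    mapping = {"Admins": "ldap-corp", "Guests": "ldap-branch"}  # constructed
    print(select_ldap_server(["Admins", "Guests"], mapping))
```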

    The following fields are specific to “groupOfNames” as the Group configuration method:

    [2 LDAP - Figure 3]

    In case of trouble with certificates, to make a secure LDAP connection (ldaps) work you may need to add a TLS_REQCERT allow line to the /etc/openldap/ldap.conf configuration file. Note that this decreases the security of the connection to the LDAP directory, because with this setting a missing or invalid server certificate no longer stops the session from proceeding.

    Testing access

    The Test button allows testing user access: