FreeIPA for Zabbix authentication


FreeIPA config for Zabbix auth

I want to use a FreeIPA server for authentication in Zabbix, but I don't understand what I need to write in the fields of the server's configuration in the image. The test login is successful, but when I enable LDAP authentication I get an error like wrong password or login, or user is being temporarily blocked. I can log in to FreeIPA accounts on the clients' computers.

I've tried to enable JIT provisioning, but it seems like it doesn't affect the result.


There are 2 answers

2
toro75 On

Zabbix LDAP server parameters

Worked for me. I needed to create a user with the same username as in FreeIPA, without a password, and then use the parameters in the screenshot.

0
PDragon On

I've just set up Zabbix 7.0.0alpha9 (current as of 2024-01-27), and just got LDAP working!

On the Users>Authentication>Authentication page:

  • Default authentication: LDAP
  • Deprovisioned users group: "disabled"

On the Users>Authentication>LDAP settings page:

  • Enable LDAP authentication: yes
  • Enable JIT provisioning: yes
  • One server listed: server1

Click on server1, see these settings:

  • Name: server1 (cosmetic name)
  • Host: ip or hostname of your ldap server
  • Port: 389 (ldap) or 636 (ldaps)
  • Base DN: cn=accounts,dc=example,dc=com
  • Search attribute: uid
  • Bind DN: uid=zabbix-service,cn=users,cn=accounts,dc=example,dc=com
    • This is the Distinguished Name (DN) of a no-privilege account created just for zabbix to do authentication
  • Bind password:
  • Configure JIT provisioning: yes
  • Group configuration: memberOf
  • Group name attribute: cn
  • User group membership attribute: memberOf
    • Warning: THIS field had a faint 'memberOf' in it, but you must type it yourself or it won't work!!!
  • User name attribute: givenName
  • User last name attribute: sn

Click on 'Add' under 'User group mapping'

  • LDAP group pattern: the name of an LDAP group ("*" allowed)
  • User groups: the name(s) of the Zabbix group(s) to add the users to
  • User role: pick the role to assign: Admin/Guest/Super admin/User/etc

Click on 'Add' under 'Media type mapping'

  • Name: the name of an LDAP attribute, like 'mail'
  • Media type: which media type (e.g. "Email (HTML)")
  • Attribute: The zabbix attribute to map into, like 'mail'

The equivalent ldapsearch commands (reconstructed from the dirsrv access log on the ldap server) are:

# See if the user exists:
ldapsearch -LL \
 -H ldap://1.2.3.4 \
 -D 'uid=zabbix-service,cn=users,cn=accounts,dc=example,dc=com' \
 -w "$ZABBIX_PW" \
 -b "cn=accounts,dc=example,dc=com" \
  "(uid=$USERNAME)" \
  distinguishedName

# Get the user details:
ldapsearch -LL \
 -H ldap://1.2.3.4 \
 -D 'uid=zabbix-service,cn=users,cn=accounts,dc=example,dc=com' \
 -w "$ZABBIX_PW" \
 -b "cn=accounts,dc=example,dc=com" \
  "(uid=$USERNAME)" \
  mail uid givenName sn

# Check the username+password (binding, sort of):
ldapsearch -LL \
 -H ldap://1.2.3.4 \
 -D "uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com" \
 -w "$LOGIN_PW" \
 -b "cn=users,cn=accounts,dc=example,dc=com" \
  "(uid=$USERNAME)"

# Get the group memberships (if JIT is set up right!):
ldapsearch -LL \
 -H ldap://1.2.3.4 \
 -D "uid=$USERNAME,cn=users,cn=accounts,dc=example,dc=com" \
 -w "$LOGIN_PW" \
 -b "cn=users,cn=accounts,dc=example,dc=com" \
  "(uid=$USERNAME)" \
  mail uid memberOf givenName sn

Good luck!
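
A hardened form of the lookup-then-bind check that the ldapsearch commands above reproduce, as an added example that is not part of either answer: the login name is escaped before it enters the filter, passwords are read from files instead of the command line, and StartTLS is required on port 389. Assumptions: OpenLDAP's ldapsearch, a server that offers StartTLS, the placeholder host `ipa.example.com`, and the hypothetical helper names `ldap_filter_escape`, `user_filter`, `single_dn` and `check_login`.

```shell
#!/bin/sh
# Added example (assumptions: OpenLDAP ldapsearch, StartTLS offered by the server).
# Password files must not end in a newline: -y uses the whole file as the password.

BASE='cn=accounts,dc=example,dc=com'
SVC_DN="uid=zabbix-service,cn=users,$BASE"
URI='ldap://ipa.example.com'   # placeholder host, replace with your IPA server

# Escape RFC 4515 filter metacharacters so a login name cannot alter the filter.
# The backslash is handled first so the escapes added afterwards are left alone.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build the same (uid=...) filter the answer's commands use, with escaping.
user_filter() { printf '(uid=%s)' "$(ldap_filter_escape "$1")"; }

# Read LDIF on stdin; print the DN and succeed only if exactly one entry matched.
# Only plain "dn: " lines are counted, so a base64 "dn:: " entry is rejected.
single_dn() {
    awk '/^dn: /{ n++; dn = substr($0, 5) }
         END { if (n == 1) print dn; exit (n != 1) }'
}

# Step 1: look the user up as the service account (1.1 = return no attributes).
# Step 2: bind as the DN that was found and read that one entry.
# usage: check_login USERNAME SERVICE_PW_FILE USER_PW_FILE
check_login() {
    dn=$(ldapsearch -LLL -ZZ -o ldif-wrap=no -H "$URI" -D "$SVC_DN" -y "$2" \
            -b "$BASE" "$(user_filter "$1")" 1.1 | single_dn) || return 1
    ldapsearch -LLL -ZZ -o ldif-wrap=no -H "$URI" -D "$dn" -y "$3" \
        -b "$dn" -s base '(objectClass=*)' uid memberOf givenName sn mail
}
```

If `check_login` returns `memberOf` values for a user but Zabbix still rejects the login, the directory side is working and the remaining difference is in the Zabbix LDAP or JIT settings.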