Documentation
Table of Contents
> User directory object
The following objects are directly related to the userdirectory API.
User directory
The user directory object has the following properties.
| Property | Type | Description |
|---|---|---|
| userdirectoryid | string | ID of the user directory. If a user directory is deleted, the related value for a user userdirectoryid will be set to "0".Property behavior: - read-only - required for update operations |
| idp_type | integer | Type of IdP. Only one user directory of type SAML can exist. Possible values: 1 - User directory of type LDAP; 2 - User directory of type SAML. Property behavior: - required for create operations |
| name | string | Unique name of the user directory. Property behavior: - required if idp_type is set to "User directory of type LDAP" |
| provision_status | integer | User directory provisioning status. Possible values: 0 - (default) Provisioning of users created by this user directory is disabled; 1 - Provisioning of users created by this user directory is enabled. Additionally, the authentication status of all LDAP or SAML provisioning ( ldap_jit_status or saml_jit_status) should be enabled. |
| user_username | string | LDAP/SAML attribute name to use for users.name field when user is provisioned. |
| user_lastname | string | LDAP/SAML attribute name to use for users.surname field when user is provisioned. |
| user_ref_attr | string | LDAP user object attribute name. Will be set instead of the placeholder %{ref} in group_filter string. |
| description | string | User directory description. |
| group_membership | string | LDAP property containing groups of user. Example: memberOf. |
| group_basedn | string | LDAP groups path in LDAP tree to search for groups data. Used to configure user membership check in openLDAP. Ignored when provisioning a user if group_membership is configured.Property behavior: - required if group_membership is not set |
| group_name | string | LDAP/SAML attribute name to get group name for group mapping between Zabbix and IdP. Used to configure user membership check in openLDAP. Ignored when provisioning a user if group_membership is set. |
| group_member | string | LDAP tree attribute name containing group name received with group_filter query.Used to configure user membership check in openLDAP. Ignored when provisioning a user if group_membership is set. |
| group_filter | string | LDAP search filter to select groups when searching for specific user groups. Used to configure user membership check in openLDAP. Ignored when provisioning a user if group_membership is set.Default: (%{groupattr}=%{user}) |
| bind_password | string | LDAP bind password. Can be empty for anonymous binding. |
| search_filter | string | LDAP custom filter string when authenticating user in LDAP. Supported search_filter placeholders:%{attr} - search attribute name (uid, sAMAccountName); %{user} - username value. Default: (%{attr}=%{user}) |
| start_tls | integer | LDAP startTLS option. It cannot be used with ldaps:// protocol hosts.Possible values: 0 - (default) disabled; 1 - enabled. |
| provision_media | array | Array of the IdP media type mappings objects. |
| provision_groups | array | Array of the IdP provisioning groups mappings objects. |
The following properties are required if idp_type is set to "User directory of type LDAP", and not accepted if idp_type is set to "User directory of type SAML".
| Property | Type | Description |
|---|---|---|
| host | string | LDAP server host name, IP or URI. URI should contain schema, host and port (optional). |
| port | integer | LDAP server port. |
| search_attribute | string | LDAP attribute name to identify user by username in Zabbix database. |
| base_dn | string | LDAP base distinguished name string. |
| bind_dn | string | LDAP bind distinguished name string. Can be empty for anonymous binding. |
The following properties are required if idp_type is set to "User directory of type SAML", and not accepted if idp_type is set to "User directory of type LDAP".
| Property | Type | Description |
|---|---|---|
| idp_entityid | string | SAML URI that identifies the IdP in SAML messages. |
| sp_entityid | string | SAML SP entity ID. |
| sso_url | string | SAML URL of the IdP's SAML SSO service, to which Zabbix will send SAML authentication requests. |
| slo_url | string | SAML IdP service endpoint URL to which Zabbix will send SAML logout requests. |
| username_attribute | string | SAML username attribute to be used in comparison with Zabbix user.username value when authenticating. |
| nameid_format | string | SAML SP name ID format. |
| scim_status | integer | Whether the SCIM provisioning for SAML is enabled or disabled. Possible values: 0 - (default) SCIM provisioning is disabled; 1 - SCIM provisioning is enabled. |
| encrypt_nameid | integer | SAML encrypt name ID. Possible values: 0 - (default) Do not encrypt name ID; 1 - Encrypt name ID. |
| encrypt_assertions | integer | SAML encrypt assertions. Possible values: 0 - (default) Do not encrypt assertions; 1 - Encrypt assertions. |
| sign_messages | integer | SAML sign messages. Possible values: 0 - (default) Do not sign messages; 1 - Sign messages. |
| sign_assertions | integer | SAML sign assertions. Possible values: 0 - (default) Do not sign assertions; 1 - Sign assertions. |
| sign_authn_requests | integer | SAML sign AuthN requests. Possible values: 0 - (default) Do not sign AuthN requests; 1 - Sign AuthN requests. |
| sign_logout_requests | integer | SAML sign logout requests. Possible values: 0 - (default) Do not sign logout requests; 1 - Sign logout requests. |
| sign_logout_responses | integer | SAML sign logout responses. Possible values: 0 - (default) Do not sign logout responses; 1 - Sign logout responses. |
Media type mappings
The media type mappings object has the following properties.
| Property | Type | Description |
|---|---|---|
| name | string | Visible name in the list of media type mappings. Property behavior: - required |
| mediatypeid | string | ID of the media type to be created. Used as the value for the mediatypeid field.Property behavior: - required |
| attribute | string | Attribute name. Used as the value for the sendto field.If present in data received from IdP and the value is not empty, will trigger media creation for the provisioned user. Property behavior: - required |
Provisioning groups mappings
The provisioning groups mappings has the following properties.
| Property | Type | Description |
|---|---|---|
| name | string | IdP group full name. Supports the wildcard character "*". Unique across all provisioning groups mappings. Property behavior: - required |
| roleid | string | User role to assign to the user. Note that if multiple provisioning groups mappings are matched, the role of the highest user type will be assigned to the user. If there are multiple roles with the same user type, the first role (sorted in alphabetical order) will be assigned to the user. Property behavior: - required |
| user_groups | array | Array of Zabbix user group ID objects. Each object has the following properties: usrgrpid - (integer) ID of Zabbix user group to assign to the user.Note that if multiple provisioning groups mappings are matched, Zabbix user groups of all matched mappings will be assigned to the user. Property behavior: - required |