The Users → Authentication section allows to specify the global user authentication method to Zabbix and internal password requirements. The available methods are internal, HTTP, LDAP, and SAML authentication.
By default, Zabbix uses internal Zabbix authentication for all users. It is possible to change the default method to LDAP system-wide or enable LDAP authentication only for specific user groups.
To set LDAP as default authentication method for all users, navigate to the LDAP tab and configure authentication parameters, then return to the Authentication tab and switch Default authentication selector to LDAP.
Note that the authentication method can be fine-tuned on the user group level. Even if LDAP authentication is set globally, some user groups can still be authenticated by Zabbix. These groups must have frontend access set to Internal. Vice versa, if internal authentication is used globally, LDAP authentication details can be specified and used for specific user groups whose frontend access is set to LDAP. If a user is included into at least one user group with LDAP authentication, this user will not be able to use internal authentication method.
The Authentication tab allows to set the default authentication method, specify a group for deprovisioned users and set password complexity requirements for Zabbix users.
|Default authentication||Select the default authentication method for Zabbix - Internal or LDAP.|
|Deprovisioned users group||Specify a user group for deprovisioned users. This setting is required only for JIT provisioning, regarding users that were created in Zabbix from LDAP or SAML systems, but no longer need to be provisioned.
A disabled user group must be specified.
|Minimum password length||By default, the minimum password length is set to 8. Supported range: 1-70. Note that passwords longer than 72 characters will be truncated.|
|Password must contain||Mark one or several checkboxes to require usage of specified characters in a password:
- an uppercase and a lowercase Latin letter
- a digit
- a special character
Hover over the question mark to see a hint with the list of characters for each option.
|Avoid easy-to-guess passwords||If marked, a password will be checked against the following requirements:
- must not contain user's name, surname, or username
- must not be one of the common or context-specific passwords.
The list of common and context-specific passwords is generated automatically from the list of NCSC "Top 100k passwords", the list of SecLists "Top 1M passwords" and the list of Zabbix context-specific passwords. Internal users will not be allowed to set passwords included in this list as such passwords are considered weak due to their common use.
Changes in password complexity requirements will not affect existing user passwords, but if an existing user chooses to change a password, the new password will have to meet current requirements. A hint with the list of requirements will be displayed next to the Password field in the user profile and in the user configuration form accessible from the Users → Users menu.