LDAP Authentication against Windows AD server? How?

  • noxis
    Senior Member
    • Aug 2007
    • 145

    #1

    LDAP Authentication against Windows AD server? How?

    Hi! I'd appreciate some help with this, I'd like to set Zabbix up to auth against a Windows AD server here.

    Note: I am a linux admin and know little about windows domains and AD.

    I am clearly not using the correct search terms on Google to get the answer I am looking for.
  • side_control
    Member
    • Mar 2008
    • 37

    #2
    This is actually quite easy because it's built into zabbix.

    Step one:

    What you need to do is, make sure Zabbix is compiled with LDAP support

    e.g. ./configure --prefix=/zabbix --enable-agent --enable-server --with-mysql --with-net-snmp --with-libcurl

    Recompile, if this isn't already done. Now under administration you'll find an authentication tab.

    Step two:

    Create a user in Zabbix that shares the same 'samaccountname' as the Windows account with administrator privileges.

    Step three:

    You must create a user that can browse the directory (any default user); I suggest creating one without any privileges so you can bind to the AD server using LDAP.

    Step four:

    Log in as the Zabbix user you created, go to

    1. Administration
    2. Authentication

    Now you have to fill out the information:

    Host: x.x.x.x
    BaseDN: ou=blah,dc=blah,dc=com
    Searchattribute: By default, it's UID, but I've never found a UID in a windows directory, the parameter that I use is 'samaccountname'
    Bind DN: The windows user you created
    Bind Pass: Duh
    Click enable

    Type in your password, if it's successful hit ok, you're all done.


    • noxis
      Senior Member
      • Aug 2007
      • 145

      #3
      Originally posted by jawbrkr
      This is actually quite easy because it's built into zabbix.

      Step one:

      What you need to do is, make sure Zabbix is compiled with LDAP support

      e.g. ./configure --prefix=/zabbix --enable-agent --enable-server --with-mysql --with-net-snmp --with-libcurl

      Recompile, if this isn't already done. Now under administration you'll find an authentication tab.

      Step two:

      Create a user in Zabbix that shares the same 'samaccountname' as the Windows account with administrator privileges.

      Step three:

      You must create a user that can browse the directory (any default user); I suggest creating one without any privileges so you can bind to the AD server using LDAP.

      Step four:

      Log in as the Zabbix user you created, go to

      1. Administration
      2. Authentication

      Now you have to fill out the information:

      Host: x.x.x.x
      BaseDN: ou=blah,dc=blah,dc=com
      Searchattribute: By default, it's UID, but I've never found a UID in a windows directory, the parameter that I use is 'samaccountname'
      Bind DN: The windows user you created
      Bind Pass: Duh
      Click enable

      Type in your password, if it's successful hit ok, you're all done.

      I already got as far as filling in the details in Zabbix (BaseDN... etc.), but I've got no clue what they should be.

      The domain is 3MEN.local and the admin user "noxis". What do I put in?


      • side_control
        Member
        • Mar 2008
        • 37

        #4
        Well, do you have any OUs in your directory? ou=people, ou=it, or wherever you have the users you want to auth, then dc=domain, so yours would be

        ou=WHATEVER_YOU_HAVE_HERE,dc=3men,dc=local

        For the bind DN, you don't want to use admin; create a user in Windows AD for auth.

        At this point, if you don't understand the help I've given, you must do a lot of reading.


        • noxis
          Senior Member
          • Aug 2007
          • 145

          #5
          Originally posted by jawbrkr
          Well, do you have any OUs in your directory? ou=people, ou=it, or wherever you have the users you want to auth, then dc=domain, so yours would be

          ou=WHATEVER_YOU_HAVE_HERE,dc=3men,dc=local

          For the bind DN, you don't want to use admin; create a user in Windows AD for auth.

          At this point, if you don't understand the help I've given, you must do a lot of reading.

          Bind DN is simply a domain administrator account then, and its password (in the password bit)?


          • side_control
            Member
            • Mar 2008
            • 37

            #6
            Bind DN is going to be any user that can log into the domain, not necessarily an admin.

            IMO, preferably not an admin, because if the system were to be compromised, they would have administrative rights to your domain.


            • NOB
              Senior Member
              Zabbix Certified Specialist
              • Mar 2007
              • 469

              #7
              Hi,

              we just switched to LDAP authentication yesterday.

              Originally posted by jawbrkr
              This is actually quite easy because it's built into zabbix.

              Step one:

              What you need to do is, make sure Zabbix is compiled with LDAP support

              e.g. ./configure --prefix=/zabbix --enable-agent --enable-server --with-mysql --with-net-snmp --with-libcurl

              Recompile, if this isn't already done. Now under administration you'll find an authentication tab.

              Nonsense. It is not necessary to compile the server again. LDAP authentication
              has nothing to do with the zabbix_server executable, but just with
              the PHP frontend.

              If you enable LDAP after using the PHP frontend, you might have to install
              a package called php-ldap and its dependencies. But that's it.

              The main problem is always to find a suitable BaseDN and BindDN. There is no standard way to implement an AD.
              Especially in big companies ...

              What did help us was a tool called ldp.zip (AFAIR from Microsoft) to
              walk through the AD and find a valid BindDN for a certain user
              we decided to use.

              As was said earlier in this thread, you should use a non-admin to
              read the AD.
              Usually the AD cannot be read anonymously, but this might be
              configured.
              So, you'll need a normal AD user to access the domain.
              We use sAMAccountName as the search attribute.
              You can use the same attribute to search in the AD with the ldp.exe
              from ldp.zip.

              HTH,

              Norbert.
              Last edited by NOB; 20-10-2009, 08:37.
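The search-then-bind flow that posts #2 and #7 describe (bind with a low-privilege service account, look the user up by sAMAccountName under the BaseDN, then bind as the user's DN with the supplied password), as an added example that is not code from the thread or from Zabbix. The directory is a constructed in-memory stand-in for the AD server; the DNs, account names and passwords are assumptions, and the domain 3MEN.local comes from the thread.

```python
import re

# Constructed stand-in for the AD server: sAMAccountName -> (DN, password).
FAKE_AD = {
    "noxis":   ("cn=noxis,ou=it,dc=3men,dc=local", "Secret1"),
    "zbxbind": ("cn=zbxbind,ou=service,dc=3men,dc=local", "BindPw"),
}

def base_dn_from_domain(domain):
    """'3MEN.local' -> 'dc=3men,dc=local', the dc= part of the BaseDN."""
    labels = [p.lower() for p in domain.strip().split(".") if p]
    return ",".join("dc=" + label for label in labels)

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_search_filter(attr, login):
    """The equality filter the frontend sends, e.g. (sAMAccountName=noxis)."""
    return "(%s=%s)" % (attr, escape_filter_value(login))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def fake_bind(dn, password):
    """Simple bind against FAKE_AD. An empty password is an unauthenticated bind
    (RFC 4513) that AD accepts as anonymous, so it 'succeeds' without proving anything."""
    if password == "":
        return True
    return any(d == dn and p == password for d, p in FAKE_AD.values())

def fake_search(base_dn, ldap_filter):
    """Equality search on the sAMAccountName attribute below base_dn."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m or m.group(1).lower() != "samaccountname":
        return []
    wanted = _unescape(m.group(2)).lower()
    return [dn for name, (dn, _) in FAKE_AD.items()
            if name == wanted and dn.lower().endswith(base_dn.lower())]

def authenticate(base_dn, bind_dn, bind_pw, search_attr, login, password):
    """Search-then-bind: bind as the low-privilege service account, look up the
    user's DN via the search attribute, then bind as that DN with the user's password."""
    if not fake_bind(bind_dn, bind_pw):
        raise RuntimeError("service account bind failed: check Bind DN / Bind Pass")
    dns = fake_search(base_dn, build_search_filter(search_attr, login))
    if len(dns) != 1 or password == "":
        return False  # unknown or ambiguous user, or it would be an unauthenticated bind
    return fake_bind(dns[0], password)
```

The empty-password check matters because a real directory answers an unauthenticated bind with success, so a login form that forwards a blank password straight to the bind would accept any known username.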


              • noxis
                Senior Member
                • Aug 2007
                • 145

                #8
                I got it all working! Thanks guys.
