Changing LDAP test user

  • kekieres
    Junior Member
    • Nov 2010
    • 3

    #1

    Changing LDAP test user

    Hi forum,

    I've been testing the LDAP authentication and I have a problem. I've been using a testing user (in fact my real username) and once I've clicked the "Save" button the username cannot be changed anymore!! That makes the "Test" feature quite useless because nobody other than me can make the test. If another Zabbix Administrator (we are 2 guys in our company) wants to test it he cannot unless I give him my password....... uhmmm bad idea

    Does anybody know whether that's a bug or a feature? (btw, it would be a really strange one )

    cheers,

    R.
  • xs-
    Senior Member
    Zabbix Certified Specialist
    • Dec 2007
    • 393

    #2
    An LDAP account is required to actually do the lookups (bind account); I suggest you use a functional account for this, not a personal one.

    In order to enable LDAP authentication, the GUI forces you to 'use' (be logged in as) a valid username for the test, so that you will not lock yourself out. This last username/password (where the username is shown as a pulldown) will not be stored.
    Of course, you shouldn't use the 'Admin' account for this, as it's best practice to configure this account (before you enable LDAP) to use internal authentication.


    • kekieres
      Junior Member
      • Nov 2010
      • 3

      #3
      Originally posted by xs-
      An LDAP account is required to actually do the lookups (bind account); I suggest you use a functional account for this, not a personal one.

      In order to enable LDAP authentication, the GUI forces you to 'use' (be logged in as) a valid username for the test, so that you will not lock yourself out. This last username/password (where the username is shown as a pulldown) will not be stored.
      Of course, you shouldn't use the 'Admin' account for this, as it's best practice to configure this account (before you enable LDAP) to use internal authentication.
      Hi xs-,

      I don't really understand you, or maybe I didn't explain myself correctly (English is not my 1st language). But I've done a little test and I think that I saw your point. I post this message just to clarify for other people.

      I DID use a special user to bind to the LDAP server. This user is used to connect to the LDAP server and it's labeled as "Bind DN".
      Then I tried to check a user+password with the "test feature" in order to check that:
      1.- my Zabbix server can talk to the LDAP server
      2.- my binding user is ok (Bind DN + Bind password)
      3.- the parameters to look up a user and test its password are ok (Base DN + search attribute + Test Login user + Test password)

      Everything went ok, but once I did the test I realized that the "test login user" was somehow stored and that I couldn't change it anymore. The point is that it's NOT stored; it's in fact always pre-filled with the same user that is at that very moment connected and accessing that page. The purpose is in fact to check your regular username to see that you are not going to be locked out of your Zabbix server once you activate LDAP authentication.

      I hope it'll help.


      • bonobo_slr
        Junior Member
        • Nov 2010
        • 15

        #4
        I have noticed this as well. It must be a bug. I cannot change the test user from 'Admin'. I have a dedicated bind DN & password, but although I put the details in, the Admin user is greyed out in the box and cannot be changed.

        Is there any reason why there needs to be a dedicated user to bind with? Why not bind with the details submitted by the user?


        • Aly
          ZABBIX developer
          • May 2007
          • 1126

          #5
          If a super admin changes Zabbix authentication to LDAP, we must make sure that this user REALLY can log in via LDAP. You can select another user for the check if your own user account's authentication method is set to internal.
          Zabbix | ex GUI developer


          • bonobo_slr
            Junior Member
            • Nov 2010
            • 15

            #6
            I noticed that when I log in with a user account that is in LDAP, the test user then becomes the user you log in with - only then can you make the changes, as the test succeeds.

            I still think it would be better to bind with the credentials of the user that is trying to log in.


            • EnigmA-X
              Senior Member
              Zabbix Certified Specialist
              • Oct 2010
              • 116

              #7
              Originally posted by bonobo_slr
              I noticed that when I log in with a user account that is in LDAP, the test user then becomes the user you log in with - only then can you make the changes, as the test succeeds.
              Ehhh....I've read these 2 lines over 10 times, but I still can't find out what you're trying to say here...


              Originally posted by bonobo_slr
              I still think it would be better to bind with the credentials of the user that is trying to log in.
              How would you deal with a nice LDAP tree? You really need a functional account to have 'read' access on all branches with user information at some level. I can imagine many situations where you do not want any personal account to be able to read all branches... (just as an example)


              • bonobo_slr
                Junior Member
                • Nov 2010
                • 15

                #8
                Originally posted by EnigmA-X
                Ehhh....I've read these 2 lines over 10 times, but I still can't find out what you're trying to say here...

                How would you deal with a nice LDAP tree? You really need a functional account to have 'read' access on all branches with user information at some level. I can imagine many situations where you do not want any personal account to be able to read all branches... (just as an example)
                Let me clarify what I am saying. If you install Zabbix, log in with the admin account and then go to set up LDAP authentication - there is no way that you can test the LDAP connectivity unless you have an account in LDAP that is named 'Admin'. That is the fail. What you must do is create an account in Zabbix that matches an account in LDAP - give that account admin rights and then do the LDAP setup. Then log back in with admin and remove the rights you just gave the account to do the LDAP setup.

                This actually is not a bug - just a poor implementation of LDAP authentication.

                As to your read access on all branches... Even though I feel it should not be down to Zabbix how the LDAP security is configured - limit what can be searched for anonymously. Most LDAP servers configured for this type of use will allow anonymous searches for uid/username etc., but will limit what can be seen anonymously. I understand that this is the prerogative of the LDAP admin - but at least Zabbix should have the option of anonymous bind...

                Anonymous bind to find user -> rebind with credentials -> extract useful information such as group association, contact info, notification preferences etc.

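The bind-then-search-then-rebind sequence discussed in this thread, and the lockout guard the GUI applies before enabling LDAP, as an added example that is not code from the thread or from Zabbix. The directory is an in-memory stand-in constructed for the example so it runs offline; `FakeDirectory`, `ldap_authenticate`, `safe_to_enable_ldap`, `login_ok`, the sample DNs and the passwords are all assumptions of this example. A real deployment would swap the stand-in for a python-ldap or ldap3 connection offering the same `bind` and `search` calls. The one caveat worth showing is the empty-password case: an LDAP bind with a DN and an empty password is an "unauthenticated" bind that many servers accept as anonymous rather than refusing, so the application must reject it before the server sees it.

```python
"""Search-then-rebind LDAP login check with a lockout guard.
Example code; the directory below is a constructed in-memory stand-in."""
from typing import Dict, List, Tuple


class LdapError(Exception):
    """Any failure a real server would report as a non-success result code."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server: dn -> (password, attributes)."""

    def __init__(self, entries: Dict[str, Tuple[str, dict]], anonymous_search: bool = False):
        self.entries = entries
        self.anonymous_search = anonymous_search
        self.bound_as = None  # DN of the current session, None when anonymous

    def bind(self, dn: str, password: str) -> None:
        # Mirrors RFC 4513 5.1.2: a DN with an EMPTY password is an
        # "unauthenticated" bind, which many servers accept as anonymous
        # instead of failing. An application that forgets to reject empty
        # passwords itself would treat that as a successful login.
        if password == "":
            self.bound_as = None
            return
        entry = self.entries.get(dn)
        if entry is None or entry[0] != password:
            raise LdapError("invalidCredentials")
        self.bound_as = dn

    def search(self, base_dn: str, attr: str, value: str) -> List[str]:
        # Searching needs either a bound session or an anonymous-search policy.
        if self.bound_as is None and not self.anonymous_search:
            raise LdapError("insufficientAccessRights")
        return [dn for dn, (_pw, attrs) in self.entries.items()
                if dn.endswith("," + base_dn) and attrs.get(attr) == value]


def ldap_authenticate(directory, bind_dn, bind_password, base_dn, search_attr,
                      username, password) -> str:
    """Return the authenticated user's DN, or raise LdapError."""
    if password == "":
        raise LdapError("empty password refused")        # see FakeDirectory.bind
    directory.bind(bind_dn, bind_password)                # 1. functional account
    matches = directory.search(base_dn, search_attr, username)  # 2. look the user up
    if len(matches) != 1:
        raise LdapError(f"{search_attr}={username}: {len(matches)} entries, need exactly 1")
    user_dn = matches[0]
    directory.bind(user_dn, password)                     # 3. rebind as the user
    return user_dn


def safe_to_enable_ldap(directory, cfg: dict, current_user: str, current_password: str) -> bool:
    """Lockout guard: the admin saving the config must be able to log in through
    it. A Zabbix-only account such as 'Admin' with no LDAP entry fails here."""
    try:
        ldap_authenticate(directory, username=current_user, password=current_password, **cfg)
        return True
    except LdapError:
        return False


# Constructed sample directory and Zabbix-style LDAP settings (assumed values).
DIRECTORY = FakeDirectory({
    "cn=zabbix-bind,ou=service,dc=example,dc=com": ("bind-secret", {"cn": "zabbix-bind"}),
    "uid=alice,ou=people,dc=example,dc=com": ("alice-pw", {"uid": "alice"}),
    "uid=bob,ou=people,dc=example,dc=com": ("bob-pw", {"uid": "bob"}),
})
CONFIG = {
    "bind_dn": "cn=zabbix-bind,ou=service,dc=example,dc=com",
    "bind_password": "bind-secret",
    "base_dn": "ou=people,dc=example,dc=com",
    "search_attr": "uid",
}


def login_ok(username: str, password: str, cfg: dict = CONFIG) -> bool:
    """True if the search-then-rebind sequence succeeds for this user."""
    try:
        ldap_authenticate(DIRECTORY, username=username, password=password, **cfg)
        return True
    except LdapError:
        return False


if __name__ == "__main__":
    print("alice/alice-pw:", login_ok("alice", "alice-pw"))
    print("alice/empty password:", login_ok("alice", ""))
    print("Admin may enable LDAP:", safe_to_enable_ldap(DIRECTORY, CONFIG, "Admin", "zabbix"))
```

Run against the sample directory, `alice` authenticates, an empty password is refused before any bind, and `safe_to_enable_ldap` returns False for `Admin`, which is exactly the situation the posters describe: the guard only passes once the logged-in account also exists in the tree.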

                • Aly
                  ZABBIX developer
                  • May 2007
                  • 1126

                  #9
                  We do not create Zabbix users from LDAP; we just provide the possibility for an existing Zabbix user to log in via LDAP. The Zabbix user MUST exist and it should be created from the frontend or API. You cannot log in to Zabbix if such a user exists only on the LDAP side.
                  Reasons:
                  1. The user must have at least 1 readable host
                  2. It must be configured (status, GUI access, API access, etc.)
                  3. Storing profiles
                  4. User media
                  etc.

                  And you may still synchronize LDAP users with Zabbix by a simple script that checks the LDAP users and adds them to Zabbix via the Zabbix API.
                  Zabbix | ex GUI developer

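A sketch of the sync script the post above suggests, added here as an example that is not from the thread or from Zabbix: it asks the Zabbix JSON-RPC API for the existing accounts and creates one for every LDAP login that is missing. The JSON-RPC envelope (`jsonrpc`, `method`, `params`, `id`, plus `auth` carrying the token from `user.login`) is the real API shape; the field names `user`/`password` for `user.login`, `alias`, `passwd` and `usrgrps` are those of the 1.8/2.x-era API and are an assumption here, so check them against the reference for your release. `ZabbixApi`, `sync_users`, `http_post`, `FakeZabbixServer`, `run_sync`, the group id `7` and all sample logins are assumptions of this example; the fake server is constructed so the logic runs offline.

```python
"""LDAP -> Zabbix user sync over JSON-RPC. Example code; the server below is
a constructed stand-in and the API field names are assumed (older API)."""
import json
import secrets
import urllib.request


class ZabbixApi:
    """Minimal JSON-RPC 2.0 client; `post` takes a request dict, returns a reply dict."""

    def __init__(self, post):
        self._post = post
        self._auth = None   # session token returned by user.login
        self._id = 0

    def call(self, method: str, params):
        self._id += 1
        request = {"jsonrpc": "2.0", "method": method, "params": params, "id": self._id}
        if method != "user.login":
            if self._auth is None:
                raise RuntimeError(f"{method}: not logged in")
            request["auth"] = self._auth
        reply = self._post(request)
        if "error" in reply:
            raise RuntimeError(f"{method}: {reply['error']}")
        return reply["result"]

    def login(self, user: str, password: str) -> str:
        self._auth = self.call("user.login", {"user": user, "password": password})
        return self._auth


def http_post(url: str):
    """Real transport for api_jsonrpc.php (not exercised offline)."""
    def post(request: dict) -> dict:
        req = urllib.request.Request(url, data=json.dumps(request).encode(),
                                     headers={"Content-Type": "application/json-rpc"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def sync_users(api: ZabbixApi, ldap_logins, usrgrpid: str):
    """Create a Zabbix user for every LDAP login not yet present; returns the
    created logins, sorted. Nothing is deleted: an account gone from LDAP simply
    cannot authenticate any more, and removing it would drop its media/profile."""
    existing = {u["alias"] for u in api.call("user.get", {"output": ["alias"]})}
    created = []
    for login in sorted(set(ldap_logins) - existing):
        api.call("user.create", {
            "alias": login,
            # The internal password is unused while auth is LDAP, but it must
            # not be guessable in case authentication is switched back.
            "passwd": secrets.token_urlsafe(24),
            "usrgrps": [{"usrgrpid": usrgrpid}],   # group grants the readable hosts
        })
        created.append(login)
    return created


class FakeZabbixServer:
    """Constructed stand-in for api_jsonrpc.php with just enough state for the sync."""

    def __init__(self, users, admin_password="zabbix"):
        self.users = [{"userid": str(i + 1), "alias": a} for i, a in enumerate(users)]
        self.admin_password = admin_password
        self.token = None

    def __call__(self, request: dict) -> dict:
        method, params = request["method"], request["params"]
        if method == "user.login":
            if params != {"user": "Admin", "password": self.admin_password}:
                return {"error": {"code": -32602, "message": "bad credentials (constructed)"}}
            self.token = secrets.token_hex(16)
            return {"result": self.token}
        if self.token is None or request.get("auth") != self.token:
            return {"error": {"code": -32602, "message": "not authorised (constructed)"}}
        if method == "user.get":
            return {"result": [dict(u) for u in self.users]}
        if method == "user.create":
            if any(u["alias"] == params["alias"] for u in self.users):
                return {"error": {"code": -32602, "message": "alias exists (constructed)"}}
            self.users.append({"userid": str(len(self.users) + 1), "alias": params["alias"]})
            return {"result": {"userids": [self.users[-1]["userid"]]}}
        return {"error": {"code": -32601, "message": "Method not found."}}


def run_sync(ldap_logins, existing=("Admin", "alice")):
    """Drive one sync against the fake server; returns (created, final alias list)."""
    server = FakeZabbixServer(existing)
    api = ZabbixApi(server)
    api.login("Admin", "zabbix")
    created = sync_users(api, ldap_logins, usrgrpid="7")
    return created, [u["alias"] for u in server.users]


if __name__ == "__main__":
    print(run_sync(["alice", "bob", "carol"]))
```

To run it for real, replace the fake with `ZabbixApi(http_post("https://zabbix.example/api_jsonrpc.php"))` and feed `sync_users` the login names you pulled from the directory; keep the sync account's credentials out of the script itself, and note that the same run is idempotent because only the set difference is created.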

                  • cbidwell
                    Senior Member
                    • Aug 2006
                    • 127

                    #10
                    A little late with a response to this message, but this really isn't related to the LDAP user per se, because I can make the LDAP user test work fine; however, when I try to save those settings I get an error message saying "Incorrect host group". I look through my host groups and am not sure exactly what it's referring to as an incorrect host group.

                    I'm responding in this message because I figure people will receive emails when it gets updated.

                    Thanks!
                    Chris
