you should be able to make users in some groups to use local auth (see group properties), but that wold not be a fallback-like approach

Thanks!

I was about to reply and ask what exactly you're talking about, but I found it:
The "GUI Access" option within a group can be set to "Internal", which will force Internal Zabbix authentication rather than the default system access (in my case, LDAPS). So, if necessary (e.g. if LDAP goes down), all users can be quickly added to a group with empty permissions that forces Internal GUI Access.

What I've done:
- Setup LDAPS (with Active Directory) authentication
- Setup all users and appropriate permissions in their respective groups, using system default GUI access
- Setup a fallback Zabbix administrator (shared admin account)
- Setup an Internal Auth group, which forces Local GUI access
- Assigned the fallback Zabbix administrator to the Internal Auth group

This allows me to have LDAPS authentication for normal users and an emergency local account.

You could also add other non-emergency users which may not have LDAP/AD accounts this way. Simply assign the user permissions/groups as normal. Then add them to the Internal Auth Local GUI Access group. This group overrides other group settings (unless they are in a group which disables access).

I've tested adding other users (which are on AD) to the Internal Auth group, and everything runs great (assuming they have a password set internally as well).

Thanks!