I have done some searches here and on the internet at large, and I keep seeing this question asked over and over again without any satisfactory answers for many users. However, most of these posts are AT LEAST 2 years old, so I will bump it again here and see if there is any progress.
What we are trying to do is use Active Directory to manage who has what accesses in Zabbix. This is a very common workflow in the Windows AD world yet seems very foreign in the *nix world in general. Ideally, LDAP integration in Zabbix would look like this:
You direct the LDAP connection to the AD Server (or servers - multiple domains/forests would be supported in this ideal setup).
You identify as part of the connection the group or groups that will be identified in Zabbix.
Zabbix User Groups Authorizations would still apply, but it would be AD groups rather than individual Users that would be members of those User Groups.
Individual user rights would be able to be added, deleted, changed, etc. through AD by simply changing the groups they are members of.
On the Zabbix Side, it would treat anyone in the group as authorized to the level of the group and would do authentication via LDAP authentication against the AD LDAP service that the group is part of. (This would be how multiple forests/domains would be supported for authentication as well as authorization). Winbind, for its part, goes a long way in accomplishing this, but I haven't seen anywhere that implies this would even work with Zabbix, and if so, how that integration might work.
Is there ANY kind of movement, plan, or even active request around getting anywhere near this type of integration? This would be particularly useful to primarily Windows shops or Large Organizations that work primarily through AD.
For our current use, current LDAP authentication workflows provide only VERY limited value to Zabbix over internal authentication. It isn't just about password authentication, but about user management, and the Zabbix User Management is, so far, still a very manual process.