Zabbix & Ldap

  • doesntmatter
    Junior Member
    • Jun 2019
    • 13

    #1

    Zabbix & Ldap

    In the login of Zabbix 4 I can select a default login, as in the screenshot:

    [Screenshot: zabbix.JPG]

    I want to use both methods: some users from internal (in case the DC breaks) and LDAP as default. If I change this to LDAP, can I still use DB with Zabbix 4?

  • doesntmatter
    Junior Member
    • Jun 2019
    • 13

    #2
    OK, I tried it in my testing environment. Does somebody know how to enable internal login if the default is set to LDAP? Only to have one local emergency login if AD breaks?

    Comment

    • cflannigan
      Junior Member
      • Aug 2021
      • 9

      #3
      Hey.
      Your user groups determine whether to use LDAP or internal for logging in. You will see the dropdown below when you are in one of the groups, which will determine how members of that group authenticate, or not if it's set to disabled.

      [Screenshot: zabbix-auth.PNG]

      What I do is create an internal admin group for those emergency accounts, like the NOC teams etc.

      Comment

      • doesntmatter
        Junior Member
        • Jun 2019
        • 13

        #4
        Originally posted by cflannigan
        Hey.
        Your user groups determine whether to use LDAP or internal for logging in. You will see the dropdown below when you are in one of the groups, which will determine how members of that group authenticate, or not if it's set to disabled.

        [Screenshot: zabbix-auth.PNG]

        What I do is create an internal admin group for those emergency accounts, like the NOC teams etc.

        Very cool. I checked only for the group Zabbix Administrators - there is no possibility to set this information. But for new groups it's fine :-)
        Last edited by doesntmatter; 25-08-2021, 11:19.

        Comment

        • johndoe2374
          Member
          • Aug 2021
          • 80

          #5
          Hello.

          The Zabbix Administrators group uses the default system-wide access method; it looks like you can't change it for that group.

          I do it the following way:

          1. Use the internal method for the default Zabbix Administrator account and maybe some other admins, as they should have access at any time without depending on AD.
          2. Create another group "LDAP Users" and set the LDAP method for them.
          3. Create domain users using their logins and put them into the LDAP Users group straightaway, so it will allow you to create a user without specifying a password. Now they will be able to log in using their domain passwords.

          I don't think you will be able to allow the same user to use internal authentication and LDAP at the same time. Even if it were possible, there's no point in that, as you'll have to specify some password for the internal authentication method anyway.

          Comment

          • doesntmatter
            Junior Member
            • Jun 2019
            • 13

            #6
            cflannigan

            Do you know how to log in with a given domain?

            - $Username only => works fine
            - $Domain\$Username => Not working
            - $Username@$Domain.local => not working

            Comment

            • cflannigan
              Junior Member
              • Aug 2021
              • 9

              #7
              Hey
              There is no way to configure this unless you look at the PHP for the web component. As far as I know, it looks for the samAccountName or userPrincipalName to authenticate against, so you would have to use that for LDAP. Perhaps that could be a feature request where you can configure those parameters, if there is not one already.

              Comment

              • doesntmatter
                Junior Member
                • Jun 2019
                • 13

                #8
                Originally posted by cflannigan
                Hey
                There is no way to configure this unless you look at the PHP for the web component. As far as I know, it looks for the samAccountName or userPrincipalName to authenticate against, so you would have to use that for LDAP. Perhaps that could be a feature request where you can configure those parameters, if there is not one already.

                Then I think it's a bug, because the samAccountName has been outdated for a loooonnng time (pre Win 2000)
                User naming attributes identify user objects, such as logon names and IDs used for security purposes.


                => Where can I create bug reports or feature requests?

                Comment

                • cflannigan
                  Junior Member
                  • Aug 2021
                  • 9

                  #9
                  Sorry, looks like I'm mistaken: you can use the Search attribute section to specify what field to search for users. I guess for AD it advises to use the sAMAccountName, but you can always try another field that is used in your LDAP schema. As for a bug, go to support.zabbix.com and you can create an account and open a bug or feature request.
                  Search attribute LDAP account attribute used for search:
                  uid (for OpenLDAP),
                  sAMAccountName (for Microsoft Active Directory)



                  Comment

                  • doesntmatter
                    Junior Member
                    • Jun 2019
                    • 13

                    #10
                    Originally posted by cflannigan
                    Sorry, looks like I'm mistaken: you can use the Search attribute section to specify what field to search for users. I guess for AD it advises to use the sAMAccountName, but you can always try another field that is used in your LDAP schema. As for a bug, go to support.zabbix.com and you can create an account and open a bug or feature request.
                    Search attribute LDAP account attribute used for search:
                    uid (for OpenLDAP),
                    sAMAccountName (for Microsoft Active Directory)


                    uid is not working either, so you are right :-)

                    Comment

                    • license@testoil.com
                      Junior Member
                      • Aug 2021
                      • 2

                      #11
                      Just as an FYI, UID is not usually completed in an Active Directory standard user account. Recommendation is the sAMAccountName.

                      Comment
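
The login forms tried in posts #6 to #11, as an added example that is not part of any post and is not Zabbix's own code. It assumes the front end looks a user up with an equality filter on the configured search attribute; the directory entry and the names `jdoe`, `EXAMPLE` and `example.local` are constructed.

```python
# Added illustration, not Zabbix code. Assumption: the lookup filter is
# (<search attribute>=<login exactly as typed>), with the value escaped.

# Constructed sample entry; a standard AD user normally has no uid value.
DIRECTORY = [{
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@example.local",
}]

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # e.g. backslash -> \5c, * -> \2a
        else:
            out.append(ch)
    return "".join(out)

def build_filter(search_attribute, login):
    """Filter string that would be sent for this attribute and typed login."""
    return "(%s=%s)" % (search_attribute, escape_filter_value(login))

def matches(search_attribute, login):
    """Case-insensitive equality match against the sample directory."""
    return any(entry.get(search_attribute, "").lower() == login.lower()
               for entry in DIRECTORY)

def login_matrix(logins,
                 attributes=("sAMAccountName", "userPrincipalName", "uid")):
    """Map (attribute, login) -> (filter, whether an entry is found)."""
    return {(attr, login): (build_filter(attr, login), matches(attr, login))
            for attr in attributes for login in logins}

if __name__ == "__main__":
    forms = ["jdoe", "EXAMPLE\\jdoe", "jdoe@example.local"]
    for (attr, login), (flt, found) in login_matrix(forms).items():
        print("%-18s %-20s %-46s %s"
              % (attr, login, flt, "found" if found else "no match"))
```

With `sAMAccountName` only the bare username matches, with `userPrincipalName` only the `user@domain` form matches, and `uid` matches nothing because the sample entry has no such value.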
