  • galb
    Junior Member
    • Feb 2008
    • 4

    #1

    PATCH: LDAP authentication

    Hi,
    This patch, implemented on Zabbix 1.4.4 (index.php), is used to authenticate users using an LDAP server, to simplify password management, and is posted with permission of the author.

    The patch tries to use LDAP authentication, and if the user is not known to the LDAP server, the original Zabbix authentication is used.

    The patch relies on two files (located in the includes directory), ldap.class.php and basic.class.php, originally from dokuwiki (GPL2) but slightly modified.

    ldap.class.php includes the LDAP server configuration parameters.
    Attached Files
    Last edited by galb; 05-05-2008, 10:17.
  • Aly
    ZABBIX developer
    • May 2007
    • 1126

    #2
    This patch applies only to users with PHP5.
    Zabbix | ex GUI developer


    • Crazy Marty
      Member
      • Sep 2007
      • 75

      #3
      W00t!

      Alexei, please promote this feature into 1.6 (and 1.4.5 would be very nice, too)!

      Thanks for the patch!


      • Crazy Marty
        Member
        • Sep 2007
        • 75

        #4
        Deeper Thought

        It would be really nice, though, if we could rely on the web server to authenticate, so we could then use any mechanism the web server supports (apache, for instance, has a gazillion of 'em). So, Zabbix would have to just trust that if it got invoked, then the server has already authenticated the user (even if only as 'guest').

        I don't really understand Zabbix authentication, though, so wiser heads than mine will need to sort out the gory details.

        Or am I missing something fundamental here?


        • xs-
          Senior Member
          Zabbix Certified Specialist
          • Dec 2007
          • 393

          #5
          Apache's ldap and authnz_ldap modules rely on a bind user to first look up a user and then authenticate that user, which is the 'official pretty' method.

          This method (although the patched class can also do the classic method), which some ppl might call a hack, will try to directly bind to the ldap instance using the entered credentials. If the bind succeeds, the user is authenticated; if it fails . . . you know.

          I actually prefer the direct bind method because it doesn't require you to store credentials in a config file, which the apache modules do require.


          • AdamLundrigan
            Junior Member
            • Jan 2008
            • 15

            #6
            Here is an alternative implementation I developed for our own use. It does not require PHP5, but does require the php-ldap extension (http://www.php.net/ldap). Instructions are in a text file inside the zip file. Enjoy!

            This implementation will query the LDAP server, and if it finds a match to the username and password given, will either add a new user record to the Zabbix user table or update an existing record if one exists with the same user ID. User authentication/authorization then continues as in standard Zabbix login.
            Attached Files


            • BenP
              Member
              • Aug 2007
              • 35

              #7
              Originally posted by AdamLundrigan
              Here is an alternative implementation I developed for our own use. It does not require PHP5, but does require the php-ldap extension (http://www.php.net/ldap). Instructions are in a text file inside the zip file. Enjoy!

              This implementation will query the LDAP server, and if it finds a match to the username and password given, will either add a new user record to the Zabbix user table or update an existing record if one exists with the same user ID. User authentication/authorization then continues as in standard Zabbix login.
              Hi,

              Using an account that doesn't exist, I received an "Undefined offset: 0[/var/www/localhost/htdocs/zabbix/include/ldap.lib.php:34]"

              I changed line 34 from:
              -if ($result[0])
              to:
              +if (!empty($result[0]) && $result[0] )

              I had to rewrite some parts of your code patch to fit in Novell e-dir ldap (because of missing attributes or different values). If somebody is interested, I will post the patch.

              Thanks a lot for your work!

              Regards
              Last edited by BenP; 18-04-2008, 12:37.


              • AdamLundrigan
                Junior Member
                • Jan 2008
                • 15

                #8
                Thanks for the heads-up. One of the downsides of "borrowing" the LDAP authentication code from ASPN, I guess :P

                During this iteration of the development I focused on handling the most common case - a proper login - plus a few alternatives. The code still needs a good bit of tidying up, and some additional error handling, array bounds checking, etc. I'll post an updated patch once that is completed.


                • Alexei
                  Founder, CEO
                  Zabbix Certified Trainer
                  Zabbix Certified Specialist
                  Zabbix Certified Professional
                  • Sep 2004
                  • 5654

                  #9
                  FYI LDAP authentication will be supported by 1.6.
                  Alexei Vladishev
                  Creator of Zabbix, Product manager
                  New York | Tokyo | Riga
                  My Twitter


                  • BenP
                    Member
                    • Aug 2007
                    • 35

                    #10
                    Originally posted by Alexei
                    FYI LDAP authentication will be supported by 1.6.
                    Great news, thanks Alexei.

                    If that helps, here are the minor changes I made to fit our ldap conf, completely based on AdamLundrigan's work.
                    Already compatible with AD - E-dir.

                    Minor changes on index.php since AdamLundrigan release:

                    - Existence control via alias, not case sensitive
                    - Generating uid from cn

                    Code:
                        ## START -- AAL 20080410 -- Mod VIALIS 20080418
                        ## $name and $password are set earlier in index.php from the login form;
                        ## ldap_authenticate() (ldap.lib.php) is expected to return the matching LDAP entry array, or a non-array on failure.

                        $l_execute_user_query = false;
                        if ( $USE_LDAP_AUTH )
                        {
                            $result = ldap_authenticate($name,get_request("password",""));
                            if ( is_array($result) && $result['count'] > 0 )
                            {
                                $row = array();

                                // Generate a unique ID from CN
                                $fake_uid=crc32($result['cn'][0]);
                                if (0 > $fake_uid)
                                {
                                    // crc32() can return a negative value on 32-bit platforms:
                                    // implicitly casts to float and corrects the sign.
                                    $fake_uid += 0x100000000;
                                }
                                $row['userid'] = $fake_uid;

                                $row['alias'] = $result['cn'][0];
                                $row['name'] = $result['givenname'][0];
                                $row['surname'] = $result['sn'][0];

                                // Existence check by alias, case-insensitive
                                $dbRow = DBfetch(DBselect("select u.* from users u where LOWER(u.alias)=LOWER(" . zbx_dbstr($row['alias']) .
                                    ') and '. DBin_node('u.userid', $ZBX_LOCALNODEID)));

                                // If the user exists in the database already, update the record
                                if ( $dbRow )
                                {
                                    add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Updated user from LDAP [".$name."]");

                                    DBexecute("update users set alias=LOWER(" . zbx_dbstr($row['alias']) . "), " .
                                        " userid=" . zbx_dbstr($row['userid']) . ", ".
                                        " name=" . zbx_dbstr($row['name']) . ", ".
                                        " surname=" . zbx_dbstr($row['surname']) . ", ".
                                        " passwd=" . zbx_dbstr($password) .
                                        " where alias=LOWER(" . zbx_dbstr($row['alias']) . ") limit 1");
                                }
                                else
                                {
                                    // New LDAP user: create the Zabbix record
                                    add_audit(AUDIT_ACTION_LOGIN,AUDIT_RESOURCE_USER,"Added user from LDAP [".$name."]");

                                    DBexecute("insert into users (userid,alias,name,surname,passwd) VALUES (" .
                                        zbx_dbstr($row['userid']) . ",LOWER(" . zbx_dbstr($row['alias']) . ")," .
                                        zbx_dbstr($row['name']) . "," . zbx_dbstr($row['surname']) . "," .
                                        zbx_dbstr($password) . ");");
                                }
                            }
                            else
                            {
                                // Not known to LDAP: fall back to the original Zabbix password check
                                $l_execute_user_query = true;
                            }
                        }
                        else
                        {
                            $l_execute_user_query = true;
                        }

                        if ( $l_execute_user_query )
                        {
                            $row = DBfetch(DBselect("select u.userid,u.alias,u.name,u.surname,u.url,u.refresh from users u where".
                                " u.alias=".zbx_dbstr($name)." and u.passwd=".zbx_dbstr($password).
                                ' and '.DBin_node('u.userid', $ZBX_LOCALNODEID)));
                        }

                        ## END -- AAL 20080410 -- Mod VIALIS 20080418

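Added example (not code from the thread, from the attached patches or from Zabbix) of the direct-bind method xs- describes in #5, written for PHP 7.1+ with the php-ldap extension, including the checks the posted code leaves out: refusing an empty password, escaping the login name, and testing the entry count before indexing the result (the "Undefined offset: 0" BenP hit in #7). The server URI, base DN and naming attribute are assumptions.

```php
<?php
// Added example, not code from the thread or from Zabbix. Assumed settings:
const LDAP_URI  = 'ldaps://ldap.example.invalid';     // assumption
const LDAP_BASE = 'ou=people,dc=example,dc=invalid';  // assumption
const LDAP_UID  = 'uid';                              // assumption; 'cn' on e-dir/AD-style trees

// Returns the attributes a Zabbix user record needs, or null on failure.
function ldap_authenticate(string $name, string $password): ?array
{
    // RFC 4513: a bind with an empty password is an *anonymous* bind, which
    // most servers accept. Refuse it here or "no password" would log in.
    if ($name === '' || $password === '') {
        return null;
    }
    // The login name is spliced into a DN and later into a filter: escape it
    // with the matching rules so a crafted name cannot alter the query.
    $dn = LDAP_UID . '=' . ldap_escape($name, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE;

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Direct bind with the user's own credentials: no service-account
    // password has to be stored in a config file (the point made in #5).
    if (@ldap_bind($conn, $dn, $password) === false) {
        ldap_close($conn);
        return null;
    }
    $filter  = '(' . LDAP_UID . '=' . ldap_escape($name, '', LDAP_ESCAPE_FILTER) . ')';
    $sr      = ldap_search($conn, LDAP_BASE, $filter, ['cn', 'givenname', 'sn']);
    $entries = ($sr !== false) ? ldap_get_entries($conn, $sr) : false;
    ldap_close($conn);

    // The "Undefined offset: 0" from #7: check 'count' before touching
    // $entries[0], and treat anything but exactly one entry as a failure.
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];   // ldap_get_entries() lower-cases attribute names
    return [
        'alias'   => $e['cn'][0] ?? $name,
        'name'    => $e['givenname'][0] ?? '',
        'surname' => $e['sn'][0] ?? '',
    ];
}
```

The returned array maps onto the $row fields the posted index.php change fills in; a null result is where that code falls back to the original Zabbix password check.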

                    • Aly
                      ZABBIX developer
                      • May 2007
                      • 1126

                      #11
                      Users won't be added automatically to ZABBIX, you will have to create users manually!

                      Only user authentication will be through LDAP.
                      Last edited by Aly; 25-04-2008, 15:55.
                      Zabbix | ex GUI developer


                      • NOB
                        Senior Member
                        Zabbix Certified Specialist
                        • Mar 2007
                        • 469

                        #12
                        Originally posted by Aly
                        Users won't be added automatically to ZABBIX, you will have to create users manually!

                        Only user authentication will be through LDAP.
                        Very good.

                        One question:

                        Is it possible to have a mix of users: some authenticate via LDAP and others are just locally authenticated users?

                        Reasons:
                        1. This makes ZABBIX independent of any (not) working LDAP environment, which ZABBIX should be able to monitor, anyway.

                        2. Not all our users will have an account on the same LDAP server.

                        Regards

                        Norbert.


                        • Aly
                          ZABBIX developer
                          • May 2007
                          • 1126

                          #13
                          No, currently it's not implemented.
                          Zabbix | ex GUI developer


                          • NOB
                            Senior Member
                            Zabbix Certified Specialist
                            • Mar 2007
                            • 469

                            #14
                            Hi Aly

                            Thanks for the very fast reply.

                            Originally posted by Aly
                            No, currently it's not implemented.
                            OK. But, at least, the hard part is already done.

                            It should not be so difficult to add a simple flag to the user
                            configuration.

                            Best regards

                            Norbert.


                            • Alexei
                              Founder, CEO
                              Zabbix Certified Trainer
                              Zabbix Certified Specialist
                              Zabbix Certified Professional
                              • Sep 2004
                              • 5654

                              #15
                              Security is the main reason why it was implemented this way. I am not happy about users getting authorization from different sources (LDAP, Apache, Kerberos, whatever).

                              If we use LDAP, it means that ALL users are authorized by the LDAP. So, we can track and manage who got an authorization and when on LDAP side.
                              Alexei Vladishev
                              Creator of Zabbix, Product manager
                              New York | Tokyo | Riga
                              My Twitter
