When integrating Zabbix with an internal Active Directory environment, the current solution seems to sweep the AD structure for matching userID's based on the starting base DN that is defined within the configuration. This can work for organizations that have created an OU structure where the AD userID's to be used for Zabbix authentication have been split out into their own OU and don't conflict with other users.

Not all organizations have this type of segregation and may have their Active Directory structure created and maintained by a separate team. One way to use AD for access control in this scenario is to place those users into an AD group and perform a group-match at login - only members of the group are permitted to login. This can be considered a key security option to prevent unauthorized access to Zabbix - especially in an enterprise environment where Zabbix is AD integrated and we may not want unauthorized AD users to login to Zabbix.