I think it's not possible. At least I've tried to build an LDAP filter with the field Attribute without success.

I suppect the problem is here: Zabbix construct the LDAP query combining the Attribute field and the user that's doing the authentication
(in Zabbix 1.8.2, in file $ZABBIX_HOME/zabbix/include/classes/class.cldap.php with that PHP sentence: 'userfilter'=> '(%{attr}=%{user})',

That implies that in the attribute field you CAN ONLY put the LDAP attribute where the user name is stored. I believe there is no way to build that filter with the attribute field.

I've been thinking about and maybe it makes sense if Zabbix interpret LDAP as just a way of doing the authentication, and the authorization is done at Zabbix level itself because, if the user is not in the Zabbix database and in a group it cannot loggin even if it can authenticate.


May be someone from Zabbix Development Team could put a little light here and confirm or suggest a way of doing it.