LDAP JIT group mapping problems
  • freiheit
    • Dec 2022

    #1

    Hello,

    This is a new Zabbix 6.4 installation on which I'm trying to set up LDAP authentication against AD servers with the new JIT. Everything else works, but it isn't able to map group info and I can't figure out why, or even where to look to get more details.

    Any hints on places to get additional debugging out of this are welcome.

    Using ldapsearch on CLI with same bind user, my own record contains (corp name replaced with "redacted" or "example"):
    Code:
    cn: Eric Eisenhart
    sn: Eisenhart
    displayName: Eric Eisenhart
    memberOf: CN=Senior System Engineer,OU=JobTitles,OU=Redacted Groups,DC=office,DC=redacted,DC=net
    mailNickname: eric.eisenhart
    sAMAccountName: eric.eisenhart
    mail: [email protected]
    JIT portion of LDAP auth config looks like:
    [screenshot: image.png]
    But test authentication doesn't map group:
    [screenshot: image.png]
    Possibly related to /forum/zabbix-troubleshooting-and-problems/461779-struggling-with-jit-for-azure-ad-saml-v-6-4 ?
  • freiheit
    • Dec 2022

    #2
    Looks like this is a bug: https://support.zabbix.com/browse/ZBX-22597


    • rofloslav
      • Apr 2023

      #3
      try this:

      [screenshot: image.png]


      • Arnold Kuehnle
        • May 2023

        #4
        Same problem with version 6.4.2, user group mapping does not work:

        [screenshot: image.png]

        [screenshot: image.png]


        Any idea?


        • Arnold Kuehnle
          • May 2023

          #5
          Additional Question: are nested Groups processed or only "one level"?


          • Arnold Kuehnle
            • May 2023

            #6
            [screenshot: Screenshot 2023-05-16 183944.png]

            Why does the "Group Name Attribute" destroy the matching? Using cn, sAMAccountName, etc. never works. What am I misunderstanding?

            BTW: Port 636 works fine, too.


            • Arnold Kuehnle
              • May 2023

              #7
              After reading further I found the solution:

              Using memberOf and leaving the "Group Name Attribute" empty did the job.

              Tested nested groups: does not work, only direct membership of the users.



              • bo83snap commented
                In my case it still doesn't. Is the group membership attribute in your case returning a full DN from the group or just the short group name?
                I am trying to look into CLdap.php and figure out whether it's even expecting just a simple short name or only looks for a full DN to split.
            • bo83snap
              • Oct 2023

              #8
              I'm sorry, but for me nothing works!!!! I tried all the combinations!!! For several days. The test gives "Login successful" but no group mapping.
              I even get media mapping OK.
              I tried memberOf and groupOfNames configurations (wtf are these? do they refer to the objectClass associated with the user's membership?). I tried patching the bug as well.
              I am really TIRED.

              All the documentation is very ambiguous to me, explaining various similar terms and attributes. Used the docs, used the blogs, and mapping still doesn't work!
              Enabled the debug, but that's useless since it doesn't really show what the search is actually doing. Searching manually through the LDAP works fine.

              So:
              • I have ou=people and ou=groups, also ou=users (for posixAccount)
              • users have an xyzMemberOf attribute where each group cn a user is a member of is listed
              • groups have memberUid attribute which contains the members' uid


              • bo83snap
                • Oct 2023

                #9
                Is the "Search filter" the one used when searching for a user only? (I assume)
                Having User group membership attribute = xyzMemberOf and a mapping of ws_admin > zabbix admins > super admin role should be all that is needed. But it's not, apparently.

                Is Zabbix searching with the full DN for groups or users?


                • FernandoRD
                  • Jul 2024

                  #10
                  I'm also stuck on this... the only way I managed to get it to work was putting an * in "LDAP group pattern".

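To check offline which group names a given directory layout would yield before touching the Zabbix UI, here is an added example (not Zabbix's code and not from any poster in this thread). It simulates the two lookup strategies discussed above: reading memberOf on the user (post #7) and scanning group entries' member lists such as memberUid (post #8), each filtered by a wildcard pattern like the one in post #10, and it shows the nested-group caveat from post #7. It assumes the group name is the value of the leading RDN of each memberOf DN, that wildcard matching is case-insensitive, and uses constructed sample data; the helper and attribute names are hypothetical, not Zabbix's.

```python
import fnmatch
import re

# Constructed sample data (not real directory contents): one user carrying
# AD-style memberOf DNs, plus group entries in the two styles from the thread.
USER = {
    "sAMAccountName": "eric.example",
    "memberOf": [
        "CN=Senior System Engineer,OU=JobTitles,OU=Example Groups,DC=office,DC=example,DC=net",
        "CN=zabbix\\, admins,OU=Groups,DC=office,DC=example,DC=net",  # escaped comma in the RDN
    ],
}
GROUPS = [
    {"cn": "ws_admin", "memberUid": ["eric.example", "someone.else"]},  # posixGroup style
    {"cn": "ws_readonly", "memberUid": ["someone.else"]},
    # Nested: only the "zabbix, admins" group is a member here, not the user itself.
    {"cn": "all_admins", "member": ["CN=zabbix\\, admins,OU=Groups,DC=office,DC=example,DC=net"]},
]


def first_rdn_value(dn):
    """Value of the leading RDN of a DN, honouring backslash-escaped commas."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # split at the first unescaped comma
    _attr, _sep, value = rdn.partition("=")
    return value.replace("\\,", ",").strip()


def _matches(names, pattern):
    # Assumption: the wildcard pattern behaves like a case-insensitive shell glob.
    return sorted(n for n in names if fnmatch.fnmatchcase(n.lower(), pattern.lower()))


def groups_from_member_of(user, pattern):
    """memberOf strategy: group names are taken from the user's own memberOf DNs."""
    return _matches([first_rdn_value(dn) for dn in user.get("memberOf", [])], pattern)


def groups_from_group_entries(user, groups, member_attr, ref_attr, pattern):
    """Group-entry strategy: group objects whose member list names the user's reference value."""
    ref = user[ref_attr]
    return _matches([g["cn"] for g in groups if ref in g.get(member_attr, [])], pattern)


if __name__ == "__main__":
    print(groups_from_member_of(USER, "*"))  # direct groups only
    print(groups_from_member_of(USER, "zabbix*"))
    print(groups_from_group_entries(USER, GROUPS, "memberUid", "sAMAccountName", "*"))
    # "all_admins" is reachable only through a nested group, so neither lookup returns it
    print("all_admins" in groups_from_member_of(USER, "*"))
```

Run it against a copy of your own user's ldapsearch output to see whether the group names you expect survive RDN parsing and the pattern you configured.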
