Zabbix and FreeIPA

If you’re like me and you’ve linked many, many applications to FreeIPA, you probably have a pretty good sense of how to go about it, and in some cases you can use an app’s authentication subsection without even consulting the Great Oracle Of Grand, Legitimate Experience.

At least, this is usually the case with me.

Not so much with Zabbix. The interface was so deceptively simple that it threw me off.

Here’s what I discovered. Some from forums, some from less-than-obvious documentation, and some from twiddling knobs.

  1. To even get an LDAP configuration to pass a test and authenticate a user, the bind user needs to be given as a full DN (for FreeIPA that looks like uid=someuser,cn=users,cn=accounts,dc=example,dc=com rather than just the username). This isn’t completely out of left field; I’ve seen a few implementations require this, although I prefer just providing a username and password.
  2. You also need to add “cn=compat” preceding your base dn in the LDAP configuration page.
  3. Here’s where it screwed me. I expected, after passing a test, that if I switched to LDAP authentication it would just work. Not so. There’s a brief mention of it in the docs: “Note that a user must exist in Zabbix as well, however its Zabbix password will not be used.” So here I was trying to authenticate an LDAP user after switching to LDAP authentication, and wondering why it didn’t work. It’s because this implementation doesn’t sync users: LDAP only checks the password, and the user record still has to be created in Zabbix by hand.
  4. Also, the internal Admin user no longer works after you switch to LDAP. I went through a couple of rounds of resetting it by MySQL (“update config set authentication_type=0 where configid=1;”) before the light bulb turned on: just uncheck “Case sensitive login” and you can use your LDAP admin user, since it then matches the local Admin account. At that point I created local users to match my LDAP users and gave them the rights I needed. In the end, it seems like the Zabbix implementation is only using LDAP for authentication. Nothing as fancy as Zammad’s LDAP implementation, which maps LDAP groups to roles in the application.
  5. One more thing: when creating a user, the UI says the password is optional when it’s an external user. This isn’t exactly true. Maybe it won’t be used, but it wouldn’t let me complete the form without a password. So make it a strong one.
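Since Zabbix won’t sync users for you (item 3), the thing I’d want before flipping the authentication switch is a list of LDAP users who don’t yet have a Zabbix account, so none of them get locked out. Here’s an added example of that check (my own script, not anything from Zabbix or FreeIPA): it reads the uids from an ldapsearch dump of the cn=compat tree, compares them with the output of the Zabbix API’s user.get, and builds user.create payloads for the missing ones with a throwaway strong password (item 5). The LDIF and the Zabbix user list embedded below are constructed sample data; the API method names and the alias/username and usrgrps fields are what I remember of the JSON-RPC API and vary between Zabbix versions (newer releases use username and need a roleid), so treat the exact field set as an assumption to check against your version’s docs. The comparison is case-insensitive by default to mirror the “Case sensitive login” checkbox being off (item 4).

```python
import json
import re
import secrets
import urllib.request

# Constructed sample: what
#   ldapsearch -LLL -b cn=compat,dc=example,dc=com "(objectClass=posixAccount)" uid
# might return from FreeIPA. These entries are made up for the example.
SAMPLE_COMPAT_LDIF = """\
dn: uid=admin,cn=users,cn=compat,dc=example,dc=com
uid: admin

dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=com
uid: jdoe

dn: uid=asmith,cn=users,cn=compat,dc=example,dc=com
uid: asmith
"""

# Constructed sample of a Zabbix user.get result. Older releases call the
# login field "alias"; 5.4 and later call it "username". Both are handled.
SAMPLE_ZABBIX_USERS = [
    {"userid": "1", "alias": "Admin"},
    {"userid": "2", "alias": "jdoe"},
]


def parse_ldif_uids(ldif_text):
    """Return every uid value found in LDIF text, one per entry."""
    return re.findall(r"^uid:\s*(\S+)$", ldif_text, flags=re.MULTILINE)


def zabbix_login_names(users):
    """Login names from a user.get result, whichever field name the version uses."""
    return [u.get("username") or u.get("alias") for u in users]


def missing_zabbix_users(ldap_uids, zabbix_users, case_sensitive=False):
    """LDAP uids with no matching Zabbix user; these would fail to log in
    after switching authentication to LDAP. Matching is case-insensitive
    unless case_sensitive=True, mirroring the 'Case sensitive login' option."""
    norm = (lambda s: s) if case_sensitive else str.lower
    existing = {norm(name) for name in zabbix_login_names(zabbix_users)}
    return [uid for uid in ldap_uids if norm(uid) not in existing]


def build_user_create(username, usrgrpid, name_field="alias"):
    """Params for user.create. The form insists on a password even for LDAP
    users, so generate a strong random one that will never be used.
    name_field is 'alias' on older Zabbix and 'username' on 5.4+ (assumption)."""
    return {
        name_field: username,
        "passwd": secrets.token_urlsafe(24),
        "usrgrps": [{"usrgrpid": usrgrpid}],
    }


def jsonrpc(url, method, params, auth=None, req_id=1):
    """Minimal Zabbix JSON-RPC call (not exercised offline in this example)."""
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if auth:
        body["auth"] = auth
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json-rpc"},
    )
    with urllib.request.urlopen(req) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


if __name__ == "__main__":
    # Offline dry run over the constructed samples. Against a live server you
    # would replace SAMPLE_ZABBIX_USERS with
    #   jsonrpc(url, "user.get", {"output": ["userid", "alias"]}, auth=token)
    uids = parse_ldif_uids(SAMPLE_COMPAT_LDIF)
    missing = missing_zabbix_users(uids, SAMPLE_ZABBIX_USERS)
    print("LDAP users without a Zabbix account:", missing)
    for name in missing:
        # usrgrpid "7" is a placeholder; look yours up with usergroup.get
        print(json.dumps(build_user_create(name, usrgrpid="7")))
```

Run it as-is for the dry run; with “Case sensitive login” still checked, pass case_sensitive=True and the LDAP admin shows up as missing too, which is exactly the lockout in item 4.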

Anyhow, I hope this helps someone someday. I found precious little online, and if I had it spelled out for me like this when I was looking, I would have been finished much faster.