{"id":1377,"date":"2021-11-25T21:24:09","date_gmt":"2021-11-26T02:24:09","guid":{"rendered":"https:\/\/dc540.org\/xxx\/?p=1377"},"modified":"2021-11-25T21:24:10","modified_gmt":"2021-11-26T02:24:10","slug":"zabbix-and-freeipa","status":"publish","type":"post","link":"https:\/\/dc540.org\/xxx\/2021\/11\/zabbix-and-freeipa\/","title":{"rendered":"Zabbix and FreeIPA"},"content":{"rendered":"\n<p>If you&#8217;re like me and you&#8217;ve linked many, many applications to FreeIPA, you probably have a pretty good sense of how to go about it, and in some cases you can use an app&#8217;s authentication subsection without even consulting the Great Oracle Of Grand, Legitimate Experience. <\/p>\n\n\n\n<p>At least, this is usually the case with me. <\/p>\n\n\n\n<p>Not so much with Zabbix. The interface was so deceptively simple that it threw me off.<\/p>\n\n\n\n<p>Here&#8217;s what I discovered. Some from forums, some from less-than-obvious documentation, and some from twiddling knobs.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>To even get an LDAP configuration to pass a test and authenticate a user, the bind user needs to be described in a full DN. This isn&#8217;t completely out of left field, I&#8217;ve seen a few implementations require this, although I prefer just providing a username and password.<\/li><li>You also need to add &#8220;cn=compat&#8221; preceding your base dn in the LDAP configuration page.<\/li><li>Here&#8217;s where it screwed me. I expected, after passing a test, that if I switched to LDAP authentication it would just work. Not so. There&#8217;s a brief mention of it in the docs: &#8220;<em>Note that a user must exist in Zabbix as well, however its Zabbix password will not be used.<\/em>&#8221; So here I was trying to authenticate an LDAP user after switching to LDAP authentication, and wondering why it doesn&#8217;t work. It&#8217;s because this implementation doesn&#8217;t sync users. 
<\/li><li>Also the internal Admin user no longer works after you switch to LDAP. I went through a couple rounds of resetting it by MySQL (&#8220;update config set authentication_type =0 where configid=1;&#8221;) before the light bulb turned on &#8212; just uncheck &#8220;Case sensitive login&#8221; and you can use your LDAP admin user. At that point I created local users to match my LDAP users, and gave them the rights I needed. In the end, it seems like the Zabbix implementation is only using LDAP for authentication. Nothing as fancy as something like Zammad&#8217;s LDAP implementation, which maps LDAP groups to roles in the application.<\/li><li>One more thing: when creating a user, the UI says the password is optional when it&#8217;s an external user. This isn&#8217;t exactly true. Maybe it won&#8217;t be used, but it wouldn&#8217;t let me complete the form without a password. So make it a strong one.<\/li><\/ol>\n\n\n\n<p>Anyhow, I hope this helps someone someday. I found precious little online, and if I had it spelled out for me like this when I was looking, I would have been finished much faster.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;re like me and you&#8217;ve linked many, many applications to FreeIPA, you probably have a pretty good sense of how to go about it, and in some cases you &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/dc540.org\/xxx\/2021\/11\/zabbix-and-freeipa\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Zabbix and 
FreeIPA&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-1377","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts\/1377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/comments?post=1377"}],"version-history":[{"count":1,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts\/1377\/revisions"}],"predecessor-version":[{"id":1378,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/posts\/1377\/revisions\/1378"}],"wp:attachment":[{"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/media?parent=1377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/categories?post=1377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dc540.org\/xxx\/wp-json\/wp\/v2\/tags?post=1377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}