Autocreated LDAP users get created as Zabbix Administrators

XMLWordPrintable

    • Type: Defect (Security)
    • Resolution: Won't fix
    • Priority: Major
    • None
    • Affects Version/s: 2.4.7
    • Component/s: Frontend (F)

      I am using LDAP authentication.

      When a user logs into Zabbix using their LDAP credentials, a Zabbix user is autocreated for them via /usr/share/zabbix/include/classes/api/services/CUser.php lines 987 onwards.

      Line 1002 states

      $ldapUser['usrgrps']            = 7;

      Which means that all auto-created users are created as Zabbix Administrators. This is not desirable as it allows all auto-created users full access to change the configuration of Zabbix - including the ability to change the authentication configuration.

      The user groups that auto-created users get added to should be made configurable via the LDAP authentication configuration.

      A strong argument could be made that the default should not be to add the auto-created users to the Zabbix Administrators group.

            Assignee:
            Unassigned
            Reporter:
            Mike Griffiths
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: