In version 4.0 it looks like "Frontend access: Disabled" has changed in the way it works just a bit.  I think this is related to ZBXNEXT-4573.

In 3.4 and prior when using LDAP as the authentication mechanism "Disabled" worked as expected by still authenticating API users with frontend access disabled against LDAP instead of the internal database.

Now that it seems both internal and LDAP can be used at the same time Disabled seems to ignore LDAP even if it's the default and it only looks at the internal user database for authentication.

I propose one of three fixes:

• Adjust "Disabled" to read from the default authentication mechanism as it did <4.0.
• Adjust "Disabled" to read more like "Disabled (internal)"
• Create a second "Disabled" option so there's one for internal, and one for LDAP

The latter is the preferred method as it provides the most flexibility and keeps the functionality that many like myself are used to present.

As it stands, anyone using LDAP that upgrades to 4.0 that's doing anything via the API will face authentication failures which can be a very big deal.