Details
-
Problem report
-
Resolution: Fixed
-
Trivial
-
6.4.1rc1
-
Team C
-
Sprint 99 (Apr 2023)
-
0.125
Description
Steps to reproduce:
- Follow instructions from this blogpost https://blog.zabbix.com/just-in-time-user-provisioning-explained/
- Login with username 'user1' and 'password'.
Result:
Login fails.
Zabbix user with username user1 is not created
Expected:
Login succeeds.
Zabbix user with username user1 is created with proper role and group membership.
Turns out when LDAP server has at least one capital letter in attribute name that defines users LDAP group membership JIT functionality breaks. OpenLDAP server by default has this attribute named "memberOf" thus it is broken.
Following patch fixes the issue:
--- ./include/classes/ldap/CLdap.php 2023-03-28 02:48:53.207893069 +0000 +++ /CLdap.php 2023-03-28 02:49:51.954490133 +0000 @@ -426,7 +426,7 @@ $user['medias'] = $provisioning->getUserMedias($idp_user, false); if ($config['group_membership'] !== '') { - $group_key = strtolower($config['group_membership']); + $group_key = $config['group_membership']; if (array_key_exists($group_key, $idp_user) && is_array($idp_user[$group_key])) { $ldap_groups = $idp_user[$group_key];
Attachments
Issue Links
- caused by
-
ZBXNEXT-276 LDAP authentication with groups support
-
- Closed
-
- is duplicated by
-
-
- Closed
-
- mentioned in
-
Page Loading...