  1. ZABBIX BUGS AND ISSUES
  2. ZBX-22597

Just in time user provisioning: User group membership attribute can be only lowercase

Details

    • Team C
    • Sprint 99 (Apr 2023)
    • 0.125

    Description

      Steps to reproduce:

      1. Follow the instructions from this blog post: https://blog.zabbix.com/just-in-time-user-provisioning-explained/
      2. Log in with username 'user1' and 'password'.

      Result:
      Login fails.
      Zabbix user with username user1 is not created.

      Expected:
      Login succeeds.
      Zabbix user with username user1 is created with proper role and group membership.

       

      Turns out that when the LDAP server has at least one capital letter in the attribute name that defines a user's LDAP group membership, JIT functionality breaks. The OpenLDAP server by default has this attribute named "memberOf", thus it is broken.

      Following patch fixes the issue:

      --- ./include/classes/ldap/CLdap.php    2023-03-28 02:48:53.207893069 +0000
      +++ /CLdap.php  2023-03-28 02:49:51.954490133 +0000
      @@ -426,7 +426,7 @@
                      $user['medias'] = $provisioning->getUserMedias($idp_user, false);
       
                      if ($config['group_membership'] !== '') {
      -                       $group_key = strtolower($config['group_membership']);
      +                       $group_key = $config['group_membership'];
       
                              if (array_key_exists($group_key, $idp_user) && is_array($idp_user[$group_key])) {
                                      $ldap_groups = $idp_user[$group_key]; 
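
      Review bot: with strtolower() dropped on the $group_key assignment, array_key_exists($group_key, $idp_user) becomes an exact-case match between the configured group_membership value and the keys of $idp_user, so the case mismatch is moved rather than removed: a configured "memberof" would now miss a "memberOf" key and the if body that reads $ldap_groups is not entered. LDAP attribute names are case-insensitive, so I would resolve the key case-insensitively on both sides, for example by looking up strtolower($group_key) in array_change_key_case($idp_user, CASE_LOWER), and add a comment stating which case the keys of $idp_user are expected to have. A test with a mixed-case attribute name such as "memberOf" would pin the behaviour down, since this lookup decides which groups a provisioned user is mapped to.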

            People

              gcalenko Gregory Chalenko
              BGmot Evgeny Yurchenko