  1. ZABBIX BUGS AND ISSUES
  2. ZBX-22597

Just in time user provisioning: User group membership attribute can be only lowercase


    • Sprint 99 (Apr 2023)
    • 0.125

      Steps to reproduce:

      1. Follow the instructions from this blog post: https://blog.zabbix.com/just-in-time-user-provisioning-explained/
      2. Log in with username 'user1' and 'password'.

      Result:
      Login fails.
      Zabbix user with username user1 is not created.

      Expected:
      Login succeeds.
      Zabbix user with username user1 is created with proper role and group membership.

       

      It turns out that when the LDAP server has at least one capital letter in the name of the attribute that defines a user's LDAP group membership, the JIT functionality breaks. The OpenLDAP server has this attribute named "memberOf" by default, thus it is broken.

      Following patch fixes the issue:

      --- ./include/classes/ldap/CLdap.php    2023-03-28 02:48:53.207893069 +0000
      +++ /CLdap.php  2023-03-28 02:49:51.954490133 +0000
      @@ -426,7 +426,7 @@
                      $user['medias'] = $provisioning->getUserMedias($idp_user, false);
       
                      if ($config['group_membership'] !== '') {
      -                       $group_key = strtolower($config['group_membership']);
      +                       $group_key = $config['group_membership'];
       
                              if (array_key_exists($group_key, $idp_user) && is_array($idp_user[$group_key])) {
                                      $ldap_groups = $idp_user[$group_key]; 
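
      Review bot: removing strtolower() from $group_key turns the array_key_exists($group_key, $idp_user) check a few lines below into an exact-case match on whatever casing was typed into the group_membership setting, even though LDAP attribute names are case-insensitive. With this change a configured value of "memberof" or "MemberOf" would miss a "memberOf" key in $idp_user, and the missing key is skipped silently, so the user ends up with no mapped groups. Consider normalizing both sides instead of neither, for example by lowercasing the keys of $idp_user (array_change_key_case()) and keeping strtolower() on the configured value, or by doing a case-insensitive key search. A short comment stating which casing $idp_user keys are expected to have at this point would also help.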

            gcalenko Gregory Chalenko
            BGmot Evgeny Yurchenko
            Team C
            Votes: 4
            Watchers: 11
