AD LDAP auth with direct bind does not work with group mapping


    • Type: Problem report
    • Resolution: Won't fix
    • Priority: Trivial
    • Affects Version/s: 7.4.2
    • Component/s: Frontend (F)
    • Environment:
      RHEL 9

      When using MS AD LDAP with direct binding for auth, the user credentials are verified but groups are never mapped.

      After some debugging, in "ui/include/classes/ldap/CLdap.php" function "getUserAttributes" the user password appears to always be null so it is incorrectly returning an empty list (line 344). The bind call fails due to having a null password while the bind_type is BIND_DNSTRING (line 226).

      Not sure what the appropriate fix would be. My current workaround was removing that bind call on line 344 as the connection is already bound from a previous credential check anyways.

      Steps to reproduce:

      1. Configure LDAP authentication against MS AD using direct binding ("%{user}" in the Base DN & empty Bind DN/password)
      2. Enable JIT provisioning & add LDAP user group mapping
      3. Test login with any valid user. No LDAP groups will be mapped

      Result:
      User authentication is successful but group mapping is not working
      Expected:
      LDAP user groups should be mapped to Zabbix groups based on the user group mapping patterns

            Assignee:
            Zabbix Support Team
            Reporter:
            Rafael Simioni
            Votes:
            0
            Watchers:
            2

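The control flow described in the report, as an added example that is not Zabbix code and not part of the original issue: a small in-memory model in which the attribute lookup re-binds with a null password after a successful direct bind, next to a variant that reuses the already-bound session. `FakeDirectory`, `DirectBindClient`, the sample account, and the rules that a password-less bind is rejected and an unbound session sees no groups are all assumptions made for illustration.

```php
<?php
// Simplified model of the reported flow. Every class, method and value here
// is constructed for illustration; none of it is taken from CLdap.php.
final class FakeDirectory {
    private array $users = ['alice@example.test' => [
        'password' => 's3cret', 'memberOf' => ['CN=Ops,DC=example,DC=test'],
    ]];
    private ?string $boundAs = null;

    // Assumption: a bind that names a user but carries no password is rejected,
    // and a failed bind leaves the session without an identity.
    public function bind(string $id, ?string $password): bool {
        $ok = $password !== null && $password !== '' && isset($this->users[$id])
            && hash_equals($this->users[$id]['password'], $password);
        $this->boundAs = $ok ? $id : null;
        return $ok;
    }

    // Assumption: only an authenticated session may read group membership.
    public function memberOf(string $id): array {
        return $this->boundAs === null ? [] : ($this->users[$id]['memberOf'] ?? []);
    }
}

final class DirectBindClient {
    public function __construct(private FakeDirectory $dir, private string $baseDn) {}

    // Direct binding: the login name is substituted into the configured Base DN.
    private function id(string $user): string {
        return str_replace('%{user}', $user, $this->baseDn);
    }
    public function checkCredentials(string $user, string $password): bool {
        return $this->dir->bind($this->id($user), $password);
    }
    // Reported behaviour: a second bind runs with a null password, fails,
    // and the caller gets an empty attribute list.
    public function groupsWithRebind(string $user, ?string $password = null): array {
        return $this->dir->bind($this->id($user), $password)
            ? $this->dir->memberOf($this->id($user)) : [];
    }
    // Reporter's workaround: skip the second bind and reuse the bound session.
    public function groupsReusingBind(string $user): array {
        return $this->dir->memberOf($this->id($user));
    }
}

$c = new DirectBindClient(new FakeDirectory(), '%{user}@example.test');
$auth = $c->checkCredentials('alice', 's3cret');
$rebind = $c->groupsWithRebind('alice');
$c->checkCredentials('alice', 's3cret'); // bind again: the failed rebind reset the session
echo json_encode(['auth' => $auth, 'rebind' => $rebind, 'reuse' => $c->groupsReusingBind('alice')]), PHP_EOL;
```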