-
Change Request
-
Resolution: Fixed
-
Trivial
-
None
-
None
-
Sprint 35, Sprint 36, Sprint 37, Sprint 38, Sprint 39, Sprint 40, Sprint 41, Sprint 42, Sprint 43
-
8
User stories
When Apache Auth directives are configured for all Zabbix frontend pages:
- As a Zabbix user, after migration from Zabbix 3.X with HTTP enabled, I want it still be impossible to login using Internal/LDAP password without signing in with Apache first.
When Apache Auth directives are configured only to login_http.php page:
- As a Zabbix user, I can login with HTTP(using Kerberos or others types) or using Internal/LDAP passwords
- As a Zabbix admin, I can choose whether to redirect unauthorized users to HTTP login or Zabbix login form
Acceptance
- If HTTP auth is enabled:
- Any zabbix users, regardless of their user groups, can sign in with HTTP auth if their alias match
- It's still must be possible to sign in using standard zabbix login page using Internal or LDAP passwordif web server is setup accordingly)
- HTTP auth and standard zabbix login pages must have separate URLs directly accessible.
- If HTTP auth is globally disabled, then HTTP auth page must redirect to Internal auth page
- It must be possible to remove domain part of the username received from web server. i.e. username@ADNAME becomes just username
- causes
-
ZBX-18942 CControllerAuthenticationUpdate controller is not protected by a CSRF token (CVE-2021-27927)
-
- Closed
-
-
ZBX-15353 API login asks for password with HTTP authentication enabled
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
- depends on
-
ZBXNEXT-407 Fallback login option for LDAP
-
- Open
-
-
-
- Open
-
-
ZBX-14774 Page is recursively included into itself if it contains tabs and was opened by link with username and password in the URL.
-
- Open
-
-
-
- Closed
-
