[ZBX-22008] User provisioning with Active Directory - filtering issue Created: 2022 Nov 30  Updated: 2024 Jun 04

Status: Confirmed
Project: ZABBIX BUGS AND ISSUES
Component/s: Frontend (F), Server (S)
Affects Version/s: 6.4.0beta4
Fix Version/s: None

Type: Problem report Priority: Trivial
Reporter: Tomáš Heřmánek Assignee: Zabbix Development Team
Resolution: Unresolved Votes: 4
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Media.png     PNG File Screenshot 2022-12-01 at 9.12.05.png     PNG File Working.png     PNG File Zabbix_Super_Admins.png     PNG File image-2022-12-03-14-34-13-874.png     PNG File image-2022-12-03-14-34-13-895.png     PNG File image-2022-12-03-14-34-13-915.png     PNG File image-2022-12-03-15-07-05-232.png     PNG File image-2024-06-04-13-10-36-642.png     PNG File image-2024-06-04-15-58-05-593.png     PNG File image-2024-06-04-15-58-10-071.png     PNG File image-2024-06-04-15-59-14-499.png     PNG File image-2024-06-04-15-59-24-647.png     PNG File wildcard.png     JPEG File zabb1.jpg    

 Description   

Steps to reproduce:

  • Create LDAP (Active Directory) authentication method via frontend and test if it works.
  • After successful connection to AD enable "JIT provisioning".
  • Leave all optional settings for JIT provisioning empty (default)
  • Create User group mapping with wildcard filtering, optionally you can create media mapping.
    1. LDAP group pattern - *
    2. User groups - Zabbix_Super_Admin (our admin group in zabbix)
    3. User role - Super admin role
  • With this setting you have proof that your user can be created and is found in some group.

  • Now repeat step 4 with a different LDAP group pattern
    1. LDAP group pattern - Zabbix_Super_Admin (this is the name of our Zabbix group in AD with users: cn=Zabbix_Super_Admins)
  • Filter does not work; the test only found email and mobile number but no group

I'm not sure if it is a bug or an incorrect setting. Please let me know whether it is a bug or an incorrect setting.

Result:
Filtering for AD may not work, or I have an incorrect setting.

Expected:
Find group for user.



 Comments   
Comment by Gregory Chalenko [ 2022 Dec 01 ]

tomas.hermanek can you please set "User group membership attribute" to "memberof" (all letters should be in lowercase) and check whether it helps?

As for group mapping, the asterisk group mapping means any or no group, therefore it will work as long as the user is able to supply a correct login and password.

Comment by Tomáš Heřmánek [ 2022 Dec 01 ]

Hi Gregory,

it does not help. What I also found: no user is created at all. We are using wildcards now.

Tested with memberOf and memberof.

Comment by Tomáš Heřmánek [ 2022 Dec 01 ]

We found a working setting with AD (a little bit confusing):

Group name attribute - CN

User group membership attribute - memberof (yes lower case)

I will give you an update after the first user is created by Zabbix JIT. Now we are waiting for the first run.

Comment by Tomáš Heřmánek [ 2022 Dec 03 ]

Users are created fine after first login, and provisioning also works fine, but after some use we found some problems.

1) The user is created with different user settings than a manually created user has. With these settings, after 15 min I get the message "you don't have permission to this object". (BTW, if I try to log in again I need to do it twice; the first try gives me an error message - SAML.)

I'm expecting the same defaults as for a locally created user (if you can create some section for this in Administration > General, it would be great):

Provisioned users have these defaults (I think Auto-logout is our problem here):

2) What I found next is a problem with SCIM provisioning. I found your new API for this. I created a super admin user and an API token, but the API gives me error 500. I'm testing this with Azure AD provisioning. FIXED in ZBX-22014

https://SERVER/zabbix/api_scim.php

{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Argument 4 passed to CLocalApiClient::callMethod() must be of the type array, null given, called in \/usr\/share\/zabbix\/include\/classes\/scim\/API.php on line 46","status":500} 

3) Another, maybe a feature request, is the possibility to manually change media for users.

These columns:

  • When active
  • Use if severity
  • Status

4) In the picture you can also see that I need to disable SMS media. Our SMS number has spaces (correctly synced from AD or Azure AD). Can you also add a check and repair for this phone number format, like you already have for email? For example, change +420 123 123 123 into +420123123123, or 420 (123) 123 123 into 420123123123.

Tom

Comment by Gregory Chalenko [ 2022 Dec 05 ]

tomas.hermanek thank you for the details. The SCIM authentication error is fixed in ZBX-22014. As for the SAML error when logging in after auto logout, it will be fixed in ZBX-21975.

Comment by Gregory Chalenko [ 2022 Dec 06 ]

1) The "Auto-logout" and "Auto-login" difference between a manually created user and a user created by provisioning will be fixed in ZBX-22008.

Comment by Gregory Chalenko [ 2022 Dec 06 ]

3) For editable properties of provisioned user media please register feature request.

Comment by Gregory Chalenko [ 2022 Dec 06 ]

4) Provisioning will not create an email user media when the value supplied in the mapped field does not pass email validation. For the SMS media type there is no such validation, therefore any non-empty value is used to create the user media. Additional code to filter out values only for the SMS type of media is not planned, at least for now.

Comment by Tomáš Heřmánek [ 2022 Dec 08 ]

Hi Gregory,
2) Thank you for the update, I can confirm SCIM is fixed now. Thank you
3) I already created ZBXNEXT-8147 for "Add possibilities to edit some user media properties".
4) I understand, I can work with this information - thank you for the update


Comment by Marcos de Oliveira [ 2023 Jan 31 ]

This is related to ZBX-22254, as `Group Name Attribute` is used in a regex to match the mapping group, in CLdap.php, line 375. Regex with this ticket original config would start with `cn`, which does not match `CN` (the regex is case-sensitive). But the issue is better described in ZBX-22254, as CN in this config field is actually a RDN (Relative Distinguished Name) which constitutes the DN (Distinguished Name). IMO, for using a user's attribute to match groups (memberOf, for example), the attribute must be used as is, to not cause confusion. Zabbix even allows users to use wildcards, so the only change for users is that instead of specifying "CN" in its own field, they would need to specify "CN=MyGroup*" in the group mapping field itself.

Comment by Sub2.13 [ 2023 Mar 17 ]

/off My 2 cents, Zabbix Team: the official documentation mentions "memberOf" instead of "memberof", it's confusing

Comment by Dejan Maletic [ 2023 Mar 28 ]

Thanks to all for the comments and updates...

Lost an hour or two on this before stumbling on this site and finding the solution.

Comment by Bogdan Voaidas [ 2023 Oct 23 ]

So in case the group membership attribute in LDAP contains just the group's short name, we're F**** ?!

I see that after trying for several days to make it work.

Comment by Bogdan Voaidas [ 2023 Oct 23 ]

I managed to fix it by adding an extra condition at the end of the function getGroupPatternsFromDns in "include/classes/ldap/CLdap.php", before the last return $groups;

In my case $group_dns results in just an array of group names and a count key. The fix is not elegant yet, but it is a workaround.

```php
// Added before the final "return $groups;" of getGroupPatternsFromDns().
// If $groups[] was not populated previously and the "group name attribute" was set,
// return the raw membership values themselves (an array of short group names).
if ($group_name_key == "" && empty($groups) === true) {
    // The LDAP result array carries a "count" entry alongside the values; drop it.
    unset($group_dns['count']);
    return $group_dns;
}
```
Comment by Gregory Chalenko [ 2023 Oct 25 ]

bo83snap can you describe what you want to achieve (a user/group DN example would help too)? The group configuration "memberOf" is the basic configuration; to fine-tune, you should use "groupOfNames".

Comment by Bogdan Voaidas [ 2023 Oct 25 ]

The problem is that our memberOf contains just the simple group name and not the full DN.

The script checks for and works only with a full DN, but fails if it is not one. The first check is: does the returned value contain "="? If not, it just skips.

memberOf = "group_A", memberOf = "group_B" is not going to work.

It expects memberOf="cn=group_A,ou=groups,dc=example,dc=com"

Comment by Gregory Chalenko [ 2023 Oct 26 ]

Yes, it expects DN strings. This is described on the documentation page for LDAP; please see the documentation for the "User group membership attribute" configuration field. For a custom configuration I would suggest using "groupOfNames".

Comment by Bogdan Voaidas [ 2023 Oct 31 ]

Well, you're not exactly right.

Specify the attribute that contains information about the groups that the user belongs to (e.g. memberOf).
For example, the memberOf attribute may hold information like this: memberOf=cn=zabbix-admin,ou=Groups,dc=example,dc=com
This field is available only for the memberOf method.

Nowhere is it specified that the memberOf attribute in LDAP or AD has to have a value in the form of a full DN string.
This is only expected by the code because that's how it was coded.
It doesn't matter if it's memberOf or groupOfNames, the PHP code still expects a full DN-formatted string, which is .... can we call it what it is?
Now imagine us having to alter all of LDAP/AD to reformat that.
Take an example from ProxmoxVE, they don't have this issue. Even Moodle has an option "Member attribute uses dn?" Yes/No
I mean, simply using the array of group names seems the easiest way to go. Not going for:

  • hey ... is there any "=" sign in the string?
  • no? too bad, bye.
  • Yes? well, is there any "cn", or "," or whatever in the string so I can do more work?
  • No? Bye!
  • There is? Let me split and cut and whatever so in the end I get to the same array of strings/group names that I had in the first place, and you just have to sanitize as you do anyway after the previous steps, and move on.

Do you understand what I mean?

Comment by Gregory Chalenko [ 2023 Nov 21 ]

The attribute search in the DN string is done to simplify the "User group mapping" configuration. Also, the "*" meta character in "User group mapping" would be useless in some cases if the user group entry were not an attribute value but a DN string.
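The thread describes two separate reasons a mapping can fail to match: the group name attribute is compared case-sensitively against the RDN type in the DN (the Jan 31 comment), and a memberOf value that is not a DN at all is skipped (the Oct 23 to Oct 31 exchange). The block below is an added example, not Zabbix's CLdap.php code and not an endorsement of either side of the Nov 21 discussion. It shows one way to reduce membership values to group names and then apply "*" mappings, accepting both full DNs and short names and comparing case-insensitively. The sample memberOf values, the group names and the mapping patterns are constructed for the example; the "*"-matches-even-with-no-groups rule follows the Dec 01 comment.

```python
import fnmatch
import re

# Constructed sample values for one user's "User group membership attribute"
# (memberOf). These are not taken from the reporter's directory.
SAMPLE_MEMBEROF_DN = [
    "CN=Zabbix_Super_Admins,OU=Groups,DC=example,DC=com",
    "CN=Monitoring Readers,OU=Groups,DC=example,DC=com",
]
# The shape described in the Oct 23/25 comments: short names, no DN.
SAMPLE_MEMBEROF_SHORT = ["group_A", "group_B"]

# One RDN: "<type>=<value>"; the value may contain "\," (RFC 4514 escaping).
_RDN_RE = re.compile(r'(?:^|,)\s*([A-Za-z][\w-]*)\s*=\s*((?:\\.|[^,])*)')


def group_names_from_membership(values, group_name_attr="cn"):
    """Reduce raw membership attribute values to plain group names.

    A value containing "=" is parsed as a DN and the first RDN whose type
    equals group_name_attr (compared case-insensitively, since LDAP attribute
    types are case-insensitive) supplies the name. A value without "=" is
    treated as a short group name and kept as-is instead of being dropped.
    """
    want = group_name_attr.lower()
    names = []
    for value in values:
        if "=" not in value:
            names.append(value.strip())
            continue
        for rdn_type, rdn_value in _RDN_RE.findall(value):
            if rdn_type.lower() == want:
                names.append(rdn_value.replace("\\,", ",").strip())
                break
    return names


def match_group_mappings(group_names, patterns):
    """Return the "LDAP group pattern" entries that apply to this user.

    "*" alone matches any or no group (Dec 01 comment). Otherwise "*" inside a
    pattern matches any run of characters and the comparison is
    case-insensitive; a pattern without a wildcard must equal the whole name,
    so "Zabbix_Super_Admin" does not match a group named "Zabbix_Super_Admins".
    """
    matched = []
    for pattern in patterns:
        if pattern == "*" or any(
            fnmatch.fnmatchcase(name.lower(), pattern.lower()) for name in group_names
        ):
            matched.append(pattern)
    return matched


if __name__ == "__main__":
    names = group_names_from_membership(SAMPLE_MEMBEROF_DN, "CN")
    print(names)
    print(match_group_mappings(names, ["*", "Zabbix_Super_Admin", "Zabbix_Super_Admin*"]))
    print(group_names_from_membership(SAMPLE_MEMBEROF_SHORT, "CN"))
```

Running it with the constructed data prints the two group names, then the patterns that matched (the bare "*" and the wildcard form; the exact pattern "Zabbix_Super_Admin" does not match "Zabbix_Super_Admins"), and finally the short names passed through unchanged. The point for a practitioner is to check with a directory query what the membership attribute actually contains before choosing the group name attribute and the mapping pattern.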

Comment by Dmitriy Makarov [ 2024 Jun 04 ]

Hi.

Any ideas about manually changing severity for provisioned users for informative reporting? Or maybe an AD attribute for it (for example 8-bit reversed 0111000 => hex, meaning DHA reporting)?

Comment by Tomáš Heřmánek [ 2024 Jun 04 ]

You need to upgrade to 7.0 LTS. Released today; there is a feature for it.

Comment by Dmitriy Makarov [ 2024 Jun 04 ]
