Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Zabbix 7 IT Infrastructure Monitoring Cookbook

You're reading from   Zabbix 7 IT Infrastructure Monitoring Cookbook Explore the new features of Zabbix 7 for designing, building, and maintaining your Zabbix setup

Arrow left icon
Product type Paperback
Published in Jul 2024
Publisher Packt
ISBN-13 9781801078320
Length 540 pages
Edition 3rd Edition
Tools
Concepts
Arrow right icon
Authors (2):
Arrow left icon
Nathan Liefting Nathan Liefting
Author Profile Icon Nathan Liefting
Nathan Liefting
Brian van Baekel Brian van Baekel
Author Profile Icon Brian van Baekel
Brian van Baekel
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Chapter 1: Installing Zabbix and Getting Started Using the Frontend 2. Chapter 2: Getting Things Ready with Zabbix User Management FREE CHAPTER 3. Chapter 3: Setting Up Zabbix Monitoring 4. Chapter 4: Working with Triggers and Alerts 5. Chapter 5: Building Your Own Structured Templates 6. Chapter 6: Visualizing Data, Inventory, and Reporting 7. Chapter 7: Using Discovery for Automatic Creation 8. Chapter 8: Setting Up Zabbix Proxies 9. Chapter 9: Integrating Zabbix with External Services 10. Chapter 10: Extending Zabbix Functionality with Custom Scripts and the Zabbix API 11. Chapter 11: Maintaining Your Zabbix Setup 12. Chapter 12: Advanced Zabbix Database Management 13. Chapter 13: Bringing Zabbix to the Cloud with Zabbix Cloud Integration 14. Index 15. Other Books You May Enjoy

OpenLDAP user authentication and JIT user provisioning

Although a lot of people use SAML in combination with Azure Active Directory, that isn’t always the case. There are loads of different methods of running your user authentication.

One of those methods is using LDAP instead of SAML with, for example, an OpenLDAP server. OpenLDAP provides us with a solid open source implementation to set up a user database with LDAP. The great thing about this is that JIT user provisioning doesn’t just work with SAML, but also with LDAP, meaning we can apply JIT user provisioning here as well.

Getting ready

To get things going, we are going to need an OpenLDAP server set up and ready to go. It is recommended to use your own OpenLDAP environment. There are loads of guides available online to do a solid OpenLDAP implementation as well as a quick start guide for the latest version on the official website: https://www.openldap.org/

Another way to go is spin up a test OpenLDAP environment with Docker. We can use the following command:

docker run -p 389:389 -p 636:636 --name openldap-server --detach oicts/openldap:1.0.0
docker run -p 8081:80 -p 4443:443 --name phpldapadmin --hostname phpldapadmin --link openldap-server:ldap-host --env PHPLDAPADMIN_LDAP_HOSTS=ldap-host --detach osixia/phpldapadmin:0.9.0

Please use this for testing only, since the preceding code might not be using the latest versions anymore.

How to do it…

Once OpenLDAP is set up, we can start to create some users and groups in our new OpenLDAP environment. Let’s get started on that first:

  1. We will open the OpenLDAP GUI by navigating to the URL in our browser:
    https://<ip_address_of_server>:4443
  2. After logging in, let’s create some new users. First, click on Login on the left-hand side of the window. The default username and password are as follows:
    Login DN: cn=admin,dc=example,dc=org
    Password: admin
  3. You should see that we have already created some groups and users for you if you are using our Docker images, as you can see in the following screenshot:
Figure 2.42 – OpenLDAP server groups and users

Figure 2.42 – OpenLDAP server groups and users

If you are using your own OpenLDAP environment, make sure to have at least one group and one user for testing.

  1. Let’s use these usernames and groups to set up LDAP authentication with JIT user provisioning.
  2. Move on to the Zabbix frontend and navigate to Users | Users. First, we’ll give ourselves access at any time even if the default authentication method will be switched to LDAP. Switch the Admin user’s default authentication method to internal by adding them to the Internal group.
Figure 2.43 – Zabbix Admin user settings

Figure 2.43 – Zabbix Admin user settings

  1. Click on Update and it should then look like the following screenshot.
Figure 2.44 – Zabbix Admin user with Internal Frontend access

Figure 2.44 – Zabbix Admin user with Internal Frontend access

  1. Then we will go to Users | Authentication and then LDAP settings. Set up the default authentication method to LDAP and the deprovisioned users group as follows.
Figure 2.45 – Zabbix Default authentication method

Figure 2.45 – Zabbix Default authentication method

  1. Next, we’ll click on the LDAP settings tab. This is where we can configure our LDAP server and JIT user provisioning. Let’s start by enabling the ones we would like to use.
Figure 2.46 – Zabbix Default authentication method

Figure 2.46 – Zabbix Default authentication method

When using just LDAP, we will have to create our users manually. By enabling JIT, users will be created and granted the correct permissions automatically.

  1. It’s also possible to add multiple LDAP servers in Zabbix now. Let’s add our OpenLDAP server by clicking on Add at Servers.
  2. Then, fill in the following.
Figure 2.47 – Zabbix LDAP authentication setup

Figure 2.47 – Zabbix LDAP authentication setup

The default Bind password value is password.

  1. If we want, we can also enable JIT provisioning. Enable it and fill in the following.
Figure 2.48 – Zabbix LDAP authentication setup with JIT

Figure 2.48 – Zabbix LDAP authentication setup with JIT

  1. Now, sign out of the currently logged-in account by clicking the Sign out button in the lower left corner of the sidebar.
  2. We should now be able to log in with the user1 LDAP user. The password is password.
Figure 2.49 – Zabbix login window for user1

Figure 2.49 – Zabbix login window for user1

  1. When we log in for the first time, the user will be created with the correct permissions as defined in the JIT user provisioning step. If logged in as a Zabbix super admin, we can see this under Users | Users.
Figure 2.50 – Zabbix LDAP provisioned user

Figure 2.50 – Zabbix LDAP provisioned user

How it works…

As you can see, we can use Zabbix in combination with an LDAP server to make password management easier as a whole. There are two options for us to choose from: using LDAP with or without JIT user provisioning.

When we use Zabbix in combination with an LDAP server, but choose to not use JIT user provisioning, Zabbix will communicate with the LDAP server just to do the password authentication upon pressing the Sign in button.

Figure 2.51 – Zabbix LDAP authentication diagram

Figure 2.51 – Zabbix LDAP authentication diagram

However, since Zabbix 6.4 it is also possible to enable JIT user provisioning. This new feature allows us to also assign Zabbix user groups and roles in line with the user groups on our LDAP server. As such, the whole process with JIT user provisioning included looks something like the following:

Figure 2.52 – Zabbix LDAP JIT authentication diagram

Figure 2.52 – Zabbix LDAP JIT authentication diagram

You have been reading a chapter from
Zabbix 7 IT Infrastructure Monitoring Cookbook - Third Edition
Published in: Jul 2024
Publisher: Packt
ISBN-13: 9781801078320
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image