This is a pure bash-script for syncing a Actice-Directory Group via LDAP with a Zabbix-Group
Changelog:
- 2020-04-14 V1.1 => first public version
- 2020-04-17 V1.1a => Replace hard coded $2 with push-solution
- 2020-05-05 V1.1b => add ldapsearch parameter
-o ldif-wrap=no
to prevent line breaks after 79 chars - 2020-08-06 V1.1c => add more debbuging for -v when a new user is created (show the full curl command)
- 2021-01-10 V1.2 => add support for Zabbix 5.2 or higher (breaking changes in API) with API-Version check bultin
- 2021-02-06 v1.3.1 => fixed error when user moved to disabled group
- 2022-03-24 v1.3.2 => fixed alias vs username for Zabbix 6.0
- Pure Bash Skript for Linux
- LDAP and LDAPS Support (ignoring SSL possible)
- Zabbix API via http / https (ignoring SLL per default)
- Zabbix 3.x, 4.x, 5.x and 6.0 tested (new User Roles since Version 5.2 are supported, username instead of alias since 6.0)
- Multiple config-files possible for multiple groups and multiple domains
- Create needed users in Zabbix including Email-Address as media
- up to Zabbix 5.0.x as User, Admin or SuperAdmin
- from Zabbix 5.2.x using the User Role (roleid)
- Disable users in Zabbix which are removed from Group
- user- or group names with spaces are no problem
- verbose mode for debugging including curl commands
- Check if LDAP or LDAPS will be used
- Create a special User for the LDAP Access. User need no special rights but should be Domain-User
- Avoid special chars in username and password like
äöü!?>$%
and spaces - After creating get the distinguished name of this user. You can query the name on a domain controller with
dsquery user -samid name_of_the_user
Output should something like
CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local
where ldapSearch is the example-user
Create one or more Active Directory Groups and add Members. Empty Groups are allowed (then all members in Zabbix will be removed from Group and disabled). I suggest Groups for
- Zabbix Super Admin
- Zabbix Admin
- Zabbix User
as needed. The users must be direct members, do not use nested groups.
In the examples i am using the groupname Zabbix-Super-Admin
Yes, i am using pure bash to avoid any prerequisites but we need a program for accessing LDAP and some other tools. All of them should be available in the standard repositories:
Debian/Ubuntu
apt install ldap-utils
Red Hat/CentOs/SuSe
yum install openldap-clients
The other needed programs are
curl
sed
dirname
readlink
which should be already installed
It should be a non LDAP user with Frontend acccess internal
(defined by Group Membership)
The User must have the User type Zabbix Super Admin
for creating new users and changing group memberships.
Also avoid special chars in username and password.
In the examples i am using the username zabbixapiuser
At least 2 groups are required:
Target Group for Users:
This Group must have Frontend access LDAP
and should be enabled.
In the examples i am using the groupname Zabbix-Super-Admin
Target Group for Disabled Users:
The build-in Group Disabled can be used.
Or create a new group which is not enabled (remove checkox) and Frontend access Disabled
In the examples i am using the groupnameLDAP-Disabled
Check the Settings for LDAP:
Administration => Authentication => LDAP settings
I suggest to uncheck the Case sensitive login checkbox. The script compares the Windows SAMAccountnames
and the Zabbix Alias
case insensitive.
With this settings, the user can log in with manfred
, Manfred
and MaNfReD
and the sync script will find and use the existing user.
I installed the script on the Zabbix-Server in a separate folder.
Login to Zabbix-Server and move to the root path of the ExternalScripts
and AlertScriptsPath
folder,
the default path is (Debian/Ubuntu/CentOS)
cd /usr/lib/zabbix/
Clone this repository, it will create a new folder named zabbix-ldap-sync-bash
:
git clone https://github.com/BernhardLinz/zabbix-ldap-sync-bash.git
Change to the new directory:
cd zabbix-ldap-sync-bash
Make the two *.sh
scripts executeable:
chmod +x *.sh
The script zabbix-ldap-sync.sh
is looking for the config.sh
in the same folder (if no config-file is specified).
Just make a copy of the config-example.sh
cp config-example.sh config.sh
Open the file config.sh
with an editor and set the needed values:
nano config .sh
LDAP_Source_URL="ldaps://172.16.0.10"
Should be ldap
or ldaps
, use name or IP-Address of a domain controller.
LDAP_Ignore_SSL_Certificate="true"
If set to true
the SSL-Certificate for LDAPS will be ignored. Set to false
to validate the certificates.
LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local"
LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
The distinguished name for the user which was created in Step 1. Prepare Active Directory
LDAP_SearchBase="DC=exampledomain,DC=local"
The domain name or organisation unit
LDAP_Groupname_for_Sync="Zabbix-Super-Admin"
ZABBIX_Groupname_for_Sync="LDAP-SuperAdmin"
Change Zabbix-Super-Admin
to your Active Directory-Groupname and LDAP-SuperAdmin
to the target Zabbix-Groupname.
ZABBIX_Disabled_User_Group="LDAP-Disabled"
Name of the Group for Disabled Users. The Group must have the Enabled checkbox unchecked or the group will not found. Every user who is removed from the group ZABBIX_Groupname_for_Sync becomes a member of this group. The reason is that a user must always be a member of at least one group in Zabbix.
ZABBIX_API_URL="http://localhost/api_jsonrpc.php"
ZABBIX_API_User="zabbixapiuser"
ZABBIX_API_Password="strongpassword73#"
The ZABBIX_API_URL is path to the Zabbix webinterface. Can be http://
or https://
, the certificate validation will be ignored.
Depending on the Zabbix installation, /api_jsonrpc.php
or /zabbix/api_jsonrpc.php
must be used.
ZABBIX_UserType_User=3
up to Zabbix 5.0.x there are 3 bultin Types, 1,2 or 3 from Zabbix 5.2.x there are User Rules. There are 3 predefined user roles which correspond to the pevious user types. but you can define additional user roles in Zabbix and use here The bultin Types (<=5.0.x) or predefined Roles (>=5.2.x) are 1 = Zabbix User 2 = Zabbix Admin 3 = Zabbix Super Admin The script will not update existing zabbix-users. You can check the ID of the RoleId in the webinterface
Administration => User roles => click the name of the role
At the end of the URL you see roleid=1
with the needed ID
ZABBIX_MediaTypeID="1"
1 is Email at new installations. Will be used for new created users if the mail property is not empty (Microsoft Exchange will fill theses property automatically with the sender-address). You can check the ID of the MediaType in the webinterface
Administration => Media types => click the name of the Media
At the end of the URL you see mediatypeid=1
with the needed ID
./zabbix-ldap-sync.sh
You should get some output like this:
---------------------------------------------------------------------------
zabbix-ldap-sync.sh (Version V1.2 (2021-01-10)) startup
Checking prerequisites ............................................... done
Searching config file ................................................ done
Reading "/usr/lib/zabbix/zabbix-ldap-sync-bash/config-znil.sh" ....... done
Check all needed Settings ............................................ done
STEP 1: Getting all Members from Active Directory / LDAP Group ....... done
Query sAMAccountName, sn, givenName and primary Email-Address ........ done
Check Zabbix API Version ............................................. done
Using User mode ...................................................... roleid
Login at Zabbix API .................................................. done
STEP 2: Get Members of Zabbix-LDAP Groups ............................ checking
determine UsrGrpID of "LDAP-SuperAdmin" .............................. done
determine UsrGrpID of "LDAP-Disabled" ................................ done
determine alias and userid for Members of "LDAP-SuperAdmin" .......... done
STEP 3: Compare Groups for changes ................................... checking
Check 1: Number of Users LDAP ........................................ 4
Check 1: Number of Users Zabbix ...................................... 1
Check 1: Number of Users ............................................. not equal
STEP 4: Get all Zabbix Users with alias and userid ................... done
STEP 5: Compare LDAP user with existing Zabbix User .................. must create 3 new user
STEP 6: Create needed 3 new Zabbix-User .............................. done
STEP 7: Replace Members of Group LDAP-SuperAdmin ..................... done
STEP 8: Get List of all disabled user in Group LDAP-Disabled ......... done
STEP 9: Remove active user, add inactive user ........................ done
STEP 10: Replace Members of Group LDAP-Disabled ...................... done
STEP 11: Replace Members of Group LDAP-SuperAdmin (2. Time) .......... done
Logout Zabbix API .................................................... done
If there is an error with Login to LDAP or Zabbix an Error Message will be displayed. Check Output for more.
Try
./zabbix-ldap-sync.sh -v
for verbose mode with a lot of Output. You will see all ldapsearch
and curl
calls with parameter. Passwords are hidden with Stars.
If you want to see the passwords also try
./zabbix-ldap-sync.sh -v -p
-c | -C | --config use a specific configuration file instead config.sh
-v | -V | --verbose Display debugging information, include all commands
-p | -P | --ShowPassword Show the passwords in the verbose output
-s | -S | --silent Hide all Output except errors. Usefull with crontab
Just create a separate config file for each group combination:
-
copy the working
config.sh
to a new name likezabbix-readonly.conf
(the extension doesn't matter) -
change the groupnames in the new file and the ZABBIX_UserType_User value
-
run the script like this
./zabbix-ldap-sync.sh -c zabbix-readonly.conf
Do not sync different LDAP-Groups with the same Zabbix-Group! The last sync will win! Make the users only to a member of one of these groups. If the user is removed from one of the groups, the user will be disabled.
Test the sync in the shell with full paths like
/usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf
Just add the line to crontab like
*/10 * * * * /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf -s
for syncing every 10 minutes Add a line to crontab for each group/configuration you want to sync
Change to the Script folder and just type
git pull
The zabbix-ldap-sync.sh
and the ´config-example.sh´ maybe overwritten with the new versions.
Your existing files will not be touched or deleted.