Readme and more
This commit is contained in:
parent
cd128aee46
commit
83f990797a
209
README.md
209
README.md
@ -1 +1,210 @@
|
||||
# zabbix-ldap-sync-bash
|
||||
This is a pure bash-script for syncing a Actice-Directory Group via LDAP with a Zabbix-Group
|
||||
|
||||
**Changelog:** 2020-04-14 V1.1 => first public version
|
||||
|
||||
## Features:
|
||||
|
||||
- Pure Bash Skript for Linux
|
||||
- LDAP and LDAPS Support (ignoring SSL possible)
|
||||
- Zabbix API via http / https (ignoring SLL per default)
|
||||
- Zabbix 3.x and 4.x tested
|
||||
- Multiple config-files possible for multiple groups and multiple domains
|
||||
- Create needed users in Zabbix as User, Admin or SuperAdmin, Email
|
||||
- Disable removed users
|
||||
- user- or group names with spaces are no problem
|
||||
|
||||
## How to Use
|
||||
### 1. Prepare Active Directory
|
||||
- Check if LDAP or LDAPS will be used
|
||||
- Create a special User for the LDAP Access. User need no special rights but should be Domain-User
|
||||
- Avoid special chars in username and password like `äöü!?>$%` and spaces
|
||||
- After creating get the ***distinguished name*** of this user. You can query the name on a doamin controller with
|
||||
`dsquery user -samid <username>`
|
||||
Output should something like
|
||||
`CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local`
|
||||
where ***ldapSearch*** is the example-user
|
||||
|
||||
Create one or more Active Directory Groups and add Members. Empty Groups are allowed (then all members in Zabbix will be removed from Group and disabled).
|
||||
I suggest Groups for
|
||||
- Zabbix Super Admin
|
||||
- Zabbix Admin
|
||||
- Zabbix User
|
||||
as needed. The users must be direct members, do not use nested groups.
|
||||
In the examples i am using the groupname `Zabbix-Super-Admin`
|
||||
|
||||
### 2. Install Prerequisites on Linux
|
||||
Yes, i am using pure bash to avoid any prerequisites but we need a program for accessing LDAP and some other tools. All of them should be available in the standard repositories:
|
||||
**Debian/Ubuntu**
|
||||
`apt install ldap-utils`
|
||||
**Red Hat/CentOs/SuSe**
|
||||
`yum install openldap-clients`
|
||||
The other needed programs are
|
||||
`curl sed dirname readlink`
|
||||
which should be already installed
|
||||
|
||||
### 3. Create Zabbix-User for API Access
|
||||
It should be a non LDAP user with **Frontend acccess** `internal` (defined by Group Membership).
|
||||
The User must have the **User type** `Zabbix Super Admin` for creating new users and changing group memberships.
|
||||
Also avoid special chars in username and password.
|
||||
In the examples i am using the username `zabbixapiuser`
|
||||
|
||||
### 4. Create Zabbix Target Groups
|
||||
At least 2 groups are required:
|
||||
**Target Group for Users:**
|
||||
This Group must have **Frontend access** `LDAP `
|
||||
and should be enabled.
|
||||
In the examples i am using the groupname`Zabbix-Super-Admin`
|
||||
**Target Group for Disabled Users:**
|
||||
The build-in Group **Disabled** can be used.
|
||||
Or create a new group which is **not** enabled (remove checkox) and **Frontend access** `Disabled`
|
||||
In the examples i am using the groupname`LDAP-Disabled`
|
||||
|
||||
### 5. Check Zabbix LDAP-Settings
|
||||
Check the Settings for LDAP:
|
||||
|
||||
Administration => Authentication => LDAP settings
|
||||
I suggest to uncheck the **Case sensitive login** checkbox. The script compares the Windows `SAMAccountnames` and the Zabbix `Alias` case insensitive.
|
||||
With this settings, the user can log in with `manfred`, `Manfred`and `MaNfReD`and the sync script will find and use the existing user.
|
||||
|
||||
### 6. Clone the script
|
||||
I installed the script on the Zabbix-Server in a separate folder.
|
||||
Login to Zabbix-Server and move to the root path of the `ExternalScripts` and `AlertScriptsPath` folder,
|
||||
the default path is (Debian/Ubuntu/CentOS)
|
||||
|
||||
cd /usr/lib/zabbix/
|
||||
Clone this repository, it will create a new folder named `zabbix-ldap-sync-bash`:
|
||||
|
||||
git clone https://github.com/BernhardLinz/zabbix-ldap-sync-bash.git
|
||||
Change to the new directory:
|
||||
|
||||
cd zabbix-ldap-sync-bash
|
||||
Make the two `*.sh`scripts executeable:
|
||||
|
||||
chmod +x *.sh
|
||||
|
||||
|
||||
### 7. Configure the Script
|
||||
The script `zabbix-ldap-sync.sh`is looking for the `config.sh`in the same folder.
|
||||
Open the file `config.sh`with an editor and set the needed values:
|
||||
|
||||
nano config .sh
|
||||
|
||||
#### LDAP_Source_URL
|
||||
LDAP_Source_URL="ldaps://172.16.0.10"
|
||||
Should be `ldap`or `ldaps`, use name or IP-Address of a domain controller.
|
||||
|
||||
#### LDAP_Ignore_SSL_Certificate
|
||||
LDAP_Ignore_SSL_Certificate="true"
|
||||
If set to `true`the SSL-Certificate for LDAPS will be ignored. Set to `false`to validate the certificates.
|
||||
|
||||
|
||||
|
||||
#### LDAP_Bind_User_DN + LDAP_Bind_User_Password
|
||||
LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local"
|
||||
LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
|
||||
The distinguished name for the user which was created in Step *1. Prepare Active Directory*
|
||||
|
||||
#### LDAP_SearchBase
|
||||
LDAP_SearchBase="DC=exampledomain,DC=local"
|
||||
The domain name or organisation unit
|
||||
|
||||
#### LDAP_Groupname_for_Sync + ZABBIX_Groupname_for_Sync
|
||||
LDAP_Groupname_for_Sync="Zabbix-Super-Admin"
|
||||
ZABBIX_Groupname_for_Sync="LDAP-SuperAdmin"
|
||||
Change `Zabbix-Super-Admin`to your Active Directory-Groupname and `LDAP-SuperAdmin`to the target Zabbix-Groupname.
|
||||
|
||||
|
||||
#### ZABBIX_Disabled_User_Group
|
||||
ZABBIX_Disabled_User_Group="LDAP-Disabled"
|
||||
Name of the Group for Disabled Users. The Group must have the ***Enabled*** checkbox unchecked or the group will not found. Every user who is removed from the group ***ZABBIX_Groupname_for_Sync*** becomes a member of this group. The reason is that a user must always be a member of at least one group in Zabbix.
|
||||
|
||||
#### ZABBIX_API_URL + ZABBIX_API_User + ZABBIX_API_Password
|
||||
ZABBIX_API_URL="http://localhost/api_jsonrpc.php"
|
||||
ZABBIX_API_User="zabbixapiuser"
|
||||
ZABBIX_API_Password="strongpassword73#"
|
||||
The **ZABBIX_API_URL** is path to the Zabbix webinterface. Can be `http://` or `https://`, the certificate validation will be ignored.
|
||||
Depending on the Zabbix installation, `/api_jsonrpc.php` or `/zabbix/api_jsonrpc.php` must be used.
|
||||
|
||||
#### ZABBIX_UserType_User
|
||||
ZABBIX_UserType_User=3
|
||||
Type of user if new one must created.
|
||||
1 = Zabbix User
|
||||
2 = Zabbix Admin
|
||||
3 = Zabbix Super Admin
|
||||
The script will not update existing users.
|
||||
|
||||
#### ZABBIX_MediaTypeID
|
||||
ZABBIX_MediaTypeID="1"
|
||||
1 is Email at new installations. Will be used for new created users if the **mail** property is not empty (Microsoft Exchange will fill theses property automatically with the sender-address).
|
||||
You can check the ID of the MediaType in the webinterface
|
||||
|
||||
Administration => Media types => click the name of the Media
|
||||
At the end of the URL you see `mediatypeid=1` with the needed ID
|
||||
### 8. Test the script
|
||||
./zabbix-ldap-sync.sh
|
||||
You should get some output like this:
|
||||
|
||||
---------------------------------------------------------------------------
|
||||
zabbix-ldap-sync.sh (Version V1.1 (2020-04-14)) startup
|
||||
Checking prerequisites ............................................... done
|
||||
Searching config file ................................................ done
|
||||
Reading "/usr/lib/zabbix/zabbix-ldap-sync/config-znil.sh" ............ done
|
||||
Check all needed Settings ............................................ done
|
||||
STEP 1: Getting all Members from Active Directory / LDAP Group ....... done
|
||||
Query sAMAccountName, sn, givenName and primary Email-Address ........ done
|
||||
Login at Zabbix API .................................................. done
|
||||
STEP 2: Get Members of Zabbix-LDAP Groups ............................ checking
|
||||
determine UsrGrpID of "LDAP-SuperAdmin" .............................. done
|
||||
determine UsrGrpID of "LDAP-Disabled" ................................ done
|
||||
determine alias and userid for Members of "LDAP-SuperAdmin" .......... done
|
||||
STEP 3: Compare Groups for changes ................................... checking
|
||||
Check 1: Number of Users LDAP ........................................ 4
|
||||
Check 1: Number of Users Zabbix ...................................... 2
|
||||
Check 1: Number of Users ............................................. not equal
|
||||
STEP 4: Get all Zabbix Users with alias and userid ................... done
|
||||
STEP 5: Compare LDAP user with existing Zabbix User .................. must create 1 new
|
||||
ser
|
||||
STEP 6: Create needed 1 new Zabbix-User .............................. done
|
||||
STEP 7: Replace Members of Group LDAP-SuperAdmin ..................... done
|
||||
STEP 8: Get List of all disabled user in Group LDAP-Disabled ......... done
|
||||
STEP 9: Remove active user, add inactive user ........................ done
|
||||
STEP 10: Replace Members of Group LDAP-Disabled ...................... done
|
||||
STEP 11: Replace Members of Group LDAP-SuperAdmin (2. Time) .......... done
|
||||
Logout Zabbix API .................................................... done
|
||||
If there is an error with Login to LDAP or Zabbix an Error Message will be displayed. Check Output for more.
|
||||
## Advanced Debugging
|
||||
Try
|
||||
|
||||
./zabbix-ldap-sync.sh -v
|
||||
for verbose mode with a lot of Output. You will see all `ldapsearch` and `curl` calls with parameter. Passwords are hidden with Stars.
|
||||
If you want to see the passwords also try
|
||||
|
||||
./zabbix-ldap-sync.sh -v -p
|
||||
|
||||
## Possible commandline parameter
|
||||
-c | -C | --config use a specific configuration file instead config.sh
|
||||
-v | -V | --verbose Display debugging information, include all commands
|
||||
-p | -P | --ShowPassword Show the passwords in the verbose output
|
||||
-s | -S | --silent Hide all Output except errors. Usefull with crontab
|
||||
|
||||
## Syncing Multiple Groups
|
||||
Just create a separate config file for each group combination:
|
||||
|
||||
- copy the working `config.sh`to a new name like `zabbix-readonly.conf`(the extension doesn't matter)
|
||||
- change the groupnames in the new file and the ZABBIX_UserType_User value
|
||||
- run the script like this
|
||||
|
||||
./zabbix-ldap-sync.sh -c zabbix-readonly.conf
|
||||
Do not sync different LDAP-Groups with the same Zabbix-Group! The last sync will win!
|
||||
Make the users only to a member of one of these groups. If the user is removed from one of the groups, the user will be disabled.
|
||||
|
||||
## Sync automatically
|
||||
Test the sync in the shell with full paths like
|
||||
|
||||
/usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf
|
||||
Just add the line to crontab like
|
||||
|
||||
*/10 * * * * /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf -s
|
||||
for syncing every 10 minutes
|
||||
|
||||
|
@ -21,7 +21,7 @@ LDAP_Ignore_SSL_Certificate="true"
|
||||
# Bind user for accessing,
|
||||
# to get the Distinguished Name of the User run the following command on a domain controller (replace ldapsearch with your Username):
|
||||
# dsquery user -samid ldapSearch
|
||||
LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=mydomain,DC=local"
|
||||
LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local"
|
||||
# the passwort og the user (should be marked as never changed)
|
||||
# Please avoid special chars which were use in bash like $`´'"\/<>()[]^
|
||||
LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
|
||||
@ -29,18 +29,18 @@ LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
|
||||
LDAP_SearchBase="DC=exampledomain,DC=local"
|
||||
|
||||
# Name of Groups in LDAP (Active-Directory) and in Zabbix for Sync with Zabbix
|
||||
ZABBIX_Groupname_for_Sync="Zabbix-Super-Admin"
|
||||
LDAP_Groupname_for_Sync="Zabbix-Super-Admin"
|
||||
ZABBIX_Groupname_for_Sync="LDAP-SuperAdmin"
|
||||
|
||||
# When you remove an user from the LDAP-Group, the user will moved in this group which is "Not enabled" = Disabled and Frontend access is "disabled"
|
||||
ZABBIX_Disabled_User_Group="Disabled"
|
||||
ZABBIX_Disabled_User_Group="LDAP-Disabled"
|
||||
|
||||
|
||||
# Configuration Zabbix API Connection (Tested with Zabbix 4.4)
|
||||
# if https:// is used, per default ssl checks will be ignored
|
||||
#ZABBIX_API_URL="http://localhost/zabbix/api_jsonrpc.php"
|
||||
ZABBIX_API_URL="http://localhost/api_jsonrpc.php"
|
||||
ZABBIX_API_User="API-User"
|
||||
ZABBIX_API_User="zabbixapiuser"
|
||||
ZABBIX_API_Password="strongpassword73#"
|
||||
|
||||
# Zabbix User type for new created Users:
|
||||
|
Loading…
Reference in New Issue
Block a user