Readme and more

README.md

@@ -1 +1,210 @@
 # zabbix-ldap-sync-bash
+This is a pure bash-script for syncing a Actice-Directory Group via LDAP with a Zabbix-Group
+
+**Changelog:**		2020-04-14	V1.1 => first public version 
+
+## Features:
+
+ - Pure Bash Skript for Linux
+ - LDAP and LDAPS Support (ignoring SSL possible)
+ - Zabbix API via http / https (ignoring SLL per default)
+ - Zabbix 3.x and 4.x tested
+ - Multiple config-files possible for multiple groups and multiple domains
+ - Create needed users in Zabbix as User, Admin or SuperAdmin, Email 
+ - Disable removed users
+ - user- or group names with spaces are no problem
+
+## How to Use
+### 1. Prepare Active Directory
+ - Check if LDAP or LDAPS will be used
+ - Create a special User for the LDAP Access. User need no special rights but should be Domain-User
+ - Avoid special chars in username and password like `äöü!?>$%` and spaces
+ - After creating get the ***distinguished name*** of this user. You can query the name on a doamin controller with
+ `dsquery user -samid <username>`
+ Output should something like
+ `CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local`
+ where ***ldapSearch*** is the example-user
+ 
+Create one or more Active Directory Groups and add Members. Empty Groups are allowed (then all members in Zabbix will be removed from Group and disabled).
+I suggest Groups for
+ - Zabbix Super Admin
+ - Zabbix Admin
+ - Zabbix User
+as needed. The users must be direct members, do not use nested groups.
+In the examples i am using the groupname `Zabbix-Super-Admin`
+ 
+### 2. Install Prerequisites on Linux
+Yes, i am using pure bash to avoid any prerequisites but we need a program for accessing LDAP and some other tools. All of them should be available in the standard repositories:
+**Debian/Ubuntu**
+`apt install ldap-utils`
+**Red Hat/CentOs/SuSe**
+`yum install openldap-clients`
+The other needed programs are
+`curl sed dirname readlink`
+which should be already installed
+
+### 3. Create Zabbix-User for API Access
+It should be a non LDAP user with **Frontend acccess** `internal` (defined by Group Membership).
+The User must have the **User type** `Zabbix Super Admin` for creating new users and changing group memberships.
+Also avoid special chars in username and password.
+In the examples i am using the username `zabbixapiuser`
+
+### 4. Create Zabbix Target Groups
+At least 2 groups are required:
+**Target Group for Users:**
+This Group must have **Frontend access** `LDAP `
+and should be enabled. 
+In the examples i am using the groupname`Zabbix-Super-Admin`
+**Target Group for Disabled Users:**
+The build-in Group **Disabled** can be used.
+Or create a new group which is **not** enabled (remove checkox) and **Frontend access** `Disabled`
+In the examples i am using the groupname`LDAP-Disabled`
+
+### 5. Check Zabbix LDAP-Settings
+Check the Settings for LDAP:
+
+    Administration => Authentication => LDAP settings
+I suggest to uncheck the **Case sensitive login** checkbox. The script compares the Windows `SAMAccountnames` and the Zabbix `Alias` case insensitive.
+With this settings, the user can log in with `manfred`, `Manfred`and `MaNfReD`and the sync script will find and use the existing user.
+
+### 6. Clone the script
+I installed the script on the Zabbix-Server in a separate folder.
+Login to Zabbix-Server and move to the root path of the `ExternalScripts` and `AlertScriptsPath` folder, 
+the default path is (Debian/Ubuntu/CentOS)
+    
+    cd /usr/lib/zabbix/
+Clone this repository, it will create a new folder named `zabbix-ldap-sync-bash`:
+    
+    git clone https://github.com/BernhardLinz/zabbix-ldap-sync-bash.git
+Change to the new directory:
+    
+    cd zabbix-ldap-sync-bash
+Make the two `*.sh`scripts executeable:
+    
+    chmod +x *.sh
+
+
+### 7. Configure the Script
+The script `zabbix-ldap-sync.sh`is looking for the `config.sh`in the same folder.
+Open the file `config.sh`with an editor and set the needed values:
+
+    nano config .sh
+
+#### LDAP_Source_URL
+    LDAP_Source_URL="ldaps://172.16.0.10"
+Should be `ldap`or `ldaps`, use name or IP-Address of a domain controller.
+
+#### LDAP_Ignore_SSL_Certificate
+    LDAP_Ignore_SSL_Certificate="true"
+If set to `true`the SSL-Certificate for LDAPS will be ignored. Set to `false`to validate the certificates.
+
+
+
+#### LDAP_Bind_User_DN + LDAP_Bind_User_Password
+    LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local"
+    LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
+The distinguished name for the user which was created in Step *1. Prepare Active Directory*
+
+#### LDAP_SearchBase
+    LDAP_SearchBase="DC=exampledomain,DC=local"
+The domain name or organisation unit
+
+#### LDAP_Groupname_for_Sync + ZABBIX_Groupname_for_Sync
+    LDAP_Groupname_for_Sync="Zabbix-Super-Admin"
+    ZABBIX_Groupname_for_Sync="LDAP-SuperAdmin"
+Change `Zabbix-Super-Admin`to your Active Directory-Groupname and `LDAP-SuperAdmin`to the target Zabbix-Groupname.
+
+
+#### ZABBIX_Disabled_User_Group
+    ZABBIX_Disabled_User_Group="LDAP-Disabled"
+Name of the Group for Disabled Users. The Group must have the ***Enabled*** checkbox unchecked or the group will not found.  Every user who is removed from the group ***ZABBIX_Groupname_for_Sync*** becomes a member of this group. The reason is that a user must always be a member of at least one group in Zabbix.
+
+#### ZABBIX_API_URL + ZABBIX_API_User + ZABBIX_API_Password
+    ZABBIX_API_URL="http://localhost/api_jsonrpc.php"
+    ZABBIX_API_User="zabbixapiuser"
+    ZABBIX_API_Password="strongpassword73#"
+The **ZABBIX_API_URL** is path to the Zabbix webinterface. Can be `http://` or `https://`, the certificate validation will be ignored.
+Depending on the Zabbix installation,  `/api_jsonrpc.php` or `/zabbix/api_jsonrpc.php` must be used.
+
+#### ZABBIX_UserType_User
+    ZABBIX_UserType_User=3
+Type of user if new one must created.
+1 = Zabbix User
+2 = Zabbix Admin
+3 = Zabbix Super Admin
+The script will not update existing users.
+
+#### ZABBIX_MediaTypeID
+    ZABBIX_MediaTypeID="1"
+1 is Email at new installations. Will be used for new created users if the **mail** property is not empty (Microsoft Exchange will fill theses property automatically with the sender-address).
+You can check the ID of the MediaType in the webinterface 
+
+    Administration => Media types => click the name of the Media
+At the end of the URL you see `mediatypeid=1` with the needed ID
+### 8. Test the script
+    ./zabbix-ldap-sync.sh
+You should get some output like this:
+    
+    ---------------------------------------------------------------------------
+    zabbix-ldap-sync.sh (Version V1.1 (2020-04-14)) startup
+    Checking prerequisites ............................................... done
+    Searching config file ................................................ done
+    Reading "/usr/lib/zabbix/zabbix-ldap-sync/config-znil.sh" ............ done
+    Check all needed Settings ............................................ done
+    STEP 1: Getting all Members from Active Directory / LDAP Group ....... done
+    Query sAMAccountName, sn, givenName and primary Email-Address ........ done
+    Login at Zabbix API .................................................. done
+    STEP 2: Get Members of Zabbix-LDAP Groups ............................ checking
+    determine UsrGrpID of "LDAP-SuperAdmin" .............................. done
+    determine UsrGrpID of "LDAP-Disabled" ................................ done
+    determine alias and userid for Members of "LDAP-SuperAdmin" .......... done
+    STEP 3: Compare Groups for changes ................................... checking
+    Check 1: Number of Users LDAP ........................................ 4
+    Check 1: Number of Users Zabbix ...................................... 2
+    Check 1: Number of Users ............................................. not equal
+    STEP 4: Get all Zabbix Users with alias and userid ................... done
+    STEP 5: Compare LDAP user with existing Zabbix User .................. must create 1 new 
+    ser
+    STEP 6: Create needed 1 new Zabbix-User .............................. done
+    STEP 7: Replace Members of Group LDAP-SuperAdmin ..................... done
+    STEP 8: Get List of all disabled user in Group LDAP-Disabled ......... done
+    STEP 9: Remove active user, add inactive user ........................ done
+    STEP 10: Replace Members of Group LDAP-Disabled ...................... done
+    STEP 11: Replace Members of Group LDAP-SuperAdmin (2. Time) .......... done
+    Logout Zabbix API .................................................... done
+If there is an error with Login to LDAP or Zabbix an Error Message will be displayed. Check Output for more.
+## Advanced Debugging
+Try
+
+    ./zabbix-ldap-sync.sh -v
+for verbose mode with a lot of Output. You will see all `ldapsearch` and `curl` calls with parameter. Passwords are hidden with Stars.
+If you want to see the passwords also try
+
+    ./zabbix-ldap-sync.sh -v -p
+
+## Possible commandline parameter
+    -c | -C | --config			use a specific configuration file instead config.sh
+    -v | -V | --verbose 		Display debugging information, include all commands
+    -p | -P | --ShowPassword	Show the passwords in the verbose output
+    -s | -S | --silent			Hide all Output except errors. Usefull with crontab
+
+## Syncing Multiple Groups
+Just create a separate config file for each group combination:
+
+ - copy the working `config.sh`to a new name like `zabbix-readonly.conf`(the extension doesn't matter)
+ - change the groupnames in the new file and the ZABBIX_UserType_User value
+ - run the script like this
+     
+       ./zabbix-ldap-sync.sh -c zabbix-readonly.conf
+Do not sync different LDAP-Groups with the same Zabbix-Group! The last sync will win!
+Make the users only to a member of one of these groups. If the user is removed from one of the groups, the user will be disabled.
+
+## Sync automatically
+Test the sync in the shell with full paths like
+     
+     /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf
+ Just add the line to crontab like
+     
+     */10 * * * * /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf -s
+ for syncing every 10 minutes
+

config.sh

@@ -21,7 +21,7 @@ LDAP_Ignore_SSL_Certificate="true"
 # Bind user for accessing,
 # to get the Distinguished Name of the User run the following command on a domain controller (replace ldapsearch with your Username):
 # dsquery user -samid ldapSearch
-LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=mydomain,DC=local"
+LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local"
 # the passwort og the user (should be marked as never changed)
 # Please avoid special chars which were use in bash like $`´'"\/<>()[]^
 LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
@@ -29,18 +29,18 @@ LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
 LDAP_SearchBase="DC=exampledomain,DC=local"
 
 # Name of Groups in LDAP (Active-Directory) and in Zabbix for Sync with Zabbix
-ZABBIX_Groupname_for_Sync="Zabbix-Super-Admin"
+LDAP_Groupname_for_Sync="Zabbix-Super-Admin"
 ZABBIX_Groupname_for_Sync="LDAP-SuperAdmin"
 
 # When you remove an user from the LDAP-Group, the user will moved in this group which is "Not enabled" = Disabled and Frontend access is "disabled"
-ZABBIX_Disabled_User_Group="Disabled"
+ZABBIX_Disabled_User_Group="LDAP-Disabled"
 
 
 # Configuration Zabbix API Connection (Tested with Zabbix 4.4)
 # if https:// is used, per default ssl checks will be ignored
 #ZABBIX_API_URL="http://localhost/zabbix/api_jsonrpc.php"
 ZABBIX_API_URL="http://localhost/api_jsonrpc.php"
-ZABBIX_API_User="API-User"
+ZABBIX_API_User="zabbixapiuser"
 ZABBIX_API_Password="strongpassword73#"
 
 # Zabbix User type for new created Users:

mytest.sh

@@ -1,3 +0,0 @@
-#!/bin/bash
-mytemp=`ls -l /root >/dev/null 2>&1 | grep manfred`
-echo "Exitcode: $?"