From 83f990797a1e78134a6adf72d8b9f3a16a3e1cab Mon Sep 17 00:00:00 2001
From: "root@zabbix.znil.net"
Date: Tue, 14 Apr 2020 17:25:59 +0200
Subject: [PATCH] Readme and more

---
 README.md | 209 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 config.sh | 8 +--
 mytest.sh | 3 -
 3 files changed, 213 insertions(+), 7 deletions(-)
 delete mode 100755 mytest.sh

diff --git a/README.md b/README.md
index c24b1f6..10ce9fd 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,210 @@
 # zabbix-ldap-sync-bash
+This is a pure bash-script for syncing a Actice-Directory Group via LDAP with a Zabbix-Group
+
+**Changelog:** 2020-04-14 V1.1 => first public version
+
+## Features:
+
+ - Pure Bash Skript for Linux
+ - LDAP and LDAPS Support (ignoring SSL possible)
+ - Zabbix API via http / https (ignoring SLL per default)
+ - Zabbix 3.x and 4.x tested
+ - Multiple config-files possible for multiple groups and multiple domains
+ - Create needed users in Zabbix as User, Admin or SuperAdmin, Email
+ - Disable removed users
+ - user- or group names with spaces are no problem
+
+## How to Use
+### 1. Prepare Active Directory
+ - Check if LDAP or LDAPS will be used
+ - Create a special User for the LDAP Access. User need no special rights but should be Domain-User
+ - Avoid special chars in username and password like `äöü!?>$%` and spaces
+ - After creating get the ***distinguished name*** of this user. You can query the name on a doamin controller with
+ `dsquery user -samid `
+ Output should something like
+ `CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local`
+ where ***ldapSearch*** is the example-user
+
+Create one or more Active Directory Groups and add Members. Empty Groups are allowed (then all members in Zabbix will be removed from Group and disabled).
+I suggest Groups for
+ - Zabbix Super Admin
+ - Zabbix Admin
+ - Zabbix User
+as needed. The users must be direct members, do not use nested groups.
+In the examples i am using the groupname `Zabbix-Super-Admin`
+
+### 2. Install Prerequisites on Linux
+Yes, i am using pure bash to avoid any prerequisites but we need a program for accessing LDAP and some other tools. All of them should be available in the standard repositories:
+**Debian/Ubuntu**
+`apt install ldap-utils`
+**Red Hat/CentOs/SuSe**
+`yum install openldap-clients`
+The other needed programs are
+`curl sed dirname readlink`
+which should be already installed
+
+### 3. Create Zabbix-User for API Access
+It should be a non LDAP user with **Frontend acccess** `internal` (defined by Group Membership).
+The User must have the **User type** `Zabbix Super Admin` for creating new users and changing group memberships.
+Also avoid special chars in username and password.
+In the examples i am using the username `zabbixapiuser`
+
+### 4. Create Zabbix Target Groups
+At least 2 groups are required:
+**Target Group for Users:**
+This Group must have **Frontend access** `LDAP `
+and should be enabled.
+In the examples i am using the groupname`Zabbix-Super-Admin`
+**Target Group for Disabled Users:**
+The build-in Group **Disabled** can be used.
+Or create a new group which is **not** enabled (remove checkox) and **Frontend access** `Disabled`
+In the examples i am using the groupname`LDAP-Disabled`
+
+### 5. Check Zabbix LDAP-Settings
+Check the Settings for LDAP:
+
+ Administration => Authentication => LDAP settings
+I suggest to uncheck the **Case sensitive login** checkbox. The script compares the Windows `SAMAccountnames` and the Zabbix `Alias` case insensitive.
+With this settings, the user can log in with `manfred`, `Manfred`and `MaNfReD`and the sync script will find and use the existing user.
+
+### 6. Clone the script
+I installed the script on the Zabbix-Server in a separate folder.
+Login to Zabbix-Server and move to the root path of the `ExternalScripts` and `AlertScriptsPath` folder,
+the default path is (Debian/Ubuntu/CentOS)
+
+ cd /usr/lib/zabbix/
+Clone this repository, it will create a new folder named `zabbix-ldap-sync-bash`:
+
+ git clone https://github.com/BernhardLinz/zabbix-ldap-sync-bash.git
+Change to the new directory:
+
+ cd zabbix-ldap-sync-bash
+Make the two `*.sh`scripts executeable:
+
+ chmod +x *.sh
+
+
+### 7. Configure the Script
+The script `zabbix-ldap-sync.sh`is looking for the `config.sh`in the same folder.
+Open the file `config.sh`with an editor and set the needed values:
+
+ nano config .sh
+
+#### LDAP_Source_URL
+ LDAP_Source_URL="ldaps://172.16.0.10"
+Should be `ldap`or `ldaps`, use name or IP-Address of a domain controller.
+
+#### LDAP_Ignore_SSL_Certificate
+ LDAP_Ignore_SSL_Certificate="true"
+If set to `true`the SSL-Certificate for LDAPS will be ignored. Set to `false`to validate the certificates.
+
+
+
+#### LDAP_Bind_User_DN + LDAP_Bind_User_Password
+ LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local"
+ LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
+The distinguished name for the user which was created in Step *1. Prepare Active Directory*
+
+#### LDAP_SearchBase
+ LDAP_SearchBase="DC=exampledomain,DC=local"
+The domain name or organisation unit
+
+#### LDAP_Groupname_for_Sync + ZABBIX_Groupname_for_Sync
+ LDAP_Groupname_for_Sync="Zabbix-Super-Admin"
+ ZABBIX_Groupname_for_Sync="LDAP-SuperAdmin"
+Change `Zabbix-Super-Admin`to your Active Directory-Groupname and `LDAP-SuperAdmin`to the target Zabbix-Groupname.
+
+
+#### ZABBIX_Disabled_User_Group
+ ZABBIX_Disabled_User_Group="LDAP-Disabled"
+Name of the Group for Disabled Users. The Group must have the ***Enabled*** checkbox unchecked or the group will not found. Every user who is removed from the group ***ZABBIX_Groupname_for_Sync*** becomes a member of this group. The reason is that a user must always be a member of at least one group in Zabbix.
+
+#### ZABBIX_API_URL + ZABBIX_API_User + ZABBIX_API_Password
+ ZABBIX_API_URL="http://localhost/api_jsonrpc.php"
+ ZABBIX_API_User="zabbixapiuser"
+ ZABBIX_API_Password="strongpassword73#"
+The **ZABBIX_API_URL** is path to the Zabbix webinterface. Can be `http://` or `https://`, the certificate validation will be ignored.
+Depending on the Zabbix installation, `/api_jsonrpc.php` or `/zabbix/api_jsonrpc.php` must be used.
+
+#### ZABBIX_UserType_User
+ ZABBIX_UserType_User=3
+Type of user if new one must created.
+1 = Zabbix User
+2 = Zabbix Admin
+3 = Zabbix Super Admin
+The script will not update existing users.
+
+#### ZABBIX_MediaTypeID
+ ZABBIX_MediaTypeID="1"
+1 is Email at new installations. Will be used for new created users if the **mail** property is not empty (Microsoft Exchange will fill theses property automatically with the sender-address).
+You can check the ID of the MediaType in the webinterface
+
+ Administration => Media types => click the name of the Media
+At the end of the URL you see `mediatypeid=1` with the needed ID
+### 8. Test the script
+ ./zabbix-ldap-sync.sh
+You should get some output like this:
+
+ ---------------------------------------------------------------------------
+ zabbix-ldap-sync.sh (Version V1.1 (2020-04-14)) startup
+ Checking prerequisites ............................................... done
+ Searching config file ................................................ done
+ Reading "/usr/lib/zabbix/zabbix-ldap-sync/config-znil.sh" ............ done
+ Check all needed Settings ............................................ done
+ STEP 1: Getting all Members from Active Directory / LDAP Group ....... done
+ Query sAMAccountName, sn, givenName and primary Email-Address ........ done
+ Login at Zabbix API .................................................. done
+ STEP 2: Get Members of Zabbix-LDAP Groups ............................ checking
+ determine UsrGrpID of "LDAP-SuperAdmin" .............................. done
+ determine UsrGrpID of "LDAP-Disabled" ................................ done
+ determine alias and userid for Members of "LDAP-SuperAdmin" .......... done
+ STEP 3: Compare Groups for changes ................................... checking
+ Check 1: Number of Users LDAP ........................................ 4
+ Check 1: Number of Users Zabbix ...................................... 2
+ Check 1: Number of Users ............................................. not equal
+ STEP 4: Get all Zabbix Users with alias and userid ................... done
+ STEP 5: Compare LDAP user with existing Zabbix User .................. must create 1 new
+ ser
+ STEP 6: Create needed 1 new Zabbix-User .............................. done
+ STEP 7: Replace Members of Group LDAP-SuperAdmin ..................... done
+ STEP 8: Get List of all disabled user in Group LDAP-Disabled ......... done
+ STEP 9: Remove active user, add inactive user ........................ done
+ STEP 10: Replace Members of Group LDAP-Disabled ...................... done
+ STEP 11: Replace Members of Group LDAP-SuperAdmin (2. Time) .......... done
+ Logout Zabbix API .................................................... done
+If there is an error with Login to LDAP or Zabbix an Error Message will be displayed. Check Output for more.
+## Advanced Debugging
+Try
+
+ ./zabbix-ldap-sync.sh -v
+for verbose mode with a lot of Output. You will see all `ldapsearch` and `curl` calls with parameter. Passwords are hidden with Stars.
+If you want to see the passwords also try
+
+ ./zabbix-ldap-sync.sh -v -p
+
+## Possible commandline parameter
+ -c | -C | --config use a specific configuration file instead config.sh
+ -v | -V | --verbose Display debugging information, include all commands
+ -p | -P | --ShowPassword Show the passwords in the verbose output
+ -s | -S | --silent Hide all Output except errors. Usefull with crontab
+
+## Syncing Multiple Groups
+Just create a separate config file for each group combination:
+
+ - copy the working `config.sh`to a new name like `zabbix-readonly.conf`(the extension doesn't matter)
+ - change the groupnames in the new file and the ZABBIX_UserType_User value
+ - run the script like this
+
+ ./zabbix-ldap-sync.sh -c zabbix-readonly.conf
+Do not sync different LDAP-Groups with the same Zabbix-Group! The last sync will win!
+Make the users only to a member of one of these groups. If the user is removed from one of the groups, the user will be disabled.
+
+## Sync automatically
+Test the sync in the shell with full paths like
+
+ /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf
+ Just add the line to crontab like
+
+ */10 * * * * /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-ldap-sync.sh -c /usr/lib/zabbix/zabbix-ldap-sync-bash/zabbix-readonly.conf -s
+ for syncing every 10 minutes
+
diff --git a/config.sh b/config.sh
index 48dd40e..b1aaa87 100644
--- a/config.sh
+++ b/config.sh
@@ -21,7 +21,7 @@ LDAP_Ignore_SSL_Certificate="true"
 # Bind user for accessing,
 # to get the Distinguished Name of the User run the following command on a domain controller (replace ldapsearch with your Username):
 # dsquery user -samid ldapSearch
-LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=mydomain,DC=local"
+LDAP_Bind_User_DN="CN=ldapSearch,OU=MyUsers,DC=exampledomain,DC=local"
 # the passwort og the user (should be marked as never changed)
 # Please avoid special chars which were use in bash like $`´'"\/<>()[]^
 LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
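Review bot: The committed sample config still carries a literal bind secret, `LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"` on the last line of this hunk, and the same holds for `ZABBIX_API_Password` in the next hunk; the commit relabels the DN and the API user but leaves both values, and the README added by this commit repeats them. If this is also the file a live server reads (the README's sample run shows a real config path on a Zabbix host), the values should be treated as exposed and rotated. I would ship placeholders instead, e.g. `LDAP_Bind_User_Password="<replace-me>"`, and put `# holds credentials: keep this file owner-readable only (mode 0600)` above the password line. The comment forbidding shell metacharacters suggests the password is interpolated into a command line, which would also expose it in process listings; ldapsearch's `-y <file>` avoids both problems, though the calling script is outside this diff.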
@@ -29,18 +29,18 @@ LDAP_Bind_User_Password="9qA3XB1r##Xr27c1HPpq"
 LDAP_SearchBase="DC=exampledomain,DC=local"
 # Name of Groups in LDAP (Active-Directory) and in Zabbix for Sync with Zabbix
-ZABBIX_Groupname_for_Sync="Zabbix-Super-Admin"
+LDAP_Groupname_for_Sync="Zabbix-Super-Admin"
 ZABBIX_Groupname_for_Sync="LDAP-SuperAdmin"
 # When you remove an user from the LDAP-Group, the user will moved in this group which is "Not enabled" = Disabled and Frontend access is "disabled"
-ZABBIX_Disabled_User_Group="Disabled"
+ZABBIX_Disabled_User_Group="LDAP-Disabled"
 # Configuration Zabbix API Connection (Tested with Zabbix 4.4)
 # if https:// is used, per default ssl checks will be ignored
 #ZABBIX_API_URL="http://localhost/zabbix/api_jsonrpc.php"
 ZABBIX_API_URL="http://localhost/api_jsonrpc.php"
-ZABBIX_API_User="API-User"
+ZABBIX_API_User="zabbixapiuser"
 ZABBIX_API_Password="strongpassword73#"
 # Zabbix User type for new created Users:
diff --git a/mytest.sh b/mytest.sh
deleted file mode 100755
index 545ce89..0000000
--- a/mytest.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-mytemp=`ls -l /root >/dev/null 2>&1 | grep manfred`
-echo "Exitcode: $?"