zabbix-tooling / zabbix-ldap-sync

This project forked from dnaeon/zabbix-ldap-sync

Sync Zabbix with LDAP directory server

License: BSD 3-Clause "New" or "Revised" License

Python 93.00% Makefile 3.88% Dockerfile 1.13% Shell 2.00%

zabbix-ldap-sync's Introduction

zabbix-ldap-sync -- Sync your Zabbix users with LDAP directory server

The zabbix-ldap-sync script is used for keeping your Zabbix users in sync with an LDAP directory server.

It can automatically import existing LDAP groups and users into Zabbix, thus making it easy for you to keep your Zabbix users in sync with LDAP.

Maintained by Marc Schöchlin [email protected]

This project moved to https://github.com/zabbix-tooling/zabbix-ldap-sync to ease collaboration between developers. You can switch your current git clone over by executing one of the following commands:

git remote set-url origin [email protected]:zabbix-tooling/zabbix-ldap-sync.git # or
git remote set-url origin https://github.com/zabbix-tooling/zabbix-ldap-sync.git

Requirements

You also need to have your Zabbix Frontend configured to authenticate against an AD/LDAP directory server. (using http or ldap-auth)

Check the official documentation of Zabbix on how to configure Zabbix to authenticate against an AD/LDAP directory server

Setup virtualenv

  • Clone the git repository
    git clone https://github.com/zabbix-tooling/zabbix-ldap-sync.git
    cd zabbix-ldap-sync
    
  • Install the basic tools for virtualenv and create one
    • Debian and Ubuntu Systems:
      sudo apt-get install python-dev virtualenv libpython3.*-dev libldap2-dev libsasl2-dev
      virtualenv -p python3 venv
      
    • CentOS and Redhat Systems:
      sudo yum install python3-devel openldap-devel
      python3 -m venv venv
      
  • Activate the virtualenv and install the dependencies of the project
    source venv/bin/activate
    pip install -r requirements.txt
    
  • Run the tool
    ./zabbix-ldap-sync -h
    

Configuration

In order to use the zabbix-ldap-sync script we need to create a configuration file describing the various LDAP and Zabbix related config entries.

Config file sections

RECOMMENDATION: Use an LDAP client like Apache Directory Studio to test the LDAP connection and filters and to inspect the available attributes. The flag --verbose shows the LDAP filters calculated by the script.

[ldap]

  • type - Select type of ldap server, can be activedirectory or openldap
  • uri - URI of the LDAP server, including port
  • base - Base Distinguished Name
  • binduser - LDAP user which has permissions to perform LDAP search
  • bindpass - Password for LDAP user
  • groups - LDAP groups to sync with Zabbix
    • supports wildcard - TESTED ONLY with Active Directory, see Command-line arguments
    • role ids or role names for the created users can be encoded with groups (<groupname>:<numeric role id/name>)
  • media - Name of the LDAP attribute of the user object that will be used to set the Send to property of the Zabbix user media. If this entry is not used, no media synchronization is made. A common value is mail.
  • ignore_tls_errors - If set to true, tls connection problems are ignored (you should use this only for testing)

[ad]

  • filtergroup = The ldap filter to get group in ActiveDirectory mode, by default (&(objectClass=group)(name=%s))
  • filteruser = The ldap filter to get the users in ActiveDirectory mode, by default (objectClass=user)(objectCategory=Person)
  • filterdisabled = The filter to get the disabled user in ActiveDirectory mode, by default (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  • filtermemberof = The filter to get memberof in ActiveDirectory mode, by default (memberOf:1.2.840.113556.1.4.1941:=%s)
  • groupattribute = The attribute used for membership in a group in ActiveDirectory mode, by default member
  • userattribute = The attribute for users in ActiveDirectory mode sAMAccountName

[openldap]

  • type = The storage mode for group and users can be posix or groupofnames
  • filtergroup = The ldap filter to get group in OpenLDAP mode, by default (&(objectClass=posixGroup)(cn=%s))
  • filteruser = The ldap filter to get the users in OpenLDAP mode, by default (&(objectClass=posixAccount)(uid=%s))
  • groupattribute = The attribute used for membership in a group in OpenLDAP mode, by default memberUid
  • userattribute = The attribute for users in openldap mode, by default uid
  • truncatedn - If set to true the distinguished name (DN) will be truncated to the first component (by default false). Group members are usually defined as full-path-DN. If your ldap server just uses the login names to reference group members (i.e. FreeIPA) you can use this functionality to solve problems with broken searches. Example: uid=testuser,cn=users,cn=accounts,dc=example,dc=com cut to uid=testuser

[zabbix]

  • server - Zabbix URL
  • username - Zabbix username. This user must have permissions to add/remove users and groups. Typically, this would be the Zabbix Admin account.
  • password - Password for Zabbix user
  • apitoken - Zabbix API token (Available since Zabbix 5.4)
  • auth - can be http (for basic auth), webform (for regular form based login) or token (for API token). If token is used, username and password are ignored. Likewise, apitoken is ignored for http and webform.
  • alldirusergroup - A group in Zabbix where to put all users created from the ldap directory.
    Create this group before using this tool and give members of this group no permissions to your zabbix instance.
    If a user is not available anymore by the directory, the user remains in this single group. This allows us to keep the audit trail of zabbix consistent. If you do not define this property, users are not assigned to that group.
  • ignore_tls_errors - If set to true, tls connection problems are ignored (you should use this only for testing)

[user]

Allows overriding various properties of the Zabbix users created by the script. See User object in the Zabbix API documentation for available properties. If this section/property doesn't exist, the defaults are:

  • role = User role - User numeric role id or role name, for zabbix <= 4.4 use "type" with a suitable value (i.e. "1")
  • show_password - Display passwords. Possible values: true or false

[media]

Allows overriding the media type and various properties of the Zabbix media for users created by the script.

  • description - Description of Zabbix media (Email, Jabber, SMS, etc...). This entry is optional, default value is Email.

You can configure additional properties in this section. See Media object in the Zabbix API documentation for available properties. If this section/property doesn't exist, the defaults for additional properties are:

  • active = 0 - Whether the media is enabled. Possible values: 0 - enabled; 1 - disabled.
  • period = 1-7,00:00-24:00 - Time when the notifications can be sent as a time period.
  • onlycreate = true - Process media only on newly created users if this is set to true.
  • severity = Disaster,High,Average,Warning - A list of severities to send notifications about, separated by commas (alternative: the numeric bitmap value).

Configuration file example

See example config file, create a copy of this and modify it according to your needs.

Command-line arguments

Usage: zabbix-ldap-sync [-lsrwdn] [--verbose] -f <config>
   zabbix-ldap-sync -v
   zabbix-ldap-sync -h

Options:
  -h, --help                    Display this usage info
  -v, --version                 Display version and exit
  -l, --ldap-accountids         Do not make changes to ldap account id names
  -s, --skip-disabled           Skip disabled AD users
  -r, --recursive               Resolves AD group members recursively (i.e. nested groups)
  -w, --wildcard-search         Search AD group with wildcard (e.g. R.*.Zabbix.*) - TESTED ONLY with Active Directory
  -d, --delete-orphans          Delete Zabbix users that don't exist in a LDAP group
  -a, --remove-absent           Remove Zabbix users from group that don't exist in a LDAP group
  -n, --no-check-certificate    Don't check Zabbix server certificate
  --verbose                     Print debug message from ZabbixAPI
  --dryrun                      Just simulate zabbix interaction
  -f <config>, --file <config>  Configuration file to use

Importing LDAP users into Zabbix

Now that we have the above mentioned configuration file created, let's import our groups and users from LDAP to Zabbix.

$ ./zabbix-ldap-sync -f /path/to/zabbix-ldap.conf

Once the script completes, check your Zabbix Frontend to verify that users are successfully imported.

To sync different LDAP groups with different options, create a separate config file for each group and run zabbix-ldap-sync once per file:

$ ./zabbix-ldap-sync -f /path/to/zabbix-ldap-admins.conf
$ ./zabbix-ldap-sync -f /path/to/zabbix-ldap-users.conf

You would generally run the above commands on a regular basis, say each day from cron(8), in order to make sure your Zabbix system is in sync with LDAP.

Using Docker Compose

Create the config directory:

$ mkdir config

Copy the config into that directory under the name zabbix-ldap.conf, for example:

$ cp ./zabbix-ldap.conf.example config/zabbix-ldap.conf

You can change the docker-compose volume mount point or the config file name in docker-compose.yml.

Finally, run docker-compose:

$ docker-compose up

To run in detached mode, use the parameter -d:

$ docker-compose up -d

Open Development Tasks

This tool has worked for years now, but from the viewpoint of serious software development this piece of code still needs major refactoring. Major refactoring tends to break things which are not available in my testing environment.

Starting from the original implementation, some things have already been improved, extended and simplified. In my busy everyday life, I have unfortunately not yet found time for the following topics.

Contributions are very welcome, especially for the following topics:

  • eliminate the need to pass around configuration values between classes
  • eliminate the need of different configuration sections for ldap 'openldap' and 'ad'
  • isolate configuration logic in lib/zabbixldapconf.py
  • add software tests
  • add azure-ad/graphapi support

zabbix-ldap-sync's People

Contributors

allburov, beatcracker, blodone, craviee, dhxgit, dnaeon, floppy-engineer, folti, goid1989, jeremybusk, jnovak-netsystemcz, markkrj, ncstate-jksnapp, neothematrix, peterheja, rbm0407, samip5, scoopex, svasek, ygotame

zabbix-ldap-sync's Issues

zabbix version value (ValueError)

Hello,

I have the following problem. I don't have an idea how to work around this.

./zabbix-ldap-sync -n -f zabbix-ldap-user.conf

2022-05-13 17:36:00 - INFO - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-13 17:36:01 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: http://localhost/zabbix//api_jsonrpc.php
2022-05-13 17:36:01 - INFO - pyzabbix:75 - Zabbix API version is: 5.0.15
2022-05-13 17:36:01 - INFO - ZabbixConn:104 - Connected to Zabbix API Version 5.0.15
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 109, in main
zabbix_conn.connect()
File "/opt/zabbix/zabbix-ldap-sync/lib/zabbixconn.py", line 105, in connect
if float(self.conn.api_version()) > 5.2:
ValueError: could not convert string to float: '5.0.15'
[root@dcfra-vision-vi-zbx-srv1 zabbix-ldap-sync]#

Thanks in advance

Issue with Zabbix 6.0

Hello, while we were using this solution flawlessly in Zabbix 5.0, as soon as we upgraded to 6.0 it stopped working.

The given error is as follows:

[zabbix_prod@033 ~]$ /opt/sync-ad-ldap/zabbix-ldap-sync -sd -f /opt/sync-ad-ldap/zabbix-ldap.conf
2022-05-02 11:11:59 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: http://10.0.0.23/zabbix//api_jsonrpc.php
2022-05-02 11:11:59 - INFO - pyzabbix:75 - Zabbix API version is: 6.0.3
2022-05-02 11:11:59 - INFO - ZabbixConn:68 - Connected to Zabbix API Version 6.0.3
Traceback (most recent call last):
File "/opt/sync-ad-ldap/zabbix-ldap-sync", line 115, in
main()
File "/opt/sync-ad-ldap/zabbix-ldap-sync", line 111, in main
zabbix_conn.sync_users()
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 338, in sync_users
zabbix_all_users = self.get_users()
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 80, in get_users
users = [user['alias'] for user in result]
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 80, in
users = [user['alias'] for user in result]
KeyError: 'alias'

Any ideas on what it could be?

Other media types

This is sort of two issues.

I have set this up to sync from "mail" (AD) to "Email" (zabbix). This works fine.
I tried taking that working config and changing it to use "mobile" (AD) to "Pager" (zabbix custom script media type) but that fails. The error implies that the contents of "mobile" is not an email address - which it is not - it is a phone number.

If I manually add a phone number to Pager for one of the sync'd users and then run the original sync it wipes out the phone number of the user I manually added.

KeyError during update of media

When a user is removed from an LDAP group but orphans are not deleted, the subsequent media update tries to access a user that does not exist:

if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):

Here, each_user is an element of zabbix_group_users which might contain users who are not present in the LDAP group anymore but have not been deleted before (in

absent_users = set(zabbix_group_users) - set(list(ldap_users.keys()))
).

Error on the 1st login

Hi Team,
I am facing an issue when I try to create/add a new user using the tool.
The dashboard appears in a weird way; I have uploaded a screenshot of it.
The Zabbix version which I am using is 4.0.6. Please help me with this issue.

weird_dashboard_2

user config as per below.

[user]
# use "type" for releases prior 5.2
type = 1
# use "roleid" for releases after 5.2
#roleid = 1
#timezone = Europe/Berlin
#rows_per_page = 100 

Thanks
Sachin v Gaikwad

[Feature] Add role lookups

The "groups" in "ldap" and the "roleid" use numeric roles.

Since zabbix allows the definition of individual roles, it might be suitable to resolve the id from role names.

ConfigParser issue

First of all thank you for the script. Works like a charm, saving me a lot of time.
I just have one recommendation. I'm using this script on Centos 7.5 and initially I had some issues with ConfigParser. It seems Centos/Red Hat doesn't like how config data is being parsed using ConfigParser.

# ./zabbix-ldap-sync --verbose -f zabbix-ldap.conf
'%' must be followed by '%' or '(', found: '%^Geks281%^'
Traceback (most recent call last):
  File "/root/zabbix-ldap-sync/lib/zabbixldapconf.py", line 43, in __init__
    self.ldap_passwd = parser.get('ldap', 'bindpass')
  File "/usr/lib64/python3.6/configparser.py", line 799, in get
    return self._interpolation.before_get(self, section, option, value, d)
  File "/usr/lib64/python3.6/configparser.py", line 394, in before_get
    self._interpolate_some(parser, option, L, value, section, defaults, 1)
  File "/usr/lib64/python3.6/configparser.py", line 444, in _interpolate_some
    "found: %r" % (rest,))
configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%^Geks281%^'
Configuration issues detected in zabbix-ldap.conf

So it is probably a good idea to change the way config data is being parsed to RawConfigParser.
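
The failure in this report, reproduced as an added example (not the project's code): configparser's default interpolation rejects a bare '%' in bindpass and in the %s filter templates, and it silently rewrites a password that happens to contain %(name)s, while RawConfigParser returns the stored text unchanged. The sample values and the helper name read_option are constructed for illustration.

```python
import configparser

# Constructed sample config: a bind password with bare '%' characters and one of
# the README's filter templates, which contains the '%s' placeholder.
SAMPLE_CONF = """\
[ldap]
uri = ldaps://ldap.example.com:636/
bindpass = pa%^ss%^word

[ad]
filtergroup = (&(objectClass=group)(name=%s))
"""

# Constructed sample: a password that looks like an interpolation reference.
EXPANDING_CONF = """\
[ldap]
uri = ldaps://ldap.example.com:636/
bindpass = s3cret%(uri)s
"""


def read_option(text, section, option, raw):
    """Read one option with or without interpolation.

    Returns the value, or the exception class name if interpolation fails.
    """
    if raw:
        parser = configparser.RawConfigParser()   # never interprets '%'
    else:
        parser = configparser.ConfigParser()      # BasicInterpolation by default
    parser.read_string(text)
    try:
        return parser.get(section, option)
    except configparser.InterpolationError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    cases = (
        (SAMPLE_CONF, "ldap", "bindpass"),
        (SAMPLE_CONF, "ad", "filtergroup"),
        (EXPANDING_CONF, "ldap", "bindpass"),
    )
    for text, section, option in cases:
        for raw in (False, True):
            mode = "raw" if raw else "interpolating"
            print(f"[{section}] {option} ({mode}): "
                  f"{read_option(text, section, option, raw)!r}")
```

The third case is the one to watch for: the interpolating parser raises no error, and the bind simply fails with a password nobody typed.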

problem with zabbix 4.0,4.4 - script tries to use role instead type

Current config:
...
[ldap]
groups = Support
[user]
type = 1
...

[root@zabbix zabbix-ldap-sync]# ./zabbix-ldap-sync --skip-disabled -f zabbix-ldap.conf --dryrun
2022-05-31 11:16:00 - INFO    - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-31 11:16:00 - INFO    - pyzabbix:68 - JSON-RPC Server Endpoint: https://zabbix-server/zabbix/api_jsonrpc.php
2022-05-31 11:16:00 - INFO    - pyzabbix:75 - Zabbix API version is: 4.0.37
2022-05-31 11:16:00 - INFO    - ZabbixConn:112 - Connected to Zabbix API Version 4.0.37
2022-05-31 11:16:00 - CRITICAL - ZabbixConn:619 - No default role specified

Script tries to use user role instead of user type on older zabbix versions.

Add option to trim full DN

Hi!
We are using FreeIPA as LDAP Auth Service.
With that line we are facing a problem when memberid contains the full DN of the account

memberid = memberid.decode("utf-8")

For quick hack

memberid = memberid.decode("utf-8")
memberid = memberid.split(',')[0]

Config is

[openldap]
type = posix
filtergroup = (&(objectClass=posixGroup)(cn=%s))
filteruser = (&(objectClass=posixAccount)(%s))
groupattribute = member
userattribute = uid

Maybe add some option to choose whether to cut or not?
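
Added example, not code from the project or from this issue: the truncatedn option in the README's [openldap] section and the split(',')[0] hack above both cut a member DN to its first component. The code below makes that cut while honouring escaped commas (RFC 4514), then escapes the value (RFC 4515) before placing it into the README's default filter templates. All function names are hypothetical, the sample DNs are constructed, and substituting only the RDN value into (uid=%s) is an assumption about how the pieces fit together.

```python
import re

# RFC 4515 escapes for characters that have a meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def first_rdn(dn):
    """Return the first RDN of a DN, skipping backslash-escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character (or first hex digit)
            continue
        if dn[i] == ",":
            return dn[:i]
        i += 1
    return dn


def unescape_dn_value(value):
    """Undo RFC 4514 escaping: backslash + hex pair, or backslash + character."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def escape_filter_value(value, keep_wildcards=False):
    """Escape a value for use inside a filter; optionally leave '*' intact."""
    return "".join(
        ch if (ch == "*" and keep_wildcards) else _FILTER_ESCAPES.get(ch, ch)
        for ch in value
    )


def user_filter(template, member, truncatedn):
    """Build the user search filter for one group member (DN or login name)."""
    if truncatedn:
        rdn = first_rdn(member)
        _attr, sep, raw_value = rdn.partition("=")
        member = unescape_dn_value(raw_value) if sep else rdn
    return template.replace("%s", escape_filter_value(member))


def group_filter(template, group_name, wildcard=False):
    """Build the group search filter; wildcard=True mirrors the -w option."""
    return template.replace("%s", escape_filter_value(group_name, wildcard))


if __name__ == "__main__":
    default_user = "(&(objectClass=posixAccount)(uid=%s))"   # README default
    default_group = "(&(objectClass=group)(name=%s))"        # README default
    dn = "uid=testuser,cn=users,cn=accounts,dc=example,dc=com"
    print(user_filter(default_user, dn, truncatedn=True))
    print(first_rdn(r"cn=Smith\, John,ou=people,dc=example,dc=com"))
    print(group_filter(default_group, "R.*.Zabbix.*", wildcard=True))
    print(group_filter(default_group, "Ops (EU)*"))
```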

Doesn't work with more than one media type

Can't configure it to work with more than one media type, could anyone please share a working config that syncs more than 1 media? (for ex.: Email and SMS).
When I use:

[media]
description = Email, SMS
active = 0
period = 1-7,00:00-24:00
severity = 63
onlycreate = false

I have the result when mobile phones properly inserted as Emails :(

Not working with zabbix 6.0

Hi @blodone, I am getting the below error while trying it with zabbix 6

Seems like the group is created but the users are not.

ldap.FILTER_ERROR: {'result': -7, 'desc': 'Bad search filter', 'ctrls': []}

Multiple media

Hello,
I want to ask if it's possible to implement multiple media per user.
Benefit is only one script for multiple media types.
In config something like:

[ldap]
media1 = mail
media2 = mobile
media3 = mobile

[media1]
name = Email (HTML)
description = Email (HTML)
active = 0

[media2]
name = VoIP
description = VoIP
active = 0

[media3]
name = SMS
description = SMS
active = 0

I have read and tried the solution of creating multiple configs with different media as suggested in bug issues #17 and #8 but it doesn't work. Each config file just replaces the media for the created user instead of updating another media.
I have used the latest master build. Thx in advance.

Error when script is attempting to remove the user.

We are running the latest Zabbix version 5.2.6. I downloaded and installed the requirements, and I was able to import the users in the Active Directory group. However, when I removed a user and run the sync, I get the following error:

2021-04-15 15:00:52,276 - ZabbixConn - INFO - Connected to Zabbix API Version 5.2.6
2021-04-15 15:00:52,481 - ZabbixConn - INFO - Users in group Zabbix Super Admins which are not found in LDAP group:
2021-04-15 15:00:52,481 - ZabbixConn - INFO - User not in ldap group "werschmannj"
2021-04-15 15:00:52,482 - ZabbixConn - INFO - Update media on all users for group >>>Zabbix Super Admins<<<
2021-04-15 15:00:52,541 - ZabbixConn - INFO - >>> Updating/create user media for "muellervo", update "Email (HTML)"
2021-04-15 15:00:52,757 - ZabbixConn - INFO - >>> Updating/create user media for "hicklc", update "Email (HTML)"
2021-04-15 15:00:52,970 - ZabbixConn - INFO - >>> Updating/create user media for "werschmannj", update "Email (HTML)"
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 102, in <module>
    main()
  File "./zabbix-ldap-sync", line 98, in main
    zabbix_conn.sync_users()
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 436, in sync_users
    if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):
KeyError: 'werschmannj'

Is there a setting I missed somewhere?

Zabbix 5.2 replaced user property `type` with `roleid`.

The zabbix-ldap-sync script fails when creating users with Zabbix 5.2 api.

The fix is to change type to roleid in the create_user function within lib/zabbixconn.py and in the user stanza of any configuration files. This change is not backwards compatible with Zabbix versions < 5.2.


Here's more info about the change from type property to roleid in the user object:

USER
Changes:
ZBXNEXT-6148 user.create, user.update, user.get: dropped support of type property.

USER
Changes:
ZBXNEXT-6148 user.create, user.update, user.get: added new property roleid.

User object - 5.2 (diff)


Here's the traceback that occurs as soon as the script tries to create a user:

Traceback (most recent call last):
  File "/opt/zabbix-ldap-sync/zabbix-ldap-sync", line 112, in <module>
    main()
  File "/opt/zabbix-ldap-sync/zabbix-ldap-sync", line 109, in main
    zabbix_conn.sync_users()
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 376, in sync_users
    self.create_user(user, zabbix_grpid, self.user_opt)
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 185, in create_user
    result = self.conn.user.create(user)
  File "/opt/zabbix-ldap-sync/lib/python3.6/site-packages/pyzabbix/__init__.py", line 192, in fn
    args or kwargs
  File "/opt/zabbix-ldap-sync/lib/python3.6/site-packages/pyzabbix/__init__.py", line 169, in do_request
    raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1": unexpected parameter "type".', -32602)
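
Added example, not the project's code: it covers the float() version check that fails in the "zabbix version value (ValueError)" report and the type/roleid switch described in this issue, by comparing the API version as a tuple of integers and choosing the user property names from it. The function names are hypothetical, and the alias to username rename at 5.4 comes from the Zabbix API changelog rather than from this page.

```python
import re


def parse_api_version(version):
    """'5.0.15' -> (5, 0, 15). Suffixes such as '6.0.0rc1' are tolerated."""
    fields = []
    for field in version.strip().split("."):
        match = re.match(r"\d+", field)
        if match is None:
            raise ValueError("not a Zabbix version string: %r" % version)
        fields.append(int(match.group()))
    return tuple(fields)


def float_check(version):
    """The comparison shown in the traceback, kept here for contrast."""
    try:
        return float(version) > 5.2
    except ValueError:
        return "ValueError"


def user_create_params(api_version, login, group_id, role):
    """Build version-appropriate parameters for user.create.

    Only the properties discussed on this page are set; a real call
    carries more fields.
    """
    version = parse_api_version(api_version)
    # Zabbix 5.4 renamed the user property "alias" to "username".
    login_key = "username" if version >= (5, 4) else "alias"
    # Zabbix 5.2 replaced the user property "type" with "roleid".
    role_key = "roleid" if version >= (5, 2) else "type"
    return {
        login_key: login,
        role_key: str(role),
        "usrgrps": [{"usrgrpid": str(group_id)}],
    }


if __name__ == "__main__":
    # API versions that appear in the logs on this page.
    for ver in ("4.0.37", "4.4.10", "5.0.15", "5.2.6", "5.4.1", "6.0.3"):
        print(ver, float_check(ver), user_create_params(ver, "jdoe", 7, 1))
    # Constructed two-part string: float() parses it but orders it wrongly.
    print("5.10", float_check("5.10"), parse_api_version("5.10") >= (5, 2))
```

Every version string in the logs on this page has three components, so the float() form raises on all of them, and where a string does parse (the constructed "5.10"), it sorts below 5.2.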

LDAP query returns "empty result" while same query with ldapsearch works

Our (munged) config:

[ldap]
type = activedirectory
uri = ldaps://server01.domain.local:636/
base = dc=domain,dc=local
binduser = DOMAIN\zabbix_ldap
bindpass = <the_pass>
groups = Company Employees

[ad]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (objectClass=user)(objectCategory=Person)
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = sAMAccountName

When I use ldapsearch to query server01.domain.local using the filters as shown above, I get the list of users and groups that I expect (although I don't seem to be able to combine e.g. filteruser and filtermemberof, so I expect those matches are done in code?). Therefore I expect (hope) that the config I'm supplying is correct.

When I run zabbix-ldap-sync in verbose mode, I see:

[ldaps connection success omitted]

** ld 0x1d770b0 Connections:
* host: server01.domain.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Apr  2 16:46:11 2019


** ld 0x1d770b0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1d770b0 request count 1 (abandoned 0)
** ld 0x1d770b0 Response Queue:
   Empty
  ld 0x1d770b0 response count 0
ldap_chkResponseList ld 0x1d770b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1d770b0 NULL
ldap_int_select
read1msg: ld 0x1d770b0 msgid 1 all 1
read1msg: ld 0x1d770b0 msgid 1 message type bind
read1msg: ld 0x1d770b0 0 new referrals
read1msg:  mark request completed, ld 0x1d770b0 msgid 1
request done: ld 0x1d770b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree

Since I'm not that good at Python.. At which step can I add a "print" to see the query that is used?

Media issues with zabbix 4.0 API

2019-02-25 16:35:21,832 - INFO - Updating user "Username", adding to group "Group"
2019-02-25 16:35:22,024 - INFO - Add media only on newly created users for group >>>Group <<<
2019-02-25 16:35:22,024 - INFO - Add media only on newly created users for group >>>Group<<<
2019-02-25 16:35:22,024 - INFO - >>> Updating/create user media for "Username", update "Email"
2019-02-25 16:35:22,024 - INFO - >>> Updating/create user media for "Username", update "Email"
Traceback (most recent call last):
File "zabbix-ldap-sync", line 92, in
main()
File "zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/lib/zabbixconn.py", line 444, in sync_users
self.update_media(eachUser, self.media_description, sendto, media_opt_filtered)
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/lib/zabbixconn.py", line 274, in update_media
result = self.conn.user.update(userid=str(userid), user_medias=[media_defaults])
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/venv/lib/python3.4/site-packages/pyzabbix/init.py", line 157, in fn
args or kwargs
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/venv/lib/python3.4/site-packages/pyzabbix/init.py", line 134, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1/user_medias/1": unexpected parameter "onlycreate".', -32602)

KeyError message during sync on a particular user

Hello,

while running the script, I get an error message when the sync gets to a particular user:

2018-05-29 15:36:15,262 - INFO - >>> Updating/create user media for "user1", update "Email"
2018-05-29 15:36:15,262 - INFO - >>> Updating/create user media for "user1", update "Email"
2018-05-29 15:36:15,664 - INFO - Remove other exist media from user user2 (type=Email)
2018-05-29 15:36:15,664 - INFO - Remove other exist media from user user2 (type=Email)
2018-05-29 15:36:15,810 - INFO - >>> Updating/create user media for "user3", update "Email"
2018-05-29 15:36:15,810 - INFO - >>> Updating/create user media for "user3", update "Email"
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 92, in
main()
File "./zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/home/.../zabbix-ldap-sync-master/lib/zabbixconn.py", line 419, in sync_users
sendto = self.ldap_conn.get_user_media(ldap_users[eachUser], self.ldap_media).decode("utf8")
KeyError: 'user3'

Can anybody help me?

ZabbixConn class not instantiated

I've been working on getting our users inputted into Zabbix. However, whenever I run the script, the LDAPConn class fires, I'll paste the output below. What I can't figure out is after the zabbix-ldap-sync script is run, it doesn't seem to get to the ZabbixConn part. I've already confirmed that I can successfully make API calls, the script queries LDAP. But it just doesn't seem to make it to the point of actually creating the users in Zabbix.

Any help would be amazing!

Thanks!

LDAPConn output:

2021-01-27 15:36:09,563 - LDAPConn - DEBUG - Searching LDAP with filter >>>(&(&(objectClass=user)(sAMAccountName=%s)))<<<
ldap_search_ext
put_filter: "(&(&(objectClass=user)(sAMAccountName=%s)))"
put_filter: AND
put_filter_list "(&(objectClass=user)(sAMAccountName=%s))"
put_filter: "(&(objectClass=user)(sAMAccountName=%s))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=%s)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=%s)"
put_filter: simple
put_simple_filter: "sAMAccountName=%s"
ldap_build_search_req ATTRS: sAMAccountName
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55a7da0307d0 msgid 47
wait4msg ld 0x55a7da0307d0 msgid 47 (infinite timeout)
wait4msg continue ld 0x55a7da0307d0 msgid 47 all 1
** ld 0x55a7da0307d0 Connections:
* host: $(ldapserver).$(domain).com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Jan 27 15:36:09 2021


** ld 0x55a7da0307d0 Outstanding Requests:
 * msgid 47,  origid 47, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55a7da0307d0 request count 1 (abandoned 0)
** ld 0x55a7da0307d0 Response Queue:
   Empty
  ld 0x55a7da0307d0 response count 0
ldap_chkResponseList ld 0x55a7da0307d0 msgid 47 all 1
ldap_chkResponseList returns ld 0x55a7da0307d0 NULL
ldap_int_select
read1msg: ld 0x55a7da0307d0 msgid 47 all 1
read1msg: ld 0x55a7da0307d0 msgid 47 message type search-result
read1msg: ld 0x55a7da0307d0 0 new referrals
read1msg:  mark request completed, ld 0x55a7da0307d0 msgid 47
request done: ld 0x55a7da0307d0 msgid 47
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 47, msgid 47)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

API Connection:

2021-01-27 15:38:32,513 - pyzabbix - DEBUG - Sending: {
    "jsonrpc": "2.0",
    "method": "usergroup.get",
    "params": {
        "status": 0,
        "output": "extend"
    },
    "id": 2,
    "auth": "0994ff5fcd5eb4350fa1973319ac5c6a"
}

Media always defaulting to "Pushover"

While implementing this script we noticed that the media type of the user was always defaulting to "Pushover". This happened in the get_media_typeid function. When we do the call, we can see in the description of the json output that the value is set to "Email" for media Email. When changing the filter to 'Name' in the function it seems to work.

Also, wildcard for OpenLDAP not working.

Zabbix version 4.4.6

Script adds users to random group

@vryzhevsky: With the relatively new "alldirusergroup" flag, the script adds all found users reproducible to the same, but unconfigured group.
(https://github.com/zabbix-tooling/zabbix-ldap-sync/pull/33/files)

Config example:

[ldap]
type = activedirectory
uri = ldaps://adds.yoloapp.de:636/
base =  DC=yoloapp,DC=de
binduser = [email protected]
bindpass = sdkfjhksjdfkjkkkkjhkjh
groups = org_yolo_sre_regular:3,org_yolo_software_development_regular:1,org_yolo_software_development_srelight:3,org_yolo_customer_success_regular:6,org_yolo_finance_regular:6,org_yolo_+product_regular:6,org_yolo_marketing_regular:6
media = mail
ignore_tls_errors = true

[activedirectory]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (&(objectClass=user)(objectCategory=Person))
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = userPrincipalName

[zabbix]
server = https://zabbix.yolo.de
username = Admin
password = sdfskjdhfkjshdfkjsdfkkKHJKHKJKKKJHKJHKJH
auth = webform
alldirusergroup = yolo synced users
ignore_tls_errors = false

[user]
roleid = 6
timezone = Europe/Berlin
rows_per_page = 100
# display password when creating new users
show_password = true

[media]
name = Email (HTML) - Sendgrid
period = 1-7,06:30-22:00
# 1=disabled, 0=enabled
active = 1
severity = Disaster,High,Average
onlycreate = true

wildcard groups and zabbix 4.4

My configuration:

[ldap]
groups = DEV*

[user]
role = Zabbix user

Hi. I'm getting the following error when I try to use wildcard-search option with activedirectory based on samba:

Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 110, in main
zabbix_conn.create_missing_groups()
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 396, in create_missing_groups
name, _ = self._get_group_spec(group_spec)
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 602, in _get_group_spec
role_id = int(self._get_role_id(self.user_opt['role']))
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 68, in _get_role_id
for g in self._get_roles():
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 192, in _get_roles
result = self.conn.role.get(output='extend')
File "/opt/zabbix-ldap-sync-0.13/venv/lib64/python3.6/site-packages/pyzabbix/init.py", line 219, in fn
args or kwargs
File "/opt/zabbix-ldap-sync-0.13/venv/lib64/python3.6/site-packages/pyzabbix/init.py", line 196, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Incorrect API "role".', -32602)

--deleteorphans does not work without alldirusergroup

When trying to use the older behavior of --delete-orphans without setting alldirusergroup, the script still attempts to create a group and fails:

(venv) root@host:~/zabbix-ldap-sync# /root/zabbix-ldap-sync/zabbix-ldap-sync --delete-orphans -f /root/zabbix-ldap-sync/zabbix-ldap.conf
2022-02-09 10:13:49 - INFO    - pyzabbix:68 - JSON-RPC Server Endpoint: https://1.2.3.4/api_jsonrpc.php
2022-02-09 10:13:49 - INFO    - pyzabbix:75 - Zabbix API version is: 5.4.1
2022-02-09 10:13:50 - INFO    - ZabbixConn:105 - Connected to Zabbix API Version 5.4.1
2022-02-09 10:13:50 - INFO    - ZabbixConn:406 - Creating Zabbix group None
Traceback (most recent call last):
  File "/root/zabbix-ldap-sync/zabbix-ldap-sync", line 115, in <module>
    main()
  File "/root/zabbix-ldap-sync/zabbix-ldap-sync", line 110, in main
    zabbix_conn.create_missing_groups()
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 408, in create_missing_groups
    grpid = self.create_group(eachGroup)
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 226, in create_group
    result = self.conn.usergroup.create(name=group)
  File "/root/zabbix-ldap-sync/venv/lib/python3.7/site-packages/pyzabbix/__init__.py", line 219, in fn
    args or kwargs
  File "/root/zabbix-ldap-sync/venv/lib/python3.7/site-packages/pyzabbix/__init__.py", line 196, in do_request
    raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1/name": a character string is expected.', -32602)

zabbix version check problem

Hi.
Script output on latest version:

2022-05-09 09:05:14 - INFO    - pyzabbix:75 - Zabbix API version is: 4.4.10
2022-05-09 09:05:14 - INFO    - ZabbixConn:104 - Connected to Zabbix API Version 4.4.10
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 115, in <module>
    main()
  File "./zabbix-ldap-sync", line 109, in main
    zabbix_conn.connect()
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 105, in connect
    if float(self.conn.api_version()) > 5.2:

Please also reopen my previous issue: #44

Adding media to newly created user fails

We've noticed an issue with Zabbix Server 5.0.8 and ldap-sync where a newly created user won't get the specified media entry added.

Error in question;

2021-04-21 15:48:00,967 - INFO - pyzabbix:65 - JSON-RPC Server Endpoint: https://zabbix.url/api_jsonrpc.php
2021-04-21 15:48:01,084 - INFO - ZabbixConn:69 - Connected to Zabbix API Version 5.0.8
2021-04-21 15:48:01,118 - INFO - ZabbixConn:309 - Creating Zabbix group ZabbixGroup
2021-04-21 15:48:01,155 - INFO - ZabbixConn:312 - Group ZabbixGroup created with groupid 41
2021-04-21 15:48:01,288 - INFO - ZabbixConn:393 - Updating user "[email protected]", adding to group "ZabbixGroup"
2021-04-21 15:48:03,480 - INFO - ZabbixConn:376 - Created user [email protected] and membership of Zabbix group >>ZabbixGroup<<
2021-04-21 15:48:04,095 - INFO - ZabbixConn:423 - Add media only on newly created users for group >>>ZabbixGroup<<<
2021-04-21 15:48:04,096 - INFO - ZabbixConn:440 - >>> Updating/create user media for "[email protected]", update "Email (HTML)"
Traceback (most recent call last):
  File "zabbix-ldap-sync", line 103, in <module>
    main()
  File "zabbix-ldap-sync", line 99, in main
    zabbix_conn.sync_users()
  File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 441, in sync_users
    self.update_media(each_user, self.media_name, sendto, media_opt_filtered)
  File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 253, in update_media
    mediatypeid = self.get_mediatype_id(description)
  File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 99, in get_mediatype_id
    raise Exception(f"Ambiguous media found, {len(result)} different medias")
Exception: Ambiguous media found, 0 different medias

configuration file for ldap contains the following;

[media]
description = Email
severity = Disaster, High, Average, Warning
active = 0
period = 1-7,00:00-24:00
onlycreate = true

It seems that the script tries to update the first user to be synced, and fails. Also, the media type description doesn't seem to match the configured media type description.

Usage instructions for CentOS 8

The recommended OS is CentOS for Zabbix and thus the instructions should be for it too.

What libraries do I need to install?

    gcc -pthread -Wno-unused-result -Wsign-compare -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DHAVE_SASL -DHAVE_TLS -DHAVE_LIBLDAP_R -DHAVE_LIBLDAP_R -DLDAPMODULE_VERSION=3.3.1 -DLDAPMODULE_AUTHOR=python-ldap project -DLDAPMODULE_LICENSE=Python style -IModules -I/home/sm/zabbix-ldap-sync/venv/include -I/usr/include/python3.6m -c Modules/LDAPObject.c -o build/temp.linux-x86_64-3.6/Modules/LDAPObject.o
    In file included from Modules/LDAPObject.c:3:
    Modules/common.h:15:10: fatal error: lber.h: No such file or directory
     #include <lber.h>
              ^~~~~~~~
    compilation terminated.
    error: command 'gcc' failed with exit status 1

Correct LDAP Credentials and Validated but getting error ldap.INVALID_CREDENTIALS

Hello,
I was able to install all dependencies and ran my first sync; however, I am getting an invalid credentials error. I know that the credential is correct since I used it to create the LDAP bind on the Zabbix portal. Is there a restriction as to what type of characters are allowed in the LDAP password entry?

Full STDERR:
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 115, in <module>
    main()
  File "./zabbix-ldap-sync", line 107, in main
    ldap_conn.connect()
  File "/home/myuser/zabbix-ldap-sync/lib/ldapconn.py", line 57, in connect
    self.conn.simple_bind_s(self.ldap_user, self.ldap_pass)
  File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 249, in simple_bind_s
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
  File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 546, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 553, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
    result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563'}

Creating user in zabbix from AD when surname is empty

When a user in AD has an empty surname, the program generates an AttributeError:

Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 92, in <module>
    main()
  File "./zabbix-ldap-sync", line 89, in main
    zabbix_conn.sync_users()
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 369, in sync_users
    user['surname'] = self.ldap_conn.get_user_sn(ldap_users[eachUser]).decode('utf8')
AttributeError: 'NoneType' object has no attribute 'decode'

`--dry-run` does Zabbix interaction anyway

I'm not sure how official that parameter is yet, since it's only in the usage but not in the README.

Anyway, it doesn't seem to have an effect for me. It created the groups happily anyway :)

Is this expected?

alldirusergroup

I was running your excellent script fine until just recently it complained (after an update):

No option 'alldirusergroup' in section: 'zabbix'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/configparser.py", line 789, in get
    value = d[option]
  File "/usr/lib64/python3.6/collections/__init__.py", line 883, in __getitem__
    return self.__missing__(key)            # support subclasses that define __missing__
  File "/usr/lib64/python3.6/collections/__init__.py", line 875, in __missing__
    raise KeyError(key)
KeyError: 'alldirusergroup'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/zabbix-ldap-sync/lib/zabbixldapconf.py", line 75, in __init__
    self.zbx_alldirusergroup = parser.get('zabbix', 'alldirusergroup')
  File "/usr/lib64/python3.6/configparser.py", line 792, in get
    raise NoOptionError(option, section)
configparser.NoOptionError: No option 'alldirusergroup' in section: 'zabbix'
Configuration issues detected in /data/.zbx-ldap-conf/CYC_Admins.cfg

Looking at the git, it seems a new parameter "alldirusergroup" has been added and is required, but I am not sure why it is there, why it is mandatory or indeed what it does.
I created the required "catch all" group in my Zabbix implementation and of course it works but personally I would rather not have such a group; if I delete users I want them deleted for security purposes not lingering in an unusable Zabbix group - is it possible to give more explanation of this parameter and more importantly can it be bypassed\made optional?

Many thanks.

STEVE

Exception: Ambiguous media 'Email' found, 7 different medias

On some accounts I got an error message like the one above. When I run the script again there is no error.

2022-05-31 14:57:30 - INFO    - ZabbixConn:592 - >>> Updating/create user media for "[email protected]", update "Email"
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 115, in <module>
    main()
  File "./zabbix-ldap-sync", line 111, in main
    zabbix_conn.sync_users()
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 593, in sync_users
    self.update_media(each_user, self.media_name, sendto, media_opt_filtered)
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 353, in update_media
    mediatypeid = self.get_mediatype_id(description)
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 154, in get_mediatype_id
    raise Exception(f"Ambiguous media '{name}' found, {len(result)} different medias")
Exception: Ambiguous media 'Email' found, 7 different medias

Zabbix server version: 4.0
Media configuration:

[media]
name = Email
severity = Disaster,High,Average,Warning
period = 1-7,00:07-22:00
# 1=disabled, 0=enabled
active = 0
onlycreate = true

zabbix-ldap-sync : command not found

can't run the script with
zabbix-ldap-sync -f /home/user/zabbix-ldap-sync-master/zabbix-ldap.conf
get an error of zabbix-ldap-sync : command not found

Unable to delete users from group if 'alldirusergroup' option isn't set.

We don't care about the "audit" trail and left the alldirusergroup option out of our configuration. This causes an issue because there's a check against zabbix_alldirusergroup_users when looking for accounts to delete. In this case, it will never delete any users that no longer exist in the AD group, which in turn causes other issues downstream, for example when trying to do media sync.

Basically the error below is a downstream consequence, because the user doesn't exist in the LDAP group anymore but hasn't been removed prior to the media sync.

Traceback (most recent call last):
  File "/var/lib/zabbix/zabbix-ldap-sync/zabbix-ldap-sync", line 115, in <module>
    main()
  File "/var/lib/zabbix/zabbix-ldap-sync/zabbix-ldap-sync", line 111, in main
    zabbix_conn.sync_users()
  File "/data00/zabbix/zabbix-ldap-sync/lib/zabbixconn.py", line 590, in sync_users
    if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):
KeyError: 'cwalls'

I was able to work around this issue by commenting out lines 540 and 541 in lib/zabbixconn.py; see screenshot below. There should probably be a better long-term option, which is why I'm opening this issue. This at least allows me to automatically clean up deleted users as expected.

image

Typo in README | Severity attribute type

Current

[media]
description = Email
active = 0
period = 1-5,07:00-22:00
severity = Disaster, High, Average, Warning, Information, Not Classified
onlycreate = true

Expected

[media]
description = Email
active = 0
period = 1-5,07:00-22:00
severity = 63
#Disaster, High, Average, Warning, Information, Not Classified
onlycreate = true

Zabbix 5.4 API change

Hello,
I am trying to configure ldap-sync but I get an error:

2021-06-02 09:46:39,489 - INFO - pyzabbix:65 - JSON-RPC Server Endpoint: http://myzabbixserver/zabbix/api_jsonrpc.php
2021-06-02 09:46:39,539 - INFO - ZabbixConn:69 - Connected to Zabbix API Version 5.4.0
Traceback (most recent call last):
  File "/etc/zabbix/zabbix-ldap-sync-master/zabbix-ldap-sync", line 103, in <module>
    main()
  File "/etc/zabbix/zabbix-ldap-sync-master/zabbix-ldap-sync", line 99, in main
    zabbix_conn.sync_users()
  File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 355, in sync_users
    zabbix_all_users = [x.lower() for x in self.get_users()]
  File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 81, in get_users
    users = [user['alias'] for user in result]
  File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 81, in <listcomp>
    users = [user['alias'] for user in result]
KeyError: 'alias'

When I tried to debug this I found a new change in the Zabbix API 5.4 release notes.
Can you please make a fix for this?

Changed field "alias" into "username"
https://support.zabbix.com/browse/ZBXNEXT-1215
https://support.zabbix.com/browse/ZBXNEXT-6474

Problem with Zabbix 6.4

Hello,
I am using your script on Zabbix server 6.4. I found a problem with an API change: https://support.zabbix.com/browse/ZBX-17955
In the update media function there needs to be a version check. I am not a programmer but this works for me:

if self.get_api_minor_version() >= 5.2:
    # API 5.2 and later: media entries are passed as "medias"
    result = self.conn.user.update(userid=str(userid), medias=[media_defaults])
elif self.get_api_minor_version() > 3.2:
    # Above 3.2 and below 5.2: the parameter is "user_medias"
    result = self.conn.user.update(userid=str(userid), user_medias=[media_defaults])
else:
    # 3.2 and older: replace the media entry through user.updatemedia
    self.delete_media_by_description(user, description)
    result = self.conn.user.updatemedia(users=[{"userid": str(userid)}], medias=media_defaults)

I have tested this on 6.4 and 6.2.9.
Please implement this.
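The version reports above (the `float()` check on `4.4.10`, `alias` becoming `username` in 5.4, and the media parameter changing by release) can be handled by one version-aware helper. This is an added example, not the project's code: the function names are hypothetical and the thresholds are the ones stated in the reports above.

```python
import re

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_api_version(text):
    """'4.4.10' -> (4, 4, 10). float('4.4.10') raises ValueError instead."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised Zabbix API version: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def user_name_field(version):
    """Login-name field: 'alias' before 5.4, 'username' from 5.4 on."""
    return "username" if parse_api_version(version)[:2] >= (5, 4) else "alias"


def extract_usernames(version, rows):
    """Read login names from user.get rows, failing with a clear message."""
    field = user_name_field(version)
    missing = [row for row in rows if field not in row]
    if missing:
        raise KeyError(f"{len(missing)} user rows lack {field!r} (API {version})")
    return [row[field] for row in rows]


def media_update_request(version, userid, media):
    """Return (method, params) for attaching one media entry to a user."""
    series = parse_api_version(version)[:2]
    if series >= (5, 2):
        return "user.update", {"userid": str(userid), "medias": [media]}
    if series > (3, 2):
        return "user.update", {"userid": str(userid), "user_medias": [media]}
    return "user.updatemedia", {"users": [{"userid": str(userid)}], "medias": media}


if __name__ == "__main__":
    # Constructed sample rows and media entry, not captured API output.
    rows_54 = [{"userid": "3", "username": "jdoe"}]
    media = {"mediatypeid": "1", "sendto": ["jdoe@example.test"]}
    for version in ("3.0.4", "4.4.10", "5.2.6", "5.4.0", "6.4.0"):
        method, params = media_update_request(version, 3, media)
        print(version, user_name_field(version), method, sorted(params))
    print(extract_usernames("5.4.0", rows_54))
```
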

hardcoded .lower() for usernames in zabbixconn.py

Subject.
Maybe it is for some reason, but in this case the option "--lowercase" is obsolete and confusing.
In fact, all usernames synced from LDAP are lowercased, which leads to problems when doing some automation utilizing third-party tools matching the real LDAP sAMAccountName with usernames (aliases) in Zabbix.
If it's done this way just because of a lack of time, maybe it would be better to leave usernames "as is" by default?

Unable to add the same user to multiple groups

Noticing that this should now be working, I tried to add a user to multiple groups. I am receiving the following error:

2021-04-15 15:07:36,146 - ZabbixConn - INFO - Connected to Zabbix API Version 5.2.6
2021-04-15 15:07:36,357 - ZabbixConn - INFO - Updating user "hicklc", adding to group "Zabbix ePC Operators"
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 102, in <module>
    main()
  File "./zabbix-ldap-sync", line 98, in main
    zabbix_conn.sync_users()
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 395, in sync_users
    self.update_user(each_user, zabbix_group_id)
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 222, in update_user
    userid = self.get_user_id(user['alias'])
TypeError: string indices must be integers

We are running the latest version of Zabbix (5.2.6) and I installed all requirements. Importing the same user to only 1 group works without issues.

Debian packaging: new release expected soon?

I want to package zabbix-ldap-sync for Debian and noticed that the last release 0.13 has been in Feb. 2022. Is there a release expected soon to incorporate the bugfixes since then?

requests.exceptions.SSLError

Hi ,

thank you for the quick fix last week.
I just enabled https now for the Zabbix API as this is required in our production environment.
Now I get :

[root@servername zabbix-ldap-sync]# ./zabbix-ldap-sync -n -f zabbix-ldap-AD-Group-Name.conf
2022-05-17 15:23:10 - INFO - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-17 15:23:10 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: https://zabbix-server-url/zabbix//api_jsonrpc.php
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 358, in connect
    ssl_context=context)
  File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 354, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='zabbix-server-url', port=443): Max retries exceeded with url: /zabbix//api_jsonrpc.php (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

Even if I set ignore_tls_errors = true, same issue...
I miss the "verify=False" option in the section Zabbix.
I don't have a clue either how to turn this off on the lower system level.
For ldaps it is ldap.conf but I'm not sure how to do it for the API https requests.

Thanks in advance,
Rob
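The configurations posted on this page store bind and API passwords next to options such as `ignore_tls_errors` and `show_password`, and some use `ldap://` or `http://` endpoints. The audit below is an added example, not part of the project: it uses only option names that appear on this page, the sample values are constructed, and the function names are hypothetical.

```python
import configparser
import os
import stat
from urllib.parse import urlparse

# Constructed sample using the option names from the configurations on this page.
SAMPLE_CONF = """\
[ldap]
uri = ldap://dc.example.test:389/
binduser = EXAMPLE\\svc-zabbix
bindpass = constructed-placeholder

[activedirectory]
filtergroup = (&(objectClass=group)(name=%s))

[zabbix]
server = http://zabbix.example.test
username = Admin
password = constructed-placeholder
ignore_tls_errors = true

[user]
show_password = true
"""


def audit_config(text, file_mode=None):
    """Return (option, finding) pairs for settings that weaken the sync job."""
    # interpolation=None: the LDAP filters contain a literal %s.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    if urlparse(parser.get("ldap", "uri", fallback="")).scheme == "ldap":
        findings.append(("ldap.uri", "simple bind password crosses the network "
                         "unencrypted unless StartTLS is negotiated"))
    if urlparse(parser.get("zabbix", "server", fallback="")).scheme == "http":
        findings.append(("zabbix.server", "API login sent over plain http"))
    if parser.getboolean("zabbix", "ignore_tls_errors", fallback=False):
        findings.append(("zabbix.ignore_tls_errors", "certificate errors are "
                         "ignored, so the API endpoint is not authenticated"))
    if parser.getboolean("user", "show_password", fallback=False):
        findings.append(("user.show_password", "passwords of newly created "
                         "users are displayed"))
    has_secret = (parser.has_option("ldap", "bindpass")
                  or parser.has_option("zabbix", "password"))
    if has_secret and file_mode is not None and file_mode & 0o077:
        findings.append(("file.mode", f"mode {file_mode:04o} lets other local "
                         "accounts read the stored passwords; use 0600"))
    return findings


def audit_file(path):
    """Audit a config file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    return audit_config(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for option, finding in audit_config(SAMPLE_CONF, file_mode=0o644):
        print(f"{option}: {finding}")
```

For the `CERTIFICATE_VERIFY_FAILED` case, verification can stay on by making the issuing CA trusted: `requests` honours the `REQUESTS_CA_BUNDLE` environment variable.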

Not able to delete users

Hi,
This project fell a little to the wayside, but now that we have some time to catch our breath, this is still an outstanding issue.
Here is our .conf file

cat zabbix-ldap-superadmins.conf
[ldap]
type = activedirectory
uri = ldap://subdomain.domain.com:389/
base =DC=subdomain,DC=domain,DC=com
binduser = domain\domain.account
bindpass = Password
groups = Zabbix Super Admins
media = mail

[activedirectory]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (objectClass=user)(objectCategory=Person)
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = sAMAccountName

[zabbix]
server = https://zabbix.subdomain.domain.com
username = zabbix.account
password = password
auth = webform

[user]
roleid = 3

[media]
description = Email (HTML)
active = 0
period = 1-5,07:00-22:00
severity = 56

update fails for zabbix4.0

Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 92, in <module>
    main()
  File "./zabbix-ldap-sync", line 89, in main
    zabbix_conn.sync_users()
  File "/usr/local/zabbix-ldap-sync/lib/zabbixconn.py", line 428, in sync_users
    self.update_media(eachUser, self.media_description, sendto, media_opt_filtered)
  File "/usr/local/zabbix-ldap-sync/lib/zabbixconn.py", line 263, in update_media
    result = self.conn.user.updatemedia(users=[{"userid": str(userid)}], medias=media_defaults)
  File "/usr/lib/python3.6/site-packages/pyzabbix/__init__.py", line 157, in fn
    args or kwargs
  File "/usr/lib/python3.6/site-packages/pyzabbix/__init__.py", line 134, in do_request
    raise ZabbixAPIException(msg, response_json['error']['code'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Incorrect method "user.updatemedia".', -32602)
