
zabbix-tooling / zabbix-ldap-sync


This project forked from dnaeon/zabbix-ldap-sync


Sync Zabbix with LDAP directory server

License: BSD 3-Clause "New" or "Revised" License

Python 93.00% Makefile 3.88% Dockerfile 1.13% Shell 2.00%

zabbix-ldap-sync's Issues

Creating user in zabbix from AD when surname is empty

When a user in AD has an empty surname, the program generates an AttributeError:

Traceback (most recent call last):
File "./zabbix-ldap-sync", line 92, in
main()
File "./zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 369, in sync_users
user['surname'] = self.ldap_conn.get_user_sn(ldap_users[eachUser]).decode('utf8')
AttributeError: 'NoneType' object has no attribute 'decode'

ConfigParser issue

First of all thank you for the script. Works like a charm, saving me a lot of time.
I just have one recommendation. I'm using this script on CentOS 7.5 and initially I had some issues with ConfigParser. It seems CentOS/Red Hat doesn't like how config data is being parsed using ConfigParser.

# ./zabbix-ldap-sync --verbose -f zabbix-ldap.conf
'%' must be followed by '%' or '(', found: '%^Geks281%^'
Traceback (most recent call last):
  File "/root/zabbix-ldap-sync/lib/zabbixldapconf.py", line 43, in __init__
    self.ldap_passwd = parser.get('ldap', 'bindpass')
  File "/usr/lib64/python3.6/configparser.py", line 799, in get
    return self._interpolation.before_get(self, section, option, value, d)
  File "/usr/lib64/python3.6/configparser.py", line 394, in before_get
    self._interpolate_some(parser, option, L, value, section, defaults, 1)
  File "/usr/lib64/python3.6/configparser.py", line 444, in _interpolate_some
    "found: %r" % (rest,))
configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%^Geks281%^'
Configuration issues detected in zabbix-ldap.conf

So it is probably a good idea to change the way config data is being parsed, to RawConfigParser.
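The failure reported above can be reproduced offline. This is an added example, not code from the project: it parses three constructed `bindpass` values with `ConfigParser`'s default interpolation and with interpolation disabled. Besides the reported exception, it shows two cases where the default parser silently returns a different secret. The section and option names follow the config on this page; the host name and secrets are made up.

```python
import configparser

# Constructed secrets: none is a real credential; each exercises one '%' case.
SAMPLE_SECRETS = {
    "stray_percent": "%^Example281%^",   # '%' not followed by '%' or '('
    "double_percent": "100%%safe",       # '%%' is the escape for a single '%'
    "looks_like_ref": "pw%(uri)s!",      # '%(name)s' pulls in another option
}

# Constructed one-section config; only bindpass varies.
CONF_TEMPLATE = "[ldap]\nuri = ldaps://ldap.example.org:636/\nbindpass = {secret}\n"


def read_bindpass(secret, interpolation):
    """Parse the sample config and return bindpass, or the error class name."""
    parser = configparser.ConfigParser(interpolation=interpolation)
    parser.read_string(CONF_TEMPLATE.format(secret=secret))
    try:
        return parser.get("ldap", "bindpass")
    except configparser.InterpolationError as exc:
        return type(exc).__name__


def compare_parsers():
    """Return {case: (value with default interpolation, value with none)}."""
    default = configparser.BasicInterpolation()
    return {
        name: (read_bindpass(secret, default), read_bindpass(secret, None))
        for name, secret in SAMPLE_SECRETS.items()
    }


if __name__ == "__main__":
    for name, (interpolated, raw) in compare_parsers().items():
        print(f"{name:15} default={interpolated!r:40} raw={raw!r}")
```

`configparser.RawConfigParser()` behaves like `ConfigParser(interpolation=None)` here; either returns the password byte for byte as written in the file.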

zabbix-ldap-sync : command not found

Can't run the script with
zabbix-ldap-sync -f /home/user/zabbix-ldap-sync-master/zabbix-ldap.conf
I get an error of zabbix-ldap-sync : command not found

zabbix version check problem

Hi.
Script output on latest version:

2022-05-09 09:05:14 - INFO    - pyzabbix:75 - Zabbix API version is: 4.4.10
2022-05-09 09:05:14 - INFO    - ZabbixConn:104 - Connected to Zabbix API Version 4.4.10
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 115, in <module>
    main()
  File "./zabbix-ldap-sync", line 109, in main
    zabbix_conn.connect()
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 105, in connect
    if float(self.conn.api_version()) > 5.2:

Please also reopen my previous issue: #44

`--dry-run` does Zabbix interaction anyway

I'm not sure how official that parameter is yet, since it's only in the usage but not in the README.

Anyway, it doesn't seem to have an effect for me. It created the groups happily anyway :)

Is this expected?

wildcard groups and zabbix 4.4

My configuration:

[ldap]
groups = DEV*

[user]
role = Zabbix user

Hi. I'm getting the following error when I try to use wildcard-search option with activedirectory based on samba:

Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 110, in main
zabbix_conn.create_missing_groups()
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 396, in create_missing_groups
name, _ = self._get_group_spec(group_spec)
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 602, in _get_group_spec
role_id = int(self._get_role_id(self.user_opt['role']))
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 68, in _get_role_id
for g in self._get_roles():
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 192, in _get_roles
result = self.conn.role.get(output='extend')
File "/opt/zabbix-ldap-sync-0.13/venv/lib64/python3.6/site-packages/pyzabbix/init.py", line 219, in fn
args or kwargs
File "/opt/zabbix-ldap-sync-0.13/venv/lib64/python3.6/site-packages/pyzabbix/init.py", line 196, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Incorrect API "role".', -32602)

zabbix version value (ValueError)

Hello,

I have the following problem. I don't have any idea how to work around this.

./zabbix-ldap-sync -n -f zabbix-ldap-user.conf

2022-05-13 17:36:00 - INFO - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-13 17:36:01 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: http://localhost/zabbix//api_jsonrpc.php
2022-05-13 17:36:01 - INFO - pyzabbix:75 - Zabbix API version is: 5.0.15
2022-05-13 17:36:01 - INFO - ZabbixConn:104 - Connected to Zabbix API Version 5.0.15
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 109, in main
zabbix_conn.connect()
File "/opt/zabbix/zabbix-ldap-sync/lib/zabbixconn.py", line 105, in connect
if float(self.conn.api_version()) > 5.2:
ValueError: could not convert string to float: '5.0.15'
[root@dcfra-vision-vi-zbx-srv1 zabbix-ldap-sync]#

Thanks in advance
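One way to gate on the API version without `float()`, as an added example that is not the project's own code. The thresholds are the ones reported in the issues on this page (`type` replaced by `roleid` in 5.2, `alias` renamed to `username` in 5.4); the function names and the login `jdoe` are hypothetical. `build_user` refuses to build a user when the privilege field for that version is missing from the `[user]` options, rather than falling back to a default.

```python
import re

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_api_version(text):
    """'5.0.15' -> (5, 0, 15); a missing patch level counts as 0."""
    match = _VERSION_RE.match(text)
    if match is None:
        raise ValueError(f"unrecognised Zabbix API version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def float_gate(api_version):
    """The comparison from the traceback: float('5.0.15') raises ValueError."""
    return float(api_version) > 5.2


def user_schema(api_version):
    """Pick the user field names for this API version (thresholds from this page)."""
    version = parse_api_version(api_version)
    return {
        "login_field": "username" if version >= (5, 4, 0) else "alias",
        "privilege_field": "roleid" if version >= (5, 2, 0) else "type",
    }


def build_user(api_version, login, user_opt):
    """Build the version-dependent user fields from the [user] config options.

    Raises KeyError if the option required for this version is not configured,
    so a user is never created with an implicit privilege level.
    """
    schema = user_schema(api_version)
    field = schema["privilege_field"]
    if field not in user_opt:
        raise KeyError(f"[user] section needs '{field}' for Zabbix API {api_version}")
    return {schema["login_field"]: login, field: int(user_opt[field])}


if __name__ == "__main__":
    # Version strings taken from the logs on this page; options are constructed.
    for version, opts in [("4.0.37", {"type": "1"}),
                          ("5.2.6", {"roleid": "3"}),
                          ("6.0.3", {"roleid": "3"})]:
        print(version, parse_api_version(version), build_user(version, "jdoe", opts))
```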

Multiple media

Hello,
I want to ask if it's possible to implement multiple media per user.
Benefit is only one script for multiple media types.
In config something like:

[ldap]
media1 = mail
media2 = mobile
media3 = mobile

[media1]
name = Email (HTML)
description = Email (HTML)
active = 0

[media2]
name = VoIP
description = VoIP
active = 0

[media3]
name = SMS
description = SMS
active = 0

I have read and tried the solution of creating multiple configs with different media, as suggested in bug issue #17 and #8, but it doesn't work. Each config file just replaces the media for the created user instead of updating another media.
I have used latest master build. Thx in advance.

Correct LDAP Credentials and Validated but getting error ldap.INVALID_CREDENTIALS

Hello,
I was able to install all dependencies and ran my first sync; however, I am getting an invalid credentials error. I know that the credential is correct since I used it to create the LDAP bind on the Zabbix portal. Is there a restriction as to what type of characters are allowed in the ldap password entry?

Full STDERR:
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 107, in main
ldap_conn.connect()
File "/home/myuser/zabbix-ldap-sync/lib/ldapconn.py", line 57, in connect
self.conn.simple_bind_s(self.ldap_user, self.ldap_pass)
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 249, in simple_bind_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 546, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 553, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563'}

problem with zabbix 4.0,4.4 - script tries to use role instead of type

Current config:
...
[ldap]
groups = Support
[user]
type = 1
...

[root@zabbix zabbix-ldap-sync]# ./zabbix-ldap-sync --skip-disabled -f zabbix-ldap.conf --dryrun
2022-05-31 11:16:00 - INFO    - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-31 11:16:00 - INFO    - pyzabbix:68 - JSON-RPC Server Endpoint: https://zabbix-server/zabbix/api_jsonrpc.php
2022-05-31 11:16:00 - INFO    - pyzabbix:75 - Zabbix API version is: 4.0.37
2022-05-31 11:16:00 - INFO    - ZabbixConn:112 - Connected to Zabbix API Version 4.0.37
2022-05-31 11:16:00 - CRITICAL - ZabbixConn:619 - No default role specified

Script tries to use user role instead of user type on older zabbix versions.

Unable to delete users from group if 'alldirusergroup' option isn't set.

We don't care about "audit" trail and left the alldirusergroup option out of our configuration. This causes an issue because there's a check against zabbix_alldirusergroup_users when looking for accounts to delete. In this case, it will never delete any users that no longer exist in the AD group. Which in turn causes other issues downstream, for example when trying to do media sync.

Basically the error below is a downstream consequence, because the user doesn't exist in the LDAP group anymore but hasn't been removed prior to the media sync.

Traceback (most recent call last):
File "/var/lib/zabbix/zabbix-ldap-sync/zabbix-ldap-sync", line 115, in
main()
File "/var/lib/zabbix/zabbix-ldap-sync/zabbix-ldap-sync", line 111, in main
zabbix_conn.sync_users()
File "/data00/zabbix/zabbix-ldap-sync/lib/zabbixconn.py", line 590, in sync_users
if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):
KeyError: 'cwalls'

I was able to work around this issue by commenting out lines 540 and 541 in lib/zabbixconn.py; see screenshot below. There should probably be a better long term option, which is why I'm opening this issue. This at least allows me to automatically clean up deleted users as expected.

image

requests.exceptions.SSLError

Hi,

thank you for the quick fix last week.
I just enabled https now for the Zabbix API as this is required in our production environment.
Now I get :

[root@servername zabbix-ldap-sync]# ./zabbix-ldap-sync -n -f zabbix-ldap-AD-Group-Name.conf
2022-05-17 15:23:10 - INFO - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-17 15:23:10 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: https://zabbix-server-url/zabbix//api_jsonrpc.php
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
chunked=chunked)
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 839, in validate_conn
conn.connect()
File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 358, in connect
ssl_context=context)
File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 354, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
_context=self, _session=session)
File "/usr/lib64/python3.6/ssl.py", line 776, in init
self.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='zabbix-server-url', port=443): Max retries exceeded with url: /zabbix//api_jsonrpc.php (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))

Even if I set ignore_tls_errors = true, same issue...
I miss the "verify=False" option in the section Zabbix.
I don't have a clue either how to turn this off at the lower system level.
For ldaps it is ldap.conf but I'm not sure how to do it for the API https requests.

Thanks in advance,
Rob

Not working with zabbix 6.0

Hi @blodone, I am getting the below error while trying it with Zabbix 6

Seems like the group is created but the users are not.

ldap.FILTER_ERROR: {'result': -7, 'desc': 'Bad search filter', 'ctrls': []}

Adding media to newly created user fails

We've noticed an issue with Zabbix Server 5.0.8 and ldap-sync where a newly created user won't get the specified media entry added.

Error in question;

2021-04-21 15:48:00,967 - INFO - pyzabbix:65 - JSON-RPC Server Endpoint: https://zabbix.url/api_jsonrpc.php
2021-04-21 15:48:01,084 - INFO - ZabbixConn:69 - Connected to Zabbix API Version 5.0.8
2021-04-21 15:48:01,118 - INFO - ZabbixConn:309 - Creating Zabbix group ZabbixGroup
2021-04-21 15:48:01,155 - INFO - ZabbixConn:312 - Group ZabbixGroup created with groupid 41
2021-04-21 15:48:01,288 - INFO - ZabbixConn:393 - Updating user "[email protected]", adding to group "ZabbixGroup"
2021-04-21 15:48:03,480 - INFO - ZabbixConn:376 - Created user [email protected] and membership of Zabbix group >>ZabbixGroup<<
2021-04-21 15:48:04,095 - INFO - ZabbixConn:423 - Add media only on newly created users for group >>>ZabbixGroup<<<
2021-04-21 15:48:04,096 - INFO - ZabbixConn:440 - >>> Updating/create user media for "[email protected]", update "Email (HTML)"
Traceback (most recent call last):
File "zabbix-ldap-sync", line 103, in
main()
File "zabbix-ldap-sync", line 99, in main
zabbix_conn.sync_users()
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 441, in sync_users
self.update_media(each_user, self.media_name, sendto, media_opt_filtered)
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 253, in update_media
mediatypeid = self.get_mediatype_id(description)
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 99, in get_mediatype_id
raise Exception(f"Ambiguous media found, {len(result)} different medias")
Exception: Ambiguous media found, 0 different medias

configuration file for ldap contains the following;

[media]
description = Email
severity = Disaster, High, Average, Warning
active = 0
period = 1-7,00:00-24:00
onlycreate = true

It seems that the script tries to update the first user to be synced, and fails. Also the media type description doesn't seem to match the configured media type description.

Doesn't work with more than one media type

Can't configure it to work with more than one media type. Could anyone please share a config that works with more than one media to sync? (e.g. Email and SMS).
When I use:

[media]
description = Email, SMS
active = 0
period = 1-7,00:00-24:00
severity = 63
onlycreate = false

I get the result that mobile phones are properly inserted as Emails :(

Typo in README | Severity attribute type

Current

[media]
description = Email
active = 0
period = 1-5,07:00-22:00
severity = Disaster, High, Average, Warning, Information, Not Classified
onlycreate = true

Expected

[media]
description = Email
active = 0
period = 1-5,07:00-22:00
severity = 63
#Disaster, High, Average, Warning, Information, Not Classified
onlycreate = true

KeyError during update of media

When a user is removed from an LDAP group but orphans are not deleted, the subsequent media update tries to access a user that does not exist:

if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):

Here, each_user is an element of zabbix_group_users which might contain users who are not present in the LDAP group anymore but have not been deleted before (in `absent_users = set(zabbix_group_users) - set(list(ldap_users.keys()))`).

Exception: Ambiguous media 'Email' found, 7 different medias

On some accounts I got an error message like the one above. When I run the script again there is no error.

2022-05-31 14:57:30 - INFO    - ZabbixConn:592 - >>> Updating/create user media for "[email protected]", update "Email"
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 115, in <module>
    main()
  File "./zabbix-ldap-sync", line 111, in main
    zabbix_conn.sync_users()
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 593, in sync_users
    self.update_media(each_user, self.media_name, sendto, media_opt_filtered)
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 353, in update_media
    mediatypeid = self.get_mediatype_id(description)
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 154, in get_mediatype_id
    raise Exception(f"Ambiguous media '{name}' found, {len(result)} different medias")
Exception: Ambiguous media 'Email' found, 7 different medias

Zabbix server version: 4.0
Media configuration:

[media]
name = Email
severity = Disaster,High,Average,Warning
period = 1-7,00:07-22:00
# 1=disabled, 0=enabled
active = 0
onlycreate = true

Unable to add the same user to multiple groups

Noticing that this should now be working, I tried to add a user to multiple groups. I am receiving the following error:

2021-04-15 15:07:36,146 - ZabbixConn - INFO - Connected to Zabbix API Version 5.2.6
2021-04-15 15:07:36,357 - ZabbixConn - INFO - Updating user "hicklc", adding to group "Zabbix ePC Operators"
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 102, in <module>
    main()
  File "./zabbix-ldap-sync", line 98, in main
    zabbix_conn.sync_users()
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 395, in sync_users
    self.update_user(each_user, zabbix_group_id)
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 222, in update_user
    userid = self.get_user_id(user['alias'])
TypeError: string indices must be integers

We are running the latest version of Zabbix (5.2.6) and I installed all requirements. Importing the same user to only 1 group works without issues.

[Feature] Add role lookups

The "groups" in "ldap" and the "roleid" use numeric roles.

Since Zabbix allows the definition of individual roles, it might be suitable to resolve the id from role names.

Debian packaging: new release expected soon?

I want to package zabbix-ldap-sync for Debian and noticed that the last release, 0.13, was in Feb. 2022. Is there a release expected soon to incorporate the bugfixes since then?

Not able to delete users

Hi,
This project fell a little to the wayside, but now that we have some time to catch our breath, this is still an outstanding issue.
Here is our .conf file

cat zabbix-ldap-superadmins.conf
[ldap]
type = activedirectory
uri = ldap://subdomain.domain.com:389/
base =DC=subdomain,DC=domain,DC=com
binduser = domain\domain.account
bindpass = Password
groups = Zabbix Super Admins
media = mail

[activedirectory]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (objectClass=user)(objectCategory=Person)
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = sAMAccountName

[zabbix]
server = https://zabbix.subdomain.domain.com
username = zabbix.account
password = password
auth = webform

[user]
roleid = 3

[media]
description = Email (HTML)
active = 0
period = 1-5,07:00-22:00
severity = 56

Zabbix 5.2 replaced user property `type` with `roleid`.

The zabbix-ldap-sync script fails when creating users with Zabbix 5.2 api.

The fix is to change type to roleid in the create_user function within lib/zabbixconn.py and in the user stanza of any configuration files. This change is not backwards compatible with Zabbix versions < 5.2.


Here's more info about the change from type property to roleid in the user object:

USER
Changes:
ZBXNEXT-6148 user.create, user.update, user.get: dropped support of type property.

USER
Changes:
ZBXNEXT-6148 user.create, user.update, user.get: added new property roleid.

User object - 5.2 (diff)


Here's the traceback that occurs as soon as the script tries to create a user:

Traceback (most recent call last):
  File "/opt/zabbix-ldap-sync/zabbix-ldap-sync", line 112, in <module>
    main()
  File "/opt/zabbix-ldap-sync/zabbix-ldap-sync", line 109, in main
    zabbix_conn.sync_users()
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 376, in sync_users
    self.create_user(user, zabbix_grpid, self.user_opt)
  File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 185, in create_user
    result = self.conn.user.create(user)
  File "/opt/zabbix-ldap-sync/lib/python3.6/site-packages/pyzabbix/__init__.py", line 192, in fn
    args or kwargs
  File "/opt/zabbix-ldap-sync/lib/python3.6/site-packages/pyzabbix/__init__.py", line 169, in do_request
    raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1": unexpected parameter "type".', -32602)

Zabbix 5.4 API change

Hello,
I am trying to configure ldap-sync but I get an error:

2021-06-02 09:46:39,489 - INFO - pyzabbix:65 - JSON-RPC Server Endpoint: http://myzabbixserver/zabbix/api_jsonrpc.php
2021-06-02 09:46:39,539 - INFO - ZabbixConn:69 - Connected to Zabbix API Version 5.4.0
Traceback (most recent call last):
File "/etc/zabbix/zabbix-ldap-sync-master/zabbix-ldap-sync", line 103, in
main()
File "/etc/zabbix/zabbix-ldap-sync-master/zabbix-ldap-sync", line 99, in main
zabbix_conn.sync_users()
File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 355, in sync_users
zabbix_all_users = [x.lower() for x in self.get_users()]
File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 81, in get_users
users = [user['alias'] for user in result]
File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 81, in
users = [user['alias'] for user in result]
KeyError: 'alias'

When I tried to debug this I found a new change in the Zabbix API 5.4 release notes.
Can you please make a fix for this?

Changed field "alias" into "username"
https://support.zabbix.com/browse/ZBXNEXT-1215
https://support.zabbix.com/browse/ZBXNEXT-6474

Media always defaulting to "Pushover"

While implementing this script we noticed that the media type of the user was always defaulting to "Pushover". This happened in the get_media_typeid function. When we do the call, we can see in the description of the json output that the value is set to "Email" for media Email. When changing the filter to 'Name' in the function it seems to work.

Also, wildcard for OpenLDAP not working.

Zabbix version 4.4.6

Add option to trim full DN

Hi!
We are using FreeIPA as LDAP Auth Service.
With this line we are facing a problem when memberid contains the full DN of the account

memberid = memberid.decode("utf-8")

As a quick hack

memberid = memberid.decode("utf-8")
memberid = memberid.split(',')[0]

Config is

[openldap]
type = posix
filtergroup = (&(objectClass=posixGroup)(cn=%s))
filteruser = (&(objectClass=posixAccount)(%s))
groupattribute = member
userattribute = uid

Maybe add an option to choose whether to cut or not?

LDAP query returns "empty result" while same query with ldapsearch works

Our (munged) config:

[ldap]
type = activedirectory
uri = ldaps://server01.domain.local:636/
base = dc=domain,dc=local
binduser = DOMAIN\zabbix_ldap
bindpass = <the_pass>
groups = Company Employees

[ad]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (objectClass=user)(objectCategory=Person)
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = sAMAccountName

When I use ldapsearch to query server01.domain.local using the filters as shown above, I get the list of users and groups that I expect (although I don't seem to be able to combine e.g. filteruser and filtermemberof, so I expect those matches are done in code?). Therefore I expect (hope) that the config I'm supplying is correct.

When I run zabbix-ldap-sync in verbose mode, I see:

[ldaps connection success omitted]

** ld 0x1d770b0 Connections:
* host: server01.domain.local  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Tue Apr  2 16:46:11 2019


** ld 0x1d770b0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1d770b0 request count 1 (abandoned 0)
** ld 0x1d770b0 Response Queue:
   Empty
  ld 0x1d770b0 response count 0
ldap_chkResponseList ld 0x1d770b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1d770b0 NULL
ldap_int_select
read1msg: ld 0x1d770b0 msgid 1 all 1
read1msg: ld 0x1d770b0 msgid 1 message type bind
read1msg: ld 0x1d770b0 0 new referrals
read1msg:  mark request completed, ld 0x1d770b0 msgid 1
request done: ld 0x1d770b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree

Since I'm not that good at Python.. At which step can I add a "print" to see the query that is used?

Media issues with zabbix 4.0 API

2019-02-25 16:35:21,832 - INFO - Updating user "Username", adding to group "Group"
2019-02-25 16:35:22,024 - INFO - Add media only on newly created users for group >>>Group <<<
2019-02-25 16:35:22,024 - INFO - Add media only on newly created users for group >>>Group<<<
2019-02-25 16:35:22,024 - INFO - >>> Updating/create user media for "Username", update "Email"
2019-02-25 16:35:22,024 - INFO - >>> Updating/create user media for "Username", update "Email"
Traceback (most recent call last):
File "zabbix-ldap-sync", line 92, in
main()
File "zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/lib/zabbixconn.py", line 444, in sync_users
self.update_media(eachUser, self.media_description, sendto, media_opt_filtered)
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/lib/zabbixconn.py", line 274, in update_media
result = self.conn.user.update(userid=str(userid), user_medias=[media_defaults])
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/venv/lib/python3.4/site-packages/pyzabbix/init.py", line 157, in fn
args or kwargs
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/venv/lib/python3.4/site-packages/pyzabbix/init.py", line 134, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1/user_medias/1": unexpected parameter "onlycreate".', -32602)

Issue with Zabbix 6.0

Hello, while we were using this solution flawlessly in Zabbix 5.0, as soon as we upgraded to 6.0 it stopped working.

The given error is as follows:

[zabbix_prod@033 ~]$ /opt/sync-ad-ldap/zabbix-ldap-sync -sd -f /opt/sync-ad-ldap/zabbix-ldap.conf
2022-05-02 11:11:59 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: http://10.0.0.23/zabbix//api_jsonrpc.php
2022-05-02 11:11:59 - INFO - pyzabbix:75 - Zabbix API version is: 6.0.3
2022-05-02 11:11:59 - INFO - ZabbixConn:68 - Connected to Zabbix API Version 6.0.3
Traceback (most recent call last):
File "/opt/sync-ad-ldap/zabbix-ldap-sync", line 115, in
main()
File "/opt/sync-ad-ldap/zabbix-ldap-sync", line 111, in main
zabbix_conn.sync_users()
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 338, in sync_users
zabbix_all_users = self.get_users()
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 80, in get_users
users = [user['alias'] for user in result]
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 80, in
users = [user['alias'] for user in result]
KeyError: 'alias'

Any ideas on what it could be?

update fails for zabbix4.0

Traceback (most recent call last):
File "./zabbix-ldap-sync", line 92, in
main()
File "./zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/usr/local/zabbix-ldap-sync/lib/zabbixconn.py", line 428, in sync_users
self.update_media(eachUser, self.media_description, sendto, media_opt_filtered)
File "/usr/local/zabbix-ldap-sync/lib/zabbixconn.py", line 263, in update_media
result = self.conn.user.updatemedia(users=[{"userid": str(userid)}], medias=media_defaults)
File "/usr/lib/python3.6/site-packages/pyzabbix/init.py", line 157, in fn
args or kwargs
File "/usr/lib/python3.6/site-packages/pyzabbix/init.py", line 134, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Incorrect method "user.updatemedia".', -32602)

KeyError message during sync on a particular user

Hello,

while running the script, I get an error message when the sync gets to a particular user:

2018-05-29 15:36:15,262 - INFO - >>> Updating/create user media for "user1", update "Email"
2018-05-29 15:36:15,262 - INFO - >>> Updating/create user media for "user1", update "Email"
2018-05-29 15:36:15,664 - INFO - Remove other exist media from user user2 (type=Email)
2018-05-29 15:36:15,664 - INFO - Remove other exist media from user user2 (type=Email)
2018-05-29 15:36:15,810 - INFO - >>> Updating/create user media for "user3", update "Email"
2018-05-29 15:36:15,810 - INFO - >>> Updating/create user media for "user3", update "Email"
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 92, in
main()
File "./zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/home/.../zabbix-ldap-sync-master/lib/zabbixconn.py", line 419, in sync_users
sendto = self.ldap_conn.get_user_media(ldap_users[eachUser], self.ldap_media).decode("utf8")
KeyError: 'user3'

Can anybody help me?

Error when script is attempting to remove the user.

We are running the latest Zabbix version 5.2.6. I downloaded and installed the requirements, and I was able to import the users in the Active Directory group. However, when I removed a user and ran the sync, I get the following error:

2021-04-15 15:00:52,276 - ZabbixConn - INFO - Connected to Zabbix API Version 5.2.6
2021-04-15 15:00:52,481 - ZabbixConn - INFO - Users in group Zabbix Super Admins which are not found in LDAP group:
2021-04-15 15:00:52,481 - ZabbixConn - INFO - User not in ldap group "werschmannj"
2021-04-15 15:00:52,482 - ZabbixConn - INFO - Update media on all users for group >>>Zabbix Super Admins<<<
2021-04-15 15:00:52,541 - ZabbixConn - INFO - >>> Updating/create user media for "muellervo", update "Email (HTML)"
2021-04-15 15:00:52,757 - ZabbixConn - INFO - >>> Updating/create user media for "hicklc", update "Email (HTML)"
2021-04-15 15:00:52,970 - ZabbixConn - INFO - >>> Updating/create user media for "werschmannj", update "Email (HTML)"
Traceback (most recent call last):
  File "./zabbix-ldap-sync", line 102, in <module>
    main()
  File "./zabbix-ldap-sync", line 98, in main
    zabbix_conn.sync_users()
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 436, in sync_users
    if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):
KeyError: 'werschmannj'

Is there a setting I missed somewhere?
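The `KeyError` reports on this page share one cause: the media sync iterates over Zabbix group members that are no longer in the LDAP result. The sketch below is an added example, not the project's code. It plans a group sync so that such members are never looked up and are reported as stale access when they are not removed, and it reads LDAP attributes without the `None.decode()` failure from the empty-surname issue. Function names, logins and addresses are constructed.

```python
def first_value(entry, attribute, encoding="utf8"):
    """Return the first value of an LDAP attribute as str, or None if absent.

    python-ldap style entries map attribute names to lists of bytes; a user
    without a surname or mail address simply has no such key.
    """
    values = entry.get(attribute) or []
    if not values:
        return None
    value = values[0]
    return value.decode(encoding) if isinstance(value, bytes) else value


def plan_group_sync(zabbix_group_users, ldap_users, media_attribute, delete_orphans):
    """Decide what to do with each Zabbix group member.

    zabbix_group_users: logins currently in the Zabbix group
    ldap_users:         {login: LDAP entry} for current members of the LDAP group
    """
    ldap_logins = set(ldap_users)
    # Members that left the LDAP group: never index ldap_users with these.
    stale = sorted(u for u in zabbix_group_users if u not in ldap_logins)

    update_media, no_media_value = {}, []
    for login in zabbix_group_users:
        if login not in ldap_logins:
            continue
        sendto = first_value(ldap_users[login], media_attribute)
        if sendto:
            update_media[login] = sendto
        else:
            no_media_value.append(login)

    return {
        "add": sorted(ldap_logins - set(zabbix_group_users)),
        "update_media": update_media,
        "no_media_value": no_media_value,
        "remove": stale if delete_orphans else [],
        # Still able to log in to Zabbix although removed from the directory
        # group; worth logging or alerting on when orphans are not deleted.
        "stale_access": [] if delete_orphans else stale,
    }


# Constructed sample data: carol left the LDAP group, bob has no mail attribute.
SAMPLE_ZABBIX_GROUP = ["alice", "bob", "carol"]
SAMPLE_LDAP_USERS = {
    "alice": {"mail": [b"alice@example.org"], "sn": [b"Example"]},
    "bob": {"givenName": [b"Bob"]},
    "dave": {"mail": [b"dave@example.org"]},
}

if __name__ == "__main__":
    for orphans in (False, True):
        print(orphans, plan_group_sync(SAMPLE_ZABBIX_GROUP, SAMPLE_LDAP_USERS,
                                       "mail", delete_orphans=orphans))
```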

Script adds users to random group

@vryzhevsky: With the relatively new "alldirusergroup" flag, the script reproducibly adds all found users to the same, but unconfigured, group.
(https://github.com/zabbix-tooling/zabbix-ldap-sync/pull/33/files)

Config example:

[ldap]
type = activedirectory
uri = ldaps://adds.yoloapp.de:636/
base =  DC=yoloapp,DC=de
binduser = [email protected]
bindpass = sdkfjhksjdfkjkkkkjhkjh
groups = org_yolo_sre_regular:3,org_yolo_software_development_regular:1,org_yolo_software_development_srelight:3,org_yolo_customer_success_regular:6,org_yolo_finance_regular:6,org_yolo_+product_regular:6,org_yolo_marketing_regular:6
media = mail
ignore_tls_errors = true

[activedirectory]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (&(objectClass=user)(objectCategory=Person))
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = userPrincipalName

[zabbix]
server = https://zabbix.yolo.de
username = Admin
password = sdfskjdhfkjshdfkjsdfkkKHJKHKJKKKJHKJHKJH
auth = webform
alldirusergroup = yolo synced users
ignore_tls_errors = false

[user]
roleid = 6
timezone = Europe/Berlin
rows_per_page = 100
# display password when creating new users
show_password = true

[media]
name = Email (HTML) - Sendgrid
period = 1-7,06:30-22:00
# 1=disabled, 0=enabled
active = 1
severity = Disaster,High,Average
onlycreate = true

hardcoded .lower() for usernames in zabbixconn.py

Subject.
Maybe this is for some reason, but in this case the option "--lowercase" is obsolete and confusing.
In fact all usernames synced from LDAP are lowercased, which leads to problems when doing some automation utilizing third-party tools that match the real LDAP sAMAccountName with usernames (aliases) in Zabbix.
If it's done this way just because of a lack of time, maybe it would be better to leave usernames "as is" by default?

--deleteorphans does not work without alldirusergroup

When trying to use the older behavior of --delete-orphans without setting alldirusergroup, the script still attempts to create a group and fails:

(venv) root@host:~/zabbix-ldap-sync# /root/zabbix-ldap-sync/zabbix-ldap-sync --delete-orphans -f /root/zabbix-ldap-sync/zabbix-ldap.conf
2022-02-09 10:13:49 - INFO    - pyzabbix:68 - JSON-RPC Server Endpoint: https://1.2.3.4/api_jsonrpc.php
2022-02-09 10:13:49 - INFO    - pyzabbix:75 - Zabbix API version is: 5.4.1
2022-02-09 10:13:50 - INFO    - ZabbixConn:105 - Connected to Zabbix API Version 5.4.1
2022-02-09 10:13:50 - INFO    - ZabbixConn:406 - Creating Zabbix group None
Traceback (most recent call last):
  File "/root/zabbix-ldap-sync/zabbix-ldap-sync", line 115, in <module>
    main()
  File "/root/zabbix-ldap-sync/zabbix-ldap-sync", line 110, in main
    zabbix_conn.create_missing_groups()
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 408, in create_missing_groups
    grpid = self.create_group(eachGroup)
  File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 226, in create_group
    result = self.conn.usergroup.create(name=group)
  File "/root/zabbix-ldap-sync/venv/lib/python3.7/site-packages/pyzabbix/__init__.py", line 219, in fn
    args or kwargs
  File "/root/zabbix-ldap-sync/venv/lib/python3.7/site-packages/pyzabbix/__init__.py", line 196, in do_request
    raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1/name": a character string is expected.', -32602)

Usage instructions for CentOS 8

The recommended OS is CentOS for Zabbix and thus the instructions should be for it too.

What libraries do I need to install?

    gcc -pthread -Wno-unused-result -Wsign-compare -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DHAVE_SASL -DHAVE_TLS -DHAVE_LIBLDAP_R -DHAVE_LIBLDAP_R -DLDAPMODULE_VERSION=3.3.1 -DLDAPMODULE_AUTHOR=python-ldap project -DLDAPMODULE_LICENSE=Python style -IModules -I/home/sm/zabbix-ldap-sync/venv/include -I/usr/include/python3.6m -c Modules/LDAPObject.c -o build/temp.linux-x86_64-3.6/Modules/LDAPObject.o
    In file included from Modules/LDAPObject.c:3:
    Modules/common.h:15:10: fatal error: lber.h: No such file or directory
     #include <lber.h>
              ^~~~~~~~
    compilation terminated.
    error: command 'gcc' failed with exit status 1

ZabbixConn class not instantiated

I've been working on getting our users inputted into Zabbix. However, whenever I run the script, the LDAPConn class fires; I'll paste the output below. What I can't figure out is that after the zabbix-ldap-sync script is run, it doesn't seem to get to the ZabbixConn part. I've already confirmed that I can successfully make API calls, and the script queries LDAP. But it just doesn't seem to make it to the point of actually creating the users in Zabbix.

Any help would be amazing!

Thanks!

LDAPConn output:

2021-01-27 15:36:09,563 - LDAPConn - DEBUG - Searching LDAP with filter >>>(&(&(objectClass=user)(sAMAccountName=%s)))<<<
ldap_search_ext
put_filter: "(&(&(objectClass=user)(sAMAccountName=%s)))"
put_filter: AND
put_filter_list "(&(objectClass=user)(sAMAccountName=%s))"
put_filter: "(&(objectClass=user)(sAMAccountName=%s))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=%s)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=%s)"
put_filter: simple
put_simple_filter: "sAMAccountName=%s"
ldap_build_search_req ATTRS: sAMAccountName
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55a7da0307d0 msgid 47
wait4msg ld 0x55a7da0307d0 msgid 47 (infinite timeout)
wait4msg continue ld 0x55a7da0307d0 msgid 47 all 1
** ld 0x55a7da0307d0 Connections:
* host: $(ldapserver).$(domain).com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Jan 27 15:36:09 2021


** ld 0x55a7da0307d0 Outstanding Requests:
 * msgid 47,  origid 47, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x55a7da0307d0 request count 1 (abandoned 0)
** ld 0x55a7da0307d0 Response Queue:
   Empty
  ld 0x55a7da0307d0 response count 0
ldap_chkResponseList ld 0x55a7da0307d0 msgid 47 all 1
ldap_chkResponseList returns ld 0x55a7da0307d0 NULL
ldap_int_select
read1msg: ld 0x55a7da0307d0 msgid 47 all 1
read1msg: ld 0x55a7da0307d0 msgid 47 message type search-result
read1msg: ld 0x55a7da0307d0 0 new referrals
read1msg:  mark request completed, ld 0x55a7da0307d0 msgid 47
request done: ld 0x55a7da0307d0 msgid 47
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 47, msgid 47)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

API Connection:

2021-01-27 15:38:32,513 - pyzabbix - DEBUG - Sending: {
    "jsonrpc": "2.0",
    "method": "usergroup.get",
    "params": {
        "status": 0,
        "output": "extend"
    },
    "id": 2,
    "auth": "0994ff5fcd5eb4350fa1973319ac5c6a"
}

Problem with Zabbix 6.4

Hello,
I am using your script on Zabbix server 6.4. I found a problem with an API change: https://support.zabbix.com/browse/ZBX-17955
In the update media function there needs to be a version check. I am not a programmer, but this works for me:

# Choose the media update call that matches the Zabbix API version.
if self.get_api_minor_version() >= 5.2:
    result = self.conn.user.update(userid=str(userid), medias=[media_defaults])
# elif, so that the final else branch is not also taken on 5.2 and later
elif self.get_api_minor_version() > 3.2 and self.get_api_minor_version() < 5.2:
    result = self.conn.user.update(userid=str(userid), user_medias=[media_defaults])
else:
    # 3.2 and older: replace the media through user.updatemedia
    self.delete_media_by_description(user, description)
    result = self.conn.user.updatemedia(users=[{"userid": str(userid)}], medias=media_defaults)

I have tested this on 6.4 and 6.2.9.
Please implement this.

alldirusergroup

I was running your excellent script fine until just recently it complained (after an update):

No option 'alldirusergroup' in section: 'zabbix'
Traceback (most recent call last):
  File "/usr/lib64/python3.6/configparser.py", line 789, in get
    value = d[option]
  File "/usr/lib64/python3.6/collections/__init__.py", line 883, in __getitem__
    return self.__missing__(key)            # support subclasses that define __missing__
  File "/usr/lib64/python3.6/collections/__init__.py", line 875, in __missing__
    raise KeyError(key)
KeyError: 'alldirusergroup'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/root/zabbix-ldap-sync/lib/zabbixldapconf.py", line 75, in __init__
    self.zbx_alldirusergroup = parser.get('zabbix', 'alldirusergroup')
  File "/usr/lib64/python3.6/configparser.py", line 792, in get
    raise NoOptionError(option, section)
configparser.NoOptionError: No option 'alldirusergroup' in section: 'zabbix'
Configuration issues detected in /data/.zbx-ldap-conf/CYC_Admins.cfg

Looking at the git, it seems a new parameter "alldirusergroup" has been added and is required, but I am not sure why it is there, why it is mandatory or indeed what it does.
I created the required "catch all" group in my Zabbix implementation and of course it works but personally I would rather not have such a group; if I delete users I want them deleted for security purposes not lingering in an unusable Zabbix group - is it possible to give more explanation of this parameter and more importantly can it be bypassed\made optional?

Many thanks.

STEVE
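
The `NoOptionError` in this report and the `Creating Zabbix group None` failure in the `--delete-orphans` report further up both come from `alldirusergroup` being read as mandatory and its missing value reaching group creation. The sketch below treats the option as optional; it is an added example, not the project's code, and the function names `load_sync_groups` and `groups_to_create` and the sample configs are hypothetical (only the section and option names come from the configs quoted on this page).

```python
import configparser

# Constructed sample configs; section and option names follow the configs quoted on this page.
CONF_WITH_GROUP = """
[ldap]
groups = org_sre:3,org_dev:1
[zabbix]
alldirusergroup = yolo synced users
"""
CONF_WITHOUT_GROUP = """
[ldap]
groups = org_sre:3,org_dev:1
[zabbix]
server = https://zabbix.example.org
"""


def load_sync_groups(text):
    """Return (ldap_group_names, alldirusergroup or None) from config text."""
    parser = configparser.RawConfigParser()  # no '%' interpolation of values
    parser.read_string(text)
    raw = parser.get("ldap", "groups", fallback="")
    # Assumption: an optional ":N" suffix is not part of the group name.
    names = [g.partition(":")[0].strip() for g in raw.split(",") if g.strip()]
    # fallback=None turns a missing option into None instead of NoOptionError.
    catch_all = parser.get("zabbix", "alldirusergroup", fallback=None)
    catch_all = catch_all.strip() if catch_all else None
    return names, catch_all or None


def groups_to_create(ldap_groups, alldirusergroup, existing):
    """Group names missing in Zabbix; an unset catch-all group is never included."""
    wanted = list(ldap_groups)
    if alldirusergroup:
        wanted.append(alldirusergroup)
    return [name for name in wanted if name not in existing]


if __name__ == "__main__":
    for label, conf in (("with", CONF_WITH_GROUP), ("without", CONF_WITHOUT_GROUP)):
        names, catch_all = load_sync_groups(conf)
        print(label, groups_to_create(names, catch_all, existing={"org_sre"}))
```

With the option absent or blank, no `None` entry reaches the list of groups to create, so orphan handling can run without a catch-all group.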

Other media types

This is sort of two issues.

I have set this up to sync from "mail" (AD) to "Email" (zabbix). This works fine.
I tried taking that working config and changing it to use "mobile" (AD) to "Pager" (zabbix custom script media type) but that fails. The error implies that the contents of "mobile" is not an email address - which it is not - it is a phone number.

If I manually add a phone number to Pager for one of the sync'd users and then run the original sync it wipes out the phone number of the user I manually added.

Error on the 1st login

Hi Team,
I am facing an issue when I try to create/add a new user using the tool.
The dashboard appears in a weird way; I have updated the screenshot on the same.
The Zabbix version which I am using is 4.0.6. Please help me with this issue.

weird_dashboard_2

user config as per below.

[user]
# use "type" for releases prior 5.2
type = 1
# use "roleid" for releases after 5.2
#roleid = 1
#timezone = Europe/Berlin
#rows_per_page = 100 

Thanks
Sachin v Gaikwad
