zabbix-tooling / zabbix-ldap-sync Goto Github PK
View Code? Open in Web Editor NEWThis project forked from dnaeon/zabbix-ldap-sync
Sync Zabbix with LDAP directory server
License: BSD 3-Clause "New" or "Revised" License
This project forked from dnaeon/zabbix-ldap-sync
Sync Zabbix with LDAP directory server
License: BSD 3-Clause "New" or "Revised" License
When an user in AD has empty surname, the program generate an AttributeError:
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 92, in
main()
File "./zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 369, in sync_users
user['surname'] = self.ldap_conn.get_user_sn(ldap_users[eachUser]).decode('utf8')
AttributeError: 'NoneType' object has no attribute 'decode'
First of all thank you for the script. Works like a charm, saving me a lot of time.
I just have one recommendation. I'm using this script on Centos 7.5 and initially I had some issues with ConfigParser. Seems Centos/Red Hat doesn't like how config data being parsed using ConfigParser.
# ./zabbix-ldap-sync --verbose -f zabbix-ldap.conf
'%' must be followed by '%' or '(', found: '%^Geks281%^'
Traceback (most recent call last):
File "/root/zabbix-ldap-sync/lib/zabbixldapconf.py", line 43, in __init__
self.ldap_passwd = parser.get('ldap', 'bindpass')
File "/usr/lib64/python3.6/configparser.py", line 799, in get
return self._interpolation.before_get(self, section, option, value, d)
File "/usr/lib64/python3.6/configparser.py", line 394, in before_get
self._interpolate_some(parser, option, L, value, section, defaults, 1)
File "/usr/lib64/python3.6/configparser.py", line 444, in _interpolate_some
"found: %r" % (rest,))
configparser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%^Geks281%^'
Configuration issues detected in zabbix-ldap.conf`
So probably is a good idea changing the way config data beaing parsed with RawConfigParser.
can't run the script with
zabbix-ldap-sync -f /home/user/zabbix-ldap-sync-master/zabbix-ldap.conf
get an error of zabbix-ldap-sync : command not found
Hi.
Script output on latest version:
2022-05-09 09:05:14 - INFO - pyzabbix:75 - Zabbix API version is: 4.4.10
2022-05-09 09:05:14 - INFO - ZabbixConn:104 - Connected to Zabbix API Version 4.4.10
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in <module>
main()
File "./zabbix-ldap-sync", line 109, in main
zabbix_conn.connect()
File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 105, in connect
if float(self.conn.api_version()) > 5.2:
Please also reopen my previous issue: #44
I'm not sure how official that parameter is yet, since it's only in the usage but not in the README.
Anyway, it doesn't seem to have an effect for me. It created the groups happily anyway :)
Is this expected?
My configuration:
[ldap]
groups = DEV*
[user]
role = Zabbix user
Hi. I'm getting the following error when I try to use wildcard-search option with activedirectory based on samba:
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 110, in main
zabbix_conn.create_missing_groups()
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 396, in create_missing_groups
name, _ = self._get_group_spec(group_spec)
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 602, in _get_group_spec
role_id = int(self._get_role_id(self.user_opt['role']))
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 68, in _get_role_id
for g in self._get_roles():
File "/opt/zabbix-ldap-sync-0.13/lib/zabbixconn.py", line 192, in _get_roles
result = self.conn.role.get(output='extend')
File "/opt/zabbix-ldap-sync-0.13/venv/lib64/python3.6/site-packages/pyzabbix/init.py", line 219, in fn
args or kwargs
File "/opt/zabbix-ldap-sync-0.13/venv/lib64/python3.6/site-packages/pyzabbix/init.py", line 196, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Incorrect API "role".', -32602)
Hello,
following problem I have. I don't have an idea how to work around this.
2022-05-13 17:36:00 - INFO - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-13 17:36:01 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: http://localhost/zabbix//api_jsonrpc.php
2022-05-13 17:36:01 - INFO - pyzabbix:75 - Zabbix API version is: 5.0.15
2022-05-13 17:36:01 - INFO - ZabbixConn:104 - Connected to Zabbix API Version 5.0.15
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 109, in main
zabbix_conn.connect()
File "/opt/zabbix/zabbix-ldap-sync/lib/zabbixconn.py", line 105, in connect
if float(self.conn.api_version()) > 5.2:
ValueError: could not convert string to float: '5.0.15'
[root@dcfra-vision-vi-zbx-srv1 zabbix-ldap-sync]#
Thanks in advance
Change/Add option to disable users instead of deleting them, so that the audit logs are kept.
Hello,
I want to ask if it's possible to implement multiple media per user.
Benefit is only one script for multiple media types.
In config something like:
[ldap]
media1 = mail
media2 = mobile
media3 = mobile
[media1]
name = Email (HTML)
description = Email (HTML)
active = 0
[media2]
name = VoIP
description = VoIP
active = 0
[media3]
name = SMS
description = SMS
active = 0
I have read and tried solution by creating multiple configs with different media as sugested in bug issue #17 and #8 but it doesnt work. Each config file just replace media for created user instead of updating another media.
I have used latest master build. Thx in advance.
Hello,
I was able to install all dependencies and ran my first sync how error, I am getting an invalid credentials error. I know that the credential is correct since I used it to create the LDAP bind on Zabbix portal. Is there a restriction as to what type of characters are allowed on the ldap password entry?
Full STDERR:
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in
main()
File "./zabbix-ldap-sync", line 107, in main
ldap_conn.connect()
File "/home/myuser/zabbix-ldap-sync/lib/ldapconn.py", line 57, in connect
self.conn.simple_bind_s(self.ldap_user, self.ldap_pass)
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 249, in simple_bind_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 546, in result3
resp_ctrl_classes=resp_ctrl_classes
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 553, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/root/.local/lib/python3.6/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
result = func(*args,**kwargs)
ldap.INVALID_CREDENTIALS: {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563'}
Current config:
...
[ldap]
groups = Support
[user]
type = 1
...
[root@zabbix zabbix-ldap-sync]# ./zabbix-ldap-sync --skip-disabled -f zabbix-ldap.conf --dryrun
2022-05-31 11:16:00 - INFO - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-31 11:16:00 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: https://zabbix-server/zabbix/api_jsonrpc.php
2022-05-31 11:16:00 - INFO - pyzabbix:75 - Zabbix API version is: 4.0.37
2022-05-31 11:16:00 - INFO - ZabbixConn:112 - Connected to Zabbix API Version 4.0.37
2022-05-31 11:16:00 - CRITICAL - ZabbixConn:619 - No default role specified
Script tries to use user role instead user type on older zabbix versions.
We don't care about "audit" trail and left the alldirusergroup option out of our configuration. This causes an issue because there's a check against zabbix_alldirusergroup_users when looking for accounts to delete. In this case, it will never delete any users that no longer exist in the AD group. Which in turn causes other issues downsteam, for example then trying to do media sync.
Basically the error below is a downstream consequence, because the user doesn't exist in the LDAP group anymore but hasn't been removed prior to the media sync.
Traceback (most recent call last):
File "/var/lib/zabbix/zabbix-ldap-sync/zabbix-ldap-sync", line 115, in
main()
File "/var/lib/zabbix/zabbix-ldap-sync/zabbix-ldap-sync", line 111, in main
zabbix_conn.sync_users()
File "/data00/zabbix/zabbix-ldap-sync/lib/zabbixconn.py", line 590, in sync_users
if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):
KeyError: 'cwalls'
I was able to work around this issue by commenting out lines 540 and 541 in lib/zabbixconn.py; see screen shot below. There's should probably be a better long term option, which is why I'm opening this issue. This at least allows me to automatically clean up deleted users as expected.
Hi ,
thank you for the quick fix last week.
I just enabled https now for the Zabbix API as this is required in our production environment.
Now I get :
[root@servername zabbix-ldap-sync]# ./zabbix-ldap-sync -n -f zabbix-ldap-AD-Group-Name.conf
2022-05-17 15:23:10 - INFO - ZabbixLDAPConf:41 - configuration for zabbix-ldap-sync release 0.13
2022-05-17 15:23:10 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: https://zabbix-server-url/zabbix//api_jsonrpc.php
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
chunked=chunked)
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 839, in validate_conn
conn.connect()
File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 358, in connect
ssl_context=context)
File "/usr/lib/python3.6/site-packages/urllib3/util/ssl.py", line 354, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
_context=self, _session=session)
File "/usr/lib64/python3.6/ssl.py", line 776, in init
self.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='zabbix-server-url', port=443): Max retries exceeded with url: /zabbix//api_jsonrpc.php (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))
Even if I set ignore_tls_errors = true , same issue...
I miss the "verify=False" option in the section Zabbix.
I haven't neither a glue how to turn this off on the lower system level.
For ldaps it is ldap.conf but I'm not sure how to do for the API https requests.
Thanks in advance,
Rob
Hi @blodone , i am getting the below error while trying it with zabbix 6
Seems like the group is created but the users are not.
ldap.FILTER_ERROR: {'result': -7, 'desc': 'Bad search filter', 'ctrls': []}
We've noticed an issue with Zabbix Server 5.0.8 and ldap-sync where a newly created user won't get the specified media entry added.
Error in question;
2021-04-21 15:48:00,967 - INFO - pyzabbix:65 - JSON-RPC Server Endpoint: https://zabbix.url/api_jsonrpc.php
2021-04-21 15:48:01,084 - INFO - ZabbixConn:69 - Connected to Zabbix API Version 5.0.8
2021-04-21 15:48:01,118 - INFO - ZabbixConn:309 - Creating Zabbix group ZabbixGroup
2021-04-21 15:48:01,155 - INFO - ZabbixConn:312 - Group ZabbixGroup created with groupid 41
2021-04-21 15:48:01,288 - INFO - ZabbixConn:393 - Updating user "[email protected]", adding to group "ZabbixGroup"
2021-04-21 15:48:03,480 - INFO - ZabbixConn:376 - Created user [email protected] and membership of Zabbix group >>ZabbixGroup<<
2021-04-21 15:48:04,095 - INFO - ZabbixConn:423 - Add media only on newly created users for group >>>ZabbixGroup<<<
2021-04-21 15:48:04,096 - INFO - ZabbixConn:440 - >>> Updating/create user media for "[email protected]", update "Email (HTML)"
Traceback (most recent call last):
File "zabbix-ldap-sync", line 103, in
main()
File "zabbix-ldap-sync", line 99, in main
zabbix_conn.sync_users()
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 441, in sync_users
self.update_media(each_user, self.media_name, sendto, media_opt_filtered)
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 253, in update_media
mediatypeid = self.get_mediatype_id(description)
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync/lib/zabbixconn.py", line 99, in get_mediatype_id
raise Exception(f"Ambiguous media found, {len(result)} different medias")
Exception: Ambiguous media found, 0 different medias
configuration file for ldap contains the following;
[media]
description = Email
severity = Disaster, High, Average, Warning
active = 0
period = 1-7,00:00-24:00
onlycreate = true
It seems that the scripts tries to update the first use to be synced, and fails. Also the media type description doesn't seem to match the configured media type description.
Cant configure to work with more than one media type, could please anyone share config with working more than 1 medias to sync? (for ex.: Email and SMS).
When I use:
[media]
description = Email, SMS
active = 0
period = 1-7,00:00-24:00
severity = 63
onlycreate = false
I have the result when mobile phones properly inserted as Emails :(
in zabbix 5.2 the user obj have changed and type have been removed.
[media]
description = Email
active = 0
period = 1-5,07:00-22:00
severity = Disaster, High, Average, Warning, Information, Not Classified
onlycreate = true
[media]
description = Email
active = 0
period = 1-5,07:00-22:00
severity = 63
#Disaster, High, Average, Warning, Information, Not Classified
onlycreate = true
When a user is removed from an LDAP group but orphans are not deleted, the subsequent media update tries to access a user that does not exist:
zabbix-ldap-sync/lib/zabbixconn.py
Line 588 in 02412a9
Here, each_user
is an element of zabbix_group_users
which might contain users who are not present in the LDAP group anymore but have not been deleted before (in
zabbix-ldap-sync/lib/zabbixconn.py
Line 536 in 02412a9
On some accounts I got error message like above. When I run script again there is no error.
2022-05-31 14:57:30 - INFO - ZabbixConn:592 - >>> Updating/create user media for "[email protected]", update "Email"
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 115, in <module>
main()
File "./zabbix-ldap-sync", line 111, in main
zabbix_conn.sync_users()
File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 593, in sync_users
self.update_media(each_user, self.media_name, sendto, media_opt_filtered)
File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 353, in update_media
mediatypeid = self.get_mediatype_id(description)
File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 154, in get_mediatype_id
raise Exception(f"Ambiguous media '{name}' found, {len(result)} different medias")
Exception: Ambiguous media 'Email' found, 7 different medias
Zabbix server version: 4.0
Media configuration:
[media]
name = Email
severity = Disaster,High,Average,Warning
period = 1-7,00:07-22:00
# 1=disabled, 0=enabled
active = 0
onlycreate = true
Noticing that this should now be working, I tried to add a user to multiple groups. I am receiving the following error:
2021-04-15 15:07:36,146 - ZabbixConn - INFO - Connected to Zabbix API Version 5.2.6
2021-04-15 15:07:36,357 - ZabbixConn - INFO - Updating user "hicklc", adding to group "Zabbix ePC Operators"
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 102, in <module>
main()
File "./zabbix-ldap-sync", line 98, in main
zabbix_conn.sync_users()
File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 395, in sync_users
self.update_user(each_user, zabbix_group_id)
File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 222, in update_user
userid = self.get_user_id(user['alias'])
TypeError: string indices must be integers
We are running the latest version of Zabbix (5.2.6) and I installed all requirements. Importing the same user to only 1 group works without issues.
The "groups" in "ldap" and the "roleid" use numeric roles.
Since zabbix allows the definition of individual roles, it might be suitable to relsolve id from role names.
I want to package zabbix-ldap-sync for Debian and noticed that the last release 0.13 has been in Feb. 2022. Is there a release expected soon to incorporate the bugfixes since then?
Hi,
This project fell a little to the wayside, but now that we have some time to catch our breath, this is still an outstanding issue.
Here is our .conf file
cat zabbix-ldap-superadmins.conf
[ldap]
type = activedirectory
uri = ldap://subdomain.domain.com:389/
base =DC=subdomain,DC=domain,DC=com
binduser = domain\domain.account
bindpass = Password
groups = Zabbix Super Admins
media = mail
[activedirectory]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (objectClass=user)(objectCategory=Person)
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = sAMAccountName
[zabbix]
server = https://zabbix.subdomain.domain.com
username = zabbix.account
password = password
auth = webform
[user]
roleid = 3
[media]
description = Email (HTML)
active = 0
period = 1-5,07:00-22:00
severity = 56
The zabbix-ldap-sync script fails when creating users with Zabbix 5.2 api.
The fix is to change type
to roleid
in the create_user function within lib/zabbixconn.py and in the user stanza of any configuration files. This change is not backwards compatible with Zabbix versions < 5.2.
Here's more info about the change from type
property to roleid
in the user object:
USER
Changes:
ZBXNEXT-6148 user.create, user.update, user.get: dropped support of type property.
USER
Changes:
ZBXNEXT-6148 user.create, user.update, user.get: added new property roleid.
Here's the traceback that occurs as soon as the script tries to create a user:
Traceback (most recent call last):
File "/opt/zabbix-ldap-sync/zabbix-ldap-sync", line 112, in <module>
main()
File "/opt/zabbix-ldap-sync/zabbix-ldap-sync", line 109, in main
zabbix_conn.sync_users()
File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 376, in sync_users
self.create_user(user, zabbix_grpid, self.user_opt)
File "/opt/zabbix-ldap-sync/lib/zabbixconn.py", line 185, in create_user
result = self.conn.user.create(user)
File "/opt/zabbix-ldap-sync/lib/python3.6/site-packages/pyzabbix/__init__.py", line 192, in fn
args or kwargs
File "/opt/zabbix-ldap-sync/lib/python3.6/site-packages/pyzabbix/__init__.py", line 169, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1": unexpected parameter "type".', -32602)
Hello,
I am trying to configure ldap-sync but i get error:
2021-06-02 09:46:39,489 - INFO - pyzabbix:65 - JSON-RPC Server Endpoint: http://myzabbixserver/zabbix/api_jsonrpc.php
2021-06-02 09:46:39,539 - INFO - ZabbixConn:69 - Connected to Zabbix API Version 5.4.0
Traceback (most recent call last):
File "/etc/zabbix/zabbix-ldap-sync-master/zabbix-ldap-sync", line 103, in
main()
File "/etc/zabbix/zabbix-ldap-sync-master/zabbix-ldap-sync", line 99, in main
zabbix_conn.sync_users()
File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 355, in sync_users
zabbix_all_users = [x.lower() for x in self.get_users()]
File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 81, in get_users
users = [user['alias'] for user in result]
File "/etc/zabbix/zabbix-ldap-sync-master/lib/zabbixconn.py", line 81, in
users = [user['alias'] for user in result]
KeyError: 'alias'
When i tried to debug this i found new change in zabbix API 5.4 release notes.
Can you please make fix for this.
Changed field "alias" into "username"
https://support.zabbix.com/browse/ZBXNEXT-1215
https://support.zabbix.com/browse/ZBXNEXT-6474
While implementing this script we noticed that the media type of the user was always defaulting to "Pushover". This happend in the get_media_typeid function. When we do the call, we can see in the description of the json output that the value is set to "Email" for media Email. When changing the filter to 'Name' in the function it seems to work.
Also, wildcard for OpenLDAP not working.
Zabbix version 4.4.6
Hi!
We using FreeIPA as LDAP Auth Service.
With that line we facing with problem when memberid contains full DN to account
zabbix-ldap-sync/lib/ldapconn.py
Line 112 in bcb898d
For quick hack
memberid = memberid.decode("utf-8")
memberid = memberid.split(',')[0]
Config is
[openldap]
type = posix
filtergroup = (&(objectClass=posixGroup)(cn=%s))
filteruser = (&(objectClass=posixAccount)(%s))
groupattribute = member
userattribute = uid
Maybe add some option to choose cut or not ?
Our (munged) config:
[ldap]
type = activedirectory
uri = ldaps://server01.domain.local:636/
base = dc=domain,dc=local
binduser = DOMAIN\zabbix_ldap
bindpass = <the_pass>
groups = Company Employees
[ad]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (objectClass=user)(objectCategory=Person)
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = sAMAccountName
When I use ldapsearch to query server01.domain.local using the filters as shown above, I get the list of users and groups that I expect (although I don't seem to be able to combine e.g. filteruser and filtermemberof, so I expect those matches are done in code?). Therefore I expect (hope) that the config I'm supplying is correct.
When I run zabbix-ldap-sync in verbose mode, I see:
[ldaps connection success omited]
** ld 0x1d770b0 Connections:
* host: server01.domain.local port: 636 (default)
refcnt: 2 status: Connected
last used: Tue Apr 2 16:46:11 2019
** ld 0x1d770b0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x1d770b0 request count 1 (abandoned 0)
** ld 0x1d770b0 Response Queue:
Empty
ld 0x1d770b0 response count 0
ldap_chkResponseList ld 0x1d770b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x1d770b0 NULL
ldap_int_select
read1msg: ld 0x1d770b0 msgid 1 all 1
read1msg: ld 0x1d770b0 msgid 1 message type bind
read1msg: ld 0x1d770b0 0 new referrals
read1msg: mark request completed, ld 0x1d770b0 msgid 1
request done: ld 0x1d770b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
Since I'm not that good at Python.. At which step can I add a "print" to see the query that is used?
2019-02-25 16:35:21,832 - INFO - Updating user "Username", adding to group "Group"
2019-02-25 16:35:22,024 - INFO - Add media only on newly created users for group >>>Group <<<
2019-02-25 16:35:22,024 - INFO - Add media only on newly created users for group >>>Group<<<
2019-02-25 16:35:22,024 - INFO - >>> Updating/create user media for "Username", update "Email"
2019-02-25 16:35:22,024 - INFO - >>> Updating/create user media for "Username", update "Email"
Traceback (most recent call last):
File "zabbix-ldap-sync", line 92, in
main()
File "zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/lib/zabbixconn.py", line 444, in sync_users
self.update_media(eachUser, self.media_description, sendto, media_opt_filtered)
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/lib/zabbixconn.py", line 274, in update_media
result = self.conn.user.update(userid=str(userid), user_medias=[media_defaults])
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/venv/lib/python3.4/site-packages/pyzabbix/init.py", line 157, in fn
args or kwargs
File "/etc/zabbix/zabbix-ldap-sync/zabbix-ldap-sync-master/venv/lib/python3.4/site-packages/pyzabbix/init.py", line 134, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1/user_medias/1": unexpected parameter "onlycreate".', -32602)
Hello, while we we're using this solution flawlessly in Zabbix 5.0, as soon as we upgraded to 6.0 it stopped working.
The given error is as follows:
[zabbix_prod@033 ~]$ /opt/sync-ad-ldap/zabbix-ldap-sync -sd -f /opt/sync-ad-ldap/zabbix-ldap.conf
2022-05-02 11:11:59 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: http://10.0.0.23/zabbix//api_jsonrpc.php
2022-05-02 11:11:59 - INFO - pyzabbix:75 - Zabbix API version is: 6.0.3
2022-05-02 11:11:59 - INFO - ZabbixConn:68 - Connected to Zabbix API Version 6.0.3
Traceback (most recent call last):
File "/opt/sync-ad-ldap/zabbix-ldap-sync", line 115, in
main()
File "/opt/sync-ad-ldap/zabbix-ldap-sync", line 111, in main
zabbix_conn.sync_users()
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 338, in sync_users
zabbix_all_users = self.get_users()
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 80, in get_users
users = [user['alias'] for user in result]
File "/opt/sync-ad-ldap/lib/zabbixconn.py", line 80, in
users = [user['alias'] for user in result]
KeyError: 'alias'
Any ideas on what it could be?
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 92, in
main()
File "./zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/usr/local/zabbix-ldap-sync/lib/zabbixconn.py", line 428, in sync_users
self.update_media(eachUser, self.media_description, sendto, media_opt_filtered)
File "/usr/local/zabbix-ldap-sync/lib/zabbixconn.py", line 263, in update_media
result = self.conn.user.updatemedia(users=[{"userid": str(userid)}], medias=media_defaults)
File "/usr/lib/python3.6/site-packages/pyzabbix/init.py", line 157, in fn
args or kwargs
File "/usr/lib/python3.6/site-packages/pyzabbix/init.py", line 134, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Incorrect method "user.updatemedia".', -32602)
Hello,
while running the script, I get an error message when the sync gets to a particular user:
2018-05-29 15:36:15,262 - INFO - >>> Updating/create user media for "user1", update "Email"
2018-05-29 15:36:15,262 - INFO - >>> Updating/create user media for "user1", update "Email"
2018-05-29 15:36:15,664 - INFO - Remove other exist media from user user2 (type=Email)
2018-05-29 15:36:15,664 - INFO - Remove other exist media from user user2 (type=Email)
2018-05-29 15:36:15,810 - INFO - >>> Updating/create user media for "user3", update "Email"
2018-05-29 15:36:15,810 - INFO - >>> Updating/create user media for "user3", update "Email"
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 92, in
main()
File "./zabbix-ldap-sync", line 89, in main
zabbix_conn.sync_users()
File "/home/.../zabbix-ldap-sync-master/lib/zabbixconn.py", line 419, in sync_users
sendto = self.ldap_conn.get_user_media(ldap_users[eachUser], self.ldap_media).decode("utf8")
KeyError: 'user3'
Can anybody help me?
The problem with synchronizing the group is where 1 user (presumably this is the reason)
debug.txt
We are running the latest Zabbix version 5.2.6. I downloaded and installed the requirements, and I was able to import the users in the Active Directory group. However, when I removed a user and run the sync, I get the following error:
2021-04-15 15:00:52,276 - ZabbixConn - INFO - Connected to Zabbix API Version 5.2.6
2021-04-15 15:00:52,481 - ZabbixConn - INFO - Users in group Zabbix Super Admins which are not found in LDAP group:
2021-04-15 15:00:52,481 - ZabbixConn - INFO - User not in ldap group "werschmannj"
2021-04-15 15:00:52,482 - ZabbixConn - INFO - Update media on all users for group >>>Zabbix Super Admins<<<
2021-04-15 15:00:52,541 - ZabbixConn - INFO - >>> Updating/create user media for "muellervo", update "Email (HTML)"
2021-04-15 15:00:52,757 - ZabbixConn - INFO - >>> Updating/create user media for "hicklc", update "Email (HTML)"
2021-04-15 15:00:52,970 - ZabbixConn - INFO - >>> Updating/create user media for "werschmannj", update "Email (HTML)"
Traceback (most recent call last):
File "./zabbix-ldap-sync", line 102, in <module>
main()
File "./zabbix-ldap-sync", line 98, in main
zabbix_conn.sync_users()
File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 436, in sync_users
if self.ldap_conn.get_user_media(ldap_users[each_user], self.ldap_media):
KeyError: 'werschmannj'`
Is there a setting I missed somewhere?
@vryzhevsky: With the relatively new "alldirusergroup" flag, the script adds all found users reproducible to the same, but unconfigured group.
(https://github.com/zabbix-tooling/zabbix-ldap-sync/pull/33/files)
Config example:
[ldap]
type = activedirectory
uri = ldaps://adds.yoloapp.de:636/
base = DC=yoloapp,DC=de
binduser = [email protected]
bindpass = sdkfjhksjdfkjkkkkjhkjh
groups = org_yolo_sre_regular:3,org_yolo_software_development_regular:1,org_yolo_software_development_srelight:3,org_yolo_customer_success_regular:6,org_yolo_finance_regular:6,org_yolo_+product_regular:6,org_yolo_marketing_regular:6
media = mail
ignore_tls_errors = true
[activedirectory]
filtergroup = (&(objectClass=group)(name=%s))
filteruser = (&(objectClass=user)(objectCategory=Person))
filterdisabled = (!(userAccountControl:1.2.840.113556.1.4.803:=2))
filtermemberof = (memberOf:1.2.840.113556.1.4.1941:=%s)
groupattribute = member
userattribute = userPrincipalName
[zabbix]
server = https://zabbix.yolo.de
username = Admin
password = sdfskjdhfkjshdfkjsdfkkKHJKHKJKKKJHKJHKJH
auth = webform
alldirusergroup = yolo synced users
ignore_tls_errors = false
[user]
roleid = 6
timezone = Europe/Berlin
rows_per_page = 100
# display password when creating new users
show_password = true
[media]
name = Email (HTML) - Sendgrid
period = 1-7,06:30-22:00
# 1=disabled, 0=enabled
active = 1
severity = Disaster,High,Average
onlycreate = true
Subject.
May be for some reason, but in this case option "--lowercase" is obsolete and confusing.
In fact all usernames synced from ldap are lowercased, which leads to a problems when doing some automation utilizing some third party tools matching real ldap sAMAccountName with usernames (aliases) in zabbix.
If it's done as it done just because lack of time - may be it will be better to leave usernames "as is" by default?
When trying to use the older behavior of --delete-orphans without setting alldirusergroup, the script still attempts to create a group and fails:
(venv) root@host:~/zabbix-ldap-sync# /root/zabbix-ldap-sync/zabbix-ldap-sync --delete-orphans -f /root/zabbix-ldap-sync/zabbix-ldap.conf
2022-02-09 10:13:49 - INFO - pyzabbix:68 - JSON-RPC Server Endpoint: https://1.2.3.4/api_jsonrpc.php
2022-02-09 10:13:49 - INFO - pyzabbix:75 - Zabbix API version is: 5.4.1
2022-02-09 10:13:50 - INFO - ZabbixConn:105 - Connected to Zabbix API Version 5.4.1
2022-02-09 10:13:50 - INFO - ZabbixConn:406 - Creating Zabbix group None
Traceback (most recent call last):
File "/root/zabbix-ldap-sync/zabbix-ldap-sync", line 115, in <module>
main()
File "/root/zabbix-ldap-sync/zabbix-ldap-sync", line 110, in main
zabbix_conn.create_missing_groups()
File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 408, in create_missing_groups
grpid = self.create_group(eachGroup)
File "/root/zabbix-ldap-sync/lib/zabbixconn.py", line 226, in create_group
result = self.conn.usergroup.create(name=group)
File "/root/zabbix-ldap-sync/venv/lib/python3.7/site-packages/pyzabbix/__init__.py", line 219, in fn
args or kwargs
File "/root/zabbix-ldap-sync/venv/lib/python3.7/site-packages/pyzabbix/__init__.py", line 196, in do_request
raise ZabbixAPIException(msg, response_json['error']['code'], error=response_json['error'])
pyzabbix.ZabbixAPIException: ('Error -32602: Invalid params., Invalid parameter "/1/name": a character string is expected.', -32602)
The recommended OS is CentOS for Zabbix and thus the instructions should be for it too.
What libraries do I need to install?
gcc -pthread -Wno-unused-result -Wsign-compare -DDYNAMIC_ANNOTATIONS_ENABLED=1 -DNDEBUG -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DHAVE_SASL -DHAVE_TLS -DHAVE_LIBLDAP_R -DHAVE_LIBLDAP_R -DLDAPMODULE_VERSION=3.3.1 -DLDAPMODULE_AUTHOR=python-ldap project -DLDAPMODULE_LICENSE=Python style -IModules -I/home/sm/zabbix-ldap-sync/venv/include -I/usr/include/python3.6m -c Modules/LDAPObject.c -o build/temp.linux-x86_64-3.6/Modules/LDAPObject.o
In file included from Modules/LDAPObject.c:3:
Modules/common.h:15:10: fatal error: lber.h: No such file or directory
#include <lber.h>
^~~~~~~~
compilation terminated.
error: command 'gcc' failed with exit status 1
I've been working on getting our users inputted into Zabbix. However, whenever I run the script, the LDAPConn class fires, I'll paste the output below. What I can't figure out is after the zabbix-ldap-sync script is ran, it doesn't seem to get to the ZabbixConn part. I've already confirmed that I can successfully make API calls, the script queries LDAP.. But it just doesn't seem to make it to the point of actually creating the users in Zabbix.
Any help would be amazing!
Thanks!
LDAPConn output:
2021-01-27 15:36:09,563 - LDAPConn - DEBUG - Searching LDAP with filter >>>(&(&(objectClass=user)(sAMAccountName=%s)))<<<
ldap_search_ext
put_filter: "(&(&(objectClass=user)(sAMAccountName=%s)))"
put_filter: AND
put_filter_list "(&(objectClass=user)(sAMAccountName=%s))"
put_filter: "(&(objectClass=user)(sAMAccountName=%s))"
put_filter: AND
put_filter_list "(objectClass=user)(sAMAccountName=%s)"
put_filter: "(objectClass=user)"
put_filter: simple
put_simple_filter: "objectClass=user"
put_filter: "(sAMAccountName=%s)"
put_filter: simple
put_simple_filter: "sAMAccountName=%s"
ldap_build_search_req ATTRS: sAMAccountName
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x55a7da0307d0 msgid 47
wait4msg ld 0x55a7da0307d0 msgid 47 (infinite timeout)
wait4msg continue ld 0x55a7da0307d0 msgid 47 all 1
** ld 0x55a7da0307d0 Connections:
* host: $(ldapserver).$(domain).com port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Jan 27 15:36:09 2021
** ld 0x55a7da0307d0 Outstanding Requests:
* msgid 47, origid 47, status InProgress
outstanding referrals 0, parent count 0
ld 0x55a7da0307d0 request count 1 (abandoned 0)
** ld 0x55a7da0307d0 Response Queue:
Empty
ld 0x55a7da0307d0 response count 0
ldap_chkResponseList ld 0x55a7da0307d0 msgid 47 all 1
ldap_chkResponseList returns ld 0x55a7da0307d0 NULL
ldap_int_select
read1msg: ld 0x55a7da0307d0 msgid 47 all 1
read1msg: ld 0x55a7da0307d0 msgid 47 message type search-result
read1msg: ld 0x55a7da0307d0 0 new referrals
read1msg: mark request completed, ld 0x55a7da0307d0 msgid 47
request done: ld 0x55a7da0307d0 msgid 47
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 47, msgid 47)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
API Connection:
2021-01-27 15:38:32,513 - pyzabbix - DEBUG - Sending: {
"jsonrpc": "2.0",
"method": "usergroup.get",
"params": {
"status": 0,
"output": "extend"
},
"id": 2,
"auth": "0994ff5fcd5eb4350fa1973319ac5c6a"
}
Hello,
I am using your script on Zabbix server 6.4. I found problem with API change: https://support.zabbix.com/browse/ZBX-17955
In update media function there needs to be version check. I am not programmer but this works for me:
if self.get_api_minor_version() >= 5.2:
result = self.conn.user.update(userid=str(userid), medias=[media_defaults])
if self.get_api_minor_version() > 3.2 and self.get_api_minor_version() < 5.2:
result = self.conn.user.update(userid=str(userid), user_medias=[media_defaults])
else:
self.delete_media_by_description(user, description)
result = self.conn.user.updatemedia(users=[{"userid": str(userid)}], medias=media_defaults)
I have tested this on 6.4 and 6.2.9.
Please implement this.
I was running your excellent script fine until just recently it complained (after an update):
No option 'alldirusergroup' in section: 'zabbix'
Traceback (most recent call last):
File "/usr/lib64/python3.6/configparser.py", line 789, in get
value = d[option]
File "/usr/lib64/python3.6/collections/__init__.py", line 883, in __getitem__
return self.__missing__(key) # support subclasses that define __missing__
File "/usr/lib64/python3.6/collections/__init__.py", line 875, in __missing__
raise KeyError(key)
KeyError: 'alldirusergroup'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/zabbix-ldap-sync/lib/zabbixldapconf.py", line 75, in __init__
self.zbx_alldirusergroup = parser.get('zabbix', 'alldirusergroup')
File "/usr/lib64/python3.6/configparser.py", line 792, in get
raise NoOptionError(option, section)
configparser.NoOptionError: No option 'alldirusergroup' in section: 'zabbix'
Configuration issues detected in /data/.zbx-ldap-conf/CYC_Admins.cfg
Looking at the git, it seems a new parameter "alldirusergroup" has been added and is required, but I am not sure why it is there, why it is mandatory or indeed what it does.
I created the required "catch all" group in my Zabbix implementation and of course it works but personally I would rather not have such a group; if I delete users I want them deleted for security purposes not lingering in an unusable Zabbix group - is it possible to give more explanation of this parameter and more importantly can it be bypassed\made optional?
Many thanks.
STEVE
This is sort of two issues.
I have set this up to sync from "mail" (AD) to "Email" (zabbix). This works fine.
I tried taking that working config and changing it to use "mobile" (AD) to "Pager" (zabbix custom script media type) but that fails. The error implies that the contents of "mobile" is not an email address - which it is not - it is a phone number.
If I manually add a phone number to Pager for one of the sync'd users and then run the original sync it wipes out the phone number of the user I manually added.
Hi Team,
I am facing a issue when i try to create/add a new user using the tool.
dashboard appears in a weird way i have updated the screen short on the same.
zabbix version which i am using is 4.0.6. Please help me with issue.
user config as per below.
[user]
# use "type" for releases prior 5.2
type = 1
# use "roleid" for releases after 5.2
#roleid = 1
#timezone = Europe/Berlin
#rows_per_page = 100
Thanks
Sachin v Gaikwad
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.