Zabbix

This is a translation of the original English documentation page. Help us make it better.

2 Authentication

Overview

???? ????? → ????? ????? ????? ?? ???? ????? ????? ??????? ?-Zabbix ?????? ?????? ??????. ?????? ??????? ?? ???????, HTTP, LDAP ?-SAML ?????.

Default authentication

?????? ????, Zabbix ?????? ?????? Zabbix ????? ???? ?? ????????. ?? ???? ????? ?? ???? ????? ????? ?-LDAP ??? ?????? ?? ???? ????? LDAP ?? ???? ?????? ??????? ????????.

??? ?????? LDAP ????? ????? ????? ???? ???? ?? ????????, ???? ?? ????????? LDAP ????? ?? ?????? ??????, ??? ???? ?? ????????? ????? ????? ?? ???? ????? ????? ?? ????? ? LDAP.

???? ?? ????? ?????? ?? ???? ?????? ?-????? group. ????? ?? ????? LDAP ????? ????? ??????, ?????? ??????? ??????? ????? ?????? ????? ????? ?? ??? Zabbix. ??????? ??? ???? ????? frontend access ????? ?? ??????. ?????, ?? ???? ????? ?????? ????? ????? ?????, ???? ????? ???? ????? LDAP ??????? ??? ???? ????? ?????? ?????? ??-frontend access ??? ????? ?-LDAP. ?? ????? ???? ?????? ??????? ??? ????? ?? ????? LDAP, ????? ?? ?? ???? ?????? ????? ???? ?????.

HTTP ?-SAML 2.0 ???? ?????? ?????? ????? ????? ?????? ????? ???? ?????.

Internal authentication

????????? ????? ?????? ?????? ?? ??????? ?????? ??????? ????? ?????? ??????? Zabbix ???????.

???? ?????? ?? ???????? ??????? ???????? ?????:

Parameter Description
???? ????? ??????? ?????? ????, ???? ?????? ???????? ????? ?-8. ???? ????: 1-70. ???? ?? ???????? ?????? ?-72 ????? ??????.
?????? ????? ????? ??? ????? ????? ??? ?? ??? ??? ????? ????? ?????? ?????? ??????:
-??? ????? ???? ?????? ????
-????
-?? ?????
??? ??? ???? ????? ??? ????? ??? ?? ????? ?????? ??? ??????.
????? ??????? ???? ?????? ?? ??? ??????, ????? ????? ??? ??????? ?????:
- ?? ????? ????? ?? ?? ??????, ?? ?????? ?? ?? ??????
- ?? ????? ????? ??? ???????? ?? ??????? ???????? ?????.

????? ???????? ??????? ?????????? ????? ????? ???????? ?????? NCSC "Top 100k ???????", ????? SecLists "Top 1M ???????" ?????? ????? ?? Zabbix ??????? ????????. ??????? ??????? ?? ????? ?????? ??????? ??????? ?????? ?? ?????? ???????? ???? ?????? ????? ??? ?????? ????? ???.

??????? ??????? ??????? ?????? ?? ?????? ?? ?????? ??????? ?????, ?? ?? ????? ???? ???? ????? ?????, ?????? ????? ????? ????? ??????? ????????. ??? ?? ? ????? ??????? ???? ??? ???? ????? ? ?? ?????? ?????? ??-????? ???? ????? ???? ??????? ????? → ???????.

HTTP authentication

????? ????? HTTP ?? ??? ??????? (??????: ????? ???? ?????? ??????, NTLM/Kerberos) ?????? ???? ????? ? ???????. ???? ?? ?????? ???? ??????? ?? ?-Zabbix, ??? ???? ??? ?? ???? ????? ?????? Zabbix.

::: ???? ?? ???? ????! ??? ?? ??? ???????? ?????? ????? ????? ????? ???? ?????? ???. :::

?????? ?????:

Parameter Description
???? ????? HTTP ??? ?? ???? ?????? ??? ????? ????? HTTP. ????? ????? ??? ???? ???? ??? ??????? ?????? ?? ????? ??? ????????, ?? ???????? (????? ?? ???? ?????? ??????? ?-LDAP/Internal) ?????? ?? ??? ??? ????????, ?? ?? ??? Zabbix.
???? ??????? ?????? ???? ???? ?? ?????? ??????? ?? ??????? ?:
???? ??????? ?? Zabbix - ?? ??????? ???? ?? Zabbix.
???? ??????? ?-HTTP - ?? ??????? ?? HTTP.
????? ????? ????? ????? ??? ??????? ???? ?? index_http.php ????. ?? ???? ???????? ?????? ?????? ???? ????? ?'?? ??????? HTTP', ?????? ????? ???????? ?? ????? ????? ??? ???????? ????? ??????? ????? ?????? ?????? $_SERVER.
?????? $_SERVER ???????: PHP_AUTH_USER, REMOTE_USER, AUTH_USER.
Remove domain name ????? ?????? ??????? ?? ???? ???????? ??? ????? ??? ??????.
Example: `comp,any` - ?? ?? ?????? ??? 'Admin@any', 'comp\Admin', ?????? ????? ???? 'Admin'; ?? ?? ?????? ??? 'notacompany\Admin', ?????? ?????.
????? ????? ?????? ??? ?? ????? ???? ?????? ??? ???? ????? ????? ?????? (????? ?????? ????) ???? ???? ?????.
Example: ???? ??????? ????? ?????? ?????? ??, ????, ????? 'ADMIN' ?? ?? ????? Zabbix ??? 'Admin'.
??? ?? ????? ??????? ????? ?????? ??????, ?????? ????? ?? ?????? ???? ??????? ?- ??? ?????? ?? Zabbix ?? ???? ????? ????? (???? Admin, admin).

???????? ??????? ????? ?????? ?????? ??????? HTTP ??????? (?? ???? ??????? HTTP ????? ?????? ????) ???????? ?-401 ?????, ????? ????? ?????? 'ErrorDocument 401 /index.php?form=default' ?? ??????? ????? ???????, ????? ???? ?- ???? ??????? ???? ?? Zabbix.
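The "Remove domain name" and "Case-sensitive login" rules from the table above, modelled as an added illustration (this is not Zabbix's own code). It assumes the three `$_SERVER` variables are checked in the order the page lists them, that domain comparison ignores case, and that an empty domain list leaves the login untouched; the same two parameters appear again in the LDAP and SAML tables.

```python
"""Model of the HTTP-authentication login-name rules in the table above
(Remove domain name, Case-sensitive login). Added illustration, not Zabbix code."""
from typing import Iterable, Optional

# $_SERVER variables the page lists; their order is assumed to be the precedence.
HEADER_VARS = ("PHP_AUTH_USER", "REMOTE_USER", "AUTH_USER")

def pick_login(server: dict) -> Optional[str]:
    """First non-empty login name supplied by the web server, if any."""
    for var in HEADER_VARS:
        if server.get(var):
            return server[var]
    return None

def strip_domain(login: str, allowed_domains: str) -> Optional[str]:
    """'Remove domain name' rule for a comma-delimited list such as 'comp,any':
    'user@dom' and 'dom\\user' become 'user' when dom is listed; an unlisted
    domain denies the login (None). Assumed: domain comparison ignores case,
    and with no domains configured the login is used as-is."""
    allowed = {d.strip().lower() for d in allowed_domains.split(",") if d.strip()}
    if not allowed:
        return login
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.rpartition("@")
    else:
        return login  # no domain part: nothing to strip
    return user if domain.lower() in allowed else None

def resolve_user(login: str, known_users: Iterable[str], case_sensitive: bool) -> Optional[str]:
    """'Case-sensitive login' rule: with the check disabled 'ADMIN' matches the
    stored user 'Admin', but the login is denied when several stored users
    differ only by case (e.g. 'Admin' and 'admin')."""
    users = list(known_users)
    if case_sensitive:
        return login if login in users else None
    matches = [u for u in users if u.lower() == login.lower()]
    return matches[0] if len(matches) == 1 else None

def http_login(server: dict, allowed_domains: str, known_users, case_sensitive=True):
    """Whole chain: server variable -> domain rule -> user lookup; None = denied."""
    login = pick_login(server)
    if login is None:
        return None
    user = strip_domain(login, allowed_domains)
    if user is None:
        return None
    return resolve_user(user, known_users, case_sensitive)
```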

LDAP authentication

???? ?????? ?????? LDAP ?????? ?????? ???? ????? ? ???????. ???? ?? ?????? ???? ??????? ?? ?-Zabbix, ??? ???? ??? ?? ???? ????? ?????? Zabbix.

????? LDAP ?? Zabbix ???? ????? ?? Microsoft Active Directory ?-OpenLDAP.

?????? ?????:

Parameter Description
???? ????? LDAP ??? ?? ???? ?????? ??? ????? ????? LDAP.
???? LDAP ?? ??? LDAP. ??????: ldap://ldap.zabbix.com
???? LDAP ?????? ????? ????????? ldaps.
ldaps://ldap.zabbix.com
?? OpenLDAP 2.x.x ?????, ???? ?????? ?-LDAP URI ????? ldap://hostname:port ?? ldaps://hostname:port.
????? ????? ?? ??? LDAP. ????? ????? ??? 389.
???? ????? LDAP ?????? ???? ?????? ??? ???? ??? 636.
?? ?????? ??? ????? ??????? URI ????? ?? LDAP.
Base DN ???? ???? ???????? ?????:
ou=Users,ou=system (???? OpenLDAP),
DC=company,DC=com (???? Microsoft Active Directory)
????? ????? ????? ????? LDAP ?????? ??????:
uid (???? OpenLDAP),
sAMAccountName (???? Microsoft Active Directory)
Bind DN ????? LDAP ?????? ?????? ??? ??? LDAP, ???????:
uid=ldap_search,ou=system (???? OpenLDAP),
CN=ldap_search,OU=user_group,DC=company,DC=com (???? Microsoft Active Directory)
????? ??????? ???? ?? ??. ???? ?? ?????? ??????? ???? ????? ?? ????? ??????? ???????? ?? ?????? (???? ?? ???????, ??????, ?????, ??????, ??????? ???'). ????? ?????, ???? ?? ?????? ?????????? ?????? LDAP ?????? ????? ??? ????? ??????.
????? ????? ?????? ??? ?? ????? ???? ?????? ??? ???? ????? ????? ?????? (????? ?????? ????) ???? ???? ?????.
Example: ???? ??????? ????? ?????? ?????? ??, ????, ????? 'ADMIN' ?? ?? ????? Zabbix ??? 'Admin'.
??? ?? ????? ??????? ????? ?????? ??????, ?????? ????? ?? ?????? ???? ??????? ?- ??? ?????? ?? Zabbix ?? ???? ????? ????? (???? Admin, admin).
????? ????? ????? LDAP ?? ?????? ?????? ?????? ???? LDAP.
????? ????? ????? ?? ??? ??????
????? ?? ????? ????? (??? ????? ??? ?-frontend ?? Zabbix). ?? ????? ?? ???? ??????? ???? LDAP.
Zabbix ?? ????? ????? LDAP ?? ??? ???????? ???? ?? ?????? ?????.
????? ????? ????? LDAP ?? ?????? ?????.

::: ???? ????? ????? ?? ???? ???????, ????? ? ????? LDAP ?????? (ldaps) ???? ????? ????? ???? ?????? ? ???? TLS_REQCERT allow ?????? /etc/openldap/ldap.conf ??????. ?? ???? ?????? ?? ????? ?????? ?-LDAP ????????. :::

????? ????? ????? LDAP ???? (Bind DN) ?????? ????? ?????? ??????? ??? LDAP ?????? ????????? ?-LDAP ????? ?????? ???????? ????? ??????? (?????? ?????? ????? Zabbix).
???? ??? ????? ???? ?????? ????? ?????? ????? ?-Bind password ???? ?????? ???? ?? ?????? ??? ?-LDAP ???.
????? ????? ?? ?? ????? ldap_search.
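The login sequence that the Base DN, search attribute, Bind DN and bind password parameters above imply (bind as the search account, find the user's DN, bind as that user), written as an added illustration rather than Zabbix's own code. An in-memory dictionary stands in for OpenLDAP or Active Directory; its entries, DNs and passwords are constructed, and the filter escaping follows RFC 4515 so the login name cannot alter the search.

```python
"""Model of the LDAP login flow behind the settings above (added illustration,
not Zabbix's code): bind as the Bind DN, search under Base DN, bind as the user."""
import re
from typing import Optional

# RFC 4515 escaping: the login name is user input placed inside a search filter.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def user_filter(search_attribute: str, login: str) -> str:
    """('uid', 'jdoe') -> '(uid=jdoe)'; ('uid', 'a*') -> '(uid=a\\2a)'."""
    return "(%s=%s)" % (search_attribute, "".join(_ESC.get(c, c) for c in login))

class FakeDirectory:
    """Constructed in-memory stand-in for OpenLDAP/AD: dn -> attributes."""
    def __init__(self, entries: dict):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base_dn: str, filt: str) -> list:
        """Understands '(attr=literal)' only; '\\xx' escapes are undone, so an
        escaped '*' matches a literal '*' instead of acting as a wildcard."""
        attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [dn for dn, a in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and a.get(attr) == value]

def ldap_login(d, base_dn, search_attr, bind_dn, bind_pw, login, password) -> Optional[str]:
    """Returns the authenticated user's DN, or None when any step fails."""
    if not d.bind(bind_dn, bind_pw):
        return None  # the search account itself cannot bind: misconfiguration
    if not password:
        return None  # empty password = RFC 4513 'unauthenticated bind'; some servers accept it
    hits = d.search(base_dn, user_filter(search_attr, login))
    if len(hits) != 1:
        return None  # unknown login, or an ambiguous match
    return hits[0] if d.bind(hits[0], password) else None

DIRECTORY = FakeDirectory({  # constructed sample entries (Base DN ou=Users,ou=system)
    "uid=ldap_search,ou=system": {"userPassword": "s3arch"},
    "uid=jdoe,ou=Users,ou=system": {"uid": "jdoe", "userPassword": "Pa55"},
})
```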

SAML authentication

???? ?????? ?????? SAML 2.0 ??? ?????? ?-Zabbix. ???? ?? ?? ? ?????? ???? ??????? ?-Zabbix, ?? ???, ????? ?-Zabbix ??? ?? ???? ??????. ?? ?????? ?????, Zabbix ????? ??????? ?? ????? ?? ????? ?? ?????? ??????? ?? ??? SAML.

?? ????? SAML ?????, ???????? ????? ????? ??? ??? ??? ????? ?????? ?? ??? SAML ????? ?????.

Setting up IdP

?? ??? ????? ?? Zabbix, ??? ???? SAML (, , ?? ?????? ?? ???' ?- ???? ????:

  • ?? ?????? ?? ????? ?-URL ?? ????? <path_to_zabbix_ui>/index_sso.php?acs
  • ?? ?????? ?? ????? ???? ?????? ????? <path_to_zabbix_ui>/index_sso.php?sls

??????? ?? <path_to_zabbix_ui>: , , <any_public_ip_address>/zabbix

Setting up Zabbix

::: ???? ?? ???? ?? ???? ?????? php-openssl ?? ??? ???? ??? ?????? ?????? SAML ?-frontend. :::

??? ?????? ?????? SAML ?? ?????? ?? Zabbix ????? ?????:

1. ?? ????? ???? ???? ?????? ?- ui/conf/certs/, ??? ?? ??????? ?????? ??????? ????? ? zabbix.conf.php.

?????? ????, Zabbix ???? ???????? ?????:

  • ui/conf/certs/sp.key - ???? ???? ???? SP
  • ui/conf/certs/sp.crt - ???? ????? SP
  • ui/conf/certs/idp.crt - ???? ????? IDP

2. ???? ?????? ?? ?? ??????? ??????? ????? ?-Zabbix ?????. ?? ???, ???? ????? ?????? ?????? ?- ???? ?????.

?????? ?????, ?????? ????? Zabbix:

Parameter Description
???? ????? SAML ??? ?? ???? ?????? ??? ?????? ????? SAML.
???? ???? IDP ????? ??????? ?? ??? ????? SAML.
????? ?-SSO ?? ????? ????? ?-URL ???????? ????? ???? ??? ??????.
SLO Service URL ????? ?-URL ???????? ????? ???? ??? ??????. ?? ???? ???, ????? SLO ?? ????? ??????.
????? ?? ????? ????? SAML ????? ??? ????? ??? ????? ?-Zabbix.
????? ?????? ??????? ????? ?? ??? ??? ?????.

???????:
uid
userprincipalname
samaccountname
?? ?????
userusername
urn:oid:0.9.2342.19200300.100.1.1
urn:oid:1.3.6.1.4.1.5923.1.1.1.13
urn:oid:0.9.2342.19200300.100.1.44
???? ???? SP ????? ??????? ?? ??? ?????? SAML.
????? ???? ?? SP ????? ????? ????? ???? ?? ?? ??????.

???????:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
???? ??? ?? ????? ?????? ??? ????? ?????? ?????? ?? ?????? ????? SAML:
??????
??????
????? ?????
????? ?????
????? ??????
????? ??? ?? ????? ?????? ??? ????? ?????? ?????? ?? ????? ????? SAML:
??????
???? ??
????? ????? ?????? ??? ?? ???? ?????? ??? ????? ??????? ????? ?????? (????? ?????? ????) ???? ???? ?????.
Example: ???? ??????? ????? ?????? ?????? ??, ????, ????? 'ADMIN' ?? ?? ????? Zabbix ??? 'Admin'.
??? ?? ????? ??????? ????? ?????? ??????, ?????? ????? ?? ?????? ???? ??????? ?- ??? ?????? ?? Zabbix ?? ???? ????? ????? (???? Admin, admin).
Advanced settings

???? ?????? ??????? ?????? ?? SAML ????? ????? ?? Zabbix ???? ????? (zabbix.conf.php):

  • $SSO['SP_KEY'] = '<???? ????? ????? ????? ?? SP>';
  • $SSO['SP_CERT'] = '<???? ????? ????? SP>';
  • $SSO['IDP_CERT'] = '<???? ????? ????? IDP>';
  • $SSO['SETTINGS']

Zabbix ????? ?-SAML PHP ?? OneLogin [php-saml](https://github.com/onelogin/php-saml/tree/3.4.1) ?????? (???? 3.4.1). ????? ?? ??? $SSO['SETTINGS'] ???? ????? ???? ????? ?? ?????? ???????. ?????? ?? ???????? ?????, ??? ?????? ?????.

???? ?????? ?? ?? ????????? ????? ???? ?-$SSO['SETTINGS']:

  • strict
  • baseurl
  • compress
  • contactPerson
  • organization
  • sp (only the parameters listed below)
    • attributeConsumingService
    • x509certNew
  • idp (only the parameters listed below)
    • singleLogoutService (only the parameter listed below)
      • responseUrl
    • certFingerprint
    • certFingerprintAlgorithm
    • x509certMulti
  • security (only the parameters listed below)
    • signMetadata
    • wantNameId
    • requestedAuthnContext
    • requestedAuthnContextComparison
    • wantXMLValidation
    • relaxDestinationValidation
    • destinationStrictlyMatches
    • rejectUnsolicitedResponsesWithInResponseTo
    • signatureAlgorithm
    • digestAlgorithm
    • lowercaseUrlencoding

?? ??? ????????? ?????? ???? ??????? ??? ???? ????. ??????? ????? ????? ?????.

?????, ?? ???? ?????? ?? Zabbix ???? ?????? ?????? ?? ???? ??????, ? ???? ?????? ??????? ?????? ????? ?? use_proxy_headers:

  • false (????? ????) - ????? ????????;
  • true - ????? ??????? X-Forwarded-* HTTP ?????? ????? ?-URL ???????.

?? ??? ????? ????? ?????? ??? ?????? ????? ?? Zabbix, ???? ???? ????? ????? ?-TLS/SSL ?-Zabbix ?? ???? ???, ???? ????? ?? ???????? 'baseurl', 'strict' ?-'use_proxy_headers' ????? ???:

 $SSO_SETTINGS=['strict' => false, 'baseurl' => "https://zabbix.example.com/zabbix/", 'use_proxy_headers' => true]

????? ??????:

 $SSO['SETTINGS'] = [
     'security' => [
         'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384',
         'digestAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#sha384',
         // ...
     ],
     // ...
 ];

Frontend configuration with Kerberos/ADFS

The Zabbix frontend configuration file (zabbix.conf.php) can be used to configure SSO with Kerberos authentication and ADFS:

 $SSO['SETTINGS'] = [
     'security' => [
         'requestedAuthnContext' => [
             'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos',
         ],
         'requestedAuthnContextComparison' => 'exact'
     ]
 ];

In this case, set the SP name ID format field in the SAML configuration to:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified