Single authentication source using OpenLDAP.


  • How do we move current user accounts to the LDAP directory?
  • The Pootle account creation form should be disabled (it cannot create accounts in LDAP)

LDAP Configuration


suffix "dc=zabbix,dc=org"
rootdn "cn=root,dc=zabbix,dc=org"
# rootpw also accepts a hashed value generated with slappasswd instead of cleartext
rootpw secret

Initial schema

Create the initial schema. Save the following as initial.ldif.

dn: dc=zabbix,dc=org
objectClass: dcObject
objectClass: organization
dc: zabbix
o: zabbix

dn: cn=root,dc=zabbix,dc=org
objectclass: organizationalRole
cn: root

dn: ou=users,dc=zabbix,dc=org
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=zabbix,dc=org
objectClass: organizationalUnit
ou: groups

Import initial schema

Execute the ldapadd command to import the initial schema:

ldapadd -x -D "cn=root,dc=zabbix,dc=org" -w secret -f initial.ldif

Confirm imported data



ldapsearch -x -h localhost -b "dc=zabbix,dc=org"

MediaWiki Configuration

Using the LdapAuthentication extension

Download the extension and put it into the MediaWiki extensions directory:

cp LdapAuthentication.php /srv/www/htdocs/mw/extensions/

Settings for LDAP authentication

Edit the LocalSettings.php file in the top directory of MediaWiki:

require_once 'extensions/LdapAuthentication.php';
$wgAuth = new LdapAuthenticationPlugin();
// The entries of the arrays shown empty below are missing from this page.
$wgLDAPDomainNames = array();
$wgLDAPServerNames = array(
  'zorg' => 'localhost'
);
$wgLDAPSearchStrings = array(
  'zorg' => 'uid=USER-NAME,ou=users,dc=zabbix,dc=org'
);
$wgLDAPEncryptionType = array(
  'zorg' => 'false'
);
$wgLDAPWriterDN = array();
$wgLDAPWriterPassword = array();
$wgLDAPWriteLocation = array();
$wgLDAPAddLDAPUsers = array();
$wgLDAPUpdateLDAP = array();
$wgLDAPMailPassword = array();
$wgLDAPRetrievePrefs = array();
$wgLDAPPreferences = array(
  "zorg"=>array( "email"=>"mail","realname"=>"displayname","nickname"=>"cn","language"=>"preferredlanguage")
);
// Keep at 1 or higher: a simple bind with an empty password is an
// unauthenticated bind (RFC 4513), which some servers accept.
$wgMinimalPasswordLength = 1;

Move accounts from MediaWiki to LDAP

Quick idea from BManojlovic:

  • <BManojlovic> best approach for migration if you do not have clear text password (as you should not have) is to create proxy login in mediawiki that will forward credentials to ldap
  • <BManojlovic> <? if ($_REQUEST['password'] == $db->exec("select password from shadow where id=?", $_REQUEST['username'])) { ldap_modify("dn=username, ou=xxx,cn=ppp" , password = md5($_REQUEST['password'])); }
  • <BManojlovic> so after one month of that you simply replace it with real ldap login :)
  • <BManojlovic> and same for creation of user
  • <BManojlovic> Richlv:

account migration

  • Migrate all account information from the MediaWiki DB to LDAP, without passwords
  • Edit includes/specials/SpecialUserlogin.php (add only one line, at line 561 in the version used here)
                } else {
                        $wgAuth->updateUser( $u );
                        $wgAuth->setPassword( $u, $this->mPassword );  // <-- add this line
                        $wgUser = $u;

                        // Please reset throttle for successful logins, thanks!
                        if( $throttleCount ) {
  • MediaWiki uses the local database password at login if there is no password information in LDAP
  • If the login is successful, MediaWiki stores the password in LDAP

Password hash method

The LDAP password hash method can be changed in slapd.conf:

password-hash {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, {CLEARTEXT}

We can also use the password-crypt-salt-format option.

MediaWiki internal accounts use MediaWiki's own password hash format:

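if( $wgPasswordSalt ) {
        if ( $salt === false ) {
                $salt = substr( wfGenerateToken(), 0, 8 );
        }
        // Salted format: ':B:<salt>:<md5 of salt-md5(password)>'
        return ':B:' . $salt . ':' . md5( $salt . '-' . md5( $password ) );
} else {
        // Unsalted format: ':A:<md5(password)>'
        return ':A:' . md5( $password );
}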
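
The login-time migration and the two hash formats described above, as an added Python example that is not part of the original page or of MediaWiki: it checks a password against a MediaWiki ':A:' or ':B:' hash and, only on success, builds the {SSHA} value to store in LDAP, which shows why the stored MediaWiki hashes cannot simply be copied into the directory. The function names, the sample account and the 8-byte salt length are assumptions; the {SSHA} layout used is base64(SHA-1(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os


def mw_hash_matches(stored, password):
    """Check a password against a MediaWiki ':A:' or ':B:' hash."""
    inner = hashlib.md5(password.encode()).hexdigest()
    if stored.startswith(":B:"):
        # ':B:<salt>:' + md5(salt + '-' + md5(password))
        salt, _, digest = stored[3:].partition(":")
        expected = hashlib.md5(f"{salt}-{inner}".encode()).hexdigest()
    elif stored.startswith(":A:"):
        digest, expected = stored[3:], inner
    else:
        return False  # unknown format: fail closed
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(digest.encode(), expected.encode())


def ssha(password, salt=None):
    """Build a slapd {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt  # salt length is an assumption
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_matches(value, password):
    """Verify a {SSHA} value the way a bind would: re-hash with the stored salt."""
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def migrate_on_login(stored_mw_hash, password):
    """Return the userPassword value to write to LDAP, or None if login fails."""
    # Reject empty passwords so no empty credential is ever stored.
    if not password or not mw_hash_matches(stored_mw_hash, password):
        return None
    return ssha(password)


# Constructed sample account: password "s3cret", salt "1a2b3c4d".
_INNER = hashlib.md5(b"s3cret").hexdigest()
SAMPLE = ":B:1a2b3c4d:" + hashlib.md5(f"1a2b3c4d-{_INNER}".encode()).hexdigest()

if __name__ == "__main__":
    print(migrate_on_login(SAMPLE, "s3cret"))  # a new {SSHA} value each run
```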

Pootle Configuration

Pootle can use LDAP authentication by default.

Settings for LDAP authentication

Change the settings in the Pootle directory:

AUTHENTICATION_BACKENDS = ('pootle.auth.ldap_backend.LdapBackend', 'django.contrib.auth.backends.ModelBackend',)
#AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend',)
AUTH_LDAP_SERVER = 'ldap://localhost'
AUTH_LDAP_BASE_DN = 'ou=users,dc=zabbix,dc=org'
       'dn': 'dn',


  • Use Apache basic authentication
  • Subversion is set up with the Apache dav-svn module

Set up the Subversion repository

mkdir /srv/repos/reponame
svnadmin create /srv/repos/reponame

Apache configuration

Edit /etc/apache2/httpd.conf:

<Location /repos>
  DAV svn
  SVNParentPath /srv/repos
  SVNListParentPath on 
  AuthBasicProvider ldap
  AuthType Basic
  AuthName "Zabbix community repository"
  AuthLDAPURL ldap://,dc=zabbix,dc=org
  Require valid-user