community.zabbix.zabbix_authentication module – Update Zabbix authentication
Note
This module is part of the community.zabbix collection (version 2.2.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.zabbix
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.zabbix.zabbix_authentication
.
New in community.zabbix 1.6.0
Synopsis
This module allows you to modify Zabbix authentication setting.
Requirements
The below requirements are needed on the host that executes this module.
python >= 3.9
Parameters
Parameter |
Comments |
---|---|
Choose default authentication type. Choices:
|
|
User group name to assign the deprovisioned user to. The user group must be disabled and cannot be enabled or deleted when configured. Required if This parameter is available since Zabbix 6.4. |
|
HTTP authentication will be enabled if Choices:
|
|
Case sensitive login for HTTP authentication will be enabled if Choices:
|
|
Choose default login form. Choices:
|
|
Basic Auth password |
|
Basic Auth login |
|
A list of domain names that should be removed from the username. |
|
Time interval between JIT provision requests for logged-in user. Accepts seconds and time unit with suffix with month and year support (3600s,60m,1h,1d,1M,1y). Minimum value 1h. Available only for LDAP provisioning. This parameter is available since Zabbix 6.4. Default: |
|
LDAP authentication will be enabled if This parameter is available since Zabbix 6.4. Choices:
|
|
Base DN of LDAP. This setting is required if current value of ldap_configured is Works only with Zabbix <= 6.0 and is silently ignored in higher versions. |
|
Bind DN of LDAP. Works only with Zabbix <= 6.0 and is silently ignored in higher versions. |
|
Bind password of LDAP. Works only with Zabbix <= 6.0 and is silently ignored in higher versions. |
|
case sensitive login for LDAP authentication will be enabled if Choices:
|
|
LDAP authentication will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Removed in Zabbix 6.4 Choices:
|
|
LDAP server name. e.g. This setting is required if current value of ldap_configured is Works only with Zabbix <= 6.0 and is silently ignored in higher versions. |
|
Status of LDAP provisioning. This parameter is available since Zabbix 6.4. Choices:
|
|
A port number of LDAP server. This setting is required if current value of ldap_configured is Works only with Zabbix <= 6.0 and is silently ignored in higher versions. |
|
Search attribute of LDAP. This setting is required if current value of ldap_configured is Works only with Zabbix <= 6.0 and is silently ignored in higher versions. |
|
LDAP authentication default user directory name for user groups with gui_access set to LDAP or System default. Required to be set when |
|
Checking password rules. Select multiple from This parameter is available since Zabbix 6.0. |
|
Minimal length of password. Choose from 1-70. This parameter is available since Zabbix 6.0. |
|
SAML authentication will be enabled if Choices:
|
|
Case sensitive login for SAML authentication will be enabled if Choices:
|
|
SAML encrypt assertions will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Choices:
|
|
SAML encrypt name ID will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Choices:
|
|
SAML identify provider’s entity ID. This setting is required if current value of saml_auth_enabled is Works only with Zabbix <= 6.2 and is silently ignored in higher versions. |
|
Status of SAML provisioning. This parameter is available since Zabbix 6.4. Choices:
|
|
Name identifier format of SAML service provider. Works only with Zabbix <= 6.2 and is silently ignored in higher versions. |
|
SAML sign assertions will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Choices:
|
|
SAML sign AuthN requests will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Choices:
|
|
SAML sign logout requests will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Choices:
|
|
SAML sign logout responses will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Choices:
|
|
SAML sign messages will be enabled if Works only with Zabbix <= 6.2 and is silently ignored in higher versions. Choices:
|
|
URL for SAML single logout service. Works only with Zabbix <= 6.2 and is silently ignored in higher versions. |
|
Entity ID of SAML service provider. This setting is required if current value of saml_auth_enabled is Works only with Zabbix <= 6.2 and is silently ignored in higher versions. |
|
URL for single sign on service of SAML. This setting is required if current value of saml_auth_enabled is Works only with Zabbix <= 6.2 and is silently ignored in higher versions. |
|
User name attribute of SAML. This setting is required if current value of saml_auth_enabled is Works only with Zabbix <= 6.2 and is silently ignored in higher versions. |
Examples
# If you want to use Username and Password to be authenticated by Zabbix Server
- name: Set credentials to access Zabbix Server API
ansible.builtin.set_fact:
ansible_user: Admin
ansible_httpapi_pass: zabbix
# If you want to use API token to be authenticated by Zabbix Server
# https://www.zabbix.com/documentation/current/en/manual/web_interface/frontend_sections/administration/general#api-tokens
- name: Set API token
ansible.builtin.set_fact:
ansible_zabbix_auth_key: 8ec0d52432c15c91fcafe9888500cf9a607f44091ab554dbee860f6b44fac895
- name: Update all authentication setting (Zabbix <= 6.0)
# set task level variables as we change ansible_connection plugin here
vars:
ansible_network_os: community.zabbix.zabbix
ansible_connection: httpapi
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_zabbix_url_path: "zabbixeu" # If Zabbix WebUI runs on non-default (zabbix) path ,e.g. http://<FQDN>/zabbixeu
ansible_host: zabbix-example-fqdn.org
community.zabbix.zabbix_authentication:
authentication_type: internal
http_auth_enabled: true
http_login_form: zabbix_login_form
http_strip_domains:
- comp
- any
http_case_sensitive: true
ldap_configured: true
ldap_host: "ldap://localhost"
ldap_port: 389
ldap_base_dn: "ou=Users,ou=system"
ldap_search_attribute: "uid"
ldap_bind_dn: "uid=ldap_search,ou=system"
ldap_case_sensitive: true
ldap_bind_password: "password"
saml_auth_enabled: true
saml_idp_entityid: ""
saml_sso_url: "https://localhost/SAML2/SSO"
saml_slo_url: "https://localhost/SAML2/SLO"
saml_username_attribute: "uid"
saml_sp_entityid: "https://localhost"
saml_nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
saml_sign_messages: true
saml_sign_assertions: true
saml_sign_authn_requests: true
saml_sign_logout_requests: true
saml_sign_logout_responses: true
saml_encrypt_nameid: true
saml_encrypt_assertions: true
saml_case_sensitive: true
passwd_min_length: 70
passwd_check_rules:
- contain_uppercase_and_lowercase_letters
- contain_digits
- contain_special_characters
- avoid_easy_to_guess
- name: Update all authentication setting (Zabbix = 6.2)
# set task level variables as we change ansible_connection plugin here
vars:
ansible_network_os: community.zabbix.zabbix
ansible_connection: httpapi
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_zabbix_url_path: "zabbixeu" # If Zabbix WebUI runs on non-default (zabbix) path ,e.g. http://<FQDN>/zabbixeu
ansible_host: zabbix-example-fqdn.org
community.zabbix.zabbix_authentication:
authentication_type: internal
http_auth_enabled: true
http_login_form: zabbix_login_form
http_strip_domains:
- comp
- any
http_case_sensitive: true
ldap_configured: true
ldap_case_sensitive: true
saml_auth_enabled: true
saml_idp_entityid: ""
saml_sso_url: "https://localhost/SAML2/SSO"
saml_slo_url: "https://localhost/SAML2/SLO"
saml_username_attribute: "uid"
saml_sp_entityid: "https://localhost"
saml_nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
saml_sign_messages: true
saml_sign_assertions: true
saml_sign_authn_requests: true
saml_sign_logout_requests: true
saml_sign_logout_responses: true
saml_encrypt_nameid: true
saml_encrypt_assertions: true
saml_case_sensitive: true
passwd_min_length: 70
passwd_check_rules:
- contain_uppercase_and_lowercase_letters
- contain_digits
- contain_special_characters
- avoid_easy_to_guess
- name: Update all authentication setting (Zabbix >= 6.4)
# set task level variables as we change ansible_connection plugin here
vars:
ansible_network_os: community.zabbix.zabbix
ansible_connection: httpapi
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
ansible_zabbix_url_path: "zabbixeu" # If Zabbix WebUI runs on non-default (zabbix) path ,e.g. http://<FQDN>/zabbixeu
ansible_host: zabbix-example-fqdn.org
community.zabbix.zabbix_authentication:
authentication_type: internal
http_auth_enabled: true
http_login_form: zabbix_login_form
http_strip_domains:
- comp
- any
http_case_sensitive: true
ldap_auth_enabled: true
ldap_case_sensitive: true
saml_auth_enabled: true
saml_case_sensitive: true
ldap_jit_status: true
saml_jit_status: true
jit_provision_interval: 1h
disabled_usrgrp: Disabled
passwd_min_length: 70
passwd_check_rules:
- contain_uppercase_and_lowercase_letters
- contain_digits
- contain_special_characters
- avoid_easy_to_guess
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The result of the operation Returned: success Sample: |