Overview of MFA for Zabbix
This documentation describes how to integrate Rublon MFA with Zabbix using the LDAP(S) protocol to enable multi-factor authentication for logins to Zabbix.
Supported Authentication Methods
Before You Start Configuring MFA for Zabbix Using LDAP(S)
Before configuring Rublon MFA for Zabbix:
- Ensure you have prepared all required components.
- Create an application in the Rublon Admin Console.
- Install the Rublon Authenticator mobile app.
Required Components
1. User Identity Provider (IdP) – You need an external Identity Provider, such as Microsoft Active Directory, OpenLDAP, or FreeIPA.
2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already, and configure the Rublon Authentication Proxy as an LDAP proxy.
3. Zabbix – A properly installed and configured Zabbix.
Create an Application in the Rublon Admin Console
1. Sign up for the Rublon Admin Console. Here’s how.
2. In the Rublon Admin Console, go to the Applications tab and click Add Application.
3. Enter a name for your application (e.g., Zabbix) and then set the type to Rublon Authentication Proxy.
4. Click Save to add the new application in the Rublon Admin Console.
5. Copy the values of System Token and Secret Key of the newly created application. You will need them later.
Install Rublon Authenticator
Some end-users may use the Rublon Authenticator mobile app. So, as a person configuring MFA for Zabbix, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for Zabbix via Mobile Push.
Download the Rublon Authenticator for:
Configuring Multi-Factor Authentication (MFA) for Zabbix Using LDAP(S)
Rublon Authentication Proxy
1. Edit the Rublon Auth Proxy configuration file and paste the previously copied values of System Token and Secret Key in system_token and secret_key, respectively.
2. Config example file in YAML:
log:
debug: true
rublon:
api_server: https://core.rublon.net
system_token: YOURSYSTEMTOKEN
secret_key: YOURSECRETKEY
proxy_servers:
- name: LDAP-Proxy
type: LDAP
ip: 0.0.0.0
port: 636
auth_source: LDAP_SOURCE_1
auth_method: push, email
rublon_section: rublon
cert_path: /etc/ssl/certs/ca.crt
pkey_path: /etc/ssl/certs/key.pem
auth_sources:
- name: LDAP_SOURCE_1
type: LDAP
ip: 172.16.0.127
port: 636
transport_type: ssl
search_dn: dc=example,dc=org
access_user_dn: cn=admin,dc=example,dc=org
access_user_password: CHANGE_ME
ca_certs_dir_path: /etc/ssl/certs/Zabbix
1. Log in to the Zabbix admin panel.
2. In the left pane, select Users → Authentication → LDAP Settings.
3. Select Enable LDAP authentication and Enable JIT provisioning.
4. In Servers, select Add. Fill in the fields. Refer to the following image and table.
| Name | Descriptive name for the LDAP connection. |
| Host | The IP address or hostname of the Rublon Authentication Proxy, prefixed with ldap:// for LDAP or ldaps:// for LDAPS. |
| Port | The port of the Rublon Authentication Proxy (636 for LDAPS; 389 for LDAP). |
| Base DN | Enter the Base DN from which Zabbix should start searching for users (e.g., ou=Users,dc=my,dc=organization,dc=domain). This must match what the bind account “sees”. |
| Search attribute | LDAP attribute used for logging in and searching for users (e.g., sAMAccountName). |
| Bind DN | The Bind DN (the full LDAP path of the service account, e.g., CN=rublonadmin,OU=Rublon,DC=rublondemo,DC=local) that Zabbix will use to authenticate and access the LDAP directory for querying user information. This account must have at least the permission to read other users’ attributes. Note: This Bind DN must be the same as access_user_dn in your Rublon Auth Proxy’s config file. |
| Bind password | The password of the user defined in the Bind DN. Note: This Bind password must be the same as access_user_password in your Rublon Auth Proxy’s config file. |
| Description | An optional field to add a descriptive note about the LDAP connection. |
| Configure JIT provisioning | Enable automatic creation of user accounts upon first login. |
| Group configuration | Define how group membership is read (e.g., using memberOf). |
| Group name attribute | Set the LDAP attribute that holds the group’s name (e.g., sAMAccountName). |
| User group membership attribute | Set the LDAP attribute indicating which groups a user belongs to. |
| User name attribute | Set the LDAP attribute mapped to the user’s first name. |
| User last name attribute | Set the LDAP attribute mapped to the user’s last name. |
| User group mapping | Define the rules for mapping LDAP groups to application groups/roles. Select Add and then enter the LDAP group pattern, and then select the corresponding user groups and user roles. Using a wildcard (*) in the LDAP group pattern can simplify setup, but it is not recommended because it creates overly broad mapping. Use exact group names or precise patterns to avoid overpermissioning. |
| Media type mapping | Optionally define the mapping of LDAP attributes to additional user data (e.g., phone number). |
| StartTLS | Optional. LDAPS will work even if this option is unchecked due to ldaps://, which inherently enforces TLS. |
| Search filter | Optional. An LDAP filter that limits which users are retrieved during the search. |
5. Select Test to test your configuration and then Add to save your new server.
6. Select Update again to save the changes to the LDAP settings.
7. In Authentication, set Default authentication to LDAP and select Update.
Testing Multi-Factor Authentication (MFA) for Zabbix Integrated Via LDAP(S)
This example portrays logging in to Zabbix with Rublon Multi-Factor Authentication. Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).
1. Log in to Zabbix as a user by entering your name and password and clicking Sign in.
2. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.
3. You will be logged in to Zabbix.
Troubleshooting MFA for Zabbix Using LDAP(S)
If you encounter any issues with your Rublon integration, please contact Rublon Support.
