# 3 Authentication

#### Overview

In *Administration → Authentication* the method used to authenticate
users in Zabbix can be changed. The available methods are internal, LDAP
and HTTP authentication.

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/authentication.png)

By default, internal Zabbix authentication is used. To change it, click
on the button with the method name and press *Save*.

##### Internal

Internal Zabbix authentication is used.

##### LDAP

External LDAP authentication can be used to check user names and
passwords. Note that the user must also exist in Zabbix; however, its
Zabbix password will not be used.

Zabbix LDAP authentication works at least with Microsoft Active
Directory and OpenLDAP.

![](../../../../../assets/en/manual/web_interface/frontend_sections/administration/auth_ldap.png)

Configuration parameters:

|Parameter|Description|
|---------|-----------|
|*LDAP host*|Name of the LDAP server, for example: ldap://ldap.zabbix.com<br>For a secure LDAP server use the *ldaps* protocol:<br>ldaps://ldap.zabbix.com<br>With OpenLDAP 2.x.x and later, a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port may be used.|
|*Port*|Port of the LDAP server. Default is 389.<br>For a secure LDAP connection the port number is normally 636.<br>Not used when using full LDAP URIs.|
|*Base DN*|Base path to search accounts:<br>ou=Users,ou=system (for OpenLDAP),<br>DC=company,DC=com (for Microsoft Active Directory)|
|*Search attribute*|LDAP account attribute used for search:<br>uid (for OpenLDAP),<br>sAMAccountName (for Microsoft Active Directory)|
|*Bind DN*|LDAP account for binding and searching over the LDAP server, examples:<br>uid=ldap\_search,ou=system (for OpenLDAP),<br>CN=ldap\_search,OU=user\_group,DC=company,DC=com (for Microsoft Active Directory)<br><br>Required; anonymous binding is not supported.|
|*Bind password*|LDAP password of the account for binding and searching over the LDAP server.|
|*Test authentication*|Header of the section for testing.|
|*Login*|Name of a test user (which is currently logged in to the Zabbix frontend). This user name must exist in the LDAP server.<br>Zabbix will not activate LDAP authentication if it is unable to authenticate the test user.|
|*User password*|LDAP password of the test user.|

::: notetip
It is recommended to create a separate LDAP account (*Bind DN*) with minimal privileges in LDAP to perform binding and searching over the LDAP server, instead of using real user accounts (used for logging in to the Zabbix frontend).<br>
Such an approach provides more security and does not require changing the *Bind password* when the user changes their own password in the LDAP server.<br>
In the table above, this is the *ldap\_search* account.
:::
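
The following is an added example, not part of the Zabbix manual or Zabbix code: a pre-flight review of the LDAP settings from the table above, plus RFC 4515 escaping of the login before it is placed in a search filter. The dictionary keys, function names and the `(attribute=login)` filter shape are assumptions made for illustration.

```python
from urllib.parse import urlparse

# RFC 4515 filter metacharacters and their escaped forms.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def build_search_filter(search_attribute, login):
    """Build (attribute=login) with the login escaped so it stays a literal value."""
    escaped = "".join(_ESCAPES.get(ch, ch) for ch in login)
    return f"({search_attribute}={escaped})"

def review_ldap_settings(cfg):
    """Return findings for a dict keyed after the form fields (key names are assumptions)."""
    findings = []
    host = cfg.get("host", "")
    full_uri = "://" in host
    uri = urlparse(host if full_uri else "ldap://" + host)
    if uri.scheme != "ldaps":
        findings.append("cleartext: use ldaps:// so bind and user passwords are encrypted")
    if full_uri and uri.port and cfg.get("port") not in (None, uri.port):
        findings.append("port: the Port field is not used with a full LDAP URI")
    bind_dn = cfg.get("bind_dn", "")
    if not bind_dn or not cfg.get("bind_password"):
        findings.append("bind: Bind DN and Bind password are required (no anonymous bind)")
    # First RDN value of the Bind DN, e.g. "ldap_search" from "uid=ldap_search,ou=system".
    first_rdn = bind_dn.split(",", 1)[0].partition("=")[2].strip().lower()
    if first_rdn and first_rdn == cfg.get("login", "").lower():
        findings.append("bind: Bind DN is the test user's own account, not a dedicated one")
    if not cfg.get("base_dn"):
        findings.append("base: Base DN is empty")
    return findings

# Constructed sample settings; host and DNs follow the examples in the table above.
WEAK = {"host": "ldap://ldap.zabbix.com:389", "port": 636,
        "base_dn": "ou=Users,ou=system", "search_attribute": "uid",
        "bind_dn": "uid=jdoe,ou=Users,ou=system", "bind_password": "x",
        "login": "jdoe"}
HARDENED = dict(WEAK, host="ldaps://ldap.zabbix.com:636",
                bind_dn="uid=ldap_search,ou=system")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, review_ldap_settings(cfg) or "no findings")
    print(build_search_filter("uid", "a*(b)"))
```
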

::: notetip
Some user groups can still be authenticated by Zabbix.
These groups must have [frontend
access](/manual/config/users_and_usergroups/usergroup#configuration) set
to Internal.
:::

##### HTTP

Apache-based (HTTP) authentication can be used to check user names and
passwords. Note that the user must also exist in Zabbix; however, its
Zabbix password will not be used.

::: noteimportant
Be careful! Make sure that Apache authentication
is configured and works properly before switching it on.
:::

::: noteclassic
With Apache authentication, all users (even those with
[frontend
access](/manual/config/users_and_usergroups/usergroup#configuration) set
to Internal) will be authenticated by Apache, not by
Zabbix!
:::
