Set up LDAPS authentication in Zabbix


This is what works on Ubuntu 14.04. Debian-based systems should be the same:

https://www.novell.com/coolsolutions/tip/5838.html


Author: Nico_Melotte

Updated on September 18, 2022

Comments

  • Nico_Melotte
    Nico_Melotte almost 2 years

    I am trying to set up LDAPS authentication on Zabbix 2.4 but it's not working. Here is the information on my configuration:

    • OS : Debian
    • PHP packages installed : libapache2-mod-php5 php-pear php5 php5-cli php5-common php5-curl php5-gd php5-imagick php5-json php5-ldap php5-mysqlnd php5-pgsql php5-readline php5-sasl zabbix-frontend-php

    • This command is working :

    ldapsearch -H ldaps://ldaps.mptest.be:636 -D cn=reader,dc=antidot,dc=prv -W -b ou=people,dc=antidot,dc=prv

    With the same URI, OU, login and password in the LDAP authentication setup page in Zabbix, I get this:

    ldap_bind(): Unable to bind to server: Can't contact LDAP server

    [authentication.php:120 → CLdapAuthValidator->validate() → CLdap->checkPass() → ldap_bind() in /usr/share/zabbix/include/classes/ldap/CLdap.php:112] LDAP: cannot bind by given Bind DN. Login name or password is incorrect!

    Here is the content of /etc/ldap/ldap.conf:

        TLS_REQCERT allow
        BASE dc=antidot,dc=prv
        URI ldaps://ldap.mptest.be
        TLS_CACERTDIR /etc/ssl/mptest/wildcard_mptest_be.ca

    (Authentication without SSL, on port 386, is not possible)

    • sam_pan_mariusz
      sam_pan_mariusz almost 9 years
      What version of Debian? Have you checked connectivity without SSL (be careful with this, change password immediately after if you do)? Tell us also contents of /etc/ldap.conf.
    • Nico_Melotte
      Nico_Melotte almost 9 years
      Thanks for your reply. I edited the main post with the LDAP config. Unfortunately, LDAP on port 386 without SSL is not possible.
    • sam_pan_mariusz
      sam_pan_mariusz almost 9 years
      Everything seems to be fine here. Are there any per-process or per-user firewall rules? Have you tested LDAPS connectivity with another, simple PHP script? And have you considered authenticating in httpd (Apache?) and passing REMOTE_USER to application? Zabbix works that way in my workplace (although with Kerberos, not LDAP, as we prefer having SSO).
    • Nico_Melotte
      Nico_Melotte almost 9 years
      I did try a test PHP script:

        <?php
        // The port argument is ignored when a full ldaps:// URI is given
        $handle = ldap_connect('ldaps://ldaps.mptest.be', 636);
        $bind = ldap_bind($handle, 'cn=reader,dc=antidot,dc=prv', 'reader');
        echo "TEST BIND";
        if (!$bind) {
            // Bind failed: print the extended diagnostic from the LDAP library, if any
            if (ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
                echo "Error Binding to LDAP: $extended_error";
            } else {
                echo "Error Binding to LDAP: No additional information is available.";
            }
        } else {
            echo "bind OK";
        }
        ?>
    • Nico_Melotte
      Nico_Melotte almost 9 years
      And I have a DokuWiki page that is using that LDAPS server, but anonymously.
    • sam_pan_mariusz
      sam_pan_mariusz almost 9 years
      At the moment, besides configuring httpd authentication as already mentioned, I can only recommend: finding the lines with ldap_connect() and ldap_bind() in Zabbix panel and modify it temporarily to dump all arguments to be analyzed (look for leading/trailing spaces, NULLs, etc.); sniffing the traffic with tcpdump, although with SSL this will be of limited use.
  • dortegaoh
    dortegaoh almost 7 years
    Welcome to Server Fault! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
  • hargut
    hargut over 5 years
    The tip in the answer is really good, and I think that this was the site that also helped me getting onto the right track. Good input, thank you @jouflux.
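
An added example, not part of the thread: a small lint over an ldap.conf like the one posted in the question, flagging settings that weaken or can break server-certificate verification for libldap clients. The function names, finding codes and the injectable `is_dir`/`is_file` checks are assumptions made for this illustration; the sample config is the one from the question, laid out one directive per line.

```python
import os
from urllib.parse import urlparse

# Constructed sample: the ldap.conf from the question, one directive per line.
SAMPLE_CONF = """\
TLS_REQCERT allow
BASE dc=antidot,dc=prv
URI ldaps://ldap.mptest.be
TLS_CACERTDIR /etc/ssl/mptest/wildcard_mptest_be.ca
"""

def parse_ldap_conf(text):
    """Return {OPTION: value}; option names are case-insensitive, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def lint_ldap_conf(text, app_host=None, is_dir=os.path.isdir, is_file=os.path.isfile):
    """Return (code, message) findings for the TLS-related settings (hypothetical helper)."""
    opts, findings = parse_ldap_conf(text), []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()  # demand is the client default
    if reqcert in ("never", "allow"):
        findings.append(("weak-reqcert", f"TLS_REQCERT {reqcert} accepts an invalid server certificate"))
    cadir = opts.get("TLS_CACERTDIR")
    if cadir and not is_dir(cadir):
        findings.append(("cacertdir-not-dir", f"{cadir} is not a directory; a CA file belongs in TLS_CACERT"))
    cafile = opts.get("TLS_CACERT")
    if cafile and not is_file(cafile):
        findings.append(("cacert-missing", f"{cafile} is not an existing file"))
    for uri in opts.get("URI", "").split():
        parsed = urlparse(uri)
        if parsed.scheme != "ldaps":
            findings.append(("non-ldaps-uri", f"{uri} does not use ldaps://"))
        if app_host and parsed.hostname != app_host:
            findings.append(("host-mismatch", f"{uri} differs from application host {app_host}"))
    return findings

if __name__ == "__main__":
    # app_host is the host used in the question's ldapsearch command.
    for code, message in lint_ldap_conf(SAMPLE_CONF, app_host="ldaps.mptest.be"):
        print(f"{code}: {message}")
```

Pass the host the application actually connects to as `app_host`; the `URI` in ldap.conf is only a default, so a mismatch is a hint to check for a typo rather than an error in itself.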