Set up LDAPS authentication in Zabbix
This is what works on Ubuntu 14.04. Debian-based systems should be the same:
https://www.novell.com/coolsolutions/tip/5838.html
Nico_Melotte
Updated on September 18, 2022
Comments
-
Nico_Melotte almost 2 years
I am trying to set up LDAPS authentication on Zabbix 2.4 but it's not working. Here is the information on my configuration:
- OS : Debian
PHP packages installed :
libapache2-mod-php5 php-pear php5 php5-cli php5-common php5-curl php5-gd php5-imagick php5-json php5-ldap php5-mysqlnd php5-pgsql php5-readline php5-sasl zabbix-frontend-php
This command is working :
ldapsearch -H ldaps://ldaps.mptest.be:636 -D cn=reader,dc=antidot,dc=prv -W -b ou=people,dc=antidot,dc=prv
With the same URI, OU, login and password in the LDAP authentication setup page in Zabbix, I get this:
ldap_bind(): Unable to bind to server: Can't contact LDAP server
[authentication.php:120 → CLdapAuthValidator->validate() → CLdap->checkPass() → ldap_bind() in /usr/share/zabbix/include/classes/ldap/CLdap.php:112] LDAP: cannot bind by given Bind DN. Login name or password is incorrect!
Here is the content of /etc/ldap/ldap.conf:
```
TLS_REQCERT allow
BASE dc=antidot,dc=prv
URI ldaps://ldap.mptest.be
TLS_CACERTDIR /etc/ssl/mptest/wildcard_mptest_be.ca
```
(Authentication without SSL, on port 386, is not possible)
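A lint for the `ldap.conf` quoted above, as an added example that is not part of the original post: following ldap.conf(5), it flags a `TLS_REQCERT` level weaker than `demand`, a `TLS_CACERTDIR` that is not a directory, and a default `URI` host that differs from the one given to the application. The function names and the `app_uri` parameter are assumptions; the sample is the quoted config laid out one directive per line.

```python
import os
from urllib.parse import urlparse

# Constructed sample: the ldap.conf quoted in the question, one directive per line.
SAMPLE_CONF = """\
TLS_REQCERT allow
BASE dc=antidot,dc=prv
URI ldaps://ldap.mptest.be
TLS_CACERTDIR /etc/ssl/mptest/wildcard_mptest_be.ca
"""

def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1].strip()
    return conf

def lint_ldap_conf(text, app_uri=None, isdir=os.path.isdir, isfile=os.path.isfile):
    """Return a list of (directive, message) findings for an ldap.conf text."""
    conf, findings = parse_ldap_conf(text), []

    # Only demand/hard (the default) aborts on both a missing and a bad certificate.
    level = conf.get("TLS_REQCERT", "demand").lower()
    if level not in ("demand", "hard"):
        findings.append(("TLS_REQCERT", f"'{level}' is weaker than 'demand'"))

    # TLS_CACERTDIR expects a directory of CA files; a single CA file goes in TLS_CACERT.
    cadir = conf.get("TLS_CACERTDIR")
    if cadir and not isdir(cadir):
        hint = "is a file, use TLS_CACERT" if isfile(cadir) else "is not an existing directory"
        findings.append(("TLS_CACERTDIR", f"{cadir} {hint}"))

    # The default URI applies only when a client passes none; flag a host that
    # differs from the one the application is configured with (app_uri).
    if app_uri and "URI" in conf:
        hosts = {h for h in (urlparse(u).hostname for u in conf["URI"].split()) if h}
        app_host = urlparse(app_uri).hostname
        if app_host not in hosts:
            findings.append(("URI", f"{app_host} not among default hosts {sorted(hosts)}"))
    return findings

if __name__ == "__main__":
    for directive, message in lint_ldap_conf(SAMPLE_CONF, "ldaps://ldaps.mptest.be:636"):
        print(f"{directive}: {message}")
```

Run it as the account the web server uses, so the directory and file checks reflect what the PHP process can actually read.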
-
sam_pan_mariusz almost 9 years
What version of Debian? Have you checked connectivity without SSL (be careful with this, change password immediately after if you do)? Tell us also the contents of /etc/ldap.conf.
-
Nico_Melotte almost 9 years
Thanks for your reply, I edited the main post with the LDAP config. Unfortunately, LDAP on port 386 without SSL is not possible.
-
sam_pan_mariusz almost 9 years
Everything seems to be fine here. Are there any per-process or per-user firewall rules? Have you tested LDAPS connectivity with another, simple PHP script? And have you considered authenticating in httpd (Apache?) and passing REMOTE_USER to the application? Zabbix works that way in my workplace (although with Kerberos, not LDAP, as we prefer having SSO).
-
Nico_Melotte almost 9 years
I did try a test PHP script:
```php
<?php
// Connect over LDAPS and attempt a simple bind with the reader account.
$handle = ldap_connect('ldaps://ldaps.mptest.be', 636);
$bind = ldap_bind($handle, 'cn=reader,dc=antidot,dc=prv', 'reader');
echo "TEST BIND";
if (!$bind) {
    // On failure, print the extended diagnostic message if the library has one.
    if (ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
        echo "Error Binding to LDAP: $extended_error";
    } else {
        echo "Error Binding to LDAP: No additional information is available.";
    }
} else {
    echo "bind OK";
}
?>
```
-
Nico_Melotte almost 9 years
And I have a DokuWiki page that is using that LDAPS server, but anonymously.
-
sam_pan_mariusz almost 9 years
At the moment, besides configuring httpd authentication as already mentioned, I can only recommend: finding the lines with ldap_connect() and ldap_bind() in the Zabbix panel and modifying them temporarily to dump all arguments to be analyzed (look for leading/trailing spaces, NULLs, etc.); sniffing the traffic with tcpdump, although with SSL this will be of limited use.
-
dortegaoh almost 7 years
Welcome to Server Fault! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
-
hargut over 5 years
The tip in the answer is really good, and I think that this was the site that also helped me get onto the right track. Good input, thank you @jouflux.