Zabbix LDAP Auth?

NethServer Version: 7.9

I was able to install zabbix and configure LDAP settings but I cannot login with a Domainuser: zabbix@mydomain.lan or zabbix only…

Is there something else to configure?

@fausp

Hi

As with a lot of Web-Apps with the option to login via LDAP / AD there is a small gotcha in the small print: Your LDAP needs a valid SSL cert on the LDAP. And you need to use port 636…

For NethServer with LDAP Authentication-Provider and enabled LetsEncrypt this works.

NethServer with AD is a different animal. As the AD runs in a container and uses a different IP address, the AD uses a different SSL-Cert, a self generated cert and not the LE cert, as one would expect.

At home, for the same reason, I enabled a script copy of the LE Cert everytime the LE gets updated, so my AD now has a valid SSL cert (You also need to add in the FQDN for your AD on the LE Request!). AD itself does NOT have to be accessible from the Internet (Better not!).

See here:

Create the script file:

nano /etc/e-smith/events/certificate-update/S80push2ad

For the contents you can use the following:

scp /etc/letsencrypt/live/your-server-fqdn/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
scp /etc/letsencrypt/live/your-server-fqdn/fullchain.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba

-> Replace “your-server-fqdn” with the real FQDN of your server, as can be found on the path stated above…

First time, run this after changing the above:
/etc/e-smith/events/certificate-update/

Mine at home:

I was using EcoDMS, which also allows a LDAP or AD integration, and I knew the credentials were correct. But there was a Java error about SSL… So I used this, it now works!

Best is to set up a group in AD, eg: zabbix-users and add in the users for Zabbix there (You do not want every system AD user to show up in Zabbix!).

How it looks like in EcoDMS: (You can use the shown queries to query for a specific group!)

My 2 cents
Andy

4 Likes

OK Andy, thank you very much for your input. I will test it in the next days…

1 Like