Cannot bind to LDAP server

  • synex
    Junior Member
    • Jun 2020
    • 4

    #1

    Cannot bind to LDAP server

    Hi there,

    I seem to have an issue with setting up LDAP authentication with Active Directory. These are my settings:


    I am able to run ldapsearch without any issues to the same base DN that I am using for the configuration. However, when I run it on Zabbix it does not work, showing the cannot bind to LDAP error.

    [Attached screenshot: Capture.JPG]

    I am running Ubuntu 18.04 and Zabbix 5.0.1, and I also have php-ldap installed.

    Any help will be much appreciated!

    Thanks!
  • cjbidwell
    Junior Member
    • Dec 2019
    • 16

    #2
    Were you able to get this resolved? Curious what you did if so. Using RHEL8 on mine and I am getting the same issue, however I'm trying ldaps (tcp/636) and am importing the certificates (I think) correctly into openldap, but still having issues.


    • synex
      Junior Member
      • Jun 2020
      • 4

      #3
      Originally posted by cjbidwell
      Were you able to get this resolved? Curious what you did if so. Using RHEL8 on mine and I am getting the same issue, however I'm trying ldaps (tcp/636) and am importing the certificates (I think) correctly into openldap, but still having issues.
      I gave up on this and set up monitoring with a different supplier.


      • tim.mooney
        Senior Member
        • Dec 2012
        • 1427

        #4
        synex's screenshot shows config for an LDAP simple bind over a clear text channel.

        Microsoft is phasing out any support for that, as it's a very insecure config. Your Active Directory admins may have already made the changes that prevent AD from allowing that.

        cjbidwell, using tcp/636 is definitely a better way to go for this, and importing your AD's CA is also a good idea.

        Are you using the latest Zabbix 5.0.4 packages?

        If you run
        Code:
        openssl s_client -connect you.ad.server.here:636
        from your Zabbix server and then examine the top of the output from openssl's s_client, does it appear that the certificate verification succeeded?


        • cjbidwell
          Junior Member
          • Dec 2019
          • 16

          #5
          So I verified that I can connect to the ad server over 636. So not sure why my web app cannot do this.


          • Russell517
            Junior Member
            • Jul 2025
            • 1

            #6
            For those who might be stuck in this, there is one more thing you might want to check. If you've validated that there are no firewalls blocking the connection, and you can run ldapsearch/ldapwhoami, but zabbix always fails, make sure your CA is READABLE by the www-data user. I had to figure this out by trying to establish the connection as www-data:

            $ ldapwhoami -x -H ldaps://ad.server.com -d 4
            TLS: could not use CA certificate file `/usr/local/share/ca-certificates/ad.server-ca.crt': Error while reading file. (-64)
            ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

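The readability check from post #6, generalized as an added example (not written by anyone in this thread): a POSIX shell function that walks from the CA file up to `/` and reports every directory, or the file itself, that lacks the permission bit the web server account needs. It assumes that account (www-data in the post) is neither the owner nor in the group of those paths, so only the "other" bits are inspected; ACLs and SELinux are not considered.

```shell
#!/bin/sh
# Added example. Usage (path taken from the TLS error in post #6):
#   ca_read_blockers /usr/local/share/ca-certificates/ad.server-ca.crt
# Prints one line per blocker. Returns 0 if none, 1 if any, 2 if the
# path cannot be resolved to a regular file.

# other_bits PATH -> the three "other" permission characters, e.g. "r-x"
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

ca_read_blockers() {
    # Resolve symlinks first: CA bundles are often symlinked into place.
    target=$(readlink -f -- "$1") || { echo "cannot resolve: $1"; return 2; }
    [ -f "$target" ] || { echo "not a regular file: $target"; return 2; }

    rc=0
    # Every directory on the path needs the search (x) bit for "other".
    dir=$(dirname -- "$target")
    while :; do
        case $(other_bits "$dir") in
            ??x|??t) ;;                       # t = sticky bit with x set
            *) echo "no search permission for others: $dir"; rc=1 ;;
        esac
        [ "$dir" = "/" ] && break
        dir=$(dirname -- "$dir")
    done

    # The certificate file itself needs the read (r) bit for "other".
    case $(other_bits "$target") in
        r??) ;;
        *) echo "no read permission for others: $target"; rc=1 ;;
    esac
    return $rc
}
```

A clean result here only rules out plain mode bits; repeating the `ldapwhoami -d 4` test as the web server account remains the definitive check.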