
LDAP for multiple domains

  • kuchenIT
    Junior Member
    • Nov 2020
    • 5

    #1

    Hi everyone,

    We have had a Zabbix server for many years now. Since we are growing, we need to enable LDAP access for all domains.
    Currently we are only able to enable users from one domain (in my case <company>.de) to log in to Zabbix.
    We have some other domains in our forest as well, like <company>.com and <company>.at.

    Now my question is: how do I need to set up the Zabbix Base DN to use all of our domains?
    On other systems we just don't give any base DN, so it searches in all domains, but Zabbix needs one.
    LDAP already checks the Global Catalog.

    Any guesses how to set it up?

    Regards
    Alex
  • Hamardaban
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • May 2019
    • 2713

    #2
    As far as I understand, you have a forest of domains united by trust relationships?
    Then you need to specify a group from one domain (any from your forest) as BaseDN,
    and include AD users from other domains in it.
    The Zabbix server should be able to access this AD group and get a list of users using the BindDN account.

    • kuchenIT
      Junior Member
      • Nov 2020
      • 5

      #3
      Yes, we have a forest with a bunch of domains, so I have to create a group in my AD and add users to this group in order to give them access?
      I will try it.

      • kuchenIT
        Junior Member
        • Nov 2020
        • 5

        #4
        I tested with an additional AD group.
        Sadly, with no luck. As soon as I set the group as BaseDN, the login test results in "Login name or password wrong".
        I also tested not specifying the group CN and specifying the OU above instead; this also didn't help.

        • Hamardaban
          Senior Member
          Zabbix Certified Specialist, Zabbix Certified Professional
          • May 2019
          • 2713

          #5
          To find out how to correctly write the BindDN, run this command in the command line on the domain controller: dsquery user -name outerdomainusername

          You may use the Global Catalog and port 3268 (dsquery server -isgc shows the GC location) and a user principal name like blabla@<company>.com

          Also check the availability of the domain controller on port 3268 from the Zabbix server.

          https://www.zabbix.com/forum/zabbix-...tiple-base-dns
          https://www.zabbix.com/forum/zabbix-...ltiple-domains
          https://discourse.igniterealtime.org...ectory/48875/3
          Last edited by Hamardaban; 24-11-2020, 19:48.

          • kuchenIT
            Junior Member
            • Nov 2020
            • 5

            #6
            Thanks, but I already read through these posts, but they either only work with different subdomains, which we don't have.

            Port 3268 works, because we use it already.

            But as soon as I want to use the group, it is not working again. I also tried (&(sAMAccount)(memberOf=CN=path,OU=to,OU=group,DC= company,DC=com))

            Only getting errors. I guess the best way would be to give the possibility to select more than one domain.
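
Added example, not part of any post in this thread and not Zabbix code: a small model of LDAP subtree scope over a constructed three-domain directory. It shows that a Base DN is a search root, so a user in another domain, or a group DN used as the base, matches nothing, while group membership is a filter condition on memberOf. All names are constructed placeholders, and the empty base stands in for a forest-wide search root as an assumption.

```python
# Constructed sample forest; every name is a placeholder, not a value from the thread.
GROUP = "CN=zabbix-users,OU=Groups,DC=company,DC=de"
DIRECTORY = [
    {"dn": GROUP, "objectClass": "group"},
    {"dn": "CN=alex,OU=Staff,DC=company,DC=de", "objectClass": "user",
     "sAMAccountName": "alex", "memberOf": [GROUP]},
    {"dn": "CN=bea,OU=Staff,DC=company,DC=com", "objectClass": "user",
     "sAMAccountName": "bea", "memberOf": [GROUP]},
    {"dn": "CN=carl,OU=Staff,DC=company,DC=at", "objectClass": "user",
     "sAMAccountName": "carl", "memberOf": []},
]

def rdns(dn):
    """Split a DN into normalized RDNs (the sample data has no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def in_subtree(entry_dn, base_dn):
    """True when entry_dn equals base_dn or lies beneath it (subtree scope)."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def find_user(base_dn, login, member_of=None):
    """Model of (&(sAMAccountName=login)(memberOf=group)) searched under base_dn."""
    hits = []
    for entry in DIRECTORY:
        if not in_subtree(entry["dn"], base_dn):
            continue  # outside the search root: never evaluated against the filter
        if entry.get("sAMAccountName", "").lower() != login.lower():
            continue
        groups = [rdns(g) for g in entry.get("memberOf", [])]
        if member_of and rdns(member_of) not in groups:
            continue  # membership is an attribute test, not a DN position
        hits.append(entry["dn"])
    return hits

if __name__ == "__main__":
    for base in ("DC=company,DC=de", GROUP, ""):
        for login in ("alex", "bea", "carl"):
            print(repr(base), login, find_user(base, login, member_of=GROUP))
```
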
