Cannot get external authentication to work.

  • grep_boy
    Junior Member
    • Apr 2026
    • 1

    #1

    Cannot get external authentication to work.

    I've done a preliminary search but every solution I've tried just isn't working.

    I recently set up a Zabbix server instance, and I've been trying to use LDAPS authentication first, but I keep having issues with Zabbix being unable to establish a TLS handshake. Well, that's a certificate issue, you would say, and you'd be right; however, I am perfectly able to use TLS from sssd (AlmaLinux 9), and authentication through the OS works just fine.

    I then decided to just install mod_ldap under apache, and configured it to use LDAPS authentication - and that works perfectly as well, I'm able to authenticate via Apache through LDAP using TLS. The Root CA certs are set up properly, both from the OS, and clearly as far as apache/httpd is concerned. The issue, however, is getting the zabbix UI to recognize and use the proper certificates. In fact, on the server hosting zabbix, I can run
    "openssl s_client -connect <fqdn of ldap server>:636" and I see the certificate from the LDAP server and get an exit 0, meaning openssl is perfectly happy with the certificate.

    So to further get this working, I've tried the following:
    create /etc/openldap/ldap.conf with the following lines:
    TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
    TLS_REQCERT allow

    And also added
    env[LDAPCONF] = /etc/openldap/ldap.conf
    to the file in php-fpm.d/zabbix.conf
    just to make sure that PHP was aware of where to pick this up, but still it's unable to use TLS.

    So, I then just turned my effort to use HTTP authentication since I have it working using mod_ldap in apache, and I get the logon prompt from apache, it authenticates me perfectly fine, but then the zabbix login comes up and says I'm not authenticated.

    So, to make this long story short, is there a way to just disable the zabbix login stuff altogether and rely on the functioning LDAP authentication that's working in Apache/httpd?

    While this isn't the most desirable solution, I'm really at a loss as to why I can't seem to get other authentication mechanisms to work. And incidentally, if I just try doing LDAP without TLS, it works perfectly - it's just escaping me how to get PHP or Zabbix to validate the cert against the private CA cert that is installed in the OS properly.

    Anyone have any suggestions?

    Thanks again - I'm sure I'm doing something stupid, and probably overthinking something somewhere. Any help you can give is much appreciated.

    Eiriki "Grep Boy" Toft
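
Added example, not part of the original post: `openssl s_client` completes the handshake even when chain verification fails unless `-verify_return_error` is given, so the line to read when testing a specific CA bundle is `Verify return code`. The function names, the host `ldap.example.internal` and the sample output below are constructed for illustration.

```shell
#!/usr/bin/env bash
# Classify the chain-verification result found in `openssl s_client` output.
# Live use against the bundle named in ldap.conf (host is a placeholder):
#   openssl s_client -connect ldap.example.internal:636 \
#       -CAfile /etc/pki/tls/certs/ca-bundle.crt </dev/null 2>/dev/null \
#       | tls_verify_status

# Reads s_client output on stdin.
# Prints "ok", "untrusted:<code> issuer=<issuer DN>" or "no-result".
# Returns 0 when the chain verified, 1 when it did not, 2 when no result line was found.
tls_verify_status() {
    local out code issuer
    out=$(cat)
    # The result line can appear more than once; the first one is enough.
    code=$(printf '%s\n' "$out" \
        | sed -n -E 's/.*Verify return code: ([0-9]+).*/\1/p' | head -n 1)
    # The issuer of the server certificate is the CA the bundle must contain.
    issuer=$(printf '%s\n' "$out" | sed -n -E 's/^issuer=(.*)$/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo "no-result"
        return 2
    fi
    if [ "$code" -eq 0 ]; then
        echo "ok"
        return 0
    fi
    echo "untrusted:$code issuer=${issuer:-unknown}"
    return 1
}

# Constructed s_client excerpts (not captured from a real server).
sample_trusted() {
    cat <<'EOF'
subject=CN = ldap.example.internal
issuer=CN = Example Private Root CA
    Verify return code: 0 (ok)
EOF
}

sample_untrusted() {
    cat <<'EOF'
subject=CN = ldap.example.internal
issuer=CN = Example Private Root CA
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
```

Running the live command as the account the PHP worker runs under also shows whether that account can read the bundle at all.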