Zabbix has released the latest version 7.0.1 and I have been busy with Zabbix for a few months. Time to activate LDAPS and continue my Zabbix journey, but the problem is “Cannot bind to LDAP server”.
How to fix the “Cannot bind to LDAP server.” problem?
There are a lot of threads to read and I have spent many days fixing it. The error is easy to fix but not clear to understand. My problem is that the SSL certificate is not trusted.
Let's check step by step.
SSH to our Zabbix server host.
I was using podman, so let's review the active containers.
podman ps
f4e6fd7e83e9 763p.me/tech-docker/zabbix/zabbix-web-nginx-pgsql:ubuntu-7.0.1 19 hours ago Up 19 hours 0.0.0.0:80->8080/tcp, 0.0.0.0:389->389/tcp, 0.0.0.0:443->8443/tcp, 0.0.0.0:636->636/tcp zabbix-docker-64_zabbix-web-nginx-pgsql_1
I am using Zabbix 7.0.1 with the Ubuntu image. It is easier to diagnose with the Ubuntu image than with Alpine. We can see that ports 636 and 389 are open:
0.0.0.0:389->389/tcp
0.0.0.0:636->636/tcp
Once inside our container, we can test our connection to the LDAP server. Let us check the connection
podman exec -it -u root zabbix-docker-64_zabbix-server_1 /bin/bash
We access our container as user root.
openssl s_client -port 636 -connect ldaps.763p.me -showcerts
Replace ldaps.763p.me with your LDAP server FQDN. We can see that there is a certificate problem.
We need to make sure it can be trusted and easily verified.
We add our certificate files and ldap.conf file as a volume to our podman compose file.
volumes:
  - /data/zabbixCerts/763pme_new.pem:/etc/ssl/certs/763pme.pem
  - /data/zabbixCerts/763pme_root.pem:/etc/ssl/certs/763pmeroot.pem
  - /data/zabbixCerts/ldap.conf:/etc/ldap/ldap.conf.zabbix
For example:
zabbix-web-nginx-pgsql:
  extends:
    file: compose_zabbix_components.yaml
    service: web-nginx-pgsql
  image: "${ZABBIX_WEB_NGINX_PGSQL_IMAGE}:${ZABBIX_UBUNTU_IMAGE_TAG}${ZABBIX_IMAGE_TAG_POSTFIX}"
  volumes:
    - /data/zabbixCerts/763pme_new.pem:/etc/ssl/certs/763pme.pem
    - /data/zabbixCerts/763pme_root.pem:/etc/ssl/certs/763pmeroot.pem
    - /data/zabbixCerts/ldap.conf:/etc/ldap/ldap.conf.zabbix
  depends_on:
    - postgres-server
  labels:
    com.zabbix.os: "${UBUNTU_OS_TAG}"
So we have mounted our volumes; now it's time to make them available. We cannot use vi or nano as a text editor inside the Ubuntu image without installing them.
Get inside the podman container:
podman exec -it -u root zabbix-docker-64_zabbix-web-nginx-pgsql_1 /bin/bash
Run c_rehash /etc/ssl/certs to fix the SSL issue inside the container.
This should fix our problem with the openssl command, but Zabbix may still throw the error “Cannot bind to LDAP server”.
If our openssl command trusts our certificate, we can use it in ldap.conf.
Now let's fix our main issue, “Cannot bind to LDAP server.”
We need to add these lines to the ldap.conf file:
TLS_CACERT /etc/ssl/certs/763pme.pem
TLS_CACERT /etc/ssl/certs/763pmeroot.pem
We already mounted our ldap.conf file with the /data/zabbixCerts/ldap.conf:/etc/ldap/ldap.conf.zabbix option, so we only need to run a simple command:
cp /etc/ldap/ldap.conf.zabbix /etc/ldap/ldap.conf
After that, the LDAP library that comes with the Ubuntu image trusts our certificate.
We can also remove .zabbix from the ldap.conf.zabbix mount target to make it automatic 🙂
Example ldap.conf file after cp:
cat ldap.conf.zabbix
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-provider.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
#Zabbix
TLS_CACERT /etc/ssl/certs/763pme.pem
TLS_CACERT /etc/ssl/certs/763pmeroot.pem
Example ldap config
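An added check, not part of the original post: ldap.conf options hold a single value, so when TLS_CACERT appears more than once the OpenLDAP client library uses only the last line. The script below (function names are illustrative) lists the TLS_CACERT lines of a config and reports the effective one, using the TLS section of the ldap.conf above as sample input. To trust several CAs at once, concatenate them into one PEM file and reference that file once.

```shell
#!/bin/sh
# Added example (not from the original post): show which TLS_CACERT
# an OpenLDAP client config really uses. Function names are illustrative.

# Print every active TLS_CACERT path in file order. Lines starting with '#'
# are comments; option names are case-insensitive per ldap.conf(5).
list_tls_cacerts() {
    awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$1"
}

# libldap keeps one value per option, so the last occurrence wins.
effective_tls_cacert() {
    list_tls_cacerts "$1" | tail -n 1
}

# Exit status: 0 = exactly one TLS_CACERT, 1 = several (earlier ones are
# overridden), 2 = none set.
check_tls_cacert() {
    conf=$1
    count=$(list_tls_cacerts "$conf" | wc -l | tr -d ' ')
    case $count in
        0) echo "$conf: no TLS_CACERT set" >&2; return 2 ;;
        1) echo "$conf: CA file is $(effective_tls_cacert "$conf")"; return 0 ;;
    esac
    echo "$conf: $count TLS_CACERT lines, effective: $(effective_tls_cacert "$conf")" >&2
    # Everything except the last line is silently replaced.
    list_tls_cacerts "$conf" | sed '$d' | sed 's/^/  overridden: /' >&2
    return 1
}

# Sample input: the TLS section of the ldap.conf shown in this post.
write_sample_conf() {
    cat > "$1" <<'EOF'
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
#Zabbix
TLS_CACERT /etc/ssl/certs/763pme.pem
TLS_CACERT /etc/ssl/certs/763pmeroot.pem
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
check_tls_cacert "$sample" || true
rm -f "$sample"
```

Inside the container, run `check_tls_cacert /etc/ldap/ldap.conf` after sourcing the functions to see which CA file the LDAP client will load.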