How to connect to LDAPS from a Zabbix Podman container?


Zabbix has released its latest version, 7.0.1, and I have been busy with Zabbix for a few months. Time to activate LDAPS and continue my Zabbix journey, but the problem is “Cannot bind to LDAP server”.

How to fix the “Cannot bind to LDAP server.” problem?

There are a lot of threads to read, and I have spent many days fixing it. The error is easy to fix but not clear to understand. My problem is that the SSL certificate is not trusted.

Let's check step by step.

SSH to our Zabbix server host.

I was using Podman, so let's review the active containers:

podman ps
f4e6fd7e83e9  763p.me/tech-docker/zabbix/zabbix-web-nginx-pgsql:ubuntu-7.0.1  19 hours ago  Up 19 hours  0.0.0.0:80->8080/tcp, 0.0.0.0:389->389/tcp, 0.0.0.0:443->8443/tcp, 0.0.0.0:636->636/tcp  zabbix-docker-64_zabbix-web-nginx-pgsql_1

I am using Zabbix 7.0.1 and the Ubuntu image. It is easier to diagnose with the Ubuntu image than with Alpine. We can see that ports 636 and 389 are open:

0.0.0.0:389->389/tcp

0.0.0.0:636->636/tcp

Once inside our container, we can test our connection to the LDAP server. First let us enter the container:

podman exec -it -u root zabbix-docker-64_zabbix-server_1 /bin/bash

We access our container as the root user. Now check the connection:

openssl s_client -port 636 -connect ldaps.763p.me -showcerts

Replace ldaps.763p.me with your LDAP server's FQDN. We can see that there is a certificate problem.

We need to make sure the certificate is trusted and can be verified.

We add our certificate files and the ldap.conf file as volumes in our Podman compose file:

  volumes:
   - /data/zabbixCerts/763pme_new.pem:/etc/ssl/certs/763pme.pem
   - /data/zabbixCerts/763pme_root.pem:/etc/ssl/certs/763pmeroot.pem
   - /data/zabbixCerts/ldap.conf:/etc/ldap/ldap.conf.zabbix

For example:

zabbix-web-nginx-pgsql:
  extends:
   file: compose_zabbix_components.yaml
   service: web-nginx-pgsql
  image: "${ZABBIX_WEB_NGINX_PGSQL_IMAGE}:${ZABBIX_UBUNTU_IMAGE_TAG}${ZABBIX_IMAGE_TAG_POSTFIX}"
  volumes:
   - /data/zabbixCerts/763pme_new.pem:/etc/ssl/certs/763pme.pem
   - /data/zabbixCerts/763pme_root.pem:/etc/ssl/certs/763pmeroot.pem
   - /data/zabbixCerts/ldap.conf:/etc/ldap/ldap.conf.zabbix
  depends_on:
   - postgres-server
  labels:
   com.zabbix.os: "${UBUNTU_OS_TAG}"

So we mounted our volumes; now it's time to make them available. Note that we cannot use vi or nano as a text editor inside the Ubuntu image without installing them.

Get inside the Podman container:

podman exec -it -u root zabbix-docker-64_zabbix-web-nginx-pgsql_1 /bin/bash

Run c_rehash /etc/ssl/certs to fix the container's SSL trust issue.

This should fix our problem with the openssl command, but Zabbix may still throw the error “Cannot bind to LDAP server”.

If our openssl command trusts our certificate, we can use the same certificate files in ldap.conf.

Now let us fix our main issue, “Cannot bind to LDAP server.”

We need to add these lines to the ldap.conf file:

TLS_CACERT /etc/ssl/certs/763pme.pem
TLS_CACERT /etc/ssl/certs/763pmeroot.pem

We already mounted our ldap.conf file with the /data/zabbixCerts/ldap.conf:/etc/ldap/ldap.conf.zabbix option,

so we only need to run a simple command (inside /etc/ldap):

cp ldap.conf.zabbix ldap.conf

After that, the LDAP client library that comes with Ubuntu trusts our certificate.

Example ldap.conf file after the cp.

Also, we can drop the .zabbix suffix from the volume target so the file is mounted directly as /etc/ldap/ldap.conf, which makes this step automatic 🙂

cat ldap.conf.zabbix
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
#Zabbix
TLS_CACERT /etc/ssl/certs/763pme.pem
TLS_CACERT /etc/ssl/certs/763pmeroot.pem
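As an added pre-flight check (not part of the original post or of the Zabbix project), the script below inspects an ldap.conf the way libldap reads it and confirms the CA files are in place. It assumes OpenLDAP's ldap.conf(5), where TLS_CACERT names a single file, so when the directive is repeated as in the file above only the last path takes effect; the scratch directory, placeholder PEM and sample ldap.conf are constructed.

```sh
#!/bin/sh
# Added example: pre-flight checks for the LDAPS trust setup described above.
# Assumes OpenLDAP's ldap.conf(5): TLS_CACERT names one file, last line wins.
# effective_cacert FILE: print the TLS_CACERT path libldap will actually use.
effective_cacert() {
    awk '$1 == "TLS_CACERT" { v = $2 } END { print v }' "$1"
}

# cacert_lines FILE: number of active (uncommented) TLS_CACERT lines.
cacert_lines() {
    awk '$1 == "TLS_CACERT" { n++ } END { print n + 0 }' "$1"
}

# pem_has_cert FILE: succeed if FILE is readable and holds a PEM certificate.
pem_has_cert() {
    [ -r "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}
# rehash_link_present CERT DIR: succeed if c_rehash made the <hash>.0 link that
# openssl s_client needs to find the CA in DIR (the file alone is not enough).
rehash_link_present() {
    h=$(openssl x509 -hash -noout -in "$1") || return 1
    [ -e "$2/$h.0" ]
}

# check_ldap_conf FILE: report the effective CA, warn on repeats, fail if the
# CA file is missing, so the problem is visible before Zabbix tries to bind.
check_ldap_conf() {
    ca=$(effective_cacert "$1")
    n=$(cacert_lines "$1")
    if [ "$n" -gt 1 ]; then
        echo "warning: $n TLS_CACERT lines in $1, only '$ca' takes effect"
    fi
    if [ -z "$ca" ]; then echo "error: no TLS_CACERT set"; return 1; fi
    if ! pem_has_cert "$ca"; then echo "error: $ca missing or not PEM"; return 1; fi
    echo "ok: TLS_CACERT=$ca"
}

# Constructed sample (not a real deployment): scratch dir with a placeholder
# PEM and an ldap.conf that repeats TLS_CACERT the way the file above does.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder-not-a-real-cert' \
    '-----END CERTIFICATE-----' > "$SAMPLE_DIR/763pmeroot.pem"
cat > "$SAMPLE_DIR/ldap.conf" <<EOF
TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
#Zabbix
TLS_CACERT /etc/ssl/certs/763pme.pem
TLS_CACERT $SAMPLE_DIR/763pmeroot.pem
EOF
check_ldap_conf "$SAMPLE_DIR/ldap.conf"
```

Inside the web container, point check_ldap_conf at /etc/ldap/ldap.conf and rehash_link_present at the CA file and /etc/ssl/certs to confirm both halves of the fix before restarting Zabbix.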
