Tutorial Zabbix - Active Directory Authentication Using LDAP Over SSL

This document provides instructions for configuring Zabbix for Active Directory authentication using LDAP over SSL. It lists the necessary hardware, includes links to related Zabbix tutorial videos and documentation, and provides step-by-step instructions for installing Active Directory on a Windows 2012 R2 server to integrate with Zabbix authentication. The tutorial will show how to authenticate Zabbix users on the Active Directory database using LDAPS for an encrypted connection.

Would you like to learn how to configure Zabbix Active Directory authentication using LDAP over SSL? In this tutorial, we are going to show you how to authenticate Zabbix users against the Active Directory database using the LDAPS protocol, so that the connection between the Zabbix server and the domain controller is encrypted.

• Zabbix 4.2.6
• Windows 2012 R2

Hardware List:

The following section presents the list of equipment used to create this Zabbix tutorial.

• Server
• Laptop
• Switch

Every piece of hardware listed above can be found at the Amazon website.

Zabbix Playlist:

On this page, we offer quick access to a list of videos related to Zabbix installation.

• Playlist

Don't forget to subscribe to our YouTube channel named FKIT.


Zabbix Related Tutorial:

On this page, we offer quick access to a list of tutorials related to Zabbix installation.

• List of Tutorials - Zabbix
• Zabbix Server Installation
• Zabbix - Monitor Vmware
• Zabbix - Monitor ICMP Ping
• Zabbix - Monitor Website
• Zabbix - Monitor Cisco Switch
• Zabbix - Monitor Windows using Agent
• Zabbix - Monitor Windows using SNMP
• Zabbix - Monitor Linux using Agent
• Zabbix - Monitor Linux using SNMP
• Zabbix - Monitor IPMI
• Zabbix - Monitor TCP
• Zabbix - Monitor UDP
• Zabbix - E-mail Notification
• Zabbix - SMS Notification

Tutorial - Active Directory Installation on Windows

• IP - 192.168.15.10
• Operating System - Windows 2012 R2
• Hostname - TECH-DC01
• Active Directory Domain: TECH.LOCAL


If you already have an Active Directory domain, you may skip this part of the tutorial.

Open the Server Manager application.

Access the Manage menu and click on Add roles and features.

Access the Server role screen, select Active Directory Domain Services and click on the Next button.


On the following screen, click on the Add features button.
Keep clicking on the Next button until you reach the last screen.

On the confirmation screen, click on the Install button.

Wait for the Active Directory installation to finish.

Open the Server Manager application.

Click on the yellow flag menu and select the option to promote this server to a domain controller.

Select the option to Add a new forest and enter a root domain name.

In our example, we created a new domain named: TECH.LOCAL.

Enter the Directory Services Restore Mode (DSRM) password; this is the password that protects Active Directory restoration, and it is separate from the domain administrator password.

On the DNS options screen, click on the Next button.

Verify the NetBIOS name assigned to your domain and click on the Next button.

Click on the Next button.

Review your configuration options and click on the Next button.

On the Prerequisites Check screen, click on the Install button.

Wait for the Active Directory configuration to finish.

After finishing the Active Directory installation, the computer will restart automatically.

You have finished the Active Directory configuration on Windows Server.

Zabbix - Testing the LDAP over SSL communication

We need to test if your domain controller is offering the LDAP over SSL service on port 636.

On the domain controller, access the start menu and search for the LDP application.

First, let's test if your domain controller is offering the plain LDAP service on port 389.

Access the Connection menu and select the Connect option.

Try to connect to the localhost using the TCP port 389.

You should be able to connect to the LDAP service on the localhost port 389.

Now, we need to test if your domain controller is offering the LDAP over SSL service on port 636.

Open a new LDP application Window and try to connect to the localhost using the TCP port 636.

Select the SSL checkbox and click on the Ok button.

If the system displays an error message, your domain controller is not offering the LDAPS service yet.

To solve this, we are going to install a Windows certification authority in the next part of this tutorial.

If you were able to successfully connect to the localhost on port 636 using SSL encryption, you may skip the next part of this tutorial.

Tutorial - Certification Authority Installation on Windows

We need to install the Windows certification authority service.

The local certification authority will provide the domain controller with a certificate that will allow the LDAPS service to operate on TCP port 636. Installing the CA role directly on the domain controller, as this tutorial does, is fine for a lab; in production the certification authority is normally kept on a dedicated server.

Open the Server Manager application.

Access the Manage menu and click on Add roles and features.

Access the Server role screen, select Active Directory Certificate Services and click on the Next button.

On the following screen, click on the Add features button.

Keep clicking on the Next button until you reach the role service screen.

Enable the option named Certification Authority and click on the Next button.

 Go
to Top
 Home  Tutorials  Books  Youtube Channels  About English  

On the confirmation screen, click on the Install button.

Wait for the Certification Authority installation to finish.

Open the Server Manager application.

Click on the yellow flag menu and select the option: Configure Active Directory Certificate Services

On the credentials screen, click on the Next button.

Select the Certification Authority option and click on the Next button.

Select the Enterprise CA option and click on the Next button.

Select the Create a new private key option and click on the Next button.

Keep the default cryptography configuration and click on the Next button.

 Go
to Top
 Home  Tutorials  Books  Youtube Channels  About English  

Set a common name for the certification authority and click on the Next button.

In our example, we set the common name: TECH-CA

Set the Windows certification authority validity period.

Keep the default Windows certification authority database location.

Verify the summary and click on the Configure button.

 Go
to Top
 Home  Tutorials  Books  Youtube Channels  About English  

Wait for the Windows Server certification authority installation to finish.

After finishing the certification authority installation, reboot your computer.

You have finished the Windows certification authority installation.

Zabbix - Testing the LDAP over SSL Communication Again

We need to test again if your domain controller is offering the LDAP over SSL service on port 636.

After finishing the certification authority installation, wait 5 minutes and restart your domain controller.

During boot, your domain controller will automatically request a server certificate from the local certification authority.

After getting the server certificate, your domain controller will start offering the LDAP service over SSL on port 636.

On the domain controller, access the start menu and search for the LDP application.

Access the Connection menu and select the Connect option.

Try to connect to the localhost using the TCP port 636.

Select the SSL checkbox and click on the Ok button.

This time, you should be able to connect to the LDAP service on the localhost port 636.

If you are not able to connect to port 636, reboot the computer again and wait 5 more minutes.

It may take some time before your domain controller receives the certificate requested from the certification authority.

Tutorial - Windows Domain Controller Firewall

First, we need to create a firewall rule on the Windows domain controller.

This firewall rule will allow the Zabbix server to query the Active Directory database over LDAPS.

On the domain controller, open the application named Windows Firewall with Advanced Security

Create a new Inbound rewall rule.

Select the PORT option.

Select the TCP option.

Select the Specific local ports option.

Enter the TCP port 636.

Select the Allow the connection option.

 Go
to Top
 Home  Tutorials  Books  Youtube Channels  About English  

Check the DOMAIN option.

Check the PRIVATE option.

Check the PUBLIC option.

Enter a description for the firewall rule.

Congratulations, you have created the required firewall rule.

This rule will allow Zabbix to query the Active Directory database.

As created, the rule accepts connections to port 636 from any address on all three profiles. If only Zabbix needs to query the domain controller, open the rule's Scope tab afterwards and limit the remote IP address to the Zabbix server (192.168.15.11 in this tutorial), and leave the PUBLIC profile unchecked unless the domain controller really has an interface on a public network.

Tutorial - Windows Domain Account Creation


Next, we need to create at least two accounts in the Active Directory database.

The ADMIN account will be used to log in to the Zabbix web interface.

The ZABBIX account will be used to query the Active Directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Create a new account named: admin

Password configured for the admin user: 123qwe.

This account will be used to authenticate as admin on the Zabbix web interface.

Create a new account named: zabbix

Password configured for the zabbix user: 123qwe.

This account is the bind account: Zabbix uses it to search the Active Directory database for the entry that matches the username being logged in. It does not read any password; Active Directory never hands out password hashes over LDAP, and the user's own password is checked by a second bind as that user. An ordinary domain user with read access is enough, so do not make it a Domain Admin, and outside a lab replace 123qwe on both accounts with strong passwords.

Congratulations, you have created the required Active Directory accounts.


Tutorial - Preparing the Zabbix LDAPS Communication

On the Zabbix server command line, edit the ldap.conf configuration file.

vi /etc/ldap/ldap.conf

Add the following line at the end of the ldap.conf file.

TLS_REQCERT never

This file is read by the OpenLDAP client library, which PHP's ldap extension, and therefore the Zabbix frontend, links against. TLS_REQCERT never keeps the connection encrypted but tells the library not to check the domain controller's certificate at all, so anything answering on port 636 with any certificate is accepted. That is acceptable in a lab, but it removes the protection LDAPS is meant to give against a man-in-the-middle. The stricter alternative is to copy the TECH-CA certificate to the Zabbix server, point TLS_CACERT at it and keep TLS_REQCERT at its default value, demand.

Here is the content of our ldap.conf file.

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never

The Zabbix server must be able to resolve the domain controller's DNS name (FQDN).

To achieve this, the Zabbix server may use the domain controller as its DNS server, so that TECH-DC01.TECH.LOCAL resolves to the IP address 192.168.15.10.

If you don't want to set the Windows domain controller as the DNS server of the Zabbix server, you may add a static entry to the hosts file.

vi /etc/hosts

127.0.0.1 localhost
127.0.1.1 ubuntu
192.168.15.10 TECH-DC01.TECH.LOCAL

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Use the PING command to verify that the Zabbix server is able to resolve the hostname to an IP address.

ping tech-dc01.tech.local
PING TECH-DC01.TECH.LOCAL (192.168.15.10) 56(84) bytes of data.

In our example, the Zabbix server was able to translate the TECH-DC01.TECH.LOCAL hostname to
192.168.15.10 using a static entry on the hosts le.

Use the following command to test the LDAPS communication.

It will try to get a copy of the domain controller certificate.

openssl s_client -showcerts -connect 192.168.15.10:636

Keep in mind that you need to change the IP address above to your Domain controller.

The system should display a copy of the domain controller certificate.

CONNECTED(00000003)
depth=0 CN = TECH-DC01.TECH.LOCAL
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = TECH-DC01.TECH.LOCAL
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=TECH-DC01.TECH.LOCAL
   i:/DC=LOCAL/DC=TECH/CN=TECH-CA
-----BEGIN CERTIFICATE-----
MIIF0TCCBLmgAwIBAgITYgAAAAKR0uMAYmVSUAAAAAAAAjANBgkqhkiG9w0BAQUF
ADA/MRUwEwYKCZImiZPyLGQBGRYFTE9DQUwxFDASBgoJkiaJk/IsZAEZFgRURUNI
MRAwDgYDVQQDEwdURUNILUNBMB4XDTE5MTAwMjAxNDUyOFoXDTIwMTAwMTAxNDUy
OFowHzEdMBsGA1UEAxMUVEVDSC1EQzAxLlRFQ0guTE9DQUwwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDbEowRoMmpHUWLIai7agvz5CMfBN6rNGSzrmBu
tddGZcNuor8LNsM/cWAIjOEv3q6h5xczE+gnBDu8JdsSRLES+roRxOCI3lTNCQvb
7TYYCc1+6nXh2izhxj+xRX4JD90v2PxL16epp2CLlH6n7kvout1kOHF7bSf3oNcF
r30JsiseW0t44Ijbsy99FDrfwVjaiU0qfCMTc18aVUQKDaCnzGnOWysoYSmB1Beu
2syZ9AaqkFz2iaBOLzKKutaQorHCzX7/ruUakIzIHUbx3usZHqQdELISHWiadBjw
a3KvQNpLfMmKSybz8rms80Xi57bHQlg8TSxEeQuNSM8fVS5nAgMBAAGjggLkMIIC
4DAvBgkrBgEEAYI3FAIEIh4gAEQAbwBtAGEAaQBuAEMAbwBuAHQAcgBvAGwAbABl
AHIwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIF
oDB4BgkqhkiG9w0BCQ8EazBpMA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAIC
AIAwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBLTALBglghkgBZQMEAQIwCwYJYIZI
AWUDBAEFMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0GA1UdDgQWBBQpyuAHlRliyuPp
+p1jvgU1EvqxejAfBgNVHSMEGDAWgBSWAptN6Wv3nfbUeOYwob7seGhYTzCBxgYD
VR0fBIG+MIG7MIG4oIG1oIGyhoGvbGRhcDovLy9DTj1URUNILUNBLENOPVRFQ0gt
REMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj
ZXMsQ049Q29uZmlndXJhdGlvbixEQz1URUNILERDPUxPQ0FMP2NlcnRpZmljYXRl
UmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Q
b2ludDCBuAYIKwYBBQUHAQEEgaswgagwgaUGCCsGAQUFBzAChoGYbGRhcDovLy9D
Tj1URUNILUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1T
ZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPVRFQ0gsREM9TE9DQUw/Y0FDZXJ0
aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkw
QAYDVR0RBDkwN6AfBgkrBgEEAYI3GQGgEgQQgv2rfFfv7EWeBvteXHi1xIIUVEVD
SC1EQzAxLlRFQ0guTE9DQUwwDQYJKoZIhvcNAQEFBQADggEBAAwpAMocs+9U8xv0
3ox60Vvw03DSzXwXPV9POK1tPQTugtA3PIHye3WPzWFLkPwKmbKd+FcZEpljz0U7
rg8PbgL1g4y7SnnG4b/qi8z9kLhDOWAuNT40f7T3Cwprnxo3p5tDIv9UCMrk29JQ
o2c9q0N1FaLpG/UgEaoi10UfLk/+HBAstT3bNYXvGX2Zsb2D6CG/xNmGUdLDCYNR
Oso+w1j7h/48+8MWKiVIyP7tUzRcQEFDRcA3tJpeaNhJ2w3YcfY3VFipFQaM4IDo
bu1MTplcszrNUIADrAnh9icugmbDKOoTmN3rqiKwhxfa2FyFZQypSJaWRzfpCNbP
k/YyGNo=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=TECH-DC01.TECH.LOCAL
issuer=/DC=LOCAL/DC=TECH/CN=TECH-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RS
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SH
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2063 bytes and written 501 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: EC1A0000F6130E13A35CAD47078B692A7CE1EA5759905A7C6EBE25B55984FE17
    Session-ID-ctx:
    Master-Key: 53D98FEB36F897F4B2143962CF9018E69C5E67A026597B2C5DED9C8D05BF27D1
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1569986693
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Congratulations! You have finished the required Zabbix command-line configuration. Note the last line of the output: verify return code 21 means openssl received the domain controller's certificate but could not verify it, because nothing on the Zabbix server trusts the TECH-CA that issued it. That is exactly the check which TLS_REQCERT never switches off: the encrypted connection works, but the certificate's origin is never proven.
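The ldap.conf change at the start of this section and the openssl output above show the same thing from two sides: with TLS_REQCERT never, the Zabbix server accepts whatever certificate port 636 presents, and openssl reports verify return code 21 because nothing on the Zabbix server trusts TECH-CA. The script below is an added example, not part of the original tutorial, that shows the hardened configuration instead: it verifies the domain controller's certificate and hostname against the TECH-CA certificate and flags an ldap.conf in which verification has been switched off. It assumes the CA certificate has been exported on the domain controller with certutil -ca.cert and copied to /etc/ssl/certs/tech-ca.crt on the Zabbix server; the host name, port and paths are this tutorial's values and can be overridden through environment variables. It is written for the Ubuntu host the tutorial uses and needs only openssl, grep and sed.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: keep certificate
# verification on for LDAPS instead of setting TLS_REQCERT never.
# Defaults are this tutorial's values and are assumptions; override them
# through the environment.
DC_HOST="${DC_HOST:-TECH-DC01.TECH.LOCAL}"
DC_PORT="${DC_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/tech-ca.crt}"   # TECH-CA certificate copied from the DC
LDAP_CONF="${LDAP_CONF:-/etc/ldap/ldap.conf}"

# On the domain controller the CA certificate is exported with
#   certutil -ca.cert tech-ca.cer
# If the exported file is DER rather than PEM, convert it on the Zabbix server:
#   openssl x509 -inform der -in tech-ca.cer -out /etc/ssl/certs/tech-ca.crt

# The two ldap.conf lines that replace "TLS_REQCERT never": trust the given
# CA file only and require a valid server certificate (demand is also the
# library default; it is written out to make the intent explicit).
hardened_ldap_conf_lines() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Returns 0 when the given ldap.conf still verifies the server certificate,
# 1 when a "TLS_REQCERT never" or "TLS_REQCERT allow" line switches it off.
ldap_conf_verifies_server_cert() {
  if grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(never|allow)([[:space:]]|$)' "$1"; then
    return 1
  fi
  return 0
}

# Fetches the DC's chain and lets OpenSSL verify it against CA_FILE.
# -verify_return_error aborts the handshake on any verification error and
# -verify_hostname checks the certificate's name against DC_HOST, which is
# why the FQDN, not the IP address, must be used here and in Zabbix.
check_dc_ldaps_cert() {
  host="$1"; port="$2"; cafile="$3"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -verify_hostname "$host" -CAfile "$cafile" -verify_return_error \
          </dev/null 2>&1)
  rc=$?
  if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -enddate
    return 0
  fi
  printf '%s\n' "$out" | grep -E 'verify error|Verify return code' >&2
  return 1
}

# Only run the checks when executed as check_ldaps.sh, so the file can also
# be sourced for its functions.
if [ "${0##*/}" = "check_ldaps.sh" ]; then
  if ! ldap_conf_verifies_server_cert "$LDAP_CONF"; then
    echo "WARNING: $LDAP_CONF disables certificate verification; use instead:" >&2
    hardened_ldap_conf_lines "$CA_FILE" >&2
  fi
  check_dc_ldaps_cert "$DC_HOST" "$DC_PORT" "$CA_FILE"
fi
```

Save it as check_ldaps.sh and run it once the CA file is in place; a successful run prints the subject, issuer and expiry date of the domain controller certificate, while a failure prints the openssl verify error that explains why. Once it passes, replace TLS_REQCERT never in /etc/ldap/ldap.conf with the two lines the script prints, and use the FQDN rather than the IP address as the LDAP host in Zabbix, because hostname checking compares the certificate's name with the host you connect to.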
Tutorial - Zabbix LDAP Authentication on Active Directory
Open your browser and enter the IP address of your web server plus /zabbix.

In our example, the following URL was entered in the browser:

• http://192.168.15.11/zabbix

On the login screen, use the default username and default password.

• Default Username: Admin
• Default Password: zabbix

After a successful login, you will be sent to the Zabbix Dashboard.

On the dashboard screen, access the Administration menu and select the Authentication option.

On the Authentication screen, access the LDAP settings tab.

You need to configure the following items:

• LDAP Host: ldaps://TECH-DC01.TECH.LOCAL
• Port: 636
• Base DN: dc=tech,dc=local
• Search Attribute: sAMAccountName
• Bind DN: CN=zabbix,CN=Users,DC=tech,DC=local
• Bind password: the password of the zabbix account created earlier (123qwe in this tutorial)

Use the ldaps:// scheme with the domain controller's FQDN rather than its IP address: the certificate issued by TECH-CA carries the name TECH-DC01.TECH.LOCAL, and a host that does not match that name is what the client library will reject once certificate checking is enabled.

Enter the Admin username, its password and click on the Test button.

You need to change TECH-DC01.TECH.LOCAL to your domain controller hostname.

You need to change the domain information to reflect your network environment.

You need to change the bind credentials to reflect your network environment.
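The Test button performs the same two-step bind that Zabbix repeats at every LDAP login: bind as the zabbix service account, search the base DN for the entry whose sAMAccountName equals the login name, then bind again as that entry's DN with the password the user typed. The script below is an added example, not part of the original tutorial or of Zabbix, that replays this flow from the Zabbix server with the OpenLDAP client tools (package ldap-utils on Ubuntu) so the settings above can be checked from the command line before LDAP is switched on in the web interface. It uses this tutorial's URI, base DN and bind DN as defaults and takes the bind password from the BIND_PW environment variable. Because the login name is spliced into a search filter, the script escapes it first, a step any code that builds LDAP filters from user input must not skip.

```sh
#!/bin/sh
# Added example, not part of the original tutorial or of Zabbix: replay the
# two-step LDAP login that Zabbix performs, using the OpenLDAP client tools
# (package ldap-utils on Ubuntu). Defaults are this tutorial's values and are
# assumptions; override them through the environment.
LDAP_URI="${LDAP_URI:-ldaps://TECH-DC01.TECH.LOCAL:636}"
BASE_DN="${BASE_DN:-dc=tech,dc=local}"
BIND_DN="${BIND_DN:-CN=zabbix,CN=Users,DC=tech,DC=local}"
BIND_PW="${BIND_PW:-}"                 # password of the zabbix service account
SEARCH_ATTR="${SEARCH_ATTR:-sAMAccountName}"

# Escape a value for use inside an LDAP search filter (RFC 4515). Without
# this, a login name such as 'admin)(objectClass=*' rewrites the filter
# instead of being matched literally.
ldap_escape_filter() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter sent for a login name, restricted to user objects.
ldap_user_filter() {
  printf '(&(objectClass=user)(%s=%s))' "$SEARCH_ATTR" "$(ldap_escape_filter "$1")"
}

# Step 1: bind as the service account (-x = simple bind) and look up the
# DN of the user. Prints the DN, or nothing if no entry matched.
# (AD returns "dn::" with a base64 value for non-ASCII DNs; not handled here.)
ldap_find_user_dn() {
  [ -n "$BIND_PW" ] || { echo "BIND_PW is not set" >&2; return 1; }
  ldapsearch -x -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
             -b "$BASE_DN" -s sub "$(ldap_user_filter "$1")" dn 2>/dev/null \
    | sed -n 's/^dn: //p' | head -n 1
}

# Step 2: bind as that DN with the password the user typed. ldapwhoami exits
# 0 on success and with the LDAP result code (49 = invalid credentials)
# otherwise. An empty password is refused before it reaches the server:
# a simple bind with a DN and no password is an unauthenticated bind
# (RFC 4513) that a directory may accept as anonymous and report as success.
ldap_check_password() {
  dn="$1"; pw="$2"
  [ -n "$dn" ] && [ -n "$pw" ] || return 1
  ldapwhoami -x -H "$LDAP_URI" -D "$dn" -w "$pw" >/dev/null 2>&1
}

# Full flow: succeeds only if the user exists and the password is correct.
ldap_authenticate() {
  dn=$(ldap_find_user_dn "$1") || return 1
  ldap_check_password "$dn" "$2"
}

# Usage: BIND_PW='...' ./ldap_login_test.sh admin 'password of admin'
if [ "${0##*/}" = "ldap_login_test.sh" ]; then
  if ldap_authenticate "$1" "$2"; then
    echo "OK: $1 authenticated via $LDAP_URI"
  else
    echo "FAIL: $1 could not be authenticated" >&2
    exit 1
  fi
fi
```

Run it as BIND_PW='123qwe' ./ldap_login_test.sh admin 'the AD password of admin'. Exit status 0 means the same credentials will work on the Zabbix login screen. If ldap_find_user_dn prints a DN but the second bind fails, the user's password is wrong; if it prints nothing, the search attribute, base DN or bind account is wrong, which is the same distinction the Zabbix Test button hides behind a single error message.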


If your test succeeds, you should see a success message.

On the Authentication screen, select the LDAP option as the default authentication method to enable LDAPS authentication against Active Directory, and click on the Update button.

After finishing your configuration, log out of the Zabbix web interface.

Try to log in using the Admin user and the password from the Active Directory database.

• Username: Admin
• Password: Enter the Active Directory password.

Congratulations! You have configured Zabbix LDAP authentication on Active Directory using LDAPS.

In order to authenticate a user against Active Directory, the user account must also exist in the Zabbix user database; Zabbix only delegates the password check to the directory and does not create users from it. The lookup is by sAMAccountName, which Active Directory matches case-insensitively, so the Zabbix user Admin matches the directory account admin. Keep at least one user group whose frontend access is set to Internal, so that an administrator can still log in with a Zabbix password if the domain controller or its certificate becomes unreachable.

VirtualCoin CISSP, PMP, CCNP, MCSE, LPIC2, 2019-10-02T15:30:40-03:00