Integrating Zabbix 7 with Active Directory (AD) over LDAPS can be challenging, especially when dealing with certificate issues. This article covers the process, common pitfalls, and verified solutions to ensure a secure LDAPS connection.
You Should Know:
### **1. Setting Up LDAPS on Windows Server**
Before configuring Zabbix, ensure your AD Domain Controller (DC) has a valid LDAPS certificate. Follow these steps:
#### **Step 1: Obtain a Publicly Signed Certificate for LDAPS**
– Use a trusted CA (e.g., DigiCert, Let’s Encrypt) to issue a certificate for your DC.
– Ensure the certificate has the following attributes:
  – Subject Name: must match the DC’s hostname (e.g., `dc1.yourdomain.com`).
  – Enhanced Key Usage (EKU): must include Server Authentication (`1.3.6.1.5.5.7.3.1`).
#### **Step 2: Install the Certificate on the Domain Controller**
1. Open MMC → Add the Certificates snap-in → Computer Account.
2. Import the certificate into Personal and Trusted Root Certification Authorities.
3. Bind the certificate to LDAPS:
```
netsh http add sslcert ipport=0.0.0.0:636 certhash=<Thumbprint> appid={00112233-4455-6677-8899-AABBCCDDEEFF}
```
#### **Step 3: Verify LDAPS Connectivity**
Use `ldp.exe` or OpenSSL to test:
```
openssl s_client -connect dc1.yourdomain.com:636 -showcerts
```
### **2. Configuring Zabbix for LDAPS**
Zabbix requires proper LDAPS settings in `/etc/zabbix/zabbix_server.conf`:
```
LDAPServer=ldaps://dc1.yourdomain.com
LDAPPort=636
LDAPBaseDN=DC=yourdomain,DC=com
LDAPSearchAttribute=sAMAccountName
LDAPBindDN=CN=ldapuser,CN=Users,DC=yourdomain,DC=com
LDAPBindPassword=YourSecurePassword
LDAPTLSCAFile=/etc/ssl/certs/yourdomain-ca.pem   # If using a private CA
```
#### **Troubleshooting Zabbix LDAPS Issues**
- Error: Unable to establish TLS connection → Ensure Zabbix trusts the LDAPS certificate.
- Self-signed certificate rejection → Either:
  - Add `LDAPTLS_REQCERT=allow` to Zabbix’s environment (not recommended for production).
  - Properly import the CA certificate into Zabbix’s trusted store.
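The troubleshooting items above say what to fix, but not how to tell from the Zabbix host which failure you are actually hitting. The script below is an added example written for this article (it is not part of the original post and not Zabbix's own code). Using only the Python standard library, it performs the same certificate-verified TLS handshake an LDAPS client performs, and maps OpenSSL's verification result codes to the fixes listed above. The hostname, port and CA file path are the article's placeholders; the `SAMPLE_CERT` dictionary is a constructed sample in the shape `getpeercert()` returns, so the offline part of the check can be exercised without a real DC.

```python
"""Check the certificate an LDAPS endpoint presents, as seen from the Zabbix host.

Added example for this article; standard library only. The host, port and CA
path are placeholders taken from the article, not real values.
"""
import socket
import ssl
import time

# OpenSSL X509 verify result codes that correspond to the troubleshooting items above.
VERIFY_HINTS = {
    10: "certificate has expired: renew the DC certificate",
    18: "self-signed leaf certificate: the DC is not presenting a CA-issued certificate",
    19: "self-signed certificate in chain: the issuing CA is not in the trust store "
        "(import it, or point LDAPTLSCAFile at it)",
    20: "issuer certificate not found locally: add the CA or its intermediate to the trust store",
    21: "unable to verify leaf signature: an intermediate CA is missing on the DC or in the CA file",
    62: "hostname mismatch: the certificate's Subject/SAN does not match the LDAPServer name",
}

# Constructed sample in the shape SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.yourdomain.com"),),),
    "subjectAltName": (("DNS", "dc1.yourdomain.com"), ("DNS", "yourdomain.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def classify_verify_failure(verify_code, message):
    """Translate an OpenSSL verify code into the fix a Zabbix admin should apply."""
    hint = VERIFY_HINTS.get(verify_code)
    if hint is None:
        return f"TLS verification failed ({message}); check the CA file and certificate attributes"
    return hint


def dns_name_matches(pattern, hostname):
    """SAN DNS matching: exact (case-insensitive) or a single leftmost-label wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern.split(".")[1:]
        labels = hostname.split(".")
        return len(labels) == len(suffix) + 1 and labels[1:] == suffix
    return False


def inspect_peer_cert(cert, hostname, now=None):
    """Summarise a getpeercert() dict: CN, SAN DNS names, hostname match and expiry."""
    now = time.time() if now is None else now
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    common_name = next(
        (value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"),
        None,
    )
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": common_name,
        "san_dns": san_dns,
        # Modern clients (Python included) match the hostname against SAN, not the CN.
        "hostname_in_san": any(dns_name_matches(name, hostname) for name in san_dns),
        "days_until_expiry": int((not_after - now) // 86400),
        "expired": not_after <= now,
    }


def check_ldaps(hostname, port=636, cafile=None, timeout=5.0):
    """Handshake with the DC the way an LDAPS client does and report the outcome.

    cafile=None uses the system trust store (public-CA case); pass the
    LDAPTLSCAFile path when the DC certificate comes from a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                findings = inspect_peer_cert(tls.getpeercert(), hostname)
                findings.update(ok=True, tls_version=tls.version())
                return findings
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        return {"ok": False, "reason": classify_verify_failure(code, str(exc))}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": f"connection or handshake error: {exc}"}


if __name__ == "__main__":
    import json
    import sys

    # Offline demonstration on the constructed sample, then a live check if a host is given.
    print(json.dumps(inspect_peer_cert(SAMPLE_CERT, "dc1.yourdomain.com"), indent=2))
    if len(sys.argv) > 1:
        ca_path = sys.argv[2] if len(sys.argv) > 2 else None  # e.g. /etc/ssl/certs/yourdomain-ca.pem
        print(json.dumps(check_ldaps(sys.argv[1], cafile=ca_path), indent=2))
```

Run it as `python3 check_ldaps.py dc1.yourdomain.com /etc/ssl/certs/yourdomain-ca.pem` on the Zabbix server: a `reason` starting with "self-signed certificate in chain" or "issuer certificate not found locally" is the trust-store problem from the troubleshooting list, while "hostname mismatch" means the Subject/SAN does not cover the name used in `LDAPServer`. `getpeercert()` does not expose the EKU extension; to confirm Server Authentication is present, dump the PEM with `ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))` (or the `openssl s_client -showcerts` output above) and inspect it with `openssl x509 -noout -text`.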
### **3. Automating Certificate Verification with PowerShell**
To confirm which certificate is being used for LDAPS:
```powershell
$LDAPServer = "dc1.yourdomain.com"
$LDAPPort   = 636

# Open a TCP connection and perform the TLS handshake the way an LDAPS client does.
$TCPClient = New-Object System.Net.Sockets.TcpClient($LDAPServer, $LDAPPort)
$SSLStream = New-Object System.Net.Security.SslStream($TCPClient.GetStream())
$SSLStream.AuthenticateAsClient($LDAPServer)

# Show the certificate the DC actually presented.
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SSLStream.RemoteCertificate
$Certificate | Select-Object Subject, Thumbprint, NotAfter

$SSLStream.Dispose()
$TCPClient.Dispose()
```
## **What Undercode Say**
LDAPS integration is critical for secure authentication but often fails due to certificate misconfigurations. Always:
– Use publicly signed certificates for production.
– Verify certificate bindings with `openssl` or PowerShell.
– Ensure Zabbix’s config points to the correct CA file.
## **Expected Output:**
A fully functional Zabbix 7 integration with AD over LDAPS, with verified certificate trust and secure authentication.
Reported By: Vmwarenerd Zabbix – Hackers Feeds