  1. ZABBIX BUGS AND ISSUES
  2. ZBX-9096

LDAP Authentication fails: cannot bind by given Bind DN

    • Incident report
    • Resolution: Cannot Reproduce
    • Minor
    • None
    • 2.4.2
    • Frontend (F)
    • CentOS 7, Apache 2.4, VSphere Virtual Machine

      Greetings!

      I've been using zabbix 2.2 at CentOS 6 for some time, so I'm trying to migrate to a newer version (both OS and zabbix). So, I've created another virtual machine for that issue. Almost everything is done, the problem is - ldap authentication doesn't work with an error:

          ldap_bind(): Unable to bind to server: Can't contact LDAP server [authentication.php:120 → CLdapAuthValidator->validate() → CLdap->checkPass() → ldap_bind() in /usr/share/zabbix/include/classes/ldap/CLdap.php:112]
          LDAP: cannot bind by given Bind DN.
          Login name or password is incorrect!
      

      My configurations are
      ldap host 172.25.172.20 port 389
      Base DN DC=domain,DC=LOCAL
      Search attribute sAMAccountName
      Bind DN [email protected]

      and they work just fine at my old installation. Moreover, I've tried full distinguishedName CN=Mr_LDAP,CN=Users,DC=domain,DC=local rather than userPrincipalName with no effect.

      Also, I've checked using ldapsearch utility - it binds just fine.

      [root@zabbix ttch]# ldapsearch -h 172.25.172.20 -p 389 -D CN=Mr_LDAP,CN=Users,DC=domain,DC=local -w [password] -b "DC=domain,DC=local" sAMAccountName=_ldapd
      # extended LDIF
      #
      # LDAPv3
      # base <DC=domain,DC=local> with scope subtree
      # filter: sAMAccountName=_ldapd
      # requesting: ALL
      #
      
      # Mr_LDAP, Users, domain.local
      dn: CN=Mr_LDAP,CN=Users,DC=domain,DC=local
      [...]
      

      Tcpdump reveals that there is no traffic at port 389 when I press test at zabbix authorisation config page (but there is when I use ldapsearch).

      I've tried second, non-windows ldap server - with the same effect.

      And the last one: I've read that it could be a php module that checks for correct request form, so I've checked with this script:

      <?php
      // using ldap bind
      $ldaprdn  = '[email protected]';     // ldap rdn or dn
      $ldappass = '[password]';  // associated password
      
      // connect to ldap server
      $ldapconn = ldap_connect("172.25.172.20")
          or die("Could not connect to LDAP server.");
      
      if ($ldapconn) {
      
          // binding to ldap server
          $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
      
          // verify binding
          if ($ldapbind) {
              echo "LDAP bind successful...";
          } else {
              echo "LDAP bind failed...";
          }
      
      }
      

      It succeeded. Again, with traffic that tcpdump could see.

      Here the list of installed ldap packages:

      • apr-util-ldap.x86_64 1.5.2-6.el7 @base
      • mod_ldap.x86_64 2.4.6-18.el7.centos @updates
      • openldap.x86_64 2.4.39-3.el7 @anaconda
      • openldap-clients.x86_64 2.4.39-3.el7 @base
      • openldap-devel.x86_64 2.4.39-3.el7 @base
      • php-ldap.x86_64 5.4.16-23.el7_0.3 @updates

      I've checked all related threads at zabbix forums but wasn't able to resolve my issue.

            Unassigned Unassigned
            ttch Timofey Chizhikov