[ZBXNEXT-1596] Support StartTLS for LDAP Auth Created: 2013 Jan 26  Updated: 2022 Dec 20  Resolved: 2022 Dec 20

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Frontend (F)
Affects Version/s: 2.0.4
Fix Version/s: None

Type: Change Request Priority: Trivial
Reporter: Steffen Gebert Assignee: Zabbix Development Team
Resolution: Duplicate Votes: 11
Labels: authentication, ldap, starttls
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates ZBXNEXT-2289 Multiple LDAP sources to authenticate... Closed
is duplicated by ZBXNEXT-2349 Add TLS option to LDAP authentication... Closed

 Description   

Authenticating Frontend users through LDAP currently does not support LDAP connections using StartTLS, only through SSL.

Support for StartTLS is pretty trivial, see https://www.zabbix.com/forum/showpost.php?p=80435&postcount=4



 Comments   
Comment by Andrew Howell [ 2014 Jun 20 ]

Any chance this can make it into 2.4?

Comment by Len Rugen [ 2019 Jan 28 ]

Having this on the LDAP Settings screens would be safer than a file that could be overwritten or skipped at patch time.

Comment by Len Rugen [ 2019 Jan 30 ]

Based on some testing, I think the host & port fields should be replaced with an "LDAP URI" field and a checkbox for StartTLS.  

There are 3 cases:

  1. ldap://hostname:port without StartTLS:  (Auth in clear text)
  2. ldap://hostname:port with StartTLS
  3. ldaps://hostname:port without StartTLS (it doesn't apply)

php_ldap seems to ignore the separate port option when the host field is a URI.  Cases 1 & 2 use the standard ldap port 389 or 3268 for AD global catalog.  Case 3 uses port 636 or 3269.

For cases 2 & 3, certificate configuration is needed in openldap or settings to ignore certificate validation.

Comment by Oleksii Zagorskyi [ 2019 Oct 04 ]

For "Port" we documented that it's ignored if specified in URI
https://www.zabbix.com/documentation/4.2/manual/web_interface/frontend_sections/administration/authentication

Comment by André Pereira da Silva [ 2019 Oct 04 ]

LDAP, or SMTP, or IMAP, or POP3, etc. all work in similar ways

  • For SMTP zabbix allows to use the 3 ways (SMTP | SMTPS | SMTP+startTLS)
  • For LDAP, zabbix only allows to use 2 ways (LDAP | LDAPS), so LDAP+StartTLS is currently missing.

Since the base framework already is capable of accepting LDAP+StartTLS connections (as referenced in the original feature request - and here https://github.com/zabbix/zabbix/blob/master/frontends/php/include/classes/ldap/CLdap.php#L58) and zabbix already has a similar option for SMTP in Email Media Type (https://www.zabbix.com/documentation/4.2/pt/manual/config/notifications/media/email), it seems what is needed is to add that new option to the interface, for instance, reusing part of what is done with SMTP (Email Media Type) and then using it when logging in with LDAP.
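The three connection cases listed in the 2019 Jan 30 comment, and the php_ldap StartTLS support the comment above refers to, as an added example that is not Zabbix's own CLdap.php code. The URI, bind DN, password and CA bundle path are placeholders; the function name ldapConnectAndBind is an assumption made here, not a Zabbix or php_ldap API:

```php
<?php
// Added example, not part of Zabbix. Maps the thread's three cases onto php_ldap:
//   1. ldap://host:389  without StartTLS  -> simple bind sends the password in clear text
//   2. ldap://host:389  with StartTLS     -> ldap_start_tls() upgrades the session first
//   3. ldaps://host:636 (StartTLS n/a)    -> TLS from the first byte, no StartTLS call
// Returns [true, connection] on success or [false, reason] on failure.
function ldapConnectAndBind(string $uri, bool $startTls, string $bindDn, string $bindPw,
                            ?string $caCertFile = null): array
{
    // libldap TLS options are global in php_ldap and must be set with a null link
    // before ldap_connect(). The CA bundle path here is a placeholder.
    if ($caCertFile !== null) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caCertFile);
    }
    // Demand a valid server certificate for both StartTLS and ldaps://; use
    // LDAP_OPT_X_TLS_NEVER only if you deliberately accept an unverified server.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $isLdaps = (stripos($uri, 'ldaps://') === 0);
    if ($isLdaps && $startTls) {
        // Case 3: the session is already TLS, StartTLS does not apply.
        return [false, 'StartTLS is not applicable to ldaps:// URIs'];
    }

    // When the host argument is a URI, php_ldap ignores the separate port argument,
    // so the port belongs in the URI (389/3268 for ldap://, 636/3269 for ldaps://).
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return [false, 'invalid LDAP URI'];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if ($startTls) {
        // Case 2: upgrade the plaintext session before any credentials are sent.
        if (!@ldap_start_tls($ldap)) {
            return [false, 'StartTLS failed: ' . ldap_error($ldap)];
        }
    }
    // Case 1 reaches this point with no TLS at all: the bind below is in clear text.

    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        return [false, 'bind failed: ' . ldap_error($ldap)];
    }
    return [true, $ldap];
}

// Case 2 with certificate verification against a CA bundle (placeholder values):
[$ok, $result] = ldapConnectAndBind(
    'ldap://ldap.example.com:389', true,
    'cn=zabbix,ou=svc,dc=example,dc=com', 'secret',
    '/etc/pki/tls/certs/ca-bundle.crt'
);
echo $ok ? "bound over StartTLS\n" : "error: {$result}\n";
```

The ordering is the security-relevant part: ldap_start_tls() must succeed before ldap_bind(), and a StartTLS failure must abort rather than fall back to a plaintext bind, otherwise a downgrade on port 389 leaks the bind password. The LDAP_OPT_X_TLS_* constants require PHP 7.1 or later.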


Comment by Rainer Meier [ 2020 Mar 31 ]

Well... reported more than 7 years ago for Version 2.0. Implementation is TRIVIAL by adding a checkbox on the GUI, as the feature is even supported in the library and can be enabled by changing a boolean variable in PHP, yet we still have to edit the PHP file on each release.

I am hoping for implementation "soon", but not holding my breath. At least there is a workaround available.

Comment by Michael E Hurn [ 2020 Sep 13 ]

This will be quite an issue if I find editing the CLdap.php file does not work.
I am installing Zabbix 5.0.3 on CentOS 8.2.
Note: Red Hat have removed/disabled SSL from the code.

At the moment when I try to configure ldaps:636 it fails.

Next week I will check if our AD server can be configured to do LDAPS over TLS.

But I'm not holding my breath.

Comment by Gregory Chalenko [ 2022 Apr 28 ]

Support of LDAP+startTLS will be implemented as part of ZBXNEXT-2289.

Generated at Sun Apr 27 10:03:09 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.