SSO in Zabbix
- single sign-on (SSO)
- SSL (Secure Sockets Layer) is a cryptographic protocol for a secure connection. After version 3.0, SSL was replaced by TLS (Transport Layer Security), but the old name stuck, so today "SSL" most often means TLS.
- Works only when using a domain name (FQDN), not an IP address.
LDAP/LDAPS
Let us configure LDAP authentication in Zabbix. In the Zabbix frontend, go to the LDAP settings tab in Administration -> Authentication.
Check Enable LDAP authentication and fill in the following fields:
LDAP host: ldap://dc1.domain.local
Port: 389
Base DN: DC=domain, DC=local
Search attribute: sAMAccountName
Bind DN: CN=zabbix,OU=Users,DC=domain,DC=local
If the test has been successful, save the settings and change the authentication type in Zabbix from Internal to LDAP.
LDAP authentication is configured. Note that if the LDAP server is unavailable, we will not be able to log in to Zabbix.
After enabling HTTP authentication (HTTP settings -> Enable HTTP authentication), to get back to internal authentication we can open MySQL and run the following command: update zabbix.config set authentication_type='0' where configid='1';
DC
Create an A record in DNS and a user in AD, then generate the keytab on the DC:
ktpass -princ HTTP/zabbix.domain.local@DOMAIN.LOCAL -mapuser zabbix@DOMAIN.LOCAL -crypto all -pass VeryStrongPASS!!! -ptype KRB5_NT_PRINCIPAL -out my.keytab
If we want LDAPS, some setup is needed on our DC: https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
WARNING: do not use IP addresses instead of hostnames/FQDNs; the value in the LDAP host field must match the name the server's certificate was issued for! After transferring ca.cer to the Zabbix server, convert it from DER (.cer) to PEM and add it to the trust store:
openssl x509 -inform der -in ca-01.cer -out ca-01.pem
mv /tmp/ca-01.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
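The warning above (use the FQDN, and the name must match the certificate) can be checked before touching the Zabbix settings. The following shell function is an added example, not from the original notes: it takes the bare hostname (dc1.domain.local from ldap://dc1.domain.local) and a certificate file saved from the DC (DER or PEM; how you obtained it is assumed) and asks OpenSSL whether the name matches.

```sh
# Added example, not from the original notes: sanity-check the value you are
# about to put in the Zabbix "LDAP host" field against the DC's certificate.
# Arguments: the bare hostname (dc1.domain.local from ldap://dc1.domain.local)
# and a certificate file in DER (.cer, as exported from the DC) or PEM form.
# Assumption: the DC's server certificate was saved to that file beforehand.
ldaps_host_check() {
    host="$1"
    cert="$2"
    # 1. Reject IP literals: TLS compares the name in the SAN/CN, so an address
    #    here can never match and LDAPS will fail even with a trusted CA.
    case "$host" in
        *[!0-9.]*) ;;
        *) echo "REJECT: '$host' is an IP address, use the FQDN"; return 1 ;;
    esac
    # 2. Normalise to PEM, the same conversion the notes do for ca-01.cer.
    if openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        pem="$cert"
    else
        pem=$(mktemp) || return 1
        openssl x509 -inform der -in "$cert" -out "$pem" || return 1
    fi
    # 3. Let OpenSSL do the hostname match (subjectAltName, falling back to CN).
    result=$(openssl x509 -in "$pem" -noout -checkhost "$host") || return 1
    echo "$result"
    case "$result" in
        *"does match"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run it as ldaps_host_check dc1.domain.local dc.cer; a non-zero exit status means the value would fail TLS verification in Zabbix.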
Kerberos
For CentOS:
yum install krb5-workstation krb5-libs krb5-auth-dialog mod_auth_kerb ntp ntpdate -y
ntpdate DC1.domain.local
vi /etc/krb5.conf
Change the following in /etc/krb5.conf (in our example the realm is DOMAIN.LOCAL and the KDC is dc1.domain.local, replacing the example values below):
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
admin_server = kerberos.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Specify the server's FQDN in /etc/hostname; it must match the DNS record in the domain. Restart Apache for the change to take effect.
cat /etc/hosts
127.0.0.1 zabbix.domain.local zabbix
'server ip' zabbix.domain.local zabbix
After copying the keytab file from the DC, check its permissions: the Apache user must be able to read it.
The klist command will show whether a ticket was created.
Create a Kerberos ticket for a user; this is also an easy way to check that krb5.conf is valid: kinit username@DOMAIN.COM, for our example kinit zabbix.
Make sure Kerberos authentication works on Linux using the keytab: kinit -kV -p HTTP/zabbix.domain.local
Delete tickets: kdestroy -A
web
Enable HTTP authentication in Zabbix. I do not think that changing the default login form is good for everyone, so I want to work with the link /zabbix/index_http.php.
For Apache, add the following block to /etc/httpd/conf.d/zabbix.conf:
<Location /zabbix/index_http.php>
AuthType Kerberos
AuthName "Kerberos Authenticated"
KrbAuthRealms DOMAIN.LOCAL
Krb5Keytab "/etc/httpd/conf.d/zabbix.keytab"
KrbMethodNegotiate On
KrbSaveCredentials On
KrbVerifyKDC On
KrbServiceName Any
KrbLocalUserMapping On
KrbMethodK5Passwd Off
Require valid-user
# LogLevel trace8
</Location>
Browser
For Internet Explorer to use Kerberos authentication on Zabbix, we will have to add its URL to Local Intranet sites. Google Chrome uses Internet Explorer settings, so we do not need to configure it separately.
1. Open Options -> Security in IE.
2. Click Sites in the Local intranet zone, check the options shown in the screenshot below, and click Advanced.
3. Enter the Zabbix server URL.
4. Then go to the Advanced tab and check Enable Integrated Windows Authentication.
5. For Mozilla Firefox, add the URL of the Zabbix server to the following about:config parameters:
network.automatic-ntlm-auth.trusted-uris
network.negotiate-auth.delegation-uris
network.negotiate-auth.trusted-uris
Alternatively, we can put the Zabbix URL in the Local Intranet zone using Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List; use zone code 1 for intranet sites).
debug
Kerberos Authentication Debugging & Troubleshooting in Apache
If we have any issues, enable debug mode in Apache. Enter the following before the closing tag in /etc/apache2/sites-available/000-defaults.conf (on Debian; on CentOS uncomment the commented line in the Location block above):
LogLevel trace8
Then restart Apache and check the Kerberos module errors in the error log.
To make it more convenient, filter the entries by client IP address (CentOS and Debian paths respectively):
tailf /var/log/httpd/error_log | grep 'our ip'
tail -f /var/log/apache2/error.log | grep 'Our IP address'
Similarly, to work with and diagnose Kerberos, we can use kinit and klist commands.
kinit is a tool to get and cache Kerberos tickets, for example:
kinit -V -k -t /etc/apache2/zabbix.keytab -p HTTP/zabbix.domain.local@DOMAIN.LOCAL
If we have generated our keytab file correctly, the command will succeed and report that authentication was successful.
Using klist, we can view cached Kerberos tickets: klist -a
Make sure that the SPN record for your Zabbix service account exists in AD. Enter the following command on the domain controller:
setspn -l zabbix_admin
It must be in HTTP/zabbix.domain.local format. If there is no entry, add it:
setspn -a HTTP/zabbix.domain.local zabbix_admin
If KrbServiceName does not match the name specified in the keytab file, an error occurs, so during testing you can set it to Any as in the block above. Once you have made sure that the system is working, enter the real service name. You can check the principals in the keytab with: klist -k -t -e /etc/apache2/zabbix.keytab
Notes
A successful request should look like:
Acquiring creds for HTTP/web01@DOMAIN.NET
Verifying client data using KRB5 GSS-API
Client didn't delegate us their credential
GSS-API token of length XXX bytes will be sent back
Common errors and their causes:
gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
This usually means there's something wrong with the principal configuration.
GSS-API major_status:000d0000, minor_status:025ea101
Could not find principal. Spelling error or wrong syntax?
GSS-API major_status:000d0000, minor_status:0000000d
File permission errors (usually the keytab file).
GSS-API major_status:000d0000, minor_status:000186a3
Wrong password in keytab or your ticket.
kinit: Preauthentication failed while getting initial credentials
Wrong password and/or credentials in general (check letter casing).
kinit: KDC has no support for encryption type while getting initial credentials
Encryption type is not supported by the AD server. Make sure not to use DES.
Users not getting synced
Make sure the users are as low in the hierarchy as possible or else they might not get caught.
General authentication errors
Make sure you're typing the login in the correct case. It also has to match in the keytab file.
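The messages above can be matched automatically. The following shell function is an added example, not part of the original notes: it reads an Apache error log, prints the hint from the list above for each recognised line, and returns non-zero if any error was found; the sample log lines in kerb_triage_demo are constructed, not real mod_auth_kerb output.

```sh
# Added example, not from the original notes: scan an Apache error_log for the
# mod_auth_kerb / kinit messages listed above and print a hint for each.
# Usage: kerb_triage /var/log/httpd/error_log ; returns non-zero when at least
# one error line was recognised, so it can gate a deployment script.
kerb_triage() {
    errors=0
    while IFS= read -r line; do
        case "$line" in
            *"GSS-API token of length"*)
                echo "OK      : Negotiate handshake completed for this request" ;;
            *"An unsupported mechanism was requested"*)
                echo "ERROR   : principal configuration is wrong (check the SPN and the keytab principal)"
                errors=$((errors + 1)) ;;
            *"minor_status:025ea101"*)
                echo "ERROR   : principal not found: spelling error or wrong syntax (setspn -l, KrbServiceName)"
                errors=$((errors + 1)) ;;
            *"minor_status:0000000d"*)
                echo "ERROR   : file permission problem, usually the keytab (the Apache user must be able to read it)"
                errors=$((errors + 1)) ;;
            *"minor_status:000186a3"*)
                echo "ERROR   : wrong password in the keytab or ticket (regenerate with ktpass)"
                errors=$((errors + 1)) ;;
            *"Preauthentication failed"*)
                echo "ERROR   : wrong password/credentials; check the letter casing of the login"
                errors=$((errors + 1)) ;;
            *"KDC has no support for encryption type"*)
                echo "ERROR   : encryption type not supported by AD; do not use DES"
                errors=$((errors + 1)) ;;
        esac
    done < "$1"
    echo "SUMMARY : $errors error line(s) recognised"
    [ "$errors" -eq 0 ]
}

# Constructed sample log (not real output) so the function can be run offline.
kerb_triage_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[auth_kerb] Acquiring creds for HTTP/zabbix.domain.local@DOMAIN.LOCAL
[auth_kerb] GSS-API token of length 120 bytes will be sent back
[auth_kerb] GSS-API major_status:000d0000, minor_status:0000000d
kinit: Preauthentication failed while getting initial credentials
EOF
    kerb_triage "$f"; rc=$?
    rm -f "$f"
    return $rc
}
```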
Some links
Nice one http://woshub.com/zabbix-single-sign-sso-authentication-ldap-active-directory/
For debugging
- https://gist.github.com/andersevenrud/53920c3ef91c5e11c939fce5ca17af3b
- https://plugins.miniorange.com/guide-to-setup-kerberos-single-sign-sso
- https://www.drupal.org/project/ldap/issues/2123615
- https://jakondo.ru/integratsiya-zabbix-s-active-directory-nastrojka-prozrachnoj-autentifikatsii-sso-single-sign-on/
- https://jakondo.ru/nastrojka-sso-single-sign-on-avtorizatsii-na-apache-v-active-directory-debian-8-jessie-ubuntu-server-14-04/
LDAPS
- https://techcommunity.microsoft.com/t5/sql-server/step-by-step-guide-to-setup-ldaps-on-windows-server/ba-p/385362
- https://winitpro.ru/index.php/2014/10/02/aktiviruem-ldap-over-ssl-ldaps-v-windows-server-2012-r2/
- https://winitpro.ru/index.php/2015/11/02/ustanovka-sertifikata-na-kompyutery-domena-s-pomoshhyu-gruppovyx-politik/
- https://denisitpro.wordpress.com/2019/02/02/ldaps-tls-ssl/
- https://bgmot.com/zabbix_secure_ldap