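Zabbix LDAP Authentication Login

1. Demo environment

The demo environment runs Zabbix community edition 5.0.6.

Versions of the related services:

mysql-5.7.32 and PHP-7.2.34, installed with the lnmp1.7 one-click installation package.

2. Enabling the LDAP module in PHP

When LDAP authentication is enabled in Zabbix, the frontend reports that the PHP LDAP module is missing.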


Installation procedure for the PHP LDAP extension:

[root@zabbix-server src]# tar -jxf php-7.2.34.tar.bz2
[root@zabbix-server src]# cd php-7.2.34
[root@zabbix-server php-7.2.34]# pwd
/data/soft/lnmp1.7/src/php-7.2.34
[root@zabbix-server php-7.2.34]# cd ext/ldap
[root@zabbix-server ldap]# /usr/local/php/bin/phpize
[root@zabbix-server ldap]# ./configure --with-php-config=/usr/local/php/bin/php-config --with-ldap

Error:
checking size of long int... (cached) 8
configure: error: Cannot find ldap.h

Fix:

yum -y install openldap openldap-devel

Running configure again fails with the following error:

configure: error: Cannot find ldap libraries in /usr/lib.

Fix:

Create symbolic links in /usr/lib/ for the LDAP libraries matching /usr/lib64/libldap*, or copy them instead: cp -frp /usr/lib64/libldap* /usr/lib/

[root@zabbix-server ldap]# ln -sv /usr/lib64/libldap* /usr/lib/
‘/usr/lib/libldap-2.4.so.2’ -> ‘/usr/lib64/libldap-2.4.so.2’
‘/usr/lib/libldap-2.4.so.2.10.7’ -> ‘/usr/lib64/libldap-2.4.so.2.10.7’
‘/usr/lib/libldap_r-2.4.so.2’ -> ‘/usr/lib64/libldap_r-2.4.so.2’
‘/usr/lib/libldap_r-2.4.so.2.10.7’ -> ‘/usr/lib64/libldap_r-2.4.so.2.10.7’
‘/usr/lib/libldap_r.so’ -> ‘/usr/lib64/libldap_r.so’
‘/usr/lib/libldap.so’ -> ‘/usr/lib64/libldap.so’

[root@zabbix-server ldap]# ll /usr/lib/libldap*
lrwxrwxrwx 1 root root 27 Dec 26 18:33 /usr/lib/libldap-2.4.so.2 -> /usr/lib64/libldap-2.4.so.2
lrwxrwxrwx 1 root root 32 Dec 26 18:33 /usr/lib/libldap-2.4.so.2.10.7 -> /usr/lib64/libldap-2.4.so.2.10.7
lrwxrwxrwx 1 root root 29 Dec 26 18:33 /usr/lib/libldap_r-2.4.so.2 -> /usr/lib64/libldap_r-2.4.so.2
lrwxrwxrwx 1 root root 34 Dec 26 18:33 /usr/lib/libldap_r-2.4.so.2.10.7 -> /usr/lib64/libldap_r-2.4.so.2.10.7
lrwxrwxrwx 1 root root 23 Dec 26 18:33 /usr/lib/libldap_r.so -> /usr/lib64/libldap_r.so
lrwxrwxrwx 1 root root 21 Dec 26 18:33 /usr/lib/libldap.so -> /usr/lib64/libldap.so

configure now completes successfully:

[root@zabbix-server ldap]# ./configure --with-php-config=/usr/local/php/bin/php-config --with-ldap



......
checking if cc supports -fno-rtti -fno-exceptions... no
checking for cc option to produce PIC... -fPIC
checking if cc PIC flag -fPIC works... yes
checking if cc static flag -static works... no
checking if cc supports -c -o file.o... yes
checking whether the cc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
creating libtool
appending configuration tag "CXX" to libtool
configure: creating ./config.status
config.status: creating config.h

Run make and make install:

[root@zabbix-server ldap]# make && make install
/bin/sh /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/libtool --mode=compile cc -DLDAP_DEPRECATED=1 -I. -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap -DPHP_ATOM_INC -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/include -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/main -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap -I/usr/local/php/include/php -I/usr/local/php/include/php/main -I/usr/local/php/include/php/TSRM -I/usr/local/php/include/php/Zend -I/usr/local/php/include/php/ext -I/usr/local/php/include/php/ext/date/lib -DHAVE_CONFIG_H -g -O2 -c /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/ldap.c -o ldap.lo
mkdir .libs
cc -DLDAP_DEPRECATED=1 -I. -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap -DPHP_ATOM_INC -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/include -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/main -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap -I/usr/local/php/include/php -I/usr/local/php/include/php/main -I/usr/local/php/include/php/TSRM -I/usr/local/php/include/php/Zend -I/usr/local/php/include/php/ext -I/usr/local/php/include/php/ext/date/lib -DHAVE_CONFIG_H -g -O2 -c /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/ldap.c -fPIC -DPIC -o .libs/ldap.o
/bin/sh /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/libtool --mode=link cc -DPHP_ATOM_INC -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/include -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/main -I/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap -I/usr/local/php/include/php -I/usr/local/php/include/php/main -I/usr/local/php/include/php/TSRM -I/usr/local/php/include/php/Zend -I/usr/local/php/include/php/ext -I/usr/local/php/include/php/ext/date/lib -DHAVE_CONFIG_H -g -O2 -o ldap.la -export-dynamic -avoid-version -prefer-pic -module -rpath /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/modules ldap.lo -lldap
cc -shared .libs/ldap.o -lldap -Wl,-soname -Wl,ldap.so -o .libs/ldap.so
creating ldap.la
(cd .libs && rm -f ldap.la && ln -s ../ldap.la ldap.la)
/bin/sh /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/libtool --mode=install cp ./ldap.la /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/modules
cp ./.libs/ldap.so /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/modules/ldap.so
cp ./.libs/ldap.lai /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/modules/ldap.la
PATH="$PATH:/sbin" ldconfig -n /data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/modules
----------------------------------------------------------------------
Libraries have been installed in:
/data/soft/lnmp1.7/src/php-7.2.34/ext/ldap/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------

Build complete.
Don't forget to run 'make test'.

Installing shared extensions: /usr/local/php/lib/php/extensions/no-debug-non-zts-20170718/

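The LDAP module has now been compiled and installed into PHP.
Edit php.ini to enable the LDAP module, then restart the PHP service for the change to take effect.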

[root@zabbix-server ldap]# /usr/local/php/sbin/php-fpm -y /usr/local/php/etc/php-fpm.conf -t
[26-Dec-2021 18:39:47] NOTICE: configuration file /usr/local/php/etc/php-fpm.conf test is successful

/etc/init.d/php-fpm restart

The LDAP module has been added:
[root@zabbix-server ldap]# php -m|grep ldap
ldap

3. Log in to Zabbix and configure LDAP authentication


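With the configuration above, LDAP and Zabbix are connected: when a user logs in to Zabbix, the credentials are first checked against LDAP to determine whether the user is valid. However, Zabbix does not automatically sync users that already exist in LDAP into Zabbix. To log in to Zabbix with an LDAP account, you must create a user in Zabbix with the same name as the one in LDAP, which is quite inconvenient.

Also take special note: once LDAP authentication is selected, the original Zabbix Admin account can no longer log in unless an Admin account has been created in LDAP beforehand.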
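
The two constraints above (every LDAP user needs a same-named Zabbix user, and an existing Zabbix account such as Admin stops working unless it also exists in LDAP) can be checked before the authentication type is switched. The script below is an added example, not part of the original post; the function name ldap_preflight, the file names and the sample directory entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Real inputs would come from
# commands like these (LDAP_HOST, BASE_DN and the filter are placeholders):
#   ldapsearch -x -LLL -H ldap://LDAP_HOST -b BASE_DN '(uid=*)' uid > ldap.ldif
#   mysql -N -B -e 'select alias from zabbixdb.users' > aliases.txt

# ldap_preflight LDIF_FILE ALIASES_FILE  -> one finding per line, sorted:
#   LOCKED_OUT <alias>        Zabbix user with no LDAP entry
#   NO_ZABBIX_ACCOUNT <uid>   LDAP user with no same-named Zabbix user
ldap_preflight() {
    awk '
        { sub(/[ \t\r]+$/, "") }                  # drop trailing blanks and CR
        FILENAME == ARGV[1] {                     # first file: LDIF
            if ($0 ~ /^uid: /) ldap[substr($0, 6)] = 1
            next
        }
        length($0) { zbx[$0] = 1 }                # second file: one alias per line
        END {
            for (a in zbx)  if (!(a in ldap)) print "LOCKED_OUT " a
            for (u in ldap) if (!(u in zbx))  print "NO_ZABBIX_ACCOUNT " u
        }
    ' "$1" "$2" | sort
}

# Constructed sample data: the three LDAP accounts named in the post, and a
# Zabbix users table that so far holds only Admin and guest.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/ldap.ldif" <<'EOF'
dn: uid=ldapuser1,ou=People,dc=example,dc=com
uid: ldapuser1

dn: uid=ldapuser2,ou=People,dc=example,dc=com
uid: ldapuser2

dn: uid=Admin,ou=People,dc=example,dc=com
uid: Admin
EOF
    printf '%s\n' Admin guest > "$tmp/aliases.txt"
    ldap_preflight "$tmp/ldap.ldif" "$tmp/aliases.txt"
    rm -rf "$tmp"
}

demo
```

The comparison is exact and case-sensitive; an empty result means every Zabbix user has an LDAP entry and every LDAP user has a Zabbix account.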

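Even if you forget the password of the Admin account in LDAP and can no longer log in to Zabbix, there is a way to recover:

Log in to the database and switch LDAP authentication back to local authentication: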

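mysql   # log in to the database

show databases;   # list the databases

use zabbixdb;   # switch to the zabbix database

update zabbixdb.config set authentication_type=0;   # switch to local authentication so the local Admin account can log in to Zabbix; this bypasses LDAP login authentication entirely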

Then log in as Admin. If you have forgotten the Admin password, you can reset it as well.

Changing the Admin password:

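# Look up the Admin user's ID:

mysql> select * from zabbixdb.users;

# Update the Admin password. Zabbix checks the stored value as a bcrypt or legacy md5 hash, so MySQL PASSWORD() output would never match; change this default password right after logging in.

mysql> update users set passwd=md5('zabbix') where userid=1;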

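Log in to the LDAP service to view the existing LDAP accounts:

There are three accounts: ldapuser1, ldapuser2 and Admin.

Log in to Zabbix and create the ldapuser1 and ldapuser2 accounts. The password set in Zabbix can be anything: once LDAP is integrated, login to Zabbix uses the ldapuser1 and ldapuser2 accounts and passwords stored in LDAP.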


Verified: all three accounts can log in using their account information in LDAP.



posted @ 2021-12-26 22:10  勤奋的蓝猫