The steps below can be used to connect an Active Directory setup to your PBX and to test it.
Step-by-step guide
The following steps were tested with Microsoft Server 2012 Essentials; your mileage may vary. Requires version 13 or higher of the PBX software.
- Make sure you have access to AD on TCP port 389 from the PBX to the AD system
- Use dsquery to get the correct base DN; from the Windows server command line run the following:

C:\Users\master> dsquery user -name validADusername*
"CN=validADusername,CN=Users,DC=domain,DC=local"

The base DN derived from the above will be:

DC=domain,DC=local

The User DN and Group DN will be:

CN=Users

- Then, armed with the base DN, begin filling out the required information:
- Host: enter the IP address of the AD server
- Port: defaults to 389 which should be fine in most cases
- Username: a valid AD user
- Password: that valid AD user's password
- Domain: the AD domain, in my case domain.local
- Base DN: the base DN derived from step 2
- User DN: The filter string where users live (can be an OU)
- Group DN: The filter string where groups live (can be an OU)
This was tested using a hosted PBX with a local instance of Server 2012 Essentials; the local router was configured with a port forward that takes requests for port 389 from the PBX and redirects them to the AD server, and it was verified that the two had no issues speaking with each other.
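The derivation in step 2 (leaf object, then containers, then DC= components) can be done mechanically. The following script is an added example for this page, not FreePBX code and not part of the original guide: it takes the DN that dsquery prints and splits it into the Domain, Base DN and User DN / Group DN fields of the directory form, and also builds the search base that User Manager will hand to ldapsearch (User DN joined to Base DN, as seen in the verbose sync output later on this page). The dsquery output it parses is constructed from the guide's example domain.

```python
"""Derive FreePBX User Manager LDAP settings from a dsquery result.

Added example for this page; not FreePBX code and not part of the original
guide. It takes the DN that `dsquery user -name <user>` prints and splits it
the way the guide does by hand: the DC= components become the Base DN, the
containers between the user object and the DC= components become the
User DN / Group DN, and the base that ldapsearch -b receives is
User DN + "," + Base DN.
"""
import re

# Split on commas that are not escaped with a backslash (RFC 4514 escaping),
# so a CN such as "Doe\, John" survives intact.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return a DN as a list of (attribute, value) pairs, leaf object first."""
    rdns = []
    for part in _RDN_SPLIT.split(dn.strip().strip('"')):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def derive_settings(dsquery_dn):
    """Map a user DN onto the fields of the User Manager directory form."""
    rdns = parse_dn(dsquery_dn)
    domain_parts = [v for a, v in rdns if a == "DC"]
    if not domain_parts:
        raise ValueError("no DC= components; this does not look like an AD DN")
    # Containers (CN=Users or one or more OUs) sit between the leaf object,
    # which is the user itself, and the DC= components.
    container = [(a, v) for a, v in rdns[1:] if a != "DC"]
    container_dn = ",".join("%s=%s" % rdn for rdn in container)
    base_dn = ",".join("DC=%s" % v for v in domain_parts)
    search_base = ",".join(p for p in (container_dn, base_dn) if p)
    return {
        "domain": ".".join(domain_parts),  # Domain field, e.g. domain.local
        "base_dn": base_dn,                # Base DN field
        "user_dn": container_dn,           # User DN field, relative to Base DN
        "group_dn": container_dn,          # Group DN field; point it at a narrower OU if groups live elsewhere
        "search_base": search_base,        # what ldapsearch -b receives during a sync
        "account": rdns[0][1],             # the user the DN was taken from
    }


if __name__ == "__main__":
    # Constructed dsquery output, modelled on the guide's example domain.
    print(derive_settings('"CN=validADusername,CN=Users,DC=domain,DC=local"'))
```

Because the User DN and Group DN are search bases, everything under them is mirrored into the PBX: with CN=Users that includes built-in accounts such as krbtgt and Guest and the privileged groups seen in the sync output below. Pointing User DN and Group DN at an OU that holds only the phone users keeps the mirrored set small.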
Manual Syncing
Manual syncing can be performed by running the following command:
[root@freepbxdev4 framework]# fwconsole userman --syncall --force
Directory 'PBX Internal Directory' does not support syncing
Starting Sync on directory 'Markham Blade AD'... Finished
Starting Sync on directory 'zflex server'... Finished
Troubleshooting
Using a directory browser
An LDAP directory browser is a great way to get a visual overview of your directory. Directory browsers can also be used to check authentication. Apache Directory Studio was used during the development of Active Directory support in User Manager.
http://directory.apache.org/studio/
Using the PBX CLI
You can troubleshoot User Manager Active Directory syncing by running fwconsole userman from the CLI with a few options:
[root@freepbxdev4 framework]# fwconsole userman --help
[FreePBX ASCII-art banner]
Usage:
  userman [options]

Options:
      --syncall             Syncronize all directories
      --sync=SYNC           Syncronize a single directory by id (obtained from --list)
      --force               Force syncronization
      --list                List directories
  -h, --help                Display this help message
  -q, --quiet               Do not output any message
  -V, --version             Display this application version
      --ansi                Force ANSI output
      --no-ansi             Disable ANSI output
  -n, --no-interaction      Do not ask any interactive question
  -v|vv|vvv, --verbose      Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Help:
  User Manager
List Directories
[root@freepbxdev4 framework]# fwconsole userman --list
+----+------------------------+
| ID | Name                   |
+----+------------------------+
| 9  | PBX Internal Directory |
| 2  | Markham Blade AD       |
| 3  | zflex server           |
+----+------------------------+
Sync all directories
[root@freepbxdev4 framework]# fwconsole userman --syncall
Directory 'PBX Internal Directory' does not support syncing
Not syncing directory for another 5598 seconds
Not syncing directory for another 1998 seconds
Force Sync all directories
[root@freepbxdev4 framework]# fwconsole userman --syncall --force
Directory 'PBX Internal Directory' does not support syncing
Starting Sync on directory 'Markham Blade AD'... Finished
Starting Sync on directory 'zflex server'... Finished
Force sync a single directory with verbose logging
This will then return exactly what user manager is doing while syncing.
For certain queries an ldapsearch statement is printed. You can copy and paste this command and run it locally to see what the search returns with the filters you supplied during setup.
[root@freepbxdev4 framework]# fwconsole userman --sync 2 --force --verbose
Starting Sync on directory 'Markham Blade AD'...
Updating All Users
ldapsearch -w password -h 1.1.1.1 -p 3389 -D "[email protected]" -b "cn=users,dc=domain,dc=local" -s sub "(&(&(objectcategory=person)(samaccountname=*))(objectclass=user))"
Retrieving all users...
Got 6 users
Updating anagy
Extension 1050 does not exist, skipping link
Updating backup
Updating lookup
Updating krbtgt
Updating Guest
Updating Administrator
Updating All Groups
ldapsearch -w password -h 1.1.1.1 -p 3389 -D "[email protected]" -b "cn=users,dc=domain,dc=local" -s sub "(&(objectcategory=group)(objectclass=group))"
Retrieving all groups...
Got 19 groups
Working on Read-only Domain Controllers
Updating Read-only Domain Controllers
Working on Denied RODC Password Replication Group
Adding krbtgt to group
Updating Denied RODC Password Replication Group
Working on Allowed RODC Password Replication Group
Updating Allowed RODC Password Replication Group
Working on Enterprise Read-only Domain Controllers
Updating Enterprise Read-only Domain Controllers
Working on Cloneable Domain Controllers
Updating Cloneable Domain Controllers
Working on DnsUpdateProxy
Updating DnsUpdateProxy
Working on DnsAdmins
Updating DnsAdmins
Working on Protected Users
Updating Protected Users
Working on RAS and IAS Servers
Updating RAS and IAS Servers
Working on Group Policy Creator Owners
Adding Administrator to group
Updating Group Policy Creator Owners
Working on Schema Admins
Adding Administrator to group
Updating Schema Admins
Working on Domain Controllers
Updating Domain Controllers
Working on Domain Computers
Updating Domain Computers
Working on Enterprise Admins
Adding Administrator to group
Updating Enterprise Admins
Working on Cert Publishers
Updating Cert Publishers
Working on Domain Guests
Updating Domain Guests
Working on Domain Users
Updating Domain Users
Working on Domain Admins
Adding Administrator to group
Updating Domain Admins
Working on WinRMRemoteWMIUsers__
Updating WinRMRemoteWMIUsers__
Finished adding users from non-primary groups
Updating Primary Groups
Adding anagy to Domain Users...Done
Adding backup to Domain Users...Done
Adding lookup to Domain Users...Done
Adding krbtgt to Domain Users...Done
Adding Guest to Domain Guests...Done
Adding Administrator to Domain Users...Done
Executing User Manager Hooks
Updating User anagy...done
Updating User backup...done
Updating User lookup...done
Updating User krbtgt...done
Updating User Guest...done
Updating User Administrator...done
Updating Group Read-only Domain Controllers...done
Updating Group Denied RODC Password Replication Group...done
Updating Group Allowed RODC Password Replication Group...done
Updating Group Enterprise Read-only Domain Controllers...done
Updating Group Cloneable Domain Controllers...done
Updating Group DnsUpdateProxy...done
Updating Group DnsAdmins...done
Updating Group Protected Users...done
Updating Group RAS and IAS Servers...done
Updating Group Group Policy Creator Owners...done
Updating Group Schema Admins...done
Updating Group Domain Controllers...done
Updating Group Domain Computers...done
Updating Group Enterprise Admins...done
Updating Group Cert Publishers...done
Updating Group Domain Guests...done
Updating Group Domain Users...done
Updating Group Domain Admins...done
Updating Group WinRMRemoteWMIUsers__...done
Finished
3 Comments
Dave Alitz
To enable SSL in AD, you'll need to install SSL certificates. Either a purchased certificate that's already trusted by the client web browser or a self-signed certificate. (This may help: https://support.microsoft.com/en-us/kb/321051 ) If you use a self-signed certificate you'll need to install the root certificate on every client.
I'd love to figure out a way to make this work with https://letsencrypt.org – but I haven't had the time to look into it. Better yet would be a SAML solution – so my users only have to login once for all the corporate websites.
gordon
To use ldaps on CentOS6 with private pki you must tell openldap where to find your trust bundle. Installing the trust bundle into the system trust did not work for me.
volkswagner
Gordon,
Thanks for posting this. Without it I may have lost additional hours.
I could not get FreePBX to authenticate against SAMBA4 (Version 4.3.11-Ubuntu). Even when specifying port 389
it was expecting TLS. If I used ldaps://foo.example.com I got a certificate error (likely because of the untrusted self-signed certificate from SAMBA).
A little bit of digging in the testparm -v results showed this: "cldap port = 389". I thought the c was bad text wrapping, but it's valid,
and so is the following host setting for FreePBX User Manager authentication!
cldap://foo.example.com
URI ldaps://dc1.events.eventsunlimitedpartyrentals.com:636
TLS_CACERT /etc/openldap/certs/samba.pem
TLS_REQCERT allow
I copied the self-signed SAMBA4 certificate to the pbx > /etc/openldap/certs
Restarted samba and configured user manager to point to host=ldaps://ip_of_DC port=636
I also decided to map the ipPhone attribute in AD to the phone extension. Works a treat! I'm not using Exchange server, so there will be no conflicts there.
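The ldap.conf lines in the comments above pair TLS_CACERT with TLS_REQCERT allow. With allow (or never) the OpenLDAP client continues even when the directory's certificate cannot be verified, so the ldaps:// session no longer proves which server the PBX is sending its bind password to; the setting that actually enforces the copied certificate is TLS_REQCERT demand, which is also OpenLDAP's default. The check below is an added example for this page, not the commenters' configuration and not FreePBX or OpenLDAP code: it parses an ldap.conf and reports the weak settings, with a constructed weak fragment beside its hardened form (hostname and certificate path are placeholders).

```python
"""Flag weak TLS verification settings in an OpenLDAP client ldap.conf.

Added example for this page; not the commenters' configuration and not
FreePBX or OpenLDAP code. TLS_REQCERT allow/never lets the client proceed
on a certificate that fails verification; demand (OpenLDAP's default)
refuses the session, which is what makes the copied CA/server certificate
in TLS_CACERT meaningful.
"""
import os
import re

# Constructed ldap.conf fragments; the hostname and path are placeholders.
WEAK_CONF = """\
URI ldaps://dc1.example.internal:636
TLS_CACERT /etc/openldap/certs/samba.pem
TLS_REQCERT allow
"""
HARDENED_CONF = """\
URI ldaps://dc1.example.internal:636
TLS_CACERT /etc/openldap/certs/samba.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """ldap.conf is one `KEY value` per line, whitespace separated, # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text, check_files=False):
    """Return a list of findings; an empty list means the TLS settings look sane."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # OpenLDAP default is demand
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s tolerates an unverifiable server certificate; use demand" % reqcert)
    uri = conf.get("URI", "")
    if "ldaps://" in uri and "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("ldaps:// URI without TLS_CACERT/TLS_CACERTDIR: a private CA cannot be verified")
    if "ldap://" in uri.replace("ldaps://", ""):
        findings.append("plain ldap:// URI: the bind travels in clear text unless STARTTLS is negotiated")
    if check_files and "TLS_CACERT" in conf and not os.path.isfile(conf["TLS_CACERT"]):
        findings.append("TLS_CACERT %s does not exist on this host" % conf["TLS_CACERT"])
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_ldap_conf(conf) or "no findings")
```

Run it against the live file with `audit_ldap_conf(open("/etc/openldap/ldap.conf").read(), check_files=True)` to also confirm the TLS_CACERT path exists on the PBX.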