
The steps below can be used to connect an Active Directory setup to your PBX and test it.

Step-by-step guide

The following steps were tested with Microsoft Server 2012 Essentials; your mileage may vary. This requires version 13 or higher of the PBX software.

  1. Make sure the PBX can reach the AD system on TCP port 389.
  2. Use dsquery to get the correct base DN; from the Windows server command line run the following:

    C:\Users\master> dsquery user -name validADusername
    "CN=validADusername,CN=Users,DC=domain,DC=local"*

    The base DN derived from above will be:
    DC=domain,DC=local

    The User DN and Group DN will be:
    CN=Users

  3. Armed with the base DN, fill out the required information:
    • Host: enter the IP address of the AD server
    • Port: defaults to 389, which should be fine in most cases
    • Username: a valid AD user
    • Password: that AD user's password
    • Domain: the AD domain, in my case domain.local
    • Base DN: the base DN derived from step 2
    • User DN: the filter string where users live (can be an OU)
    • Group DN: the filter string where groups live (can be an OU)

This was tested using a hosted PBX with a local instance of Server 2012 Essentials. A port forward was configured on the local router to take requests for port 389 from the PBX and redirect them to the AD server, and it was confirmed that the two had no issues talking to each other.

Manual Syncing

Manual syncing can be performed by running the following command:

[root@freepbxdev4 framework]# fwconsole userman --syncall --force
Directory 'PBX Internal Directory' does not support syncing
Starting Sync on directory 'Markham Blade AD'...
Finished
Starting Sync on directory 'zflex server'...
Finished

Troubleshooting

Using a directory browser

An LDAP directory browser is a great way to get a visual overview of your directory. Directory browsers can also be used to check that your bind credentials authenticate. Apache Directory Studio was used while developing Active Directory support in User Manager.

http://directory.apache.org/studio/

Using the PBX CLI

You can troubleshoot User Manager Active Directory syncing by running fwconsole userman from the CLI with a few options:

[root@freepbxdev4 framework]# fwconsole userman --help
 ______             _____  ______   __
|  ____|           |  __ \|  _ \ \ / /
| |__ _ __ ___  ___| |__) | |_) \ V /
|  __| '__/ _ \/ _ \  ___/|  _ < > <
| |  | | |  __/  __/ |    | |_) / . \
|_|  |_|  \___|\___|_|    |____/_/ \_\
Usage:
  userman [options]

Options:
      --syncall         Syncronize all directories
      --sync=SYNC       Syncronize a single directory by id (obtained from --list)
      --force           Force syncronization
      --list            List directories
  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Help:
  User Manager

List Directories

[root@freepbxdev4 framework]# fwconsole userman --list
+----+------------------------+
| ID | Name                   |
+----+------------------------+
| 9  | PBX Internal Directory |
| 2  | Markham Blade AD       |
| 3  | zflex server           |
+----+------------------------+

Sync all directories

[root@freepbxdev4 framework]# fwconsole userman --syncall
Directory 'PBX Internal Directory' does not support syncing
Not syncing directory for another 5598 seconds
Not syncing directory for another 1998 seconds

Force Sync all directories

[root@freepbxdev4 framework]# fwconsole userman --syncall --force
Directory 'PBX Internal Directory' does not support syncing
Starting Sync on directory 'Markham Blade AD'...
Finished
Starting Sync on directory 'zflex server'...
Finished

Force sync a single directory with verbose logging

This will show exactly what User Manager is doing while syncing.

For certain queries an ldapsearch statement will be returned. You can copy and paste this command and run it locally to see what the search returns using the filters you supplied in setup. Note that the echoed command contains the bind password in clear text (the -w argument), so be careful where you paste this output.

[root@freepbxdev4 framework]# fwconsole userman --sync 2 --force --verbose
Starting Sync on directory 'Markham Blade AD'...

Updating All Users
	ldapsearch -w password -h 1.1.1.1 -p 3389 -D "administrator@domain.local" -b "cn=users,dc=domain,dc=local" -s sub "(&(&(objectcategory=person)(samaccountname=*))(objectclass=user))"
	Retrieving all users...
	Got 6 users
		Updating anagy
			Extension 1050 does not exist, skipping link
		Updating backup
		Updating lookup
		Updating krbtgt
		Updating Guest
		Updating Administrator
Updating All Groups
	ldapsearch -w password -h 1.1.1.1 -p 3389  -D "administrator@domain.local" -b "cn=users,dc=domain,dc=local" -s sub "(&(objectcategory=group)(objectclass=group))"
	Retrieving all groups...
	Got 19 groups
	Working on Read-only Domain Controllers
		Updating Read-only Domain Controllers
	Working on Denied RODC Password Replication Group
			Adding krbtgt to group
		Updating Denied RODC Password Replication Group
	Working on Allowed RODC Password Replication Group
		Updating Allowed RODC Password Replication Group
	Working on Enterprise Read-only Domain Controllers
		Updating Enterprise Read-only Domain Controllers
	Working on Cloneable Domain Controllers
		Updating Cloneable Domain Controllers
	Working on DnsUpdateProxy
		Updating DnsUpdateProxy
	Working on DnsAdmins
		Updating DnsAdmins
	Working on Protected Users
		Updating Protected Users
	Working on RAS and IAS Servers
		Updating RAS and IAS Servers
	Working on Group Policy Creator Owners
			Adding Administrator to group
		Updating Group Policy Creator Owners
	Working on Schema Admins
			Adding Administrator to group
		Updating Schema Admins
	Working on Domain Controllers
		Updating Domain Controllers
	Working on Domain Computers
		Updating Domain Computers
	Working on Enterprise Admins
			Adding Administrator to group
		Updating Enterprise Admins
	Working on Cert Publishers
		Updating Cert Publishers
	Working on Domain Guests
		Updating Domain Guests
	Working on Domain Users
		Updating Domain Users
	Working on Domain Admins
			Adding Administrator to group
		Updating Domain Admins
	Working on WinRMRemoteWMIUsers__
		Updating WinRMRemoteWMIUsers__
Finished adding users from non-primary groups
Updating Primary Groups
	Adding anagy to Domain Users...Done
	Adding backup to Domain Users...Done
	Adding lookup to Domain Users...Done
	Adding krbtgt to Domain Users...Done
	Adding Guest to Domain Guests...Done
	Adding Administrator to Domain Users...Done
Executing User Manager Hooks
	Updating User anagy...done
	Updating User backup...done
	Updating User lookup...done
	Updating User krbtgt...done
	Updating User Guest...done
	Updating User Administrator...done
	Updating Group Read-only Domain Controllers...done
	Updating Group Denied RODC Password Replication Group...done
	Updating Group Allowed RODC Password Replication Group...done
	Updating Group Enterprise Read-only Domain Controllers...done
	Updating Group Cloneable Domain Controllers...done
	Updating Group DnsUpdateProxy...done
	Updating Group DnsAdmins...done
	Updating Group Protected Users...done
	Updating Group RAS and IAS Servers...done
	Updating Group Group Policy Creator Owners...done
	Updating Group Schema Admins...done
	Updating Group Domain Controllers...done
	Updating Group Domain Computers...done
	Updating Group Enterprise Admins...done
	Updating Group Cert Publishers...done
	Updating Group Domain Guests...done
	Updating Group Domain Users...done
	Updating Group Domain Admins...done
	Updating Group WinRMRemoteWMIUsers__...done
Finished
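To check the values from step 2 before typing them into the form, and to reproduce the ldapsearch that the verbose sync above echoes without putting the bind password on the command line, here is an added example (not FreePBX code). It assumes the user and group filters shown in the verbose output and uses placeholder host and user values; `-W` prompts for the password instead of `-w`.

```python
"""Pre-flight helper for the AD setup steps on this page (added example, not FreePBX code).
Turns the DN that dsquery prints into the Base DN / User DN / Group DN values the User
Manager form asks for, and builds the ldapsearch queries the verbose sync echoes, with
-W (prompt) instead of -w so the bind password stays off the command line.
"""
import shlex
import socket

# Filters copied from the verbose sync output on this page.
USER_FILTER = "(&(&(objectcategory=person)(samaccountname=*))(objectclass=user))"
GROUP_FILTER = "(&(objectcategory=group)(objectclass=group))"


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas ('CN=Doe\\, John')."""
    rdns, cur, esc = [], "", False
    for ch in dn.strip().strip('"'):
        if ch == "," and not esc:
            rdns.append(cur.strip())
            cur = ""
        else:
            cur += ch
        esc = ch == "\\" and not esc
    rdns.append(cur.strip())
    return rdns


def derive_dns(dsquery_line):
    """'CN=user,CN=Users,DC=domain,DC=local' -> ('DC=domain,DC=local', 'CN=Users').
    Base DN is the DC= tail; the container (the form's User DN / Group DN) is whatever
    sits between the leaf object and that tail, e.g. 'OU=Staff,OU=HQ' for users in OUs."""
    rdns = split_dn(dsquery_line)
    base = [r for r in rdns if r.upper().startswith("DC=")]
    container = [r for r in rdns[1:] if not r.upper().startswith("DC=")]
    return ",".join(base), ",".join(container)


def ldapsearch_cmd(host, port, bind_user, base_dn, container, ldap_filter):
    """Same query the verbose sync prints, minus the clear-text -w password."""
    search_base = f"{container},{base_dn}" if container else base_dn
    args = ["ldapsearch", "-x", "-W", "-H", f"ldap://{host}:{port}", "-D", bind_user,
            "-b", search_base, "-s", "sub", ldap_filter, "sAMAccountName"]
    return " ".join(shlex.quote(a) for a in args)


def port_open(host, port=389, timeout=3.0):
    """Step 1 check: can this machine reach the directory on TCP 389?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `derive_dns` on the line dsquery printed, then `ldapsearch_cmd` with `USER_FILTER` or `GROUP_FILTER` to get a command you can paste on the PBX; a zero-result search means the filter or search base in the form is wrong, not the PBX.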

3 Comments

  1. To enable SSL in AD, you'll need to install SSL certificates. Either a purchased certificate that's already trusted by the client web browser or a self-signed certificate. (This may help: https://support.microsoft.com/en-us/kb/321051 ) If you use a self-signed certificate you'll need to install the root certificate on every client.

    I'd love to figure out a way to make this work with https://letsencrypt.org – but I haven't had the time to look into it. Better yet would be a SAML solution – so my users only have to login once for all the corporate websites.

  2. To use ldaps on CentOS6 with private PKI you must tell OpenLDAP where to find your trust bundle. Installing the trust bundle into the system trust did not work for me.

  3. Gordon,

    Thanks for posting this. Without it I may have lost additional hours.

    I could not get FreePBX to authenticate against SAMBA4 (Version 4.3.11-Ubuntu). Even when specifying port 389 it was expecting TLS. If I used ldaps://foo.example.com I got a certificate error (likely because of the untrusted self-signed certificate from SAMBA).

    A little bit of digging in the testparm -v results showed this: "cldap port = 389". I thought the c was bad text wrapping, but it's valid, and so is the following host setting for FreePBX User Manager authentication!

    This is of course if you don't care to use TLS; both machines are behind a firewall so I'm not overly concerned.

    Update:
    Well, although it says connected, I can't do much with cldap. I get an error about the base DN. So it looks like I'll need to try to turn off the requirement for TLS or get a trusted certificate.

    Update 2:
    I was able to connect with SAMBA4 after creating a self-signed certificate using these instructions. I also added the following to /etc/openldap/ldap.conf on the pbx (but I'm not certain if it was required).

    URI ldaps://dc1.events.eventsunlimitedpartyrentals.com:636
    TLS_CACERT /etc/openldap/certs/samba.pem
    TLS_REQCERT allow

    I copied the self-signed SAMBA4 certificate to the pbx > /etc/openldap/certs

    Restarted samba and configured User Manager to point to host=ldaps://ip_of_DC port=636

    I also decided to map the ipPhone attribute in AD to the phone extension. Works a treat! I'm not using Exchange server so there will be no conflicts there.