Active Directory Authentication in User Manager operational questions

I guess what I’m looking for is the AD information sync for the rest of the user properties, which currently resides in the authentication scheme, but perhaps should be moved outside of it?

I’m not following you here.

Hi Andrew,
I wanted to ask a question about the implications of choosing a specific authentication scheme (AD for this question but it would hold true for Asterisk VM as well). When the auth scheme was “FreePBX Internal Directory” I set an extension that mapped (linked to a default user) in the extensions module. This extension in particular is setup for receiving inbound faxes. I can set the fax preferences in user manager for that user (extension). When I switch to Windows AD scheme I lose visibility to that user in User Manager and thereby can no longer manage any settings. Despite this FreePBX internal directory user not being listed in User Manager and the extension no longer being linked to a default user in extensions module, the fax settings for that un-linked user are still honored (faxes are still emailed to the address that was listed in user manager for that FreePBX internal directory user).
I am glad that this continues to function in this manner (sending emails for received faxes) despite the ability to change settings for that missing user, but I wanted to know if that is operating as intended. If you choose a different authentication scheme are you then required to have every extension you want to manage settings for in User Manager mapped to an account in that auth scheme? Not that I have tested this, but I would imagine the same scenario would be true for the Asterisk Voicemail scheme if a pre-existing user in another scheme did not have voicemail established (as my dedicated fax extension currently does not).

Thanks,

Brian

That is not how it’s supposed to work.

Those User/Group Configuration options are very important.
AD integration is a major thing for me in a business environment. I always look for tools that integrate against it, it makes my life easier. And now with Samba 4 I can get a basic 2008R2 AD (which does everything I need) running on linux without the Microsoft expense.

From working with other AD integration tools, I’d say consider how ejabberd integrates with LDAP/AD for an idea of both what to do and not to do. The “official” module(s) are really good but fall just short of being completely flexible for all AD setups. They have created multiple modules for each part of LDAP/AD integration. One handles LDAP authentication. Another handles shared rosters (what and how users/groups show up in your XMPP client). And another handles vcard data (mapping AD attributes to vcard fields). The only real issue I have with what they offer is the mod_shared_roster_ldap module, which lacks the necessary filtering. Someone modified it (wish they would merge or adopt the changes) and offered a TON of flexibility (see HERE).

I think you could go down a similar path. The authentication part is pretty much there. From that you would expand by offering something like the “shared_roster” plugin, which defines which users/groups to pull and lets people really structure the LDAP query to only get what they want. And finally something like vcard, which defines a mapping of LDAP/AD attributes to FreePBX attributes.

I just upgraded to 13 on a new deployment that I have to get setup by the end of the month and this was one of the main reasons I took the jump instead of waiting and dealing with the transition after the fact. I wish I had more time to discuss this feature because I think it is a major plus to FreePBX and I would certainly pay for a well fleshed out LDAP/AD implementation (especially with GUI setup).

[quote=“tm1000, post:7, topic:31099, full:true”]
Also note that it might be pretty buggy (removing a user from AD doesn’t remove them from FreePBX [a bug!]),[/quote]

Just to check with others, this bug still exists correct?

I sync’ed with an AD that mixed security accounts with regular user accounts (I didn’t do it, I’m just cleaning up the mess) and now I have a bunch of users and groups that I don’t need in FreePBX. Doesn’t seem like you can “delete” an account sync’ed from AD. I’ve removed the user/groups from the AD Base DN location specified and tried to resubmit from the authentication page but nothing changes. Any workaround for this right now?

Thanks.

PS: perhaps I don’t understand the Extension Link Attribute, but I don’t think it is working for me.
I define the extension link attribute as telephoneNumber (AD attribute). I create a user and provide an extension and name. I expected them to “link” based on this extension link attribute setting but they haven’t. Am I missing something?

Yes. I’m going to fix it but haven’t gotten around to doing so yet. It’s sort of a deal breaker I know.

Strange. It works for me. However, as previously mentioned I need to add in some debug functionality so you can see what FreePBX sees.

I have some trouble.
I’d like to connect the whole AD domain into FreePBX, not only some CN or OU. I write in the BaseDN string “dc=domain,dc=local”. The status string is “Connected”, but nothing is synchronized: no users, no groups. When I write in BaseDN something like “ou=SomeOU,dc=domain,dc=local”, everything is OK.
Can this module synchronize “dc=domain,dc=local”?
How can I write more than one OU in the BaseDN string?

In Extension Link Attribute you should write “telephonenumber”, not “telephoneNumber”. Then it works correctly. With a capital N it doesn’t work.

I wasn’t sure if posting this here or creating a new thread, seems like this is the best place.

I’ve been playing with Active Directory Authentication / Synchronization, awesome feature! I have some questions / requests to improve this:

  • As others mentioned here, a way to filter what gets synchronized is really necessary and would greatly increase the usability of this feature. I think the best would be to follow what other vendors do and add a field to the configuration to specify the name of a special group and only synchronize objects (users and groups) that are members of that special group.

  • I can still login with my base administrator but I understand this will eventually stop once the Administrators pane has been fully migrated to User Manager. When this happens, will there be any way to login to the FreePBX Administration as a failover if there is a problem with Active Directory Authentication? (domain controller down, etc.)

  • I noticed the Department is synchronized from AD, but the Title and Company are not, is this a problem with my setup or could this be synchronizing with different attributes? I’m using the regular fields in the Organization Tab for this…

  • Is there any documentation for this? The wiki page is just a quick guide to set it up but does not explain how it works. It would be great to have details about how synchronization works (fields and objects that sync), etc.

  • The password for the domain account used for synchronization is displayed in plain text and probably stored like that too, this should be at least masked with asterisks and if possible stored in an encrypted way too…

Thanks!

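An added example, not code from the FreePBX User Manager module, covering two points raised in this thread: the “only synchronize members of one special group” filter suggested in the post above, and the “telephonenumber” versus “telephoneNumber” observation a few posts earlier. The group DN, domain and sample entry are constructed placeholders; that ext/ldap returns attribute names in lowercase from ldap_get_entries() is the assumed reason the lowercase spelling is the one that links.

```php
<?php
// Added example, not code from the FreePBX User Manager module: build the
// "sync only members of one special group" filter proposed above, and read
// the Extension Link Attribute from a result the way ext/ldap hands it back.
// Group DN, domain and the sample entry below are constructed placeholders.

// Users that are members of the special group. With $nested = true the
// memberOf assertion uses AD's LDAP_MATCHING_RULE_IN_CHAIN, so membership
// through nested groups counts as well.
function syncUserFilter(string $groupDn, bool $nested = false): string
{
    // LDAP_ESCAPE_FILTER encodes ( ) * \ and NUL, so the DN stays a literal
    // assertion value and cannot introduce extra filter clauses (RFC 4515).
    $value = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    $attr  = $nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';
    return sprintf('(&(objectCategory=person)(objectClass=user)(%s=%s))', $attr, $value);
}

// Group objects only; scoping the search base to one OU limits which groups
// are considered, the filter just keeps group objects.
function syncGroupFilter(): string
{
    return '(&(objectCategory=group)(objectClass=group))';
}

// ldap_get_entries() indexes attributes by their lowercase name (assumed here
// to be why "telephonenumber" links and "telephoneNumber" does not).
// Normalising the configured link attribute makes either spelling work.
function linkedExtension(array $entry, string $linkAttribute): ?string
{
    $key = strtolower($linkAttribute);
    if (!isset($entry[$key]) || $entry[$key]['count'] < 1) {
        return null;
    }
    return $entry[$key][0];
}

// One entry shaped like ldap_get_entries() output (constructed sample).
$sample = [
    'count'           => 2,
    'samaccountname'  => ['count' => 1, 0 => 'jdoe'],
    'telephonenumber' => ['count' => 1, 0 => '1001'],
];
echo syncUserFilter('CN=PBX Users,OU=Groups,DC=example,DC=local', true), PHP_EOL;
echo syncGroupFilter(), PHP_EOL;
echo linkedExtension($sample, 'telephoneNumber') ?? 'no extension', PHP_EOL;
```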

I’m also keen on being able to make use of the AD module, but I need to be able to filter on a group. Is there a manual ‘work around’ or the like to make this possible?

Coming soon to a 13 system near you:


There’s a page size limit in 13 of 1000 objects. This doesn’t happen in 14.

Work being done here:


Woo! I can’t wait.

Andrew, I would be happy to test this if you have a version for FreePBX 14. Also, would you be able to add LDAPS and self-signed cert support?

thanks

I’ve posted some of these suggestions in other places, but I’ll add them here as well so that it’s all in one thread and to get feedback from the rather sensible people who are participating. We’re actually using an AD integration in production, but we’ve modified the code in Msad.php to suit our purposes (the joys of open source).

  1. I think the “Multiple Base DN” requests are dead on. The alternative is to search the whole tree (or forest!), which is… problematic.

  2. Filter for groups as well. We have about as many groups as users, and 97% of them have no use in a PBX.

  3. I would add multiple LDAP servers, as they’re also used for UCP authentication. We’ve got lots of AD servers. Might as well put them to work.

  4. Make auto-deletion optional. We’ve seen instances where an LDAP query failure resulted in object deletion (along with lots of settings), which was a bit of a pain to recover from. Our preferred workflow would be to flag / highlight objects that are no longer found in AD / LDAP and let us decide to either delete them or migrate the settings to a new user. If we specify the user’s extension in an AD attribute, then auto-migration could be a thing if the previous user no longer exists.

  5. If you want to just pile on the awesome, then highlight / flag newly imported users and groups for administrative review.

  6. Let us choose a default for how many items are displayed per page. Literally the first thing I do every time I open User Manager is up the count. This goes for Extensions as well. Again, if you want to pile on the awesome I’d prefer to just display everything and have an AJAX-style filter box we can type into.

  7. It would be useful to think about tighter integration between endpoint, extension, and user management. I know this is a design minefield, but from an admin / automation standpoint it could be hugely useful. 95+% of our users have settings that could be template-driven; everything else is a corner case. I’d have zero problems with paying for a module that does useful things here.

  8. I’ll probably bring the hate on myself, but AD integration should probably be a commercial module. For the people that use it, it’s extremely important and needs to be resourced accordingly. It’s only fair that Sangoma be paid for that. But don’t make it commercial until we’ve hit baseline usability - some of us still live and die on modifying Msad.php. :)


At this moment we are basing our implementation on Atlassian Crowd. Currently they don’t support multiple DNs (Log in with Atlassian account). How would this look in FreePBX? Comma separated doesn’t work. What are you used to seeing here?

User and Group filters are in the new setting (see screenshot above)

Easy to put in right now (with the new work), as PHP already supports that (you can also provide multiple LDAP URIs separated by a space as one string).

If you set sync to never that won’t happen anymore. But this is actually a failure in our code.

The filter box is already there.

Also, I have figured out a way to do delta sync, which means that we only pick up new changes on every sync. Right now on every sync in FreePBX we pick up ALL of the users and groups. With this new method we will only pick up what’s changed since the last time.


(Sorry, I haven’t figured out how to do nice neat responses in this system)

  1. The ideal “enterprise-y” way to do this would be with multiple, separate sets of Base DNs and LDAP/AD servers, with their own filters, etc. We would actually use this feature as some far-off branches of the organization are resisting being dragged into the main forest. I didn’t ask in the previous post because I strongly suspect we’re a corner case here. But maybe not. I’ll let others chime in.

  2. My bad. I’ll get my eyes checked.

  3. Yeah, but eventually we sync. This would also protect against admin mistakes, which are unfortunately a thing. Better paranoid than sorry.

  4. My bad. I’ll get my eyes checked. I’m not kidding.

  1. works if you just use the base domain. AD automatically adds all DCs to the base so rather than specifying DC1.domain.com, just use domain.com and it will work. Then you don’t need multiple entries unless you have multiple forests you want to check against.

I thought about that, but I don’t know how PHP deals with that scenario if a server is unresponsive, and I’ve been too lazy to test. Also, I would prefer to keep queries local to the physical site - we have sufficient redundancy there to where there’s no point in bothering other locations (and dealing with all of the intranet firewall adjustments necessary to make it work).

I suppose the “right” way to do that would be to pull the DNS SRV records for:
_ldap._tcp.MySite._sites.dc._msdcs.MyDomain

Eh, I can’t get the stupid underscores to work. You know what I mean.
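The site-scoped SRV lookup described in the post above, as an added example (not FreePBX or Msad.php code): resolve the domain controllers of one AD site, order them by SRV priority and weight, and produce the space-separated LDAP URI string that PHP’s ldap_connect() accepts so an unresponsive server is simply skipped. The site and domain names and the sample answers are constructed placeholders.

```php
<?php
// Added example (not FreePBX or Msad.php code): discover the domain
// controllers of one AD site via its DNS SRV record and turn them into the
// space-separated LDAP URI string that ldap_connect() accepts.
// Site/domain names and the sample answers below are constructed placeholders.

// Site-scoped SRV name: _ldap._tcp.<Site>._sites.dc._msdcs.<Domain>
function srvNameForSite(string $site, string $domain): string
{
    return sprintf('_ldap._tcp.%s._sites.dc._msdcs.%s', $site, $domain);
}

// Order SRV answers the way a client should use them: lowest priority first,
// then higher weight first within a priority (a deterministic stand-in for the
// weighted random selection RFC 2782 describes).
function orderSrvRecords(array $records): array
{
    usort($records, function (array $a, array $b): int {
        return [$a['pri'], $b['weight']] <=> [$b['pri'], $a['weight']];
    });
    return $records;
}

// Ordered answers -> "ldap://host:port ldap://host:port ...". ldap_connect()
// tries the URIs in order, so a DC that does not answer is skipped.
function ldapUrisFromSrv(array $records): string
{
    $uris = [];
    foreach (orderSrvRecords($records) as $r) {
        $uris[] = sprintf('ldap://%s:%d', rtrim($r['target'], '.'), $r['port']);
    }
    return implode(' ', $uris);
}

// Live lookup. dns_get_record() yields an empty array or false when the site
// record does not exist, in which case fall back to the whole-domain record.
function discoverSiteDcs(string $site, string $domain): string
{
    $records = dns_get_record(srvNameForSite($site, $domain), DNS_SRV);
    if (!is_array($records) || $records === []) {
        $records = dns_get_record(sprintf('_ldap._tcp.dc._msdcs.%s', $domain), DNS_SRV);
    }
    return ldapUrisFromSrv(is_array($records) ? $records : []);
}

// Constructed answers, shaped like dns_get_record(..., DNS_SRV) output.
$sample = [
    ['pri' => 0,  'weight' => 100, 'port' => 389, 'target' => 'dc2.example.local'],
    ['pri' => 10, 'weight' => 50,  'port' => 389, 'target' => 'dc3.example.local'],
    ['pri' => 0,  'weight' => 200, 'port' => 389, 'target' => 'dc1.example.local'],
];
echo ldapUrisFromSrv($sample), PHP_EOL;
```

The string returned by discoverSiteDcs() can be passed straight to ldap_connect(); keep the site fallback to the domain-wide record so a site with no reachable DC does not leave UCP authentication without a server.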

I think in this case you are asking for multiple Active Directory servers instead of just one. This is something we have planned down the line (e.g. multiple authentication engines active at the same time). Ergo you could just add two AD servers with different filters; this is how it’s done in Crowd at least.
