Active Directory Authentication in User Manager operational questions

I have some trouble.
I’d like to connect FreePBX to the whole AD domain, not only some CN or OU. I write “dc=domain,dc=local” in the BaseDN string. The status string is “Connected”, but nothing is synchronized. No users, no groups. When I write something like “ou=SomeOU,dc=domain,dc=local” in BaseDN, everything is OK.
Can this module synchronize “dc=domain,dc=local”?
How can I write more than one OU in the BaseDN string?

In Extension Link Attribute you should write “telephonenumber”, not “telephoneNumber”. Then it works correctly. With a capital N it doesn’t work.

I wasn’t sure if posting this here or creating a new thread, seems like this is the best place.

I’ve been playing with Active Directory Authentication / Synchronization, awesome feature! I have some questions / requests to improve this:

  • As others mentioned here, a way to filter what gets synchronized is really necessary and would greatly increase the usability of this feature. I think the best would be to follow what other vendors do and add a field to the configuration to specify the name of a special group and only synchronize objects (users and groups) that are members of that special group.

  • I can still login with my base administrator but I understand this will eventually stop once the Administrators pane has been fully migrated to User Manager. When this happens, will there be any way to login to the FreePBX Administration as a failover if there is a problem with Active Directory Authentication? (domain controller down, etc.)

  • I noticed the Department is synchronized from AD, but the Title and Company are not, is this a problem with my setup or could this be synchronizing with different attributes? I’m using the regular fields in the Organization Tab for this…

  • Is there any documentation for this? the wiki page is just a quick guide to set it up but does not explain how it works. It would be great to have details about how synchronization works (fields and objects that sync), etc.

  • The password for the domain account used for synchronization is displayed in plain text and probably stored like that too, this should be at least masked with asterisks and if possible stored in an encrypted way too…

Thanks!

1 Like
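The two requests above (several OUs in the BaseDN field from the opening post, and a "sync only members of this group" filter from this one) map onto standard LDAP mechanics, so here is an added example, not code from FreePBX or from anyone in this thread, that shows both. It builds the AD search filters (with RFC 4515 escaping and the documented AD matching-rule OIDs for nested membership and disabled accounts) and runs one search per base DN, because LDAP has no multi-base search. The `;`-separated base DN convention, the `parse_base_dns`/`search_bases` names, and the sample directory are assumptions constructed for the example.

```python
from typing import Callable, Dict, Iterable, List

# RFC 4515 escaping for values embedded in a search filter, so a group name
# containing "(" or "*" cannot change the meaning of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Active Directory matching-rule OIDs (documented by Microsoft).
IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN: nested membership
BIT_AND = "1.2.840.113556.1.4.803"     # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                     # userAccountControl flag

def member_of_clause(group_dn: str, nested: bool) -> str:
    rule = f":{IN_CHAIN}:" if nested else ""
    return f"(memberOf{rule}={escape_filter_value(group_dn)})"

def user_filter(sync_group_dn: str, nested: bool = True) -> str:
    """Enabled user accounts that belong (transitively, if nested) to the sync group."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"
            f"{member_of_clause(sync_group_dn, nested)})")

def group_filter(sync_group_dn: str, nested: bool = True) -> str:
    """Groups that are themselves members of the sync group."""
    return f"(&(objectClass=group){member_of_clause(sync_group_dn, nested)})"

Entry = Dict[str, str]
SearchFn = Callable[[str, str], Iterable[Entry]]

def parse_base_dns(setting: str) -> List[str]:
    """Split a setting holding several base DNs. DNs contain commas, so this
    (assumed, not a FreePBX setting) convention separates them with ';'."""
    return [dn.strip() for dn in setting.split(";") if dn.strip()]

def search_bases(search: SearchFn, base_dns: List[str], ldap_filter: str) -> List[Entry]:
    """LDAP has no multi-base search, so run one search per base DN and merge,
    deduplicating on objectGUID in case one base lies inside another."""
    seen, merged = set(), []
    for base in base_dns:
        for entry in search(base, ldap_filter):
            if entry["objectGUID"] not in seen:
                seen.add(entry["objectGUID"])
                merged.append(entry)
    return merged

# Constructed sample data and a stand-in for ldap_search()/ldap3: it only
# checks that the entry's DN sits under the base and ignores the filter.
SAMPLE_DIRECTORY: List[Entry] = [
    {"dn": "CN=Alice,OU=Sales,DC=example,DC=local", "objectGUID": "guid-1"},
    {"dn": "CN=Bob,OU=Eng,DC=example,DC=local", "objectGUID": "guid-2"},
    {"dn": "CN=Carol,OU=Contractors,OU=Eng,DC=example,DC=local", "objectGUID": "guid-3"},
]

def fake_search(base_dn: str, ldap_filter: str) -> List[Entry]:
    suffix = "," + base_dn.lower()
    return [e for e in SAMPLE_DIRECTORY if e["dn"].lower().endswith(suffix)]

if __name__ == "__main__":
    bases = parse_base_dns("OU=Sales,DC=example,DC=local; OU=Eng,DC=example,DC=local;"
                           " OU=Contractors,OU=Eng,DC=example,DC=local")
    flt = user_filter("CN=PBX Users,OU=Groups,DC=example,DC=local")
    print(flt)
    for entry in search_bases(fake_search, bases, flt):
        print(entry["dn"])   # Carol appears once although two bases contain her
```

Searching the domain root with a group-membership filter is the cheaper option when the group is maintained anyway; per-OU searches only matter when no such group exists. Either way the filter value must be escaped, since the group DN comes from configuration.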

I’m also keen on being able to make use of the AD module, but I need to be able to filter on a group. Is there a manual ‘work around’ or the like to make this possible?

Coming soon to a 13 system near you:


There’s a page size limit in 13 of 1000 objects. This doesn’t happen in 14.

Work being done here:

3 Likes

Woo! I can’t wait.

Andrew, I would be happy to test this if you have a version for FreePBX 14. Also, would you be able to add LDAPS and self-signed cert support?

thanks

I’ve posted some of these suggestions in other places, but I’ll add them here as well so that it’s all in one thread and to get feedback from the rather sensible people who are participating. We’re actually using an AD integration in production, but we’ve modified the code in Msad.php to suit our purposes (the joys of open source).

  1. I think the “Multiple Base DN” requests are dead on. The alternative is to search the whole tree (or forest!), which is… problematic.

  2. Filter for groups as well. We have about as many groups as users, and 97% of them have no use in a PBX.

  3. I would add multiple LDAP servers, as they’re also used for UCP authentication. We’ve got lots of AD servers. Might as well put them to work.

  4. Make auto-deletion optional. We’ve seen instances where an LDAP query failure resulted in object deletion (along with lots of settings), which was a bit of a pain to recover from. Our preferred workflow would be to flag / highlight objects that are no longer found in AD / LDAP and let us decide to either delete them or migrate the settings to a new user. If we specify the user’s extension in an AD attribute, then auto-migration could be a thing if the previous user no longer exists.

  5. If you want to just pile on the awesome, then highlight / flag newly imported users and groups for administrative review.

  6. Let us choose a default for how many items are displayed per page. Literally the first thing I do every time I open User Manager is up the count. This goes for Extensions as well. Again, if you want to pile on the awesome I’d prefer to just display everything and have an AJAX-style filter box we can type into.

  7. It would be useful to think about tighter integration between endpoint, extension, and user management. I know this is a design minefield, but from an admin / automation standpoint it could be hugely useful. 95+% of our users have settings that could be template-driven; everything else is a corner case. I’d have zero problems with paying for a module that does useful things here.

  8. I’ll probably bring the hate on myself, but AD integration should probably be a commercial module. For the people that use it, it’s extremely important and needs to be resourced accordingly. It’s only fair that Sangoma be paid for that. But don’t make it commercial until we’ve hit baseline usability - some of us still live and die on modifying Msad.php. :slight_smile:

2 Likes

At this moment we are basing our implementation on Atlassian Crowd. Currently they don’t support multiple DNs (Log in with Atlassian account). How would this look in FreePBX? Comma separated doesn’t work. What are you used to seeing here?

User and Group filters are in the new setting (see screenshot above)

Easy to put in right now (with the new work), as PHP already supports that (you can also provide multiple LDAP-URIs separated by a space as one string).

If you set sync to never that won’t happen anymore. But this is actually a failure in our code.

The filter box is already there.

Also, I have figured out a way to do delta sync, which means that we only pick up new changes on every sync. Right now on every sync in FreePBX we pick up ALL of the users and groups. With this new method we will only pick up what’s changed since the last time.

1 Like

(Sorry, I haven’t figured out how to do nice neat responses in this system)

  1. The ideal “enterprise-y” way to do this would be with multiple, separate sets of Base DNs and LDAP/AD servers, with their own filters, etc. We would actually use this feature as some far-off branches of the organization are resisting being dragged into the main forest. I didn’t ask in the previous post because I strongly suspect we’re a corner case here. But maybe not. I’ll let others chime in.

  2. My bad. I’ll get my eyes checked.

  3. Yeah, but eventually we sync. This would also protect against admin mistakes, which are unfortunately a thing. Better paranoid than sorry.

  4. My bad. I’ll get my eyes checked. I’m not kidding.

  1. works if you just use the base domain. AD automatically adds all DCs to the base so rather than specifying DC1.domain.com, just use domain.com and it will work. Then you don’t need multiple entries unless you have multiple forests you want to check against.

I thought about that, but I don’t know how PHP deals with that scenario if a server is unresponsive, and I’ve been too lazy to test. Also, I would prefer to keep queries local to the physical site - we have sufficient redundancy there to where there’s no point in bothering other locations (and dealing with all of the intranet firewall adjustments necessary to make it work).

I suppose the “right” way to do that would be to pull the DNS SRV records for:
_ldap._tcp.MySite._sites.dc._msdcs.MyDomain.

Eh, I can’t get the stupid underscores to work. You know what I mean.
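The site-scoped SRV lookup described above, together with the earlier points that the bare domain name resolves to every DC and that PHP's ldap_connect() accepts several space-separated URIs, can be tied together in a few lines. This is an added example, not code from FreePBX or from anyone in the thread: it builds the SRV names to query (site record first, domain-wide record as fallback), orders the answers the way RFC 2782 prescribes (priority, then weighted random selection), and emits the URI string. The SRV answers are constructed inline rather than resolved, and the function names are the example's own.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def dc_locator_names(domain: str, site: Optional[str] = None) -> List[str]:
    """SRV names to query, most specific first: the site-scoped record keeps
    traffic on local DCs; the domain-wide record is the fallback."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names

def order_by_rfc2782(records: Sequence[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Lowest priority first; within one priority, weighted random selection
    without replacement, with zero-weight records placed at the front of the
    candidate list as RFC 2782 describes."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            threshold = rng.randint(0, total)
            running, chosen = 0, pool[-1]
            for r in pool:
                running += r.weight
                if running >= threshold:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def ldap_uris(records: Sequence[SrvRecord], scheme: str = "ldaps") -> str:
    """Space-separated URI list, the form PHP's ldap_connect() accepts. The
    hosts are the SRV targets (each DC's own name), which is also the name the
    DC's TLS certificate is issued for; the domain name is not."""
    return " ".join(
        f"{scheme}://{r.target.rstrip('.')}:{636 if scheme == 'ldaps' else r.port}"
        for r in records
    )

# Constructed SRV answers for _ldap._tcp.HQ._sites.dc._msdcs.example.local
SAMPLE_SRV = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.example.local."),
    SrvRecord(priority=10, weight=0, port=389, target="dc3.example.local."),
    SrvRecord(priority=0, weight=100, port=389, target="dc2.example.local."),
]

if __name__ == "__main__":
    print(dc_locator_names("example.local", site="HQ"))
    ordered = order_by_rfc2782(SAMPLE_SRV, random.Random())
    print(ldap_uris(ordered))   # dc1/dc2 in random order, dc3 always last
```

Connecting by the DC's own hostname from the SRV target is also what makes LDAPS certificate checking succeed without disabling it: a DC certificate is issued for the DC's name, so a connection to the bare domain name fails the hostname check even when the CA is trusted.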

I think in this case you are asking for multiple Active Directory servers instead of just one. This is something we have planned down the line (e.g. multiple authentication engines active at the same time). Ergo you could just add two AD servers with different filters; this is how it’s done in Crowd at least.

1 Like

This generally doesn’t work when using LDAPS, unless there is a method to skip certificate checking.

At least that’s been my experience, and I’ve dealt with a lot of LDAP.

Yes, but I would not recommend it unless you’re competent and patient enough to debug PHP and MySQL issues yourself, and brave / crazy enough to run other people’s scripts as root. This is “Danger Zone” territory, as Archer would put it.

See the script I posted here:
https://issues.freepbx.org/browse/FREEPBX-12555

I would also comment out lines that auto-delete entities and handle that manually through MySQL. As is, it will auto-delete anything it doesn’t find in AD. This can be a Very Bad Thing, depending on your configuration.

1 Like
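Two points in this thread belong together: the delta sync described earlier (pick up only what changed since the last run) and the warning repeated here and in point 4 above that a failed LDAP query must never turn into mass deletion. The following is an added example, not FreePBX code and not the script linked above: it does delta sync with Active Directory's usnChanged attribute and the rootDSE highestCommittedUSN value, stores the DC's invocationId with the USN (USNs are per-DC and do not carry over), and handles removals in a separate reconcile pass that only flags missing objects unless auto-delete is enabled and the number missing is small. The `FakeDomainController`, its entries and all function names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class SyncState:
    """Persisted between runs. usnChanged values are only comparable on the
    same domain controller, so the DC's invocationId is stored with the USN."""
    invocation_id: str = ""
    last_usn: int = 0
    known: Dict[str, dict] = field(default_factory=dict)   # objectGUID -> attributes
    flagged_missing: Set[str] = field(default_factory=set)

@dataclass
class SyncResult:
    created: List[str] = field(default_factory=list)
    updated: List[str] = field(default_factory=list)
    flagged: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)
    error: Optional[str] = None

class FakeDomainController:
    """Constructed stand-in for one DC: rootDSE highestCommittedUSN plus a
    search on (usnChanged>=N). Set reachable=False to simulate an outage."""
    def __init__(self, invocation_id: str, entries: List[dict]):
        self.invocation_id = invocation_id
        self.entries = {e["objectGUID"]: dict(e) for e in entries}
        self.reachable = True

    def _check(self) -> None:
        if not self.reachable:
            raise ConnectionError("LDAP server unreachable")

    def highest_committed_usn(self) -> int:
        self._check()
        return max((e["usnChanged"] for e in self.entries.values()), default=0)

    def search(self, min_usn: int = 0) -> List[dict]:
        self._check()
        return [e for e in self.entries.values() if e["usnChanged"] >= min_usn]

def delta_sync(dc: FakeDomainController, state: SyncState) -> SyncResult:
    """Pick up only objects changed since the last run: read highestCommittedUSN
    first, query usnChanged >= last_usn + 1, and advance the stored USN only
    after the query succeeded. On failure nothing in the state is touched."""
    result = SyncResult()
    if dc.invocation_id != state.invocation_id:          # different DC: start over
        state.invocation_id, state.last_usn = dc.invocation_id, 0
    try:
        high = dc.highest_committed_usn()
        changed = dc.search(min_usn=state.last_usn + 1)
    except ConnectionError as exc:
        result.error = str(exc)
        return result
    for entry in changed:
        guid = entry["objectGUID"]
        (result.updated if guid in state.known else result.created).append(guid)
        state.known[guid] = entry
        state.flagged_missing.discard(guid)
    state.last_usn = high
    return result

def reconcile(dc: FakeDomainController, state: SyncState, auto_delete: bool = False,
              max_delete_fraction: float = 0.2) -> SyncResult:
    """A delta query never returns deleted objects, so a periodic full pass
    compares the directory against what is known. Missing objects are flagged
    for an admin; they are removed only when auto_delete is on AND the share of
    missing objects is small, so an outage, a wrong filter or a bad base DN
    cannot wipe the user base in one run."""
    result = SyncResult()
    try:
        present = {e["objectGUID"] for e in dc.search()}
    except ConnectionError as exc:
        result.error = str(exc)
        return result
    missing = set(state.known) - present
    fraction = len(missing) / len(state.known) if state.known else 0.0
    for guid in sorted(missing):
        if auto_delete and fraction <= max_delete_fraction:
            del state.known[guid]
            state.flagged_missing.discard(guid)
            result.deleted.append(guid)
        else:
            state.flagged_missing.add(guid)
            result.flagged.append(guid)
    return result

if __name__ == "__main__":
    dc = FakeDomainController("dc-1", [
        {"objectGUID": "a", "sAMAccountName": "alice", "usnChanged": 100},
        {"objectGUID": "b", "sAMAccountName": "bob", "usnChanged": 120},
    ])
    state = SyncState()
    print(delta_sync(dc, state))                     # first run imports both
    dc.entries["b"]["usnChanged"] = 130
    print(delta_sync(dc, state))                     # second run touches only bob
    del dc.entries["a"]
    print(reconcile(dc, state, auto_delete=True))    # 1 of 2 missing: flagged, not deleted
```

The threshold is the part worth tuning: a real directory losing a fifth of its PBX users in one interval is far more likely to be a query or configuration problem than a genuine change, which is exactly the failure point 4 above describes.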

Hello
I filled an OpenLDAP directory and it is well connected. I created an OpenLDAP group, but when I want to put users in it, the box is grayed out.