Admin panel throws Whoops error when logging in with AD user

Please update all modules to edge mode, especially User Manager.

Andrew, I attempted to update all to edge. Halfway through, I got this: I cannot get into Module Admin any more; it wants me to install User Manager.

Do it on the cli then.

Andrew, OK, I was able to install from the command line. I then went to Modules and finished updating the modules. I noticed that I can no longer log in at all with AD creds. I looked at userman and I see this in the status of my AD directory entry:

You must provide a configuration array or an instance of Adldap\Connections\ProviderInterface.

…I pressed the red ‘Apply’ button. Do I need to reboot, or is there something else wrong?

thanks

Not sure. You may have to start over. We haven’t seen that in QA yet. But perhaps you should be more verbose on where that error is coming from.

Andrew, I see the directory tab is all new, so I removed my old (imported) AD entry and created a new one. That one connects, yeh! I went into Groups and I see my AD groups, and I set the default attributes (like enable admin panel etc.), but there is no Submit or Save button; I am not able to save anything on the edit screen of the group details.

OK, I see, the message says it’s being locked while synchronizing… So, is there a way to force this or do it manually and see results? Because I don’t think it would normally take this long.

OK, I found the command and I think this might be an issue:

[root@uepbx1 ~]# fwconsole userman --list
+----+----------------------------+
| ID | Name                       |
+----+----------------------------+
| 1  | Imported freepbx directory |
| 3  | Ultra-Fei                  |
+----+----------------------------+

[root@uepbx1 ~]# fwconsole userman --sync 3 --force
Starting Sync on directory ‘Ultra-Fei’…
PHP Fatal error: Call to a member function getConvertedGuid() on null in /var/www/html/admin/modules/userman/functions.inc/auth/modules/Msad2.php on line 506
Whoops\Exception\ErrorException: Call to a member function getConvertedGuid() on null in file /var/www/html/admin/modules/userman/functions.inc/auth/modules/Msad2.php on line 506
Stack trace:

  1. Whoops\Exception\ErrorException->() /var/www/html/admin/modules/userman/functions.inc/auth/modules/Msad2.php:506

You don’t have primary groups assigned to some users. Try to fix that on your server.

Otherwise this is already fixed in userman edge. (https://github.com/FreePBX/userman/blob/release/14.0/functions.inc/auth/modules/Msad2.php#L509)

Running with --verbose will give you more information as well.

Also if you don’t have the submit buttons then you didn’t hit apply config. That links the javascript.

Andrew, yes, I will start to sift through our users to find which one doesn’t have a primary group. It would be nice to have that update. Do you know when it will be in edge? I have 14.0.3.9 and it is not in that.

thanks for all your help today!

Andrew, FYI, I looked at all users and could find none that were missing the primary group. It looks like the code you referenced adds more verbose logging to indicate which user it had a problem with? That would be helpful; I could then zero in on a user. Do you know when that code might be in edge?

thanks

All done

Great, thanks, I will try now.

Andrew, that update fixed a lot for me. I now can complete a sync; all the users and groups are there. In addition, the status messages are pointing me to the problem. When I do an update with --verbose, I see this:

Updating Primary Groups
Unable to find reed1283’s primary group

I get this for all users. I have checked, and these users do have a primary group assigned; it is “Domain Users” (the default). Is this an issue for FreePBX? This is the default config for all AD installs, why does it not like Domain Users?

thanks

Andrew, I tried to log in to admin with an LDAP user. I was not able to (invalid creds). So I did a packet trace and I see the issue:

As you can see, the creds FreePBX is sending to my LDAP server have my domain twice. So, did I configure something wrong or is this a bug? BTW, I did not enter my domain at the login prompt; I just entered ‘tonyg’.

thanks

I would have to see your configuration. Anything else would be a guess.

The primary group code works fine for me. It does a lookup of the group based on gid. This is in the library code; it’s not something I can fix.

Andrew, here is my directory config. I have reviewed the settings and I don’t see anything that would result in the domain being appended twice.



userman v14.0.3.11 fixes the login issue

It will also report back the SID it tried to lookup for the primary group

Andrew, with 14.0.3.11 I am now able to log in with AD creds again. Thanks for hanging in with this. I wanted to document some of the issues I ran into in my testing. I hope this is the right avenue for it; if you would like this somewhere else, please let me know. Also, I imagine you already know about this stuff, but I wanted to provide all I found, in hopes it would help.

  1. SSL connection does not accept self-signed certs. I have a packet capture I can send you that illustrates this. Usually, there is a “verify server certificate” switch in the config; if this is set to “no”, then the code will accept any cert. Here is the stack trace:

Exception trace:
() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Auth/Guard.php:80
Adldap\Auth\Guard->bind() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Auth/Guard.php:94
Adldap\Auth\Guard->bindAsAdministrator() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Connections/Provider.php:213
Adldap\Connections\Provider->connect() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Adldap.php:113
Adldap\Adldap->connect() at /var/www/html/admin/modules/userman/functions.inc/auth/modules/Msad2.php:251
FreePBX\modules\Userman\Auth\Msad2->connect() at /var/www/html/admin/modules/userman/functions.inc/auth/modules/Msad2.php:285
FreePBX\modules\Userman\Auth\Msad2->sync() at /var/www/html/admin/modules/userman/Console/Userman.class.php:103
FreePBX\Console\Command\Userman->syncDirectory() at /var/www/html/admin/modules/userman/Console/Userman.class.php:58
FreePBX\Console\Command\Userman->execute() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Command/Command.php:264
Symfony\Component\Console\Command\Command->run() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Application.php:835
Symfony\Component\Console\Application->doRunCommand() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Application.php:200
Symfony\Component\Console\Application->doRun() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Application.php:124
Symfony\Component\Console\Application->run() at /var/lib/asterisk/bin/fwconsole:137

  2. TLS does not seem to work either… probably for the same reason as 1, but instead of failing, it seems to succeed. I see in the packet capture that it does sync, but not using TLS.

  3. I started this thread out with a Whoops error when I log in with AD creds to the admin panel. I am still getting that; the error has not changed.

  4. On the issue of primary group: I think where userman is getting hung up is that in AD, the group “Domain Users” is a special “default” group. It does not appear in a group search, so I think userman is thinking it does not exist, but it does. If the primary group on a Microsoft directory is set to 513, then userman should assume the group is Domain Users.
    https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx

Again, thanks for all your efforts on this; LDAP is an important module to me. If there is any way I can help, by gathering logs or packet traces etc., please let me know, I am happy to help.

This works fine on my system using AD on Windows Server 2012… You will have to bring it up with the maintainer on GitHub (who doesn’t work for Sangoma). It also searches by group SID, not by any group search. The default for me is 513 as well and, like I said, shows up. So I dunno, sorry. You can talk to the maintainer here: GitHub - Adldap2/Adldap2: A PHP LDAP Package for humans.
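
As an added illustration of the SID-based lookup described in the two replies above (example code written for this page, not FreePBX or Adldap2 code): a user's primaryGroupID attribute holds only the RID (513 for Domain Users). The group's full SID is the domain SID with that RID appended, and the directory is queried for that value on objectSid, so whether “Domain Users” shows up in a name-based group search is irrelevant to the lookup. The domain SID and the RID below are constructed sample values.

```php
<?php
// Added example, not FreePBX/Adldap2 code. Shows how a primary group is
// resolved by SID rather than by searching on the group name.

/** Decode a binary objectSid (as LDAP returns it) into "S-1-5-21-..." form. */
function sidToString(string $binary): string
{
    $revision = ord($binary[0]);
    $count    = ord($binary[1]);

    // Identifier authority: 48-bit big-endian integer in bytes 2..7.
    $authority = 0;
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($binary[$i]);
    }

    // Sub-authorities: $count 32-bit little-endian integers from byte 8 on.
    $subs  = unpack("V{$count}", substr($binary, 8, 4 * $count));
    $parts = ["S-{$revision}-{$authority}"];
    foreach ($subs as $sub) {
        $parts[] = sprintf('%u', $sub);
    }
    return implode('-', $parts);
}

/** Encode a string SID back to binary (the form needed in an LDAP filter). */
function sidToBinary(string $sid): string
{
    $parts = explode('-', $sid);            // ['S', '1', '5', '21', ...]
    array_shift($parts);                    // drop the leading 'S'
    $revision  = (int) array_shift($parts);
    $authority = (int) array_shift($parts);
    $subs      = array_map('intval', $parts);

    $bin = chr($revision) . chr(count($subs));
    for ($i = 5; $i >= 0; $i--) {           // 48-bit big-endian authority
        $bin .= chr(($authority >> (8 * $i)) & 0xFF);
    }
    foreach ($subs as $sub) {
        $bin .= pack('V', $sub);            // 32-bit little-endian
    }
    return $bin;
}

/** The primary group's SID is simply the domain SID plus the RID. */
function primaryGroupSid(string $domainSid, int $primaryGroupId): string
{
    return $domainSid . '-' . $primaryGroupId;
}

/** Escape every byte of a binary value for an RFC 4515 filter (\xx form). */
function ldapEscapeBinary(string $bin): string
{
    $out = '';
    foreach (str_split($bin) as $byte) {
        $out .= sprintf('\\%02x', ord($byte));
    }
    return $out;
}

// Constructed sample values, not read from a real directory.
$domainSid      = sidToString(sidToBinary('S-1-5-21-3623811015-3361044348-30300820'));
$primaryGroupId = 513;   // RID of "Domain Users", the AD default

$groupSid = primaryGroupSid($domainSid, $primaryGroupId);
$filter   = sprintf('(&(objectClass=group)(objectSid=%s))',
                    ldapEscapeBinary(sidToBinary($groupSid)));

echo $groupSid, PHP_EOL;
echo $filter,   PHP_EOL;
```

The filter is what a “lookup by SID” actually sends: there is no (cn=Domain Users) search involved. Active Directory also accepts the string form of a SID in a filter (objectSid=S-1-5-21-...-513), which is the shortcut PHP libraries usually take; the binary form above is the one that works against any LDAP server that stores objectSid as an octet string.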

https://issues.freepbx.org/browse/FREEPBX-15088

Fixed in Framework 14.0.1rc1.23

This does not exist in the library we are using. Please understand that we use a library that we have no control over. https://github.com/Adldap2/Adldap2/blob/master/docs/configuration.md

Also see: php - Authenticating a self-signed certificate for LDAPS connection - Stack Overflow
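
Added example (not FreePBX or Adldap2 code) of the workaround the Stack Overflow link above describes. Adldap2's configuration array has no certificate-verification switch, but PHP's ldap extension, and the OpenLDAP client underneath it, does: process-global options that must be set before the connection is opened. The CA path, hostname, base DN and service account are assumed values. The verification-off variant is included only to make explicit what a “verify server certificate = no” setting does; pointing the client at the server's own self-signed certificate keeps verification on.

```php
<?php
// Added example, not FreePBX/Adldap2 code. Paths and names are assumed.

/**
 * Make the OpenLDAP client trust a specific self-signed server certificate
 * (or the CA that issued it). Must run before ldap_connect()/bind, because
 * these are process-global options (link handle null).
 */
function trustLdapServerCertificate(string $caFile): void
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    // PHP >= 7.1; equivalent of TLS_CACERT in /etc/openldap/ldap.conf
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    // Abort the handshake on an untrusted or mismatched certificate.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
}

/**
 * The "verify server certificate = no" behaviour (TLS_REQCERT never).
 * Any certificate is accepted, so an on-path attacker can present their own
 * and capture the bind credentials. Shown for contrast; lab use only.
 */
function disableLdapCertificateVerification(): void
{
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
}

/** Adldap2 provider configuration for LDAPS on port 636. Assumed values. */
function ldapsProviderConfig(): array
{
    return [
        'hosts'    => ['dc1.example.internal'],   // must match the cert's name
        'port'     => 636,
        'use_ssl'  => true,    // LDAPS; 'use_tls' => true would be StartTLS on 389
        'use_tls'  => false,
        'base_dn'  => 'dc=example,dc=internal',
        'username' => 'svc-freepbx@example.internal',
        'password' => 'change-me',
    ];
}

// Trust the DC's self-signed certificate (its own PEM acts as the CA file).
trustLdapServerCertificate('/etc/pki/tls/certs/dc1-selfsigned.pem');

// Only attempt the bind when the library is autoloaded.
if (class_exists(\Adldap\Adldap::class)) {
    $ad = new \Adldap\Adldap();
    $ad->addProvider(ldapsProviderConfig());
    $provider = $ad->connect();   // bindAsAdministrator(); throws on TLS failure
}
```

The same two settings can be made without touching PHP code, which is what the linked Stack Overflow thread does: TLS_CACERT and TLS_REQCERT in /etc/openldap/ldap.conf, or the LDAPTLS_CACERT and LDAPTLS_REQCERT environment variables of the process running the sync. Of those, TLS_REQCERT never is the one to avoid; adding the server's certificate to TLS_CACERT fixes the self-signed case without giving up verification.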