Admin panel throws whoops error when logging in with AD user

userman v14.0.3.11 fixes the login issue

It will also report back the SID it tried to look up for the primary group

Andrew, with 14.0.3.11 I am now able to log in with AD credentials again, thanks for hanging in with this. I wanted to document some of the issues I ran into in my testing. I hope this is the right avenue for it; if you would like this somewhere else, please let me know. Also, I imagine you already know about this stuff, but I wanted to provide all I found, in hopes it would help.

  1. The SSL connection does not accept self-signed certs. I have a packet capture I can send you that illustrates this. Usually there is a “verify server certificate” switch in the config; if this is set to “no”, then the code will accept any cert. Here is the stack trace:

Exception trace:
() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Auth/Guard.php:80
Adldap\Auth\Guard->bind() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Auth/Guard.php:94
Adldap\Auth\Guard->bindAsAdministrator() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Connections/Provider.php:213
Adldap\Connections\Provider->connect() at /var/www/html/admin/modules/userman/vendor/adldap2/adldap2/src/Adldap.php:113
Adldap\Adldap->connect() at /var/www/html/admin/modules/userman/functions.inc/auth/modules/Msad2.php:251
FreePBX\modules\Userman\Auth\Msad2->connect() at /var/www/html/admin/modules/userman/functions.inc/auth/modules/Msad2.php:285
FreePBX\modules\Userman\Auth\Msad2->sync() at /var/www/html/admin/modules/userman/Console/Userman.class.php:103
FreePBX\Console\Command\Userman->syncDirectory() at /var/www/html/admin/modules/userman/Console/Userman.class.php:58
FreePBX\Console\Command\Userman->execute() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Command/Command.php:264
Symfony\Component\Console\Command\Command->run() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Application.php:835
Symfony\Component\Console\Application->doRunCommand() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Application.php:200
Symfony\Component\Console\Application->doRun() at /var/www/html/admin/libraries/Composer/vendor/symfony/console/Application.php:124
Symfony\Component\Console\Application->run() at /var/lib/asterisk/bin/fwconsole:137

  2. TLS does not seem to work either, probably for the same reason as 1, but instead of failing, it seems to succeed. I see in the packet capture that it does sync, but not using TLS.

  3. I started this thread with a whoops error when I log in with AD creds to the admin panel. I am still getting that; the error has not changed.

  4. On the issue of the primary group: I think where userman is getting hung up is that in AD, the group “Domain Users” is a special “default” group. It does not appear in a group search, so I think userman is thinking it does not exist, but it does. If the primary group on a Microsoft directory is set to 513, then userman should assume the group is Domain Users.
    https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx

Again, thanks for all your efforts on this; LDAP is an important module to me. If there is any way I can help, by gathering logs or packet traces etc., please let me know, I am happy to help.

This works fine on my system using AD on Windows Server 2012… You will have to bring it up with the maintainer on GitHub (who doesn’t work for Sangoma). It also searches by group SID, not by any group search. The default for me is 513 as well and, like I said, it shows up. So I dunno, sorry. You can talk to the maintainer here: GitHub - Adldap2/Adldap2: A PHP LDAP Package for humans.
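As an added worked example of the lookup being debated in the two posts above (the primary group not appearing in a group search, versus resolving it by group SID): this is not FreePBX, userman or Adldap2 code, and it is written in Python rather than the module's PHP so it runs stand-alone. It decodes the binary `objectSid` attribute AD returns, strips the RID to get the domain SID, appends `primaryGroupID` to get the primary group's SID, and maps well-known RIDs such as 513 to their default group names. The function names, the `WELL_KNOWN_GROUP_RIDS` table and the sample SID are all made up for the example.

```python
import struct
from typing import Optional

# RIDs of the default AD groups. The RID is fixed in every domain, while the
# display name can be renamed or localized, so code should key on the RID.
WELL_KNOWN_GROUP_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary layout AD stores in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")             # 48-bit identifier authority, big-endian
            + struct.pack(f"<{len(subs)}I", *subs))    # sub-authorities, 32-bit little-endian


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode the binary objectSid attribute into its S-1-5-21-... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def domain_sid(account_sid: str) -> str:
    """The domain SID is the account SID without its final sub-authority (the RID)."""
    return account_sid.rsplit("-", 1)[0]


def primary_group_sid(user_object_sid: bytes, primary_group_id: int) -> str:
    """AD does not list the primary group in memberOf. It is the group whose
    objectSid equals <user's domain SID>-<primaryGroupID>, so build that SID."""
    return f"{domain_sid(sid_bytes_to_string(user_object_sid))}-{primary_group_id}"


def describe_rid(rid: int) -> Optional[str]:
    """Default group name for a well-known RID, or None for a custom group."""
    return WELL_KNOWN_GROUP_RIDS.get(rid)


# Constructed sample (not captured from any real directory): a user in the
# domain S-1-5-21-1004336348-1177238915-682003330 whose primaryGroupID is 513.
SAMPLE_USER_OBJECT_SID = sid_string_to_bytes("S-1-5-21-1004336348-1177238915-682003330-1108")
SAMPLE_PRIMARY_GROUP_ID = 513

if __name__ == "__main__":
    group = primary_group_sid(SAMPLE_USER_OBJECT_SID, SAMPLE_PRIMARY_GROUP_ID)
    print("user objectSid:", sid_bytes_to_string(SAMPLE_USER_OBJECT_SID))
    print("primary group :", group, "->", describe_rid(SAMPLE_PRIMARY_GROUP_ID))
```

The practical consequence for a sync job: fetch the user's `objectSid` and `primaryGroupID`, compute the group SID as above, and match it against the decoded `objectSid` of the groups you fetched (or search for it directly with an `objectSid=` filter on the user's own domain). Matching on the name "Domain Users" is fragile, since the name can be changed while the RID 513 cannot.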

https://issues.freepbx.org/browse/FREEPBX-15088

Fixed in Framework 14.0.1rc1.23

This does not exist in the library we are using. Please understand that we use a library that we have no control over. https://github.com/Adldap2/Adldap2/blob/master/docs/configuration.md

Also see: php - Authenticating a self-signed certificate for LDAPS connection - Stack Overflow