Can anyone help me to enable active directory authentication in usermanager?

Hi all,
I’d like to enable active directory authentication in UCP/user manager.

I don’t know how Linux works, so it will be very hard for me to achieve a solution without help.

I think the first step is to disable anonymous access to the UCP login page and enable Apache to ask for an Active Directory user/password.

The second step is to retrieve the name of the authenticated user and compare that name with the logon names in the userman database.

If the Active Directory user exists in the userman database, grant access and assign all the permissions to the user.


For the first step I tried to put the following authentication in /etc/httpd/conf.d/freepbx.conf:

<Directory /var/www/html/ucp>
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Accesso al Pannello Utente"
AuthLDAPURL "ldap://boprap306.prap-er.locale:3268/DC=prap-er,DC=locale?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "[email protected]"
AuthLDAPBindPassword XXXXXXXXXXXX
Require valid-user
</Directory>

The UCP asks me for an Active Directory password, but after that I get an “Internal Server Error”. I think that it is due to the fact that the UCP has a proper authentication web page, and not a simple password request from Apache.


For the second step I need to know where the UCP login page is stored, so I can try to modify the PHP code to retrieve the authenticated user name.
Can you help me?

Disable authentication in FreePBX then set Apache for LDAP authentication. Set up LDAP on MS domain and you are good to go.

In your words the task seems very simple.
Do you mean to completely disable FreePBX authentication?
How can I protect user voicemail without a mapping between userman and active directory users?

You can’t do this right now. There is no external Authentication support in User Manager.

Well,
I’m not a developer and I absolutely don’t know PHP, but I think that you get the username and password from the form in the UCP login web page and then you search in the database if there is the same username **& password** in it.

I’d like to disable your login form, and enable the classic Apache login prompt.
If the Active Directory authentication goes well, you can retrieve the authenticated user logon name (in old ASP classic it was request.servervariables("auth_user"); in PHP I suppose it will be something like $_SERVER['REMOTE_USER'];), and search in the database if there is the same username (not password) in it.

I only need to know in which PHP file the authentication takes place (hopefully at what line :))
Thanks
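
The mapping step proposed above (take the identity Apache authenticated and look it up by username only), as an added example that is not part of the original post and is not FreePBX or UCP code. The `demo_users` table and both function names are hypothetical and the sample data is constructed; it covers only the identity lookup and does not create the PHP session, cookies or tokens that UCP relies on.

```php
<?php
// Added example, not FreePBX/UCP code. Table and function names are
// hypothetical; the rows and logon names below are constructed.

/** Reduce the web server's identity to a canonical logon name, or null. */
function normalize_remote_user(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // AD matches sAMAccountName case-insensitively, so "MRossi" and "mrossi"
    // both authenticate; fold case before comparing with the local table.
    $name = strtolower(trim($raw));
    // Qualified forms (DOMAIN\user, user@realm) are refused rather than
    // stripped, so an account from another domain cannot alias a local user.
    return preg_match('/^[a-z0-9._-]{1,64}$/', $name) === 1 ? $name : null;
}

/** Return the local user row for the authenticated identity, or null (deny). */
function map_remote_user(PDO $db, array $server): ?array
{
    // Trust only the variable set by Apache's auth module. Client-sent
    // headers surface as HTTP_* keys and must never be used as identity.
    $name = normalize_remote_user($server['REMOTE_USER'] ?? null);
    if ($name === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, username FROM demo_users WHERE LOWER(username) = ?'
    );
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec("INSERT INTO demo_users (username) VALUES ('mrossi'), ('lbianchi')");

$cases = [
    ['REMOTE_USER' => 'MRossi'],          // mixed-case logon of a local user
    ['REMOTE_USER' => 'nobody'],          // authenticated, no local account
    ['REMOTE_USER' => 'OTHER\\mrossi'],   // qualified name from another domain
    ['HTTP_REMOTE_USER' => 'mrossi'],     // client header only, no server auth
];
foreach ($cases as $server) {
    var_dump(map_remote_user($db, $server));
}
```

Because no password is checked at this layer, every route that reaches the PHP code has to pass through the Apache authentication for the lookup to mean anything.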


You are oversimplifying how everything works. Enabling Apache auth will destroy how everything works. Not to mention you can’t log out from Apache auth except by closing the browser. Skip Apache auth first and use the web form; you could hack into that easier. If you want to enable Apache auth then at this point I am no longer going to help because HTTP auth is terrible. Just look it up online. Furthermore UCP is written around PHP sessions and cookies and tokens. HTTP auth does none of that (like I said, oversimplifying how it works).

Why can’t you just wait until August for something or for us to design external authentication engines? You wanting to do this during beta will be very stressful for you because many things are changing rapidly. Things will break and explode in your face.

If you want to keep fighting this then I will provide you what you want but without any support. This is beta. Things will change and I hesitate to help you because I know how much work I will have to put into it, now and in the future, helping you with what you are doing. So forgive me ahead of time.

My English is very bad, and this always leads to misunderstandings.

It was not my intention to oversimplify how everything works and how hard your work is.

My intention was to find a momentary and rapid solution to give access to users with the same password as they use in Active Directory, with no special safety concerns because Asterisk runs in a little LAN.

Your advice is wise, so it’s certainly convenient to wait for the stable release before attempting to make any changes. In the meantime I can try to learn how PHP works, because my last developer experience was in the very far 2000-2004 in ASP classic.

Thanks for all your suggestions

Hello. I came across this thread in a random search and saw your post. Was just wondering is this something that is actually being worked on by the FreePBX team and something we can expect to see in a future release?

I run a Samba 4 domain and ever since getting more into telephony had thought it would be really great to see this type of integration. The obvious things would be unified access to the UCP (w/ SSO would be great also). For the XMPP module this would be really nice also (SSO chat client). Remove duplication of many fields for admins like name, extension number, home/work/mobile numbers (could be pulled for find me/follow me), and so on. I’m sure there are a lot of pretty cool things that could be done with such integration.

Still in beta. Should be stable in the next month or so (this is why developers don’t like release dates). Currently Active Directory is not on our roadmap.
See: http://issues.freepbx.org/browse/FREEPBX-7311
Once we go stable we will start exploring the ability to hook in other services and exposing potential APIs and write developer-focused documentation (likely in the developers corner).

This is open source so feel free to go read and play with the code. Keep in mind anything written that is not submitted back in has the potential to be broken as we are still working on things.