Hi, I’m trying to configure the LDAP authentication against our OpenLDAP server. The FreePBX platform is: Sangoma Linux release 7.8.2003 (Core); Asterisk 13.36.0.
Now I want to enable the users to login to the UCP. From what I researched the LDAP authentication should work, if the synchronisation also works. Is that right or do you have to configure two, three or seven more things in order to make it work?
The LDAP server itself works flawlessly. I have a lot of external systems authenticating the users without issues to it.
Trying to login with a test user in the web browser I get the error message that I have to look into the error console. This is what is being written to it whenever I try to authenticate an user:
The LDAP server’s log openldap.log does not show anything about the failed login attempts so it is clear that the request doesn’t even leave the FreePBX. Any hints to track down the issue?
BTW: SSL is not implemented and I payed attention to the ports list https://wiki.freepbx.org/display/PPS/Ports+used+on+your+PBX thus it does not include LDAP authentication (port 389). Apart from that, I assume that outbound traffic is not being filtered by the FreePBX’ local firewall, is it?
The LDAP server and the PBX are within the same subnet. They are running even on the same Hypervisor and are connected with the same cables to the switches. There is no router between them.
Is there sth. wrong with the official FreePBX LDAP authentication manual? Or why should I use the AD authentication guide?
I dumped the traffic on TCP 389 on authentication trial and it shows that sth. is happening. So, the systems communicate and the issue apparently has sth. to do with wrong configuration, not with the network.
There are some differences in the OpenLDAP authentication guide and my configuration regarding the groups. Is the group configuration mandatory for FreePBX’ LDAP authentication to work properly?
Are the group configurations mandatory to make LDAP authentication work? (Currently we do not use any group configurations in the FreePBX and we don’t need them, we don’t want any groups, just users being able to authenticate against the OpenLDAP server in order to administer their extensions’ FollowMe lists.)
@slobera: Could you please answer my question why I should use the AD authentication guide. Is there sth. wrong with the LDAP authentication guide I referred to?
Sorry for the late @sipsepp I didn’t see you followed the LDAP guide.
It should be the same, not sure why this is not working, I have a LDAP server on my lab and UCP, Zulu and Xactview are working just fine.
Thank you for your reply.
Did you confgure also the group related fields accordingly? Do you know if they are relevant for the authentication mechanism? I assumed that, as the synchronisation of the users work flawlessly, the LDAP authentication also should, shouldn’t it?
Another admin had the issue that FreePBX obviously didn’t like to use the LDAP attribute “mail” for authentication. Changing to “sAMAccountName” the authentication worked for him. See: Active Directory and UCP Authentication
sAMAccountName is not available on my OpenLDAP server and of course I won’t extend the schema only for FreePBX.
Can anybody confirm that FreePBX’ built-in LDAP client authentication only works with specific attributes?
As different systems in our network can authenticate flwalessly using “mail” attribute as well as “uid” attribute, it is sure that the issue cannot be located on the LDAP server.
I found this one User Manager LDAP Authentication , indicating that there were a bug in FreePBX’ LDAP authentication mechanism. Reportedly it fails building correct DN pathes consisting of the base DN, the user DN and the user name attribute.