Configuring LDAP authentication for UCP users


(Sip Sepp) #1

Hi, I’m trying to configure the LDAP authentication against our OpenLDAP server. The FreePBX platform is: Sangoma Linux release 7.8.2003 (Core); Asterisk 13.36.0.

I followed the manual https://wiki.freepbx.org/display/FPG/User+Management+with+OpenLDAP and synchronisation of the LDAP users to the FreePBX User Management works perfectly.

Now I want to enable the users to login to the UCP. From what I researched the LDAP authentication should work, if the synchronisation also works. Is that right or do you have to configure two, three or seven more things in order to make it work?

The LDAP server itself works flawlessly. I have a lot of external systems authenticating the users without issues to it.

Trying to log in with a test user in the web browser, I get the error message that I have to look into the error console. This is what is being written to it whenever I try to authenticate a user:

jquery-3.1.1.min.js?load_version=v14.0.3.13:4 POST http://myfreepbx.mycompany.de/ucp/ajax.php 403 (Forbidden)
send @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
ajax @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
jQuery.ajax @ jsphpg_ae2b33db35c56d3d87a2b8828c33b54c.js?load_version=v14.0.3.13:21
r.<computed> @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
(anonymous) @ jsphpg_ae2b33db35c56d3d87a2b8828c33b54c.js?load_version=v14.0.3.13:2439
dispatch @ jquery-3.1.1.min.js?load_version=v14.0.3.13:3
q.handle @ jquery-3.1.1.min.js?load_version=v14.0.3.13:3
jsphpg_ae2b33db35c56d3d87a2b8828c33b54c.js?load_version=v14.0.3.13:2431 Forbidden: ajaxRequest declined
(anonymous) @ jsphpg_ae2b33db35c56d3d87a2b8828c33b54c.js?load_version=v14.0.3.13:2431
setTimeout (async)
(anonymous) @ jsphpg_ae2b33db35c56d3d87a2b8828c33b54c.js?load_version=v14.0.3.13:2430
dispatch @ jquery-3.1.1.min.js?load_version=v14.0.3.13:3
q.handle @ jquery-3.1.1.min.js?load_version=v14.0.3.13:3
trigger @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
A @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
(anonymous) @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
load (async)
send @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
ajax @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
jQuery.ajax @ jsphpg_ae2b33db35c56d3d87a2b8828c33b54c.js?load_version=v14.0.3.13:21
r.<computed> @ jquery-3.1.1.min.js?load_version=v14.0.3.13:4
(anonymous) @ jsphpg_ae2b33db35c56d3d87a2b8828c33b54c.js?load_version=v14.0.3.13:2439
dispatch @ jquery-3.1.1.min.js?load_version=v14.0.3.13:3
q.handle @ jquery-3.1.1.min.js?load_version=v14.0.3.13:3

The LDAP server’s log openldap.log does not show anything about the failed login attempts so it is clear that the request doesn’t even leave the FreePBX. Any hints to track down the issue?

BTW: SSL is not implemented and I paid attention to the ports list https://wiki.freepbx.org/display/PPS/Ports+used+on+your+PBX, thus it does not include LDAP authentication (port 389). Apart from that, I assume that outbound traffic is not being filtered by the FreePBX’ local firewall, is it?


(Sergio Lobera) #2

Is it an external LDAP server, or are you on the same network (PBX and LDAP)?

You can follow this guide: https://wiki.freepbx.org/display/FDT/Installing+and+connecting+an+Active+Directory+Server+with+FreePBX


(Sip Sepp) #3

The LDAP server and the PBX are within the same subnet. They are even running on the same hypervisor and are connected with the same cables to the switches. There is no router between them.

Is there sth. wrong with the official FreePBX LDAP authentication manual? Or why should I use the AD authentication guide?


(Sip Sepp) #4

I dumped the traffic on TCP 389 on authentication trial and it shows that sth. is happening. So, the systems communicate and the issue apparently has sth. to do with wrong configuration, not with the network.

There are some differences in the OpenLDAP authentication guide and my configuration regarding the groups. Is the group configuration mandatory for FreePBX’ LDAP authentication to work properly?


(Sip Sepp) #5

Please someone answer these questions:

  1. If the synchronisation of LDAP users works flawlessly, does it automatically mean that the authentication also should work?

  2. Regarding the guide https://wiki.freepbx.org/display/FPG/User+Management+with+OpenLDAP : Does this guide describe all required configurations on the FreePBX system in order to make LDAP authentication work or are there further configurations to be adapted?

  3. Are the group configurations mandatory to make LDAP authentication work? (Currently we do not use any group configurations in the FreePBX and we don’t need them, we don’t want any groups, just users being able to authenticate against the OpenLDAP server in order to administer their extensions’ FollowMe lists.)

Thanks for all replies!


(Sip Sepp) #6

OK, I’ll make it easier for you. First question:


(Sip Sepp) #7

@slobera: Could you please answer my question why I should use the AD authentication guide. Is there sth. wrong with the LDAP authentication guide I referred to?

Thank you!


(Sergio Lobera) #8

Sorry for the late reply @sipsepp, I didn’t see that you followed the LDAP guide.
It should be the same, not sure why this is not working. I have an LDAP server in my lab and UCP, Zulu and Xactview are working just fine.


(Sip Sepp) #9

Thank you for your reply.
Did you also configure the group related fields accordingly? Do you know if they are relevant for the authentication mechanism? I assumed that, as the synchronisation of the users works flawlessly, the LDAP authentication also should, shouldn’t it?


(Sip Sepp) #10

Another admin had the issue that FreePBX obviously didn’t like to use the LDAP attribute “mail” for authentication. After changing to “sAMAccountName”, the authentication worked for him. See: Active Directory and UCP Authentication
sAMAccountName is not available on my OpenLDAP server and of course I won’t extend the schema only for FreePBX.

Can anybody confirm that FreePBX’ built-in LDAP client authentication only works with specific attributes?

As different systems in our network can authenticate flawlessly using the “mail” attribute as well as the “uid” attribute, it is certain that the issue cannot be located on the LDAP server.


(Sip Sepp) #11

I found this one, User Manager LDAP Authentication, indicating that there was a bug in FreePBX’ LDAP authentication mechanism. Reportedly it fails to build correct DN paths consisting of the base DN, the user DN and the user name attribute.

Can anybody confirm that?

I tried Ryan’s solution but without success.
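As an added example (not FreePBX code and not from any poster in this thread), a small Python helper that rebuilds the bind DN from the three pieces post #11 names (user name attribute, user DN, base DN) with RFC 4514 escaping, and flags the defects a BindRequest captured on TCP 389 would reveal; it also shows that a “mail” value needs no escaping, which post #10 touches on. The attribute names and DN values are constructed, not taken from the thread.

```python
import re

# Characters that RFC 4514 requires to be escaped inside an RDN value.
_SPECIAL = ',+"\\<>;='

def escape_rdn_value(value: str) -> str:
    """Escape a login name (uid, mail, ...) so it cannot break out of its RDN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)

def _components(dn: str) -> list:
    """Split a DN on unescaped commas, normalised for comparison."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def build_bind_dn(login_attr: str, login: str, user_dn: str, base_dn: str) -> str:
    """Compose <attr>=<login>,<user DN>,<base DN>; a user DN that is already
    absolute (ends with the base DN) does not get the base DN appended twice."""
    parts = [f"{login_attr}={escape_rdn_value(login)}"]
    if user_dn.strip():
        parts.append(user_dn.strip())
    base = _components(base_dn)
    if base and _components(user_dn)[-len(base):] != base:
        parts.append(base_dn.strip())
    return ",".join(parts)

def check_bind_dn(dn: str, base_dn: str) -> list:
    """Findings to look for in the bind DN seen in a packet capture (constructed checks)."""
    d, b = _components(dn), _components(base_dn)
    hits = sum(1 for i in range(len(d) - len(b) + 1) if d[i:i + len(b)] == b)
    problems = []
    if hits > 1:
        problems.append("base DN repeated")
    if d[-len(b):] != b:
        problems.append("bind DN not under base DN")
    if not d or "=" not in d[0]:
        problems.append("first RDN has no attribute")
    if re.search(r"(?<!\\),\s*(?:,|$)", dn):
        problems.append("empty RDN component")
    return problems
```

Compare the DN returned by build_bind_dn with the name field of the BindRequest in the capture: a mismatch points at the User Manager settings, a match with a failed bind points at the OpenLDAP side (credentials or ACLs).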