FreePBX 13: User Managment with AD

munozj · August 28, 2015, 2:06pm

Testing out FreePBX 13’s AD connector for the User Manager. I was able to get a “connected” message after following the instructions on the wiki (http://wiki.freepbx.org/display/F2/How+to+Authenticate+User+Manager+via+Microsoft+Active+Directory)

I’m finding that my user list is empty and so is my group list. I’m seeing, “no matching records found” The add button is no longer there so i’m assuming the user list shows all the AD users in the base DN?

My base DN is a little longer than what is listed in the wiki page:
OU=city,OU=region,OU=Employees,DC=university,DC=domain,DC=edu

Not sure what i’m doing wrong. This feature has been on the top of my wish list so we are excited to try it out and try and help contribute to it’s development.

munozj · August 28, 2015, 3:58pm

Found my problem. Added the context “CN=Users” to the beginning of the base DN and it worked!

tm1000 · August 28, 2015, 6:01pm

There was actually a bug that required you submit the page twice before it sync’d just fixed that now. I’ve also added a new configuration field to define the name of an attribute from Active Directory that will link the user to an extension in freepbx (“Link Extension”).

I’m actually at the point where-as if you added a user into Active Directory, set an attribute with an extension, sync’d, FreePBX would then add the extension… automatically. I haven’t completed it yet because there are about a thousand different attributes for the extension so not sure what the typical defaults are or would be for something like that. Or if user manager should do it or not

munozj · August 31, 2015, 4:35pm

Having some trouble actually logging in as an AD user.

Visited the UCP on my VM and tried logging in with my AD user name and password but wasn’t able to login.

Selected a user, clicked on edit and the UCP tab, allowed login currently set to inherit (inherit from what) changed to yes and clicked “Submit and send update” No email was sent and the field i changed previously reverted to the original state.

Repeated the change but this time i hit “Submit” Now the apply button lit up. I hit that and tried the UCP login again. It still failed.

I found the user in the user list of user-manager, click the check box by the name and hit send email. This time an email came showing the user name as the Display Name of the user rather than his ad login name.

Hi Firstname,

Congratulations! Your FreePBX account has been created! You can now use the
credentials below:

	Username: Firstname Lastname
	Password: Obfuscated. To reset use the reset link in this email

To login to the following services:

	User Control Panel: http://10.211.55.3:81

Password Reset Link (Valid Until: 05:11:51 PM):
http://10.211.55.3:81/?forgot=6f1434aeb99ddba9226df4450e131

I tried logging in with the user name Firstname Lastname and the actual AD username firstname.lastname
neither of which worked.

I noticed that this user is a member for 4 groups and the group settings for those groups had UCP set to No
I tried to edit the group UCP permission to Yes but after i hit submit and got this error message. https://dl.dropboxusercontent.com/u/4310421/GroupEditError.jpg

tm1000 · August 31, 2015, 5:11pm

From the group that this user is assigned to.

Thanks. Thats a bug, but sending an email would provide no advantage to you in an AD environment

This screenshot is completely unusable. Help a brother out. Include the full screen error. Thanks

I just logged in successfully using an AD user. No issues. Sounds like you have a really strange Active Directory setup

munozj · August 31, 2015, 5:35pm

Here is the full screen error

Whoops \ Exception \ ErrorException (E_ERROR)
HELP
Call to undefined function restapi_user_get_user_tokens()
/var/www/html/admin/modules/restapi/Restapi.class.php
Server/Request Data
HTACCESS on
HTTP_HOST 10.211.55.3
CONTENT_TYPE application/x-www-form-urlencoded
HTTP_ORIGIN http://10.211.55.3
HTTP_COOKIE lang=en_US; __utma=240938883.2079736169.1440704402.1440779832.1441037371.5; __utmb=240938883.23.10.1441037371; __utmc=240938883; __utmt=1; __utmz=240938883.1440704402.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=60vk6ak82274g8bplbmfinaff5
CONTENT_LENGTH 195
HTTP_CONNECTION keep-alive
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
HTTP_USER_AGENT Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9
HTTP_REFERER http://10.211.55.3/admin/config.php?display=userman&action=showgroup&group=1
HTTP_ACCEPT_LANGUAGE en-us
HTTP_ACCEPT_ENCODING gzip, deflate
PATH /sbin:/usr/sbin:/bin:/usr/bin
SERVER_SIGNATURE Apache/2.2.15 (CentOS) Server at 10.211.55.3 Port 80
SERVER_SOFTWARE Apache/2.2.15 (CentOS)
SERVER_NAME 10.211.55.3
SERVER_ADDR 10.211.55.3
SERVER_PORT 80
REMOTE_ADDR 10.211.55.2
DOCUMENT_ROOT /var/www/html
SERVER_ADMIN root@localhost
SCRIPT_FILENAME /var/www/html/admin/config.php
REMOTE_PORT 58960
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.1
REQUEST_METHOD POST
QUERY_STRING display=userman
REQUEST_URI /admin/config.php?display=userman
SCRIPT_NAME /admin/config.php
PHP_SELF /admin/config.php
REQUEST_TIME 1441038743
GET Data
display userman
POST Data
type group
prevGroupname Everyone_dallas
group 1
submittype gui
contactmanager_show true
faxenabled false
ucp_login true
ucp_originate no
cel_enable no
presencestate_enable no
voicemail_enable no
Files
empty
Cookies
lang en_US
__utma 240938883.2079736169.1440704402.1440779832.1441037371.5
__utmb 240938883.23.10.1441037371
__utmc 240938883
__utmt 1
__utmz 240938883.1440704402.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
PHPSESSID 60vk6ak82274g8bplbmfinaff5
Session
module_name userman
module_page userman
AMP_user ampuser Object ( [username] => admin [id] => [password:ampuser:private] => 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 [extension_high:ampuser:private] => [extension_low:ampuser:private] => [sections:ampuser:private] => Array ( [0] => * ) [mode:ampuser:private] => database [_lastactivity] => 1441038743 )
UCP_isMobile
UCP_isTablet
UCP_login_token 2de5c6cb875d1a2e7b494d972bf56f7c
Environment Variables
empty
Registered Handlers
0. Whoops\Handler\PrettyPageHandler

tm1000 · August 31, 2015, 5:52pm

Are you using “restapi”

munozj · August 31, 2015, 6:20pm

It appears to have been enabled when i loaded the disto. Disabled restsapps and restapi and tried updating the groups again. This time it appears to have taken.

Enabled UCP in the groups that the user is a member of and tried logging again but still getting “Invalid Login Credentials” tried with both the ad user name “first.last” and the login name listed in the User Manager “First Last”

tm1000 · August 31, 2015, 6:22pm

I’m working in the module right now with an Active Directory account and can not replicate your issue. Our support lead can’t replicate it either. We can login just fine

munozj · August 31, 2015, 6:42pm

Is there a UCP audit log that I could try and use to find out what i’m doing wrong?

tm1000 · August 31, 2015, 6:44pm

There is no audit log. It seems as though your CN has been setup to use Display Names instead of what I am used to (which is usernames). I will have to use samaccountname instead moving forward to fix it for you

tm1000 · September 1, 2015, 1:07am

This should be resolved in userman 13.0.15

munozj · September 1, 2015, 2:50pm

Thanks Andrew! That update fixed our issue. If your ever in the DFW area I owe you dinner.

munozj · September 1, 2015, 3:41pm

The login is working great now. It’s using the actual SAM login name and we’ve been able to login now. I’m seeing that none of the groups are populating now (where previously they did). Not that big of a deal but it doesn’t give the option to create our own groups when using AD auth and setting permissions per user one at a time could be time consuming.

tm1000 · September 1, 2015, 4:23pm

Nothing was changed or touched in relation to groups. If you want them to re-sync then go back to the active directory configuration page and hit submit

tm1000 · September 1, 2015, 4:26pm

Just fully verified that group syncing works 100%

tm1000 · September 1, 2015, 5:40pm

Looks like users wren’t added to their primary groups. However this has always been an issue and wasn’t something new. Fixed in 12.0.16

munozj · September 1, 2015, 8:14pm

reloaded the VM from a snapshot, re-entered the settings and now it looks like the users and groups are showing. Thanks again for all your effort on this.

munozj · September 16, 2015, 7:33pm

Just reloaded a fresh ISO of the 13.0.1RC1.4
The first thing i did was reconnect to AD. All of my users populated but none of the groups did. Rebuilt a few times and had the same result.
If i clicked on a users details their group membership is empty.

tm1000 · September 16, 2015, 8:36pm

Works fine here. Not sure what to say sorry. The code is open for you to modify if you need.