Pulling groups from Active Directory

FreePBX 13.0.192.19

I have an Active Directory connection (shows “connected”), and I am seeing some inconsistency with how it shows Groups in User Management -> Groups.

Scenario 1

Group DN: ou=security groups
Group object class: group
Group object filter: (objectCategory=Group)
Group members attribute: member

This shows a seemingly random set of 37 groups from the Security Groups OU in my AD. There is no correlation with the type of group (Domain local, Global, & Universal).

Scenario 2

Group DN: ou=security groups
Group object class: group
Group object filter: (&(objectCategory=Group)(name=PBX))*
Group members attribute: member

This shows nothing. Obviously the filter change is what broke it, but I’m not sure what the logic is in either scenario. Also, I used a similar filter for the Users section in User Management, and it worked as expected.

Any help would be much appreciated!

Maybe something like DN=PBX*

I’m almost certain I have mine doing a wildcard, but don’t have access to it at the moment, mostly commenting so I can look it up tomorrow.

I’m almost certain all the groups will need to start with similar names. I only have two groups that get imported into FreePBX.

Well I was close,

My group filter is:
(&(objectCategory=group)(cn=Application Users - FreePBX*))

I don’t know if you cleaned up your Group DN for posting, but it needs to be fully qualified (ou=security groups,dc=domain,dc=net) or left blank.

I try to manage everything from Active Directory. I do a lot through LDAP, and my user filter is insanely long. FreePBX has a great implementation (when it comes to customization).

Thanks for the reply. I tried this, and still no results:

Group DN: ou=Security Groups,dc=domain,dc=tld
Group object class: group
Group object filter: (&(objectCategory=Group)(cn=PBX*))
Group members attribute: member

I’ve tried the same setup (DN=Security Groups) and the search filter: (&(objectCategory=Group)(cn=PBX*)) using Softerra LDAP browser, and it correctly shows the 2 “PBX*” groups I’m interested in using.

[SOLVED!]

Alright, I figured it out, and thought I’d share it here for posterity. :smile:

Short Answer: The reason Scenario 1 showed seemingly “random” groups is because FreePBX is only displaying groups that have a “Description” in Active Directory. I found this out by running the ldap query (ldapsearch) from the console using fwconsole:

fwconsole userman --sync 2 --force --verbose

(https://wiki.freepbx.org/display/FPG/How+to+Authenticate+User+Manager+via+Microsoft+Active+Directory)

You can run fwconsole userman --list to find out which number your LDAP source is.

After I ran the “--verbose” query, I saw the errors about group descriptions:

Updating All Groups
    ldapsearch <your ldapsearch query shows here>
Retrieving all groups...
Got 2 groups
    ERROR group is missing description attribute! Cant continue!!
    ERROR group is missing description attribute! Cant continue!!
Finished adding users from non-primary groups

Once I added a Description to those groups in AD, they populate in FreePBX GUI!

@Jordack thanks for your help on this!

I’d also fill out a bug report. While I encourage everyone to use description, it shouldn’t be a requirement.

Grats on getting it working.

Thanks. I’ll do the bug report for sure.

Thanks, it helped me out also!