User LDAP authentication

I’ve been banging my head against walls looking for an implementation where users authenticate against an LDAP store – no success.
The user filter is basically in the bind() function. I filter for ou=VoIP, but this can be modified to match your LDAP structure.

Hence I went and did it myself. This allows AUTHTYPE=ldap in amportal.conf.
This is the code:

admin/header_auth.php

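case 'ldap':
    // Basic-auth credentials are checked against LDAP once per session.
    // If the LDAP check fails, the database credentials from amportal.conf
    // are accepted as a fallback and grant the admin role. A pending logout
    // request skips the login entirely.
    if (!isset($_SESSION['AMP_user'])
        && isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
        && !isset($_REQUEST['logout'])
    ) {
        if (!empty($_SESSION['logout'])) {
            // The previous request logged out; clear the marker and let the
            // 401 below force a fresh credential prompt.
            unset($_SESSION['logout']);
        } else {
            $user = new ampuser($_SERVER['PHP_AUTH_USER']);
            if ($user->checkLdapPassword($_SERVER['PHP_AUTH_PW'])) {
                $_SESSION['AMP_user'] = $user;
            } elseif (
                // hash_equals(): constant-time comparison for the fallback
                // secret instead of the loose `==` string comparison.
                hash_equals((string) $amp_conf['AMPDBUSER'], (string) $_SERVER['PHP_AUTH_USER'])
                && hash_equals((string) $amp_conf['AMPDBPASS'], (string) $_SERVER['PHP_AUTH_PW'])
            ) {
                $user->setAdmin();
                $_SESSION['AMP_user'] = $user;
            }
            // Otherwise nothing is stored in the session and the 401 below is sent.
        }
    }
    // Note: must be $_SESSION, not $SESSION — the undefined variable made this
    // test always true, so the 401 was sent even after a successful login.
    if (!isset($_SESSION['AMP_user'])) {
        header('WWW-Authenticate: Basic realm="FreePBX Administration"');
        header('HTTP/1.0 401 Unauthorized');
        showview("unauthorized");
        exit;
    }
    break;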

functions.inc.php
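/**
 * Check $password for $this->username against the LDAP directory.
 *
 * On success the user is given unrestricted section access ("*") with no
 * extension range and no department; on failure all of those fields are
 * cleared. _password is retained exactly as the original code did (the
 * password on success, false on failure); nothing in this method reads it.
 *
 * @param string $password Cleartext password from the HTTP Basic prompt.
 * @return bool true when the entry returned for the bound user carries a
 *              uid identical to $this->username.
 */
function checkLdapPassword($password)
{
    $ldapData = $this->ldap_authenticate($this->username, $password);

    // ldap_authenticate() returns false on any failure, otherwise the
    // ldap_get_entries() array. Guard before indexing so a failed lookup
    // is a clean false instead of a warning plus a null comparison.
    $uidMatches = is_array($ldapData)
        && isset($ldapData[0]['uid'][0])
        && $ldapData[0]['uid'][0] === $this->username;

    // Both outcomes clear these; only password and sections differ.
    $this->_extension_high = "";
    $this->_extension_low = "";
    $this->_deptname = "";

    if ($uidMatches) {
        $this->_password = $password;
        $this->_sections = array("*");
        return true;
    }

    $this->_password = false;
    $this->_sections = array();
    return false;
}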

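/**
 * Create a directory handle and authenticate $username/$password via bind().
 *
 * @param string $username Login name entered at the Basic-auth prompt.
 * @param string $password Cleartext password.
 * @return array|false The ldap_get_entries() result from bind(), or false
 *                     when no handle could be created or the bind/search failed.
 */
function ldap_authenticate($username, $password)
{
    // Placeholder: replace with this deployment's directory URI. Use an
    // ldaps:// URI (or call ldap_start_tls() right after ldap_connect()) so
    // the user's cleartext password is not sent over the network in the clear.
    $ldapUri = 'ldaps://<ldap server host goes here>';

    // ldap_connect() only validates the URI and returns a handle; the network
    // connection is made lazily by the first operation (the bind). It returns
    // false only for a malformed URI, so ldap_error() on that value is useless.
    $connect = ldap_connect($ldapUri);
    if ($connect === false) {
        return false;
    }

    $entries = $this->bind($connect, $username, $password);

    // Release the handle on every path — the original ldap_close() sat after
    // the return statements and never ran.
    ldap_unbind($connect);

    return $entries;
}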

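/**
 * Bind to the directory as the user and fetch that user's own entry.
 *
 * The original bound with an empty DN, never used $username, and searched
 * with an empty base DN: the password was therefore never verified against
 * the user's account (an empty DN is an anonymous/unauthenticated bind),
 * and the uid compared afterwards came from whichever entry the server
 * happened to return first. Binding with the user's DN makes the directory
 * verify the password, and the search is scoped to that same uid.
 *
 * @param resource|\LDAP\Connection $connect Handle from ldap_connect().
 * @param string $username Login name (the uid attribute value).
 * @param string $password Cleartext password. An empty password is rejected
 *                         up front because LDAP treats an empty credential
 *                         as an anonymous bind, which succeeds.
 * @return array|false ldap_get_entries() result for the user, or false on
 *                     empty input, failed bind or failed search.
 */
function bind($connect, $username, $password = "")
{
    // Placeholder: the subtree the VoIP users live in (the original searched
    // for ou=VoIP). Constructed example: ou=VoIP,dc=example,dc=com
    $baseDn = '<base DN goes here>';

    if ($username === '' || $password === '') {
        return false;
    }

    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Escape the login name for both DN and filter context (PHP >= 5.6) so
    // directory metacharacters in user input cannot alter either.
    $userDn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';

    // ldap_bind() raises an E_WARNING on bad credentials; silenced as in the
    // original so every wrong password does not produce a PHP warning.
    if (!@ldap_bind($connect, $userDn, $password)) {
        return false;
    }

    // Only the uid attribute is needed by checkLdapPassword().
    $searchId = ldap_search($connect, $baseDn, $filter, array('uid'));
    if ($searchId === false) {
        return false;
    }

    return ldap_get_entries($connect, $searchId);
}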

You might want to submit this as a proper patch file in a patch ticket on trac, in case others find it useful and/or it is something worth trying to incorporate into FreePBX.

In the forums, it will quickly get “lost” as it gets outdated.