User manager to active directory via ldaps

hi, I am using FreePBX I would appreciate some help with active directory integration. i have read all the wiki’s and understand ldap pretty well, but the wiki’s are a little vague on some points. Does anyone know:

  1. does user manager support ldaps (or ldap with ssl on port 636) I saw a brief mention of it in a wiki, but not how i should be implemented. what i mean is, do you prefix the host with ldaps:// or just set the port to 636?
  2. if it does support ssl, does it support self signed certs on the active directory server, how do I tell it not to validate the cert?
  3. does the username need to be the ldap username or the active directory username (sam)
  4. do you have the ability to specify 2 active directory servers (for redundancy)?

thanks in advance for your help!

Any update on LDAPs? I submitted a feature request for it but looking for other options if available.

features like this would not happen in a stable release so at best it would be in FreePBX 14. Best bet to know where its at is to ask in your feature ticket.

Hi, so, can you confirm if ldaps is or is not supported in 13? i still cannot find a clear answer. also, if so, are self signed certs supported?


skip189, did you ever follow up with your feature request? what are they saying?


Again we support AD with User Manager in FreePBX 13 so that should work with LDAP but you would need to test and see.

tony, i would love to test, but as there seems to be no documentation, i dont know where to start…what would be the syntax to test? is the feature request. Tonyclewis was correct it is slated for FreePBX 14. As for it being supported, it depends on what you mean. FreePBX isn’t supporting it yet, but Linux, PHP, and LDAP do support it. So in theory there is no reason you, or someone else, could go in and modify the code for the connection strings and add in the parameters for disable checking of ssl validation. Or ideally add in your CA cert to the cert store. Unfortunately I am Windows Sysadmin, and don’t have skills needed for further research, development, or deployment.

Tonyg, I can assist with the LDAP portion, as I have this up and working, but note it isn’t encrypted so it is a high risk. In my case I ended up creating an IPsec tunnel to our hosting provider so I could securely transmit the data. Let me know if you need any assistance.

Authentication Engine: Microsoft Active directory
Remote Authentication IP address: No idea what this is, looks like it was added after documentation was created
Synchronize: I have it set to 1 hour but your preference
Host: I am using the dotted IP address. No redundancy or documentation if it supports more than 1 Domain Controller
Username: use the samAccountName, of an account in the root of your AD OU, needs to have ldap Bind permission, Domain Users will work
Password: Password for the account used above
Base DN: Needs to be the base DN of the account used 2 steps earlier. Recursive is enabled and if you have the account anywhere but the top you will limit your results to the DN you specified here and lower.
Extension Link Attribute: I used ipPhone, but other values will work. YOu will need to populate AD with the users Extension.
Click submit and it should say connected and start the first sync.

I use AD for user with and it works great I can post my confit from my test box if you like.

So was closed out for being duplicated to But that one was already closed out. With both tickets closed I would guess that it isn’t going to be worked on. Is this correct thinking?

Did you read at all?

Fixed in 14

thanks for the offer, but I do already have it working. The problem is that without TLS, it is a security nightmare.

thanks again

I just read it, too bad it will not be available in 13