Hi, I am using FreePBX 13.0.190.7. I would appreciate some help with Active Directory integration. I have read all the wikis and understand LDAP pretty well, but the wikis are a little vague on some points. Does anyone know:
Does User Manager support LDAPS (or LDAP with SSL on port 636)? I saw a brief mention of it in a wiki, but not how it should be implemented. What I mean is, do you prefix the host with ldaps:// or just set the port to 636?
If it does support SSL, does it support self-signed certs on the Active Directory server? How do I tell it not to validate the cert?
Does the username need to be the LDAP username or the Active Directory username (sam)?
Do you have the ability to specify two Active Directory servers (for redundancy)?
Features like this would not happen in a stable release, so at best it would be in FreePBX 14. The best bet to know where it's at is to ask in your feature ticket.
http://issues.freepbx.org/browse/FREEPBX-13904 is the feature request. Tonyclewis was correct: it is slated for FreePBX 14. As for it being supported, it depends on what you mean. FreePBX isn't supporting it yet, but Linux, PHP, and LDAP do support it. So in theory there is no reason you, or someone else, couldn't go in and modify the code for the connection strings and add in the parameters to disable SSL validation checking. Or, ideally, add your CA cert to the cert store. Unfortunately I am a Windows sysadmin, and don't have the skills needed for further research, development, or deployment.
Tonyg, I can assist with the LDAP portion, as I have this up and working, but note it isn't encrypted, so it is a high risk. In my case I ended up creating an IPsec tunnel to our hosting provider so I could securely transmit the data. Let me know if you need any assistance.
Authentication Engine: Microsoft Active Directory
Remote Authentication IP address: No idea what this is; it looks like it was added after the documentation was created.
Synchronize: I have it set to 1 hour, but your preference.
Host: I am using the dotted IP address. No redundancy, and no documentation on whether it supports more than one Domain Controller.
Username: Use the samAccountName of an account in the root of your AD OU; it needs to have LDAP bind permission. Domain Users will work.
Password: Password for the account used above.
Base DN: Needs to be the base DN of the account used two steps earlier. Recursive is enabled, and if you have the account anywhere but the top, you will limit your results to the DN you specified here and lower.
Extension Link Attribute: I used ipPhone, but other values will work. You will need to populate AD with the users' extensions.
Click Submit and it should say connected and start the first sync.
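The thread above raises two things the field list does not show: how to get the LDAPS connection that the feature ticket describes (with the CA cert trusted rather than validation switched off), and what the bind and the ipPhone lookup look like underneath the User Manager fields. The following is an added example using PHP's ext/ldap, not FreePBX code; the controller names, CA file path, service account, password and base DN are placeholders, and the space-separated URI list for two controllers relies on the OpenLDAP client library behind ext/ldap, which tries the URIs in order.

```php
<?php
// Added example, not FreePBX User Manager code: connect to Active Directory over
// LDAPS with certificate validation (the safer alternative to disabling the
// check), bind with a sAMAccountName, and read the ipPhone attribute that the
// thread uses as the extension link. Hostnames, the CA file path, the service
// account and the base DN are placeholders; replace them with your own values.
declare(strict_types=1);

// Two controllers: the OpenLDAP client library behind ext/ldap accepts a
// space-separated URI list and tries them in order, which gives basic failover.
const AD_URIS   = 'ldaps://dc01.example.internal:636 ldaps://dc02.example.internal:636';
const AD_CA_PEM = '/etc/pki/tls/certs/example-ad-ca.pem';   // CA that signed the DC certs (placeholder)
const BIND_UPN  = 'svc-freepbx@example.internal';           // sAMAccountName in UPN form (placeholder)
const BIND_PASS = 'placeholder-password';                   // placeholder
const BASE_DN   = 'OU=People,DC=example,DC=internal';       // must contain the bind account (placeholder)

/**
 * Open a validated LDAPS connection and bind with the service account.
 * Returns the LDAP link or throws on failure.
 */
function adConnect(string $uris, string $caPem, string $user, string $pass)
{
    // TLS options are global in ext/ldap and must be set before ldap_connect().
    // Trusting our own CA file is what makes an internal-CA chain verify;
    // LDAP_OPT_X_TLS_DEMAND refuses the connection if verification fails.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caPem);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect($uris);        // the ldaps:// scheme selects TLS on 636
    if ($ldap === false) {
        throw new RuntimeException('ldap_connect rejected the URI list');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);      // AD returns referrals; chasing them stalls searches
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5); // fail over to the next URI instead of hanging

    // Simple bind; AD accepts the sAMAccountName as user@domain (UPN) or DOMAIN\user.
    if (!@ldap_bind($ldap, $user, $pass)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

/**
 * Return [sAMAccountName => ['name' => ..., 'extension' => ...]] for every
 * enabled user under $baseDn that has the link attribute populated.
 */
function adExtensions($ldap, string $baseDn, string $linkAttr = 'ipPhone'): array
{
    // The attribute name goes into the filter unescaped, so only allow a plain LDAP name.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $linkAttr)) {
        throw new InvalidArgumentException('invalid attribute name');
    }
    // userAccountControl bit 2 = ACCOUNTDISABLE; the bitwise-AND matching rule skips disabled users.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=*)(%s=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        $linkAttr
    );
    $res = ldap_search($ldap, $baseDn, $filter, ['sAMAccountName', 'displayName', $linkAttr]);
    if ($res === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ldap));
    }
    $attr = strtolower($linkAttr);   // ldap_get_entries lowercases attribute names
    $out  = [];
    foreach (ldap_get_entries($ldap, $res) as $i => $e) {
        if ($i === 'count') {
            continue;                // ldap_get_entries adds a 'count' key alongside the entries
        }
        $out[$e['samaccountname'][0]] = [
            'name'      => $e['displayname'][0] ?? '',
            'extension' => $e[$attr][0],
        ];
    }
    return $out;
}

$ldap = adConnect(AD_URIS, AD_CA_PEM, BIND_UPN, BIND_PASS);
foreach (adExtensions($ldap, BASE_DN) as $sam => $u) {
    printf("%-20s %-30s ext %s\n", $sam, $u['name'], $u['extension']);
}
ldap_unbind($ldap);
```

The LDAP_OPT_X_TLS_CACERTFILE option needs PHP 7.1 or later; on an older PHP the same effect comes from TLS_CACERT and TLS_REQCERT in the system's OpenLDAP ldap.conf, which ext/ldap honours. Either way the point is the one the ticket discussion makes: trust the domain's CA so the certificate check stays on, rather than setting LDAP_OPT_X_TLS_REQUIRE_CERT to never. The base DN in the search mirrors the "Base DN" field: the bind account must sit at or below it, and only users under it are returned.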