Internal Notes on PBX and OpenLDAP

 

 

Theory of use

  • PBX User Manager module supports multiple LDAP directories.

    • A single LDAP directory syncs one top-level OU.

    • If there are multiple OUs, the admin creates a separate LDAP directory for each OU.

  • PBX username must be based on "CN"

    • CN values must NOT contain a space.

    • A space in the CN breaks the Chat feature.

    • Furthermore, the module can only authenticate a user against LDAP by CN, so CN is the only usable username attribute.

  • Mandatory LDAP attributes

    • telephoneNumber - binds the LDAP user to an existing extension on the PBX

    • userPassword - the PBX authenticates the user via LDAP against this attribute

 

Installation

Update to latest User Manager module.
Minimum Version: 13.0.76.4 

  • GUI mode

    • Log into the GUI and open Module Admin

    • Update the User Manager module to the latest version.

      • Minimum Framework version 13.0.191.13

  • Console Mode

    • Log in over SSH

    • Run

      • fwconsole ma downloadinstall --edge userman

      • fwconsole ma downloadinstall framework --tag 13.0.191.13


PBX Extensions

The admin has two choices for managing extensions.

  • Auto create

    • LDAP synchronization can auto-create extensions based on the "telephoneNumber" field in OpenLDAP.

    • This is controlled by "Create Missing Extensions" in the LDAP Directory configuration.

  • Manually create

    • The admin can disable "Create Missing Extensions" and manually create extensions in the PBX.

    • This way only specific LDAP users will be bound to PBX extensions, based on the "telephoneNumber" field.

    • The rest of the users will be imported as contacts only.

Create an LDAP Directory

  • Log into GUI

  • Navigate to User Management

  • Click on Directories, then click Add

    • General Section

      • Directory Type: OpenLdap Directory

        • Note: do not select the (Legacy) one.

      • Directory Name: Specify an arbitrary name

      • Enable Directory: Select Yes

      • Synchronize: Default 1h

    • Directory Settings

      • Secure connection type: None (Default)

        • None sends the Bind DN password, and the password of every user authenticating via LDAP, across the network in clear text; select a TLS option here whenever the OpenLDAP server supports it.

      • Host: OpenLDAP server IP

      • Port: OpenLDAP port number (Default is 389)

      • Bind DN: Must be set to the DN of the LDAP admin account

        • example: cn=admin,dc=companydnsname,dc=com

      • Password: Admin password

      • Base DN: Must be set to the base LDAP DN

        • example: dc=companydnsname,dc=com

      • Status: Displays the status of the LDAP connection; updates after the LDAP configuration is submitted.

    • Operational Settings

      • Create Missing Extensions:

        • PBX can auto-create extensions based on the "telephoneNumber" field.

        • Default is not to auto-create; the PBX admin creates extensions manually before the sync.

      • Manage Groups Locally: Set to YES (Default)

        • This option allows the admin to create a group for the LDAP directory into which all LDAP users can be added.

        • This is an easy way to grant permissions such as Zulu, UCP etc. to all LDAP directory users.

    • User Configuration

      • User DN: Must be populated with the top-level OU, relative to the Base DN

        • example: ou=Engineering Department

      • User object class: inetOrgPerson

      • User object filter: (objectclass=inetOrgPerson)

      • User name attribute: cn

        • Must be set to cn; this is the only option

      • User extension link attribute: telephoneNumber

        • This binds the user to the existing extension, or auto-creates the extension if "Create Missing Extensions" above is enabled.

      • The rest of the User Configuration fields should be mapped to the user attributes defined in the OpenLDAP directory.

    • Group Configuration

      • Leave as default, as we will use Manage Groups Locally.

    • Click Submit to apply settings.

  • Specify the LDAP directory as the Default directory in the Directory List.

    • On page refresh the LDAP Status field should be green with status Connected.
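Before submitting the directory against a live OU it is worth linting the LDAP data against the constraints from Theory of use and the User Configuration mapping above: CN without spaces, telephoneNumber and userPassword present, one user per telephoneNumber, and entries actually sitting under User DN + Base DN with objectClass inetOrgPerson. The script below is an added example, not code from the User Manager module or from Sangoma. It parses an LDIF export such as slapcat or ldapsearch -LLL produces and reports every user that would fail to sync or authenticate; the sample directory contents, the function names, the file name in the usage comment and the wording of the findings are assumptions.

```python
"""Pre-sync lint of an OpenLDAP export against the PBX User Manager constraints.
Added example, not part of the User Manager module. For every inetOrgPerson
under User DN + Base DN it checks: cn has no space (cn is the PBX username and a
space breaks Chat), telephoneNumber and userPassword present, telephoneNumber unique."""
import base64
import re
import sys
from collections import defaultdict

# Values as entered in the LDAP Directory GUI (User DN is relative to Base DN).
BASE_DN = "dc=companydnsname,dc=com"
USER_DN = "ou=Engineering Department"
# Constructed sample standing in for `slapcat` / `ldapsearch -LLL` output.
_PW_B64 = base64.b64encode(b"{SSHA}constructed-hash").decode()   # real exports base64 ("::") this attr
SAMPLE_LDIF = f"""\
dn: ou=Engineering Department,dc=companydnsname,dc=com
objectClass: organizationalUnit

dn: cn=alice,ou=Engineering Department,dc=companydnsname,dc=com
objectClass: inetOrgPerson
cn: alice
telephoneNumber: 1001
userPassword:: {_PW_B64}

dn: cn=Bob Smith,ou=Engineering Department,dc=companydnsname,dc=com
objectClass: inetOrgPerson
cn: Bob Smith
telephoneNumber: 1002
userPassword: constructed

dn: cn=carol,ou=Engineering Department,dc=companydnsname,dc=com
objectClass: inetOrgPerson
cn: carol
description: contact-only user (constructed)
userPassword: constructed

dn: cn=dave,ou=Engineering Department,dc=companydnsname,dc=com
objectClass: inetOrgPerson
cn: dave
telephoneNumber: 1001

dn: cn=Erin Jones,ou=Sales,dc=companydnsname,dc=com
objectClass: inetOrgPerson
cn: Erin Jones
telephoneNumber: 2001
userPassword: constructed
"""

_ATTR_LINE = re.compile(r"^([^:]+?)(::?)\s*(.*)$")

def parse_ldif(text):
    """Parse LDIF into [{attribute: [values]}]: folded lines, '::' base64, multi-valued attrs."""
    entries = []
    unfolded = text.replace("\n ", "")            # a leading space marks a folded continuation
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            m = _ATTR_LINE.match(line)
            if not m or line.startswith("#"):
                continue
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry[name.strip()].append(value.strip())
        if "dn" in entry:
            entries.append(dict(entry))
    return entries

def normalize_dn(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()   # comparison form

def lint(entries, user_dn=USER_DN, base_dn=BASE_DN):
    """Return (dn, problem) pairs for users that will not sync or authenticate cleanly."""
    base = normalize_dn(f"{user_dn},{base_dn}")   # the directory searches User DN + Base DN
    findings, owners = [], defaultdict(list)      # owners: telephoneNumber -> DNs claiming it
    for e in entries:
        dn = e["dn"][0]
        if not normalize_dn(dn).endswith("," + base):
            continue                              # outside User DN: never searched
        if "inetorgperson" not in {c.lower() for c in e.get("objectClass", [])}:
            continue                              # dropped by (objectclass=inetOrgPerson)
        if " " in e.get("cn", [""])[0]:
            findings.append((dn, "cn contains a space: breaks Chat (cn is the PBX username)"))
        if e.get("telephoneNumber"):
            owners[e["telephoneNumber"][0]].append(dn)
        else:
            findings.append((dn, "no telephoneNumber: imported as a contact only"))
        if not e.get("userPassword"):
            findings.append((dn, "no userPassword: cannot authenticate via LDAP"))
    for tel, dns in owners.items():
        if len(dns) > 1:
            for dn in dns:
                findings.append((dn, f"telephoneNumber {tel} also claimed by {len(dns) - 1} other user(s)"))
    return findings

if __name__ == "__main__":                        # usage: python lint_ldap.py [export.ldif]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, problem in lint(parse_ldif(text)):
        print(f"{dn}\n    {problem}")
```

Run it against a slapcat export of the OU before clicking Submit; with no argument it lints the constructed sample. A "no telephoneNumber" finding is expected for users you deliberately want imported as contacts only; every other finding is a user who will either not sync, collide on an extension, or be unable to log in.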

Create an LDAP user group

  • From the GUI

  • Navigate to User Management

  • Click on Groups

    • Click on Group Filter ("All Directories")

    • Select the LDAP directory that was just created in the step above

      • Click on the Add button.

      • Specify a group name

      • Select ALL users and add them to the group

      • Enable all PBX features such as Contacts, UCP, Zulu, XMPP

        • If contacts do not work in Zulu, Contacts has not been enabled in this section

          • For contact groups select ALL to allow all contacts in Zulu and UCP

        • If you cannot log into Zulu or UCP, you might not have permissions in this section.

      • Save

    • Note: If you cannot add a group for a Directory, "Manage Groups Locally" was not set to YES in the LDAP Directory configuration above.

Sync LDAP users

  • Log in over SSH

  • List all userman directories

    • fwconsole userman --list

  • Run the sync (--syncall syncs every directory listed above, including the LDAP one)

    • fwconsole userman --syncall --force --verbose

  • Reload Asterisk

    • fwconsole r     # This step must be done or the Zulu softphone will not work

  • At this point all users are synced

    • Log back into GUI

    • Navigate to User Management

    • Click on Users

      • Select the LDAP Directory filter

      • The admin should see all newly imported users.

Change Asterisk HTTP max settings

  • Log into GUI

  • Advanced Settings

  • Session Limit: set to 10000 

  • Apply
