PBX GUI - How to Authenticate User Manager via Microsoft Active Directory

The steps below can be used to connect your PBX to an Active Directory setup and test the connection.

Step-by-step guide

The following steps were tested with Microsoft Server 2012 Essentials; your mileage may vary. Requires version 13 or higher of the PBX software.

  1. Make sure the PBX can reach the AD server on TCP port 389 (LDAP)

  2. Use dsquery to get the correct base DN; from the Windows server command line run the following:

    C:\Users\master> dsquery user -name validADusername "CN=validADusername,CN=Users,DC=domain,DC=local"*

The base DN derived from above will be:
DC=domain,DC=local

The User DN and Group DN will be:
CN=Users

  3. Then, armed with the base DN, fill out the required information in User Manager:

    • Host: the IP address of the AD server

    • Port: defaults to 389, which should be fine in most cases

    • Username: a valid AD user

    • Password: that valid AD user's password

    • Domain: the AD domain, in my case domain.local

    • Base DN: the base DN derived from step 2

    • User DN: the filter string where users live (can be an OU)

    • Group DN: the filter string where groups live (can be an OU)

This was tested using a hosted PBX with a local instance of Server 2012 Essentials. It was configured with a port forward on the local router to take requests for 389 from the PBX and redirect them to the AD server, and it was verified that the two had no issues speaking with each other. Bear in mind that port 389 is plain LDAP, so unless StartTLS is negotiated the bind credentials cross that forwarded path unencrypted.

Manual Syncing

Manual syncing can be performed by running the following command:

[root@freepbxdev4 framework]# fwconsole userman --syncall --force
Directory 'PBX Internal Directory' does not support syncing
Starting Sync on directory 'Markham Blade AD'... Finished
Starting Sync on directory 'zflex server'... Finished

Troubleshooting

Using a directory browser

An LDAP directory browser is a great way to get a visual overview of your directory. Directory browsers can also be used to check that your bind credentials authenticate. Apache Directory Studio was used in the development of Active Directory support in User Manager.


Using the PBX CLI

You can troubleshoot User Manager Active Directory syncing by running it from the CLI with a few options:

[root@freepbxdev4 framework]# fwconsole userman --help
 ______             _____  ______   __
|  ____|           |  __ \|  _ \ \ / /
| |__ _ __ ___  ___| |__) | |_) \ V /
|  __| '__/ _ \/ _ \  ___/|  _ < > <
| |  | | |  __/  __/ |    | |_) / . \
|_|  |_|  \___|\___|_|    |____/_/ \_\
Usage:
  userman [options]

Options:
      --syncall         Syncronize all directories
      --sync=SYNC       Syncronize a single directory by id (obtained from --list)
      --force           Force syncronization
      --list            List directories
  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Help:
 User Manager

List Directories

[root@freepbxdev4 framework]# fwconsole userman --list
+----+------------------------+
| ID | Name                   |
+----+------------------------+
| 9  | PBX Internal Directory |
| 2  | Markham Blade AD       |
| 3  | zflex server           |
+----+------------------------+

Sync all directories

[root@freepbxdev4 framework]# fwconsole userman --syncall
Directory 'PBX Internal Directory' does not support syncing
Not syncing directory for another 5598 seconds
Not syncing directory for another 1998 seconds

Force Sync all directories

[root@freepbxdev4 framework]# fwconsole userman --syncall --force
Directory 'PBX Internal Directory' does not support syncing
Starting Sync on directory 'Markham Blade AD'... Finished
Starting Sync on directory 'zflex server'... Finished

Force sync a single directory with verbose logging

This will return exactly what User Manager is doing while syncing.

For certain queries the equivalent ldapsearch statement is printed. You can copy and paste this command and run it locally to see what the search returns with the filters you supplied in setup. Note that the printed command carries the bind password in clear text (the -w argument), so treat the verbose output as sensitive.

[root@freepbxdev4 framework]# fwconsole userman --sync 2 --force --verbose
Starting Sync on directory 'Markham Blade AD'...
  Updating All Users
    ldapsearch -w password -h 1.1.1.1 -p 3389 -D "administrator@domain.local" -b "cn=users,dc=domain,dc=local" -s sub "(&(&(objectcategory=person)(samaccountname=*))(objectclass=user))"
    Retrieving all users...
    Got 6 users
      Updating anagy
        Extension 1050 does not exist, skipping link
      Updating backup
      Updating lookup
      Updating krbtgt
      Updating Guest
      Updating Administrator
  Updating All Groups
    ldapsearch -w password -h 1.1.1.1 -p 3389  -D "administrator@domain.local" -b "cn=users,dc=domain,dc=local" -s sub "(&(objectcategory=group)(objectclass=group))"
    Retrieving all groups...
    Got 19 groups
    Working on Read-only Domain Controllers
      Updating Read-only Domain Controllers
    Working on Denied RODC Password Replication Group
        Adding krbtgt to group
      Updating Denied RODC Password Replication Group
    Working on Allowed RODC Password Replication Group
      Updating Allowed RODC Password Replication Group
    Working on Enterprise Read-only Domain Controllers
      Updating Enterprise Read-only Domain Controllers
    Working on Cloneable Domain Controllers
      Updating Cloneable Domain Controllers
    Working on DnsUpdateProxy
      Updating DnsUpdateProxy
    Working on DnsAdmins
      Updating DnsAdmins
    Working on Protected Users
      Updating Protected Users
    Working on RAS and IAS Servers
      Updating RAS and IAS Servers
    Working on Group Policy Creator Owners
        Adding Administrator to group
      Updating Group Policy Creator Owners
    Working on Schema Admins
        Adding Administrator to group
      Updating Schema Admins
    Working on Domain Controllers
      Updating Domain Controllers
    Working on Domain Computers
      Updating Domain Computers
    Working on Enterprise Admins
        Adding Administrator to group
      Updating Enterprise Admins
    Working on Cert Publishers
      Updating Cert Publishers
    Working on Domain Guests
      Updating Domain Guests
    Working on Domain Users
      Updating Domain Users
    Working on Domain Admins
        Adding Administrator to group
      Updating Domain Admins
    Working on WinRMRemoteWMIUsers__
      Updating WinRMRemoteWMIUsers__
Finished adding users from non-primary groups
Updating Primary Groups
    Adding anagy to Domain Users...Done
    Adding backup to Domain Users...Done
    Adding lookup to Domain Users...Done
    Adding krbtgt to Domain Users...Done
    Adding Guest to Domain Guests...Done
    Adding Administrator to Domain Users...Done
Executing User Manager Hooks
    Updating User anagy...done
    Updating User backup...done
    Updating User lookup...done
    Updating User krbtgt...done
    Updating User Guest...done
    Updating User Administrator...done
    Updating Group Read-only Domain Controllers...done
    Updating Group Denied RODC Password Replication Group...done
    Updating Group Allowed RODC Password Replication Group...done
    Updating Group Enterprise Read-only Domain Controllers...done
    Updating Group Cloneable Domain Controllers...done
    Updating Group DnsUpdateProxy...done
    Updating Group DnsAdmins...done
    Updating Group Protected Users...done
    Updating Group RAS and IAS Servers...done
    Updating Group Group Policy Creator Owners...done
    Updating Group Schema Admins...done
    Updating Group Domain Controllers...done
    Updating Group Domain Computers...done
    Updating Group Enterprise Admins...done
    Updating Group Cert Publishers...done
    Updating Group Domain Guests...done
    Updating Group Domain Users...done
    Updating Group Domain Admins...done
    Updating Group WinRMRemoteWMIUsers__...done
Finished
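As an added example (not code from this page or from the FreePBX project), the Python script below performs the step 2 base DN derivation on a dsquery DN and rebuilds the ldapsearch check printed in the verbose output above, but reads the bind password from a file (-y) instead of passing it with -w on the command line. The host, port, bind user and filters come from the page's output; the password file path /root/.ldappass and the function names are assumptions.

```python
import re
import shlex

# Constructed sample input: the DN that step 2's dsquery prints for the page's domain.
SAMPLE_DN = 'CN=validADusername,CN=Users,DC=domain,DC=local'

# The two filters User Manager prints in its --verbose ldapsearch lines.
USER_FILTER = '(&(&(objectcategory=person)(samaccountname=*))(objectclass=user))'
GROUP_FILTER = '(&(objectcategory=group)(objectclass=group))'

def split_dn(dn):
    """Split a DN into RDNs without breaking on backslash-escaped commas (RFC 4514)."""
    return re.split(r'(?<!\\),', dn)

def derive_dns(user_dn):
    """Step 2 of the guide as code: the base DN is the trailing DC= parts and the
    User/Group DN is the container between the leaf RDN and the base (CN= or OU=)."""
    rdns = split_dn(user_dn)
    base = [r for r in rdns if r.upper().startswith('DC=')]
    container = [r for r in rdns[1:] if not r.upper().startswith('DC=')]
    if not base or not container:
        raise ValueError('unexpected DN layout: %r' % user_dn)
    return ','.join(base), ','.join(container)

def escape_filter_value(value):
    """RFC 4515 escaping so an account name can be placed in a filter safely."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def ldapsearch_cmd(host, port, bind_user, base_dn, container, ldap_filter, passfile):
    """Rebuild the check User Manager prints under --verbose, with two changes:
    -H ldap://host:port instead of -h/-p, and the bind password read from a file
    (-y; the file holds the password with no trailing newline) instead of -w,
    which would expose it in ps output and shell history."""
    argv = ['ldapsearch', '-y', passfile, '-H', 'ldap://%s:%d' % (host, port),
            '-D', bind_user, '-b', '%s,%s' % (container, base_dn),
            '-s', 'sub', ldap_filter]
    return ' '.join(shlex.quote(a) for a in argv)

if __name__ == '__main__':
    base, container = derive_dns(SAMPLE_DN)
    print('Base DN:', base, ' User/Group DN:', container)
    # Narrow the user search to one account, e.g. 'anagy' from the sync output above.
    one_user = '(&(objectclass=user)(samaccountname=%s))' % escape_filter_value('anagy')
    for f in (USER_FILTER, GROUP_FILTER, one_user):
        print(ldapsearch_cmd('1.1.1.1', 3389, 'administrator@domain.local',
                             base, container, f, '/root/.ldappass'))
```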