SOLVED LDAP Integration problems

Status
Not open for further replies.

crt0512

New Member
Aug 19, 2022
10
0
1
29
Switzerland
512mb.org
Greetings, since LDAP is commonly used here, I'm trying to integrate it into the FusionPBX web interface.

Now I have gotten partially there in terms of integrating it, using an image I found on another forum:

ldap.jpg
After adding and configuring these default settings, an end user is able to sign in using their common name; however, they are not added to any group, which leaves them with a panel that doesn't even allow you to sign out after signing in using your LDAP account. Something like this:
ksnip_20220824-091048.png

Now, in the ideal case an LDAP user should just be added to the group "user" and then get an extension automatically assigned to them, but for now just being able to sign in using an LDAP account and being added to the group "user" would be enough.

If anyone has suggestions on how I would achieve this I'd be very thankful.

Sincerely Mika
 

Dast

Member
Nov 11, 2019
57
10
8
Based on the following link, it appears the ldap user is assigned to the `user` group like you want, assuming that username doesn't already exist in fusionpbx.

To confirm this, create a "dump.php" in your fusion root directory (usually /var/www/fusionpbx/) with the following contents;
PHP:
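<?php
// Temporary debug helper: dumps the session of the currently logged-in user.
session_start();
// "??" avoids an undefined-index warning when the pw parameter is missing.
if (isset($_SESSION["username"]) && ($_GET["pw"] ?? "") === "pbxforums") {
        // Escape the dump so session values cannot inject markup into the page.
        echo '<pre>' . htmlspecialchars(var_export($_SESSION, true)) . '</pre>';
}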

Ensure it is owned by the webserver user;
Bash:
chown freeswitch:daemon dump.php

Then proceed to log in to fusionpbx as the ldap user, then visit `http://your-fusionpbx.com/dump.php?pw=pbxforums`, which will dump your session state. Ctrl-F for "group_name" to see which group name is assigned to your current user.

Delete the dump.php file after you are done - it reveals sensitive data;
Bash:
rm dump.php
 

crt0512

Thank you for your reply. I did as you said, and it seems that LDAP users are being added to the group "public",
which dump.php showed me like this: "'group_name' => 'public',"
The public group obviously doesn't have any permissions, which is why we end up with such results. However, what I find strange is that when I look at the members of the group public I don't see the LDAP user.

Would you know what would cause this or how I would be able to change that?
 

Dast

When looking at that ldap.php file, it appears the user is assigned to a new group as per this line;
PHP:
$array['user_groups'][0]['user_group_uuid'] = uuid();

You could try replacing that line with;
PHP:
$array['user_groups'][0]['user_group_uuid'] = (!is_null($_SESSION["ldap"]["assign_group_uuid"]) && strlen($_SESSION["ldap"]["assign_group_uuid"]) > 0) ? $_SESSION["ldap"]["assign_group_uuid"] : uuid();

Then create a new variable under Advanced > Default Settings, like so;
1661760106044.png

The value should be the uuid of the group you want the user assigned to. Save, and Reload.

I haven't tested any of this, and future updates would overwrite these changes. Ideally you would submit a pull request once you have it working, so it won't break future updates for you.
 

crt0512

Okay, I've tried replacing that line you told me to replace, but LDAP users still don't seem to be added to the group users :(
I have restarted the whole server just in case it had something to do with that, but still the same.

Code:
  'username' => 'fusion',
  'template_full_path' => '/var/www/fusionpbx/themes/default/template.php',
  'groups' =>
  array (
    0 =>
    array (
      'group_name' => 'public',
    ),
  ),

When looking at dump.php I get this for the user.

It seems to be ignoring the uuid I set (which I got by signing in as a regular user and copying the group UUID from it: 'user_uuid' => '046112fb-c289-4521-baa9-024272d7d5f6').
1661762489578.png
Any idea?
 

Dast

You can get the group uuid by going to Advanced > Group Manager > click the group you want, copy the uuid from the url

It will look something like this;
1661768876007.png
 

crt0512

Yep, I see, but that group uuid is indeed the same as the one that dump.php gave me :)
Just to make sure the issue isn't related to my FusionPBX installation, I also tried the same thing on the FusionPBX instance I have running at home, but still the same issue: the user isn't being added to any group other than public.
 

crt0512

I have just now tried the MSAD plugin as well; however, that one is showing the same problems as the normal LDAP plugin. Could it be that LDAP integration was broken in some update of FusionPBX?
 

crt0512

I FIGURED IT OUT !!!

in /var/www/fusionpbx/core/authentication/resources/classes/plugins/ldap.php

In section "//build user group insert array" add the following line
PHP:
$array['user_groups'][0]['group_uuid'] = 'your-group-uuid';
 

Dast


Glad you figured it out.
As you mentioned, "user_group_uuid" was the key we were looking for.
You can either hardcode your uuid in the ldap.php file, or set it up to use a config variable as the uuid as per one of my last posts.

Be sure to undo/remove any test/debug stuff you added along the way, including that dump.php file.
 
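The fix the thread arrives at, sketched as an added example (not FusionPBX code and not written by either poster): the membership row keeps its own fresh `user_group_uuid`, while `group_uuid` carries the configured target group, checked against an allow-list so a typo or a privileged group is never granted silently. The function names, the allow-list, the `user_uuid` and `group_name` columns and all UUID values are assumptions made for illustration.

```php
<?php
// Added example: every function name and sample value here is hypothetical.

const UUID_RE = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';

// Stand-in for the application's own uuid() helper (random version-4 UUID).
function new_uuid(): string {
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);   // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);   // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

/**
 * Build the group-membership row for a user auto-created after an LDAP bind.
 * $configured  value of the assign_group_uuid setting (may be null or empty)
 * $allowed     map of group_uuid => group_name that auto-provisioning may grant
 */
function build_ldap_user_group(?string $configured, array $allowed,
                               string $user_uuid): array {
    $group_uuid = strtolower(trim((string) $configured));
    if (!preg_match(UUID_RE, $group_uuid)) {
        throw new InvalidArgumentException('assign_group_uuid is not a UUID');
    }
    if (!isset($allowed[$group_uuid])) {
        // Fail closed: only groups approved for LDAP users may be assigned.
        throw new DomainException('group not approved for LDAP auto-provisioning');
    }
    return [
        'user_group_uuid' => new_uuid(),            // id of this membership row
        'group_uuid'      => $group_uuid,           // the group being granted
        'group_name'      => $allowed[$group_uuid], // assumed column
        'user_uuid'       => $user_uuid,            // assumed column
    ];
}

// Constructed sample values (keys of $allowed are lower-case UUIDs).
$allowed = ['11111111-2222-4333-8444-555555555555' => 'user'];
$array = [];
$array['user_groups'][0] = build_ldap_user_group(
    '11111111-2222-4333-8444-555555555555',
    $allowed,
    'ffffffff-0000-4111-8222-333333333333'
);
print_r($array);
```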