LDAP/Active Directory Authentication

Discussion in 'Ideas' started by James Gauci, Jul 4, 2017.

5/5, 58 votes

  1. James Gauci

    Joined:
    Jul 4, 2017
    Messages:
    2
    Likes Received:
    6
    Hi All,

    I am a prospective customer of 3CX for a team of 200 clients across a WAN, however one area that is essential for us is LDAP/Active directory authentication of users.

    While I see that LDAP integration is available for the web meeting system, the contact component of 3CX has its own separate credentials database.

    Passwords can be revealed in clear text which I agree is a handy feature for some but a security concern in our environment.

    Furthermore, it means we need to manage two separate directory username/password systems, which is time consuming.

    Other competitive solutions have this functionality by default, however if this issue was resolved for us, we would jump onto 3CX tomorrow.
     
    Eliq91, Brad Cann, HH60 and 2 others like this.
  2. James Gauci

    Joined:
    Jul 4, 2017
    Messages:
    2
    Likes Received:
    6
    Further to my last post, as the integration is trivial to include (since there are many open source modules available), I could easily develop a module to do this if the resources in 3CX are available? (3CX admins feel free to clarify). Regards
     
    HH60 likes this.
  3. HH60

    Joined:
    Nov 29, 2016
    Messages:
    16
    Likes Received:
    5
  4. SupportRequestor

    Joined:
    Mar 23, 2016
    Messages:
    29
    Likes Received:
    11
    On the note of security concerns over password reveals, the account used for LDAP queries has its password in the clear in the parameters section.
     
  5. BayMitch

    Joined:
    Sep 3, 2013
    Messages:
    13
    Likes Received:
    5
    LDAP integration is also important from the perspective of security.
    For us, +1
     
  6. Network Emad

    Joined:
    Oct 27, 2017
    Messages:
    33
    Likes Received:
    3
    Dear, is there any software that synchronizes 3CX Pro and Active Directory? I don't want to use the import AD option. I think there are different ways to make this integration between AD users and the 3CX users list active. If I disabled any user in Active Directory, it would be disabled in 3CX and the client would not be able to use his IP phone because this user is disabled in Active Directory.
     
    Phillip Horn and craigreilly like this.
  7. narkumas

    narkumas New Member

    Joined:
    Nov 28, 2016
    Messages:
    227
    Likes Received:
    29
  8. mtech1

    Joined:
    Jan 25, 2010
    Messages:
    28
    Likes Received:
    5
  9. RogerS

    Joined:
    Dec 12, 2017
    Messages:
    13
    Likes Received:
    10
    This Active Directory integration is necessary for phone provisioning, but also SAML authentication. The availability of this integration would be a great step ahead for the 3CX solution.
     
  10. Silly English Kniggit

    Joined:
    Sep 13, 2017
    Messages:
    220
    Likes Received:
    85
    I agree that this would ease the issues around adoption of the webclient.
     
    techclarity likes this.
  11. PaulusAgung

    Joined:
    Feb 16, 2018
    Messages:
    3
    Likes Received:
    1
  12. techclarity

    Joined:
    Nov 14, 2014
    Messages:
    98
    Likes Received:
    48
    Exactly. We have not really pushed the web client to our clients because we do not want to have to deal with another password that users will forget.
     
  13. DocTechAZ

    Joined:
    Nov 17, 2017
    Messages:
    50
    Likes Received:
    14
    I don't expect this will be seen any time soon, as integrating this with the complex account structure 3CX currently uses would be a much larger hassle than I think you may realize. There are open-source implementations of LDAP, yes; however, those would still need to be further adapted to bridge the gap.

    We're not talking about linking LDAP accounts with Unix/Linux accounts, which is trivial in most distros; we're talking about a proprietary account system which 3CX uses.

    If anything, a sync tool might be simpler. But I definitely won't be holding my breath for it.
     
  14. Jason Spruill-Jenkins

    Joined:
    May 8, 2017
    Messages:
    4
    Likes Received:
    1
    You could use LDAP for just authentication and to read from, which should be pretty simple to configure and set up.

    If you use the workflow of User in LDAP, Provision Phone, User logs in, you can achieve this by a basic LDAP query in the UI: when you make an extension, make a "Select user from LDAP" button, which will pull attributes like name, e-mail, etc. You give them an extension and it shoots off the e-mail, allowing the user to then log in to the web UI with the samaccountname, and it will check the password against LDAP and give a pass/fail.

    If you wanted to take it a few steps farther, you could have it read from AD for disabled accounts in, like, a cron job or Windows scheduled task; you could also check to see if the account still exists at all as well.

    If you took this approach, adding two items to the current user table should be all that is needed: 1. samaccountname / login, 2. a Boolean field to denote that extension to use LDAP auth.

    If you wanted to get all crazy with it, you could add in write-back ability with a mapping feature, like with the SIP header mappings, where the DID can write back to Office Phone; the extension could write back to a field as well on creation or update.
     
    Phillip Horn likes this.
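
The workflow proposed in the post above (two extra fields per extension, a password check against LDAP, and a scheduled check for disabled or deleted AD accounts), sketched as an added example that is not part of the original thread and not 3CX code. All class and function names are hypothetical and the directory data is constructed; `userAccountControl` and its `ACCOUNTDISABLE` bit (0x2) are the real Active Directory attribute.

```python
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # bit in Active Directory's userAccountControl attribute

@dataclass
class Extension:               # hypothetical row of the PBX user table
    number: str
    sam_account_name: str      # field 1 proposed in the post
    use_ldap_auth: bool        # field 2 proposed in the post
    enabled: bool = True

def escape_filter_value(value):
    """Escape per RFC 4515 so a typed login name cannot rewrite the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def ldap_filter_for(login):
    return '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter_value(login)

def may_attempt_bind(login, password):
    # A simple bind with a name but an empty password is an "unauthenticated
    # bind" (RFC 4513) that a server may accept, so never treat it as a pass.
    return bool(login.strip()) and bool(password)

def reconcile(extensions, directory):
    """Scheduled-task step: disable LDAP-backed extensions whose AD account is
    disabled or no longer exists. Returns the extension numbers it changed."""
    changed = []
    for ext in extensions:
        if not ext.use_ldap_auth or not ext.enabled:
            continue           # local-password or already-disabled extensions
        entry = directory.get(ext.sam_account_name.lower())
        if entry is None or int(entry['userAccountControl']) & ACCOUNTDISABLE:
            ext.enabled = False
            changed.append(ext.number)
    return changed

# Constructed sample data: sAMAccountName -> attributes as an LDAP search returns them.
DIRECTORY = {
    'alice': {'userAccountControl': '512'},   # normal account
    'bob':   {'userAccountControl': '514'},   # 512 | ACCOUNTDISABLE
}
EXTENSIONS = [
    Extension('100', 'alice', True),
    Extension('101', 'bob', True),
    Extension('102', 'carol', True),          # deleted from AD
    Extension('103', 'dave', False),          # local password, left alone
]

if __name__ == '__main__':
    print(ldap_filter_for('j*(smith)'))
    print(reconcile(EXTENSIONS, DIRECTORY))
```
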
  15. Jean-Francois Godbout

    Joined:
    Jul 5, 2017
    Messages:
    5
    Likes Received:
    0
  16. palmaz

    Joined:
    Aug 22, 2017
    Messages:
    43
    Likes Received:
    13
    We are a prospective client of 150 users, and this is a big issue for us too. AD authentication would be excellent. Many competitor PABXs already have this.
     
  17. Phillip Horn

    Joined:
    Sep 1, 2017
    Messages:
    12
    Likes Received:
    3
    Active Directory integration or Office365 integration would be phenomenal! I'm still searching for a basic script that I could use to add or change extensions based on AD accounts, but I haven't been successful. We're cautious about deploying the webclient in our environment as well, because we can't even get our helpdesk guys to remember their password - I'd hate to try it with hundreds of users.
    At the very least, a password sync from AD to 3CX web client for extension matches in AD would go a long way. We create users in an ERP system and then a script creates the AD account. If we could add 3CX accounts to the script and then sync the passwords, wow. Better still an automatic sync from 3CX to AD.. Or use LDAP to look authenticate rather than a 'local' password..
     
  18. Figment

    Joined:
    Apr 5, 2018
    Messages:
    4
    Likes Received:
    0
  19. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,321
    Likes Received:
    253
    Unless you are clearing the cache each night on the web browser, the webclient remembers the login.
     
  20. sentrianjames

    Joined:
    Feb 19, 2018
    Messages:
    15
    Likes Received:
    2