SOLVED Setup LDAP with TLS for User Authentication


Sep 12, 2017
I've seen hints that FusionPBX supports the use of LDAP for user authentication (not necessarily for adding to dialplan stuff). I was wondering how might we enable a feature like this?


Sep 12, 2017
Since there's literally no documentation on the topic of LDAP user authentication, nor on FusionPBX Authentication Plugins in general, I set out to learn it the hard way! After three solid days of studying and experimenting with the PHP behind FusionPBX, I've come up with a solution that works for us! The LDAP plugin that comes with FusionPBX was not sufficient for us because it doesn't use TLS to communicate with the LDAP server, it uses the DN of the user instead of the sAMAccountName + domain name when binding to the server, and it doesn't create a real contact for the user when the user is added to the system.

So here's a summary of features/functionality with my plugin:
  • Starts a TLS connection before the binding attempt
  • Attempts binding with a username format of <sAMAccountName>@<domain> (useful when users log in with a username that is different from their CN)
  • Creates a user in FusionPBX so you can do things like linking an extension to them, etc.
  • Creates a real contact for the user in FusionPBX that includes first name, last name, and email address
  • Provides option to specify what group a user should be added to when they're created in the FusionPBX database by the plugin
  • It does not update information about the user when the respective account is changed in AD DS. The only exception is the password, which is re-checked every time the user logs in. If a username changes, this plugin will create a new account in FusionPBX.
It's based on the LDAP authentication plugin that comes with FusionPBX. So thanks to whoever contributed to that! (I saw no indication in the file of who did)
Some basic legal stuff: I have not thoroughly tested this code. I provide no guarantee with this code. I won't be held liable for any undesirable results from using it. If anyone has any improvements, please share!

To use this plugin:
  1. Download the attached zip folder, extract the php file from it and place it in <FusionPBX root dir>/core/authentication/resources/classes/plugins/
  2. Configure LDAP in the operating system (I used info from this post:
  3. In FusionPBX > Advanced > Default Settings, add/edit the following entries (format: <Category>, <Subcategory>, <Type>, <Value>, <Order, if applicable>):
    • authentication, methods, array, msad_ldap, 000
    • authentication, methods, array, database, 001 (VERY IMPORTANT! This ensures you still have access to the built-in admin account(s)!)
    • ldap, default_user_type, text, (what kind of user they should be when first created, e.g. user)
    • ldap, msad_domain, text, (AD DS domain in which to search for the username sent to FusionPBX)
    • ldap, server_host, text, (LDAP server IP address or hostname)
    • ldap, server_port, numeric, (LDAP server's port, usually 389)
    • ldap, user_attribute, text, (account's username attribute, usually sAMAccountName)
    • ldap, user_dn, text, (DN of where users are located in the directory, used when finding the name and email values for creating the contact in FusionPBX)
  4. Restart nginx (it seemed like I might have needed to restart the whole system, so do that if you can, just to be sure)
  5. Verify authentication!
If you're having authentication issues, it's most likely related to the TLS configuration part of connecting to the LDAP server. I haven't worked with that part of our set up in quite some time, so I'm afraid I can't help you troubleshoot that (that's outside of the scope of this forum, anyway). I will say that you can verify that TLS is the issue by commenting line #53 in my plugin (the one that starts TLS) and seeing if that allows you to authenticate. You can also use the example PHP file is step 5 of the comment I liked to in step 2 above. And as always, when in doubt, reboot. ;-)



    2.2 KB · Views: 102


New Member
Jul 1, 2021
FWIW, this still appears to work. The only thing that tripped me up was choosing port 636 instead of 389, having TLS on the brain lately.