Howto13r1:LDAP IP Phones Directory Services via Reverse Proxy
This article describes how to enable LDAP search on innovaphone IP phones that are registered via the Reverse Proxy.
Status per default after Install
Currently, by default, IP phones registered via the Reverse Proxy are NOT able to search the PBX users or the external LDAP resource (for example the Contacts database). To enable the LDAP search on the phones, some manual modifications are required.
Steps to do
- Create an LDAP user in the PBX under services, LDAP
- Retrieve the Contacts App username and password.
- Modify the IP Phone or the Template used for the IP Phones that register via the Reverse Proxy.
- Modify the Reverse Proxy entries manually!
Create an LDAP user
Steps to do: Under Services, LDAP, Server
- 1. Create an ldapuser account under Services, LDAP, Server (for example pbx.system.com/ldap-guest)
- 2. Define a secret password and store it in a safe place; you will need it later on. Press OK to save. You can also use the same password as used in step B, because this is the same as used for the default ldap-guest.
Find your Contacts ldap password
Steps to do: In PBX manager, Plugin AP contacts.
- 1. Click on the AP contacts plugin and click Configuration in the right pane.
- 2. Check Display Password (LDAP).
- 3. Copy the password and store it for later use. This password is the same as used for the default ldap-guest.
Create Phone Template or change phone settings
Steps to do: Under Phone, Directories or Template, config, Phone, Directories.
- 1. Check Enable and Use TLS and change the server in the PBX section to pbx.system.com (use your own PBX, domain and system names, for example pbx.yoursystemname.com 😉)
- 2. Port 636 for LDAPS
- 3. Change the username to pbx.system.com/ldapuser (the user created in section a.)
- 4. Enter the password of the ldapuser (created in section a.)
- 5. External LDAP Server: check Enable and Use TLS and enter the server's DNS name apps.system.com
- 6. Port 636 for LDAPS
- 7. Enter the LDAP username, which is the username contacts from the Contacts App
- 8. Enter the password, which is the password copied from the AP contacts plugin
If you created a new template, make sure you assign this template to the appropriate users!
Reverse Proxy manual modifications
In the Reverse Proxy we have to make some manual changes. (After these changes make a backup and DO NOT use the PBX Manager plugin for the Reverse Proxy anymore. Otherwise your manual changes will be broken when saving via the RP plugin.)
This has to be verified because it seems to be OK in V13r1sr8.
In this example the Reverse Proxy runs on the PBX itself and listens on the standard default ports +10. Make sure that on your router/firewall the default ports are redirected to these default ports +10.
Steps to do in the Reverse Proxy:
- 1. Change the apps.system.com line: add LDAPS port 636 and redirect it to the IP address of the App Platform. This redirection is used for the external LDAP user search in the Contacts database on the App Platform.
- 2. Change the line with pbx.system.com: add LDAPS port 636 and redirect it to the IP address of the PBX. This redirection is used for the search in the internal LDAP database (PBX users).
- 3. Change the line with system.com: add LDAPS port 636 and redirect it to the IP address of the App Platform. This redirection is used for the authentication and bind request to the Contacts App.
When opening the Reverse Proxy via the PBX Manager plugin it will be shown as in the following picture.
Directory search on the IP phone
A directory search on the IP phone should now return results from both the PBX internal users and the Contacts database with external contacts.
In example 1 a search is done for kpe, which shows the results from the PBX (upper result) and the results from Contacts (other lines).
In example 2 the search is done for almost the complete name, to show only the line from the external contacts.
The examples also show how you can make an LCD dump of the phone. This is also possible remotely via the Devices App, Admin UI of the phone.
For debugging, if you get no search results, use Wireshark and trace, for example, on the IP phone.
Open the phone's Admin UI, Maintenance, Diagnostic, Tracing and tick the boxes All IPv4 TCP/UDP Traffic, All IPv4 TLS Traffic, Enable RPCAP.
Open the web page of the IP phone https://x.x.x.x/debug.xml and tick the checkbox Directories.
Start the Wireshark trace and capture a directory request from your IP phone.
Filter the data with the filter: tcp.port==636
Find a packet with destination port 636, right-click it, choose Decode As and assign the source and destination port to the LDAP protocol.
Now you should also be able to filter directly on the ldap protocol.
An example of a successful LDAP request is shown in the picture below.