Kerberize FreePBX Admin Console

Continuing my quest to kerberize everything I can, I’ve added FreePBX web-based administration to the list. I hadn’t really looked into kerberizing FreePBX because I had just assumed it would involve source code patching and endless debugging to get it working. Turns out that support for HTTP auth is baked in! /var/www/html/admin/libraries/gui_auth.php contains a case statement which looks for a setting to define the authentication source as either “database” or “webserver”. I headed over to /etc/amportal.conf and made the change to “AUTHTYPE”, restarted amportal, but no dice. I opened /etc/amportal.conf again only to see my setting overwritten; the settings must be in the MySQL database used by FreePBX. The following will let you see the current value, along with a useful description…

SELECT * FROM asterisk.freepbx_settings WHERE keyword='authtype';

Authentication type to use for web admin. If type set to “database”, the primary AMP admin credentials will be the AMPDBUSER/AMPDBPASS above. When using database you can create users that are restricted to only certain module pages. When set to “none”, you should make sure you have provided security at the Apache level. When set to “webserver”, FreePBX will expect authentication to happen at the Apache level, but will take the user credentials and apply any restrictions as if it were in database mode.

For my needs, I selected “none”…

UPDATE asterisk.freepbx_settings SET value='none' WHERE keyword='authtype';

I set my /var/www/html/admin/.htaccess file to allow my domainadmins and admins_phone LDAP groups to be required for access. I put a freshly baked keytab in place, verified my LDAP lookups were working and, voila, it worked! Hope this helps someone else.
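For illustration, an .htaccess along the lines described above. This is an added example, not the author's actual file. It assumes Apache 2.4 with mod_auth_gssapi and mod_authnz_ldap; the keytab path, LDAP host and base DNs are constructed placeholders, and only the two group names come from the post.

```apache
# /var/www/html/admin/.htaccess (sketch; all hosts, DNs and paths below are placeholders)

# Kerberos (SPNEGO) authentication via mod_auth_gssapi
AuthType GSSAPI
AuthName "FreePBX Administration"
# Keytab holding the HTTP/<fqdn>@REALM service principal (placeholder path)
GssapiCredStore keytab:/etc/httpd/conf/http.keytab
# Refuse to negotiate over plain HTTP
GssapiSSLonly On
# Map user@REALM to the bare user name so the LDAP uid filter below matches
GssapiLocalName On

# LDAP is used for authorization only: find the authenticated user's entry,
# then test group membership (placeholder server and search base)
AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On

# Membership in either group grants access; everyone else is denied
<RequireAny>
    Require ldap-group cn=domainadmins,ou=groups,dc=example,dc=com
    Require ldap-group cn=admins_phone,ou=groups,dc=example,dc=com
</RequireAny>
```

The directory needs AllowOverride AuthConfig in the server configuration for these directives to take effect. With authtype set to “none”, this file is the only access control in front of the admin console, so confirm that an unauthenticated request to /admin/ is rejected before relying on it.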
