NethVoice: PBX Report login fails (401 Unauthorized) for external AD users while CTI login works

[viktec]

Description

A user authenticated via external Active Directory can successfully log in to CTI, but cannot log in to PBX Report (/pbx-report). PBX Report returns 401 Unauthorized and the backend logs show PAM authentication failed ... exit status 49 (ldap_bind: Invalid credentials (49)), suggesting a bug/inconsistency in the reports authentication flow compared to CTI.

Steps to reproduce

1. Configure NethVoice with an external AD/LDAP as authentication source.
2. Ensure an AD user has “password never expires” and CTI access works.
3. Ensure the related CTI profile grants CDR permissions.
4. Open https://host.example.com/pbx-report and attempt login with the same AD credentials used for CTI.
5. Observe the login request to POST /pbx-report-api/login.

Expected behavior

User can log in to PBX Report using the same credentials that work for CTI.

Actual behavior

PBX Report login fails with 401 Unauthorized and UI error incorrect Username or Password.

Browser console shows:

POST https://host.example.com/pbx-report-api/login 401 (Unauthorized)
{message: 'incorrect Username or Password'}

Server journal shows:

reports-api: PAM authentication failed for user firewall: exit status 49
reports-api: [GIN] ... | 401 | ... | POST "/login"

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090527, comment: AcceptSecurityContext error, data 52e, v4563
exit=49

[edospadoni]

Testing image:

• ghcr.io/nethesis/nethvoice:fix-ldap-auth-ad-domain

Install command:

• api-cli run update-module --data '{"module_url":"ghcr.io/nethesis/nethvoice:fix-ldap-auth-ad-domain" , "instances":["nethvoice<ID>"], "force": true}'

[viktec]

verified