FOP2 Manager Access and Login Issue

  1. 4 years ago

    I've been successfully using FOP Version 2.28 (final) for CentOS and FOP2 Manager 1.0.4 and all has been great... until recently. FOP2 coexists on PBX in a Flash based Asterisk (Ver. 11.4.0).

    Just recently I've noticed access to FOP2 Manager works intermittently from select PC's. I'm prompted to log in and all attempts return a message of "Invalid Credentials".

    At the same time, I've noticed FOP2 Manager "can never be accessed" from select other PC's even though some others still can. All PC's are on the same internal network subnet and the symptom outlined is experienced regardless of the browser type used. I've tried Firefox, IE and Chrome from all PC's with the same exact results. Again, some PC's can successfully access FOP2 Manager while others cannot. At other times none of my PC's can access FOP2 Manager. I'm prompted to log in and all possible credentials fail.

    I've checked the FOP2.cfg and manager.conf files and all appears to be correct based on the FOP2 installation instructions. This particular system never used FOP1 and as stated everything has been fine until just recently.

    I've run the following commands and received the results shown. I "assume" the bind: Address already in use at script/fop2_server.pl line 11308 message is not normal.

    I've performed the usual, stop and restart FOP2, rebooting the entire server, PC's, clearing my browser cache and cookies, etc. The FOP2 client interface works fine. Only the FOP2 Manager experiences this condition.

    I welcome thoughts on how I may overcome this both intermittent and consistent FOP2 Manager failure. Thank you!

    root@pbxinaflash:~ $ /usr/local/fop2/fop2_server --test
    Flash Operator Panel 2 - White Label Version.
    Flash Operator Panel 2 - Valid License (7)

    Connection to manager OK!

    root@pbxinaflash:~ $ /usr/local/fop2/fop2_server -X 3
    Flash Operator Panel 2 - White Label Version.
    bind: Address already in use at script/fop2_server.pl line 11308.

  2. admin

    6 Mar 2015 Administrator

    Hi,

    The fop2 manager is a php application, totally independent from FOP2 itself. Restarting FOP2, running --test, trying to start it in debug, or anything like that, will not affect at all the access to the fop2 manager page.

    The bind address already in use you see is because FOP2 *is already* running, and you attempt to start another instance. That is not allowed, and it says so. It is also normal, you have to stop the running instance if you want to start it in debug mode without detaching from the console.

    Anyways, as I said before, the fop2 server in itself does not have anything to do with the ability to load the manager pages. Invalid credentials means what it means, and it does not make sense that you can access it from some machine/browser, and you can't do it from a different one. It is a web based application, ability to log or not is not dependant on the browser... you might need to enable cookies, not sure what would happen if cookies are not allowed... check that you do enable/allow cookies for that domain on those failing browsers.

    Best regards,

  3. Thank you for the response. I've made sure cookies are allowed on all PC's and browsers but continued to experience the issue described.

    While investigating further, the situation has unfortunately changed for the worse. Now none of the PC's on the same local subnet as the server can access FOP2 Manager using http://myserveripaddress/fop2/admin/. Every PC and browser is now prompted to log in as reflected within the attached screen shot. I've attempted to log in using all possible user names and passwords and receive an "Invalid Credentials" message as shown in the second screen shot also attached.

    Here's the general section from my current fop2.cfg file.

    [general]
    ; AMI definitions
    ; manager_host=localhost
    manager_host=127.0.0.1
    manager_port=5038
    manager_user=fop2
    manager_secret=myfop2secrethere
    ;event_mask=agent,call,command,system,user,dialplan

    Here's the FOP2 related sections from my current manager.conf file.

    [general]
    enabled = yes
    port = 5038
    bindaddr = 127.0.0.1

    [fop2]
    secret = myfop2secrethere
    deny = 0.0.0.0/0.0.0.0
    permit = 127.0.0.1/255.255.255.0
    read = all
    write = all
    writetimeout = 1000
    eventfilter=!Event: RTCP*
    eventfilter=!Event: VarSet
    eventfilter=!Event: Cdr
    eventfilter=!Event: DTMF
    eventfilter=!Event: AGIExec
    eventfilter=!Event: ExtensionStatus
    eventfilter=!Event: ChannelUpdate
    eventfilter=!Event: ChallengeSent
    eventfilter=!Event: SuccessfulAuth

    [admin]
    secret = myadminsecrethere
    deny=0.0.0.0/0.0.0.0
    permit=127.0.0.1/255.255.255.0
    read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
    write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
    writetimeout = 5000

    I read the following post and confirmed the group and owner of the /var/lib/php/session folder is asterisk asterisk. The current permissions on that folder is rwxrwx---.

    http://forum.fop2.com/3847-no-manager-login-anymore/0

    I completely understand your point that FOP2 Manager is a PHP application and should simply work from any internal PC or browser. At one point it did but it no longer does.

    I've been trying to figure out what would cause FOP2 Manager to prompt for credentials. Are there any logs I can view that might provide some insight?

    Thanks again.

  4. admin

    7 Mar 2015 Administrator

    What user/password are you using in the manager? Credentials for it are different than to login to the fop2 panel itself, it will use the FreePBX credentials if use_freepbx_auth is set to true in config.php, or it will use its own user/pass defined on that same config.php page if you do not use freepbx or the former setting is set to false.

    Anyways, if you cannot login from ANY machine, that is actually a good sign ,and an indication of that what you might have broken is not related to fop2 manager at all, but to your php sessions. Check your apache error log file, and look for session errors/problems.

    It is surprisingly usual when using some ready made distros, where they offer an apache web server that runs under the "asterisk" user, that is different from the regular distro web server that usually has a special user like nobody, www-data, or similar. Whe those systems update apache or php via yum or repositories, they might install the original distro package and not the modified asterisk distro one, so files and directories change ownership back to apache, www-data or whatever. However, the configuration file remains the same and runs under 'asterisk'. That effectively breaks php session handling

    The fix is usually changing ownership of the session variable, something like:

    chown asterisk.asterisk /var/lib/php/session

    Best regards,

  5. admin

    7 Mar 2015 Administrator

    What user/password are you using in the manager? Credentials for it are different than to login to the fop2 panel itself, it will use the FreePBX credentials if use_freepbx_auth is set to true in config.php, or it will use its own user/pass defined on that same config.php page if you do not use freepbx or the former setting is set to false.

    Anyways, if you cannot login from ANY machine, that is actually a good sign ,and an indication of that what you might have broken is not related to fop2 manager at all, but to your php sessions. Check your apache error log file, and look for session errors/problems.

    It is surprisingly usual when using some ready made distros, where they offer an apache web server that runs under the "asterisk" user, that is different from the regular distro web server that usually has a special user like nobody, www-data, or similar. Whe those systems update apache or php via yum or repositories, they might install the original distro package and not the modified asterisk distro one, so files and directories change ownership back to apache, www-data or whatever. However, the configuration file remains the same and runs under 'asterisk'. That effectively breaks php session handling

    The fix is usually changing ownership of the session variable, something like:

    chown asterisk.asterisk /var/lib/php/session

    Best regards,

  6. Edited 4 years ago by admin

    I've tried User: fop2admin Password: fop2admin as defined in /var/www/html/fop2/admin/config.php. I've also tried my normal PBX in a Flash / FreePBX credentials as well as all other accounts defined in manager.conf and manager_custom.conf.

    I've tried using both the internal host name as well as the server IP address. No change in FOP2 Manager behavior.

    I can successfully log in to the PBX in a Flash FreePBX interface just fine. All PC's and browsers being used can access all other applications and websites without issue, both internal and external.

    I've attached the associated access logs from within /var/log/httpd for your review. Nothing stood out to me. The error_log had nothing to report.

    By the way, I'm again experiencing intermittent FOP2 Manager access issues again. While typing this message I used a separate Firefox browser tab to perform another FOP2 Manager attempt and it worked. I closed that session and tried again from the same PC using IE and Chrome and they both prompted me to log in and failed. I then opened another Firefox tab and it failed there as well. This condition is only experienced when I access the FOP2 Manager interface.

    I've confirmed the /var/lib/php/session folder has asterisk as the owner (see attached). I also ran chown asterisk.asterisk /var/lib/php/session without any change in this behavior.

    Here are the access logs. Any other thoughts? Thank you!

  7. admin

    9 Mar 2015 Administrator

    Be careful on what you post, you might be disclosing sensitive information in a public forum. What do you have in config.php for the use_freepbx_auth define ? Set it to false if you want to log with fop2admin/fop2admin. What do you have there?

  8. Thank you for the post warning.

    Interesting. After changing the define('USE_FREEPBX_AUTH',true); to define('USE_FREEPBX_AUTH',false) attempting to access FOP2 Manager from any PC and browser does not present the login page, but it also doesn't present the FOP2 Manager page. Internet Explorer reports HTTP 500 The website cannot display the page •The website is under maintenance. •The website has a programming error. Firefox and Chrome simply present a blank page. Changing back to define('USE_FREEPBX_AUTH',true); again prompts me to log in to FOP2 Manager. As experience before, all credentials used come back as invalid. Hopefully this offers a hint as to what might be wrong.

    Thanks

  9. admin

    9 Mar 2015 Administrator

    If you see a blank page or a 500 error, then there MUST be a log line for php errors on your system, that is defined in php.ini itself. It is usually logged in the apache error_log file, so, as I pointed before, please look at your apache error log for possible php errros. I still suspect you have session permission issues in php of some sort, or maybe even you introduced some kind of syntax error when typing 'false' on that define line.

  10. It appears I did have a syntax error when I tried using define('USE_FREEPBX_AUTH',false). I just noticed the commented out entry I left in the file omitted the semicolon at the end. That was my error and it did create an entry the error_log file as one would suspect. I should have checked.

    I've since corrected the syntax issue and have it set to define('USE_FREEPBX_AUTH',false);. I'm again presented with the Fop2 Manager log in page but can now successfully log in using the admin credentials defined within /var/www/html/fop2/admin/config.php. I can now log into FOP2 Manager from all PC's and browsers that previously failed.

    It appears FOP2 is having difficulty detecting FreePBX. My PBX in a Flash system is currently running FreePBX 2.11.0.42.

  11. I subsequently noticed the following entries in my err_log file since changing to define('USE_FREEPBX_AUTH',false);. I'm not sure if these are somehow related.

    [Mon Mar 09 05:07:19 2015] [error] [client ::1] script not found or unable to stat: /var/www/cgi-bin/awstats.pl
    [Mon Mar 09 05:14:37 2015] [notice] caught SIGTERM, shutting down
    [Mon Mar 09 05:18:47 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Mon Mar 09 05:18:47 2015] [notice] Digest: generating secret for digest authentication ...
    [Mon Mar 09 05:18:47 2015] [notice] Digest: done
    [Mon Mar 09 05:18:47 2015] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations
    [Mon Mar 09 05:37:49 2015] [error] [client 192.168.1.194] script not found or unable to stat: /var/www/cgi-bin/awstats.pl

  12. admin

    10 Mar 2015 Administrator

    I do not think the manager has issues, but you might not be using the freepbx users mechanism for authentication (auth type database)

    What is the output of this mysql query? (If you get results, do not post the sha1 pass, change it for xxxx)

    mysql -p asterisk -e "select * from ampusers"

    Best regards,

  13. When running that command it prompts me for the mysql password. Once the mysql password is entered the following is returned. I intentionally removed the sha pass.

    +-----------------+-----------------------------------------------+-----------------------+------------------------+-----------------+--------------+
    | username | password_sha1 | extension_low | extension_high | deptname | sections |
    +-----------------+-----------------------------------------------+-----------------------+------------------------+-----------------+---------------+
    | admin | | | | | * |
    +-----------------+-----------------------------------------------+-----------------------+-------------------------+-----------------+--------------+

  14. admin

    10 Mar 2015 Administrator
    Edited 4 years ago by admin

    Try this, using your admin password and compare the result to the stored password_sha1 field

    mysql -u root -p asterisk -e "select sha1('mypassword')"

    Do they match?

    My guess is that you are not using database based auth in freepbx, but .htaccess file based, and password stored in the DB is not the one stored in .htaccess , or something to that effect.

    In any case, just leave the use_freepbx_auth set to false and set whatever user/password you want in the config.php.

    Best regards,

  15. I receive two different sha1 results when invoking mysql -p asterisk -e "select * from ampusers" compared to invoking mysql -u root -p asterisk -e "select sha1('myadminpasswordhere')".

    Regardless, I'll simply leave the use_freepbx_auth setting to false in the config.php file and define a password of choice as suggested. All is good as long as I can access FOP2 Manager.

    Thank you very much for the outstanding support!

  16. admin

    10 Mar 2015 Administrator

    As I have suspected, you are NOT using freepbx database based authentication, and that is why the password you tried did not work. If you change the sha1 password in the users table, then it will work. It is not a problem with the fop2 manager in itself, so there is nothing to fix on it.

    Best regards,

or Sign Up to reply!