[asterisk-bugs] [JIRA] (ASTERISK-20886) LDAP configuration and documentation updates

Andrew Latham (JIRA) noreply at issues.asterisk.org
Tue Jan 15 21:04:45 CST 2013


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=201111#comment-201111 ] 

Andrew Latham edited comment on ASTERISK-20886 at 1/15/13 9:02 PM:
-------------------------------------------------------------------

Copy and Paste from the wiki comments

By: ismail yenigul
echo "<secret goes here>" | md5sum
must be

echo -n "$username:$realm:$password" | md5sum

otherwise you will not be able to log in with LDAP.

Also, if you do not use the cn=config OpenLDAP feature, you do not have to issue the following command:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ./asterisk.ldif

Instead, add the line

include path/to/schema/asterisk.ldap-schema

to your slapd.conf.

###

Asterisk 11.1.0
Centos 6.3 x86_64
OpenLDAP 2.4

If you want to use the objectClass person/inetOrgPerson together with the Asterisk objectClasses, you have to change the Asterisk objectClass types from STRUCTURAL to AUXILIARY as follows.
Otherwise you will get an "invalid structural object class chain (AsteriskAccount/person)" error message.

objectClass (
AsteriskDialplan
NAME 'AsteriskDialplan'
DESC 'Asterisk Dialplan Information'
SUP top AUXILIARY
MUST ( AstExtension ) )

objectClass (
AsteriskAccount
NAME 'AsteriskAccount'
DESC 'Asterisk Account Information'
SUP top AUXILIARY
MUST ( AstAccountName ) )

objectClass (
AsteriskMailbox
NAME 'AsteriskMailbox'
DESC 'Asterisk Mailbox Information'
SUP top AUXILIARY
MUST ( AstVoicemailMailbox ) )

###

This is a full user LDIF to log in to Asterisk successfully with user 110 and password mypass.

To generate a password for
user: 110
realm: 172.16.45.90 (change to your realm value in sip.conf)
password: mypass

$ echo -n "110:172.16.45.90:mypass" | md5sum
cf570c6603b8567e3138357423ee266c -

Please note this is only to log in to Asterisk. I will give more updates about dial plan, context, etc.

dn: uid=ismail at surgatelabs.com,ou=surgatelabs.com,o=mail,dc=surmail
objectClass: top
objectClass: AsteriskAccount
objectClass: AsteriskExtension
objectClass: AsteriskSIPUser
objectClass: inetOrgPerson
objectClass: person
sn: ismail
mail: ismail at surgatelabs.com
cn: ismail yenigul
uid: ismail at surgatelabs.com
AstAccountName: 110
AstAccountDefaultUser: 0
AstAccountExpirationTimestamp: 0
AstAccountFullContact: 0
AstAccountHost: dynamic
AstAccountIPAddress: 0
AstAccountLastQualifyMilliseconds: 0
AstAccountPort: 0
AstAccountRegistrationServer: 0
AstAccountType: 0
AstAccountUserAgent: 0
AstExtension: 110
AstAccountRealmedPassword: {md5}cf570c6603b8567e3138357423ee266c

sip.conf:

realm=172.16.45.90

---

extconfig.conf

sippeers => ldap,"dc=surmail",sip
sipusers => ldap,"dc=surmail",sip

--

res_ldap.conf file:

[sip]
name = AstAccountName       ; We use the "cn" as the default value for name on the line above
                ; because objectClass=AsteriskSIPUser does not include a uid as an allowed field
                ; If your entry combines other objectClasses and uid is available, you may
                ; prefer to change the line to be name = uid, especially if your LDAP entries
                ; contain spaces in the cn field.
                ; You may also find it appropriate to use something completely different.
                ; This is possible by changing the line above to name = AstAccountName (or whatever you
                ; prefer).
                ;
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
directmedia = AstAccountDirectMedia
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = AstAccountFullContact
fullcontact = gecos
host = AstAccountHost
insecure = AstAccountInsecure
mailbox = AstAccountMailbox

md5secret = AstAccountRealmedPassword          ; Must be an MD5 hash. Field value can start with{md5} but it is not required.
                                                ; Generate the password via the md5sum command, e.g.
                                                ; echo "my_password" | md5sum

nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
ipaddr = AstAccountIPAddress
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
lastms = AstAccountLastQualifyMilliseconds
additionalFilter=(objectClass=AsteriskSIPUser)

###

Asterisk changes the following LDAP attributes, so you must define these attributes while you are creating a user account in LDAP. If you don't define these attributes you will get a log message about updating account info in the Asterisk logs.

attr=AstAccountIPAddress AstAccountPort AstAccountExpirationTimestamp AstAccountDefaultUser AstAccountUserAgent AstAccountLastQualifyMilliseconds AstAccountFullContact

Another problem is with the default res_ldap.conf: you have to disable the fullcontact = gecos line
and add a useragent LDAP mapping as follows.

fullcontact = AstAccountFullContact
;fullcontact = gecos
useragent = AstAccountUserAgent

###

Also, the following lines in res_ldap.conf.example are wrong. The attrs in red do not exist in the asterisk.ldap-schema file.

; Extensions Table
;
[extensions]
context = AstExtensionContext
exten = AstExtensionExten
priority = AstExtensionPriority
app = AstExtensionApplication
appdata = AstExtensionApplicationData
additionalFilter=(objectClass=AstExtension)

The correct values:

[extensions]
context = AstContext
exten = AstExtension
priority = AstPriority
app = AstApplication
appdata = AstApplicationData
additionalFilter=(objectClass=AsteriskExtension)
                
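As an added illustration of the md5 note above (not code from the wiki comment, the ticket or Asterisk), this Python computes the realmed HA1 value that belongs in AstAccountRealmedPassword and then checks a SIP Digest REGISTER response against it the way a server holding only that value would; the check only succeeds when the stored value is MD5(user:realm:password) with no trailing newline. The function names and the nonce are assumptions.

```python
import hashlib
import secrets

# Added example; function names and the nonce value below are our own.

def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def realmed_password(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:pass): the value res_ldap expects in md5secret
    (AstAccountRealmedPassword).  Same as:
        echo -n "$username:$realm:$password" | md5sum
    No trailing newline is hashed, which is why the -n matters."""
    return md5hex(f"{username}:{realm}:{password}")

def ldif_attribute(username: str, realm: str, password: str) -> str:
    """Attribute line for the user LDIF, with the optional {md5} prefix."""
    return f"AstAccountRealmedPassword: {{md5}}{realmed_password(username, realm, password)}"

def parse_realmed(value: str) -> str:
    """Strip an optional {md5} prefix and check the digest is well formed."""
    v = value.strip()
    if v[:5].lower() == "{md5}":
        v = v[5:]
    v = v.lower()
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        raise ValueError("md5secret must be a 32-character MD5 hex digest")
    return v

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop, as a SIP phone computes it from HA1."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def verify_register(stored_value: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Server side: only HA1 from LDAP is needed, never the plaintext password.
    A hash over the bare password (echo without -n, no realm) can never match."""
    expected = digest_response(parse_realmed(stored_value), method, uri, nonce)
    return secrets.compare_digest(expected, response)

if __name__ == "__main__":
    user, realm, pw = "110", "172.16.45.90", "mypass"   # values from the wiki comment
    nonce, uri = "1b7f2a9c", f"sip:{realm}"              # constructed challenge
    resp = digest_response(realmed_password(user, realm, pw), "REGISTER", uri, nonce)
    print(ldif_attribute(user, realm, pw))
    print("realmed entry ok:", verify_register(ldif_attribute(user, realm, pw).split(": ", 1)[1],
                                               "REGISTER", uri, nonce, resp))
    print("echo without -n ok:", verify_register(md5hex(pw + "\n"), "REGISTER", uri, nonce, resp))
```

Feeding the wiki comment's own values (110, 172.16.45.90, mypass) to realmed_password lets you compare the result against the md5sum output shown above.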
> LDAP configuration and documentation updates
> --------------------------------------------
>
>                 Key: ASTERISK-20886
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20886
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Resources/res_config_ldap
>    Affects Versions: SVN
>         Environment: Linux with LDAP service.
>            Reporter: Andrew Latham
>            Assignee: Andrew Latham
>            Severity: Minor
>
> Ismail Yenigul added several notes related to issues with LDAP Realtime to the wiki.  This ticket is to track and update the documentation for these discoveries.  Testing with various LDAP servers would be needed before commit.
> https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver
