[asterisk-users] Realtime LDAP passwords

Gavin Henry gavin.henry at gmail.com
Tue Jun 2 15:04:14 CDT 2009


Where do they currently change their password? If it's somewhere you
control, why not add some to create the realmed password?

Gavin.

On 02/06/2009, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> Hello, all.  I'm afraid I've been dropped into the deep end even though
> I am an Asterisk novice.  I've set up a few tiny, tiny systems in the
> past and have now been asked to pull together Asterisk, FreePBX,
> Kamailio, RTPProxy, and Fedora Directory Server into a VoIP service.
>
> After googling and reading for most of the last 24 hours, I finally have
> my head around the components and how they work but am a little stumped
> by password synchronization using existing LDAP accounts.  Maintaining
> separate accounts with a shared database between Kamailio and Asterisk
> seems quite reasonable.  Integrating with the existing LDAP database
> seems like much more of a challenge.
>
> I did find
> http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
> and
> http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/
> very helpful.
>
> For security reasons, we keep internal UIDs different from public email
> IDs.  Thus, we might use john.doe internally and jd at example.com for
> email.  Since it is a multi-tenant environment, I'd imagine we will use
> the Kamailio domain module, make the SIP domain match the email domain,
> and use the email user portion of the email address as the SIP ID.  I
> think this is straightforward using LDAP and Kamailio as we would query
> LDAP for the email address and have it return the password.
>
> Asterisk seems a little trickier.  I've looked at the schema extensions
> and it looks like we add an auxiliary objectclass of AstSIPUser.  I
> suppose we would add this objectclass to a structural inetOrgPerson
> object.  We could then use the email name for the AstAccountName (or
> whatever the actual attribute is) but the password befuddles me.
>
> I notice we add an AstAccountRealmedPassword attribute.  I suppose this
> is because of the need to furnish SIP a hash derived from
> username:realm:password.  We would prefer our users only need to change
> their passwords in one place.  Is there any way besides deploying
> something like IPA to have Asterisk use the regular posix password
> stored in LDAP rather than a separate AstAccountRealmedPassword?
>
> I'm looking forward to diving in; I just wish it was with a little less
> time pressure! Thanks - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society

-- 
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
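
Added example, not part of the original thread or either poster's code: a sketch of the suggestion above, deriving the realmed password (digest HA1, MD5 of username:realm:password) at the moment the cleartext is available and writing it in the same LDAP modify as the login password. Assumptions: the attribute is spelled AstAccountRealmedPassword as in the thread, the realm equals the SIP domain, the directory hashes a cleartext userPassword on write, and the DN, user and password are constructed sample values.

```python
import base64
import hashlib
import hmac

# Attribute name as written in the thread; the poster was unsure of the exact spelling.
REALMED_ATTR = "AstAccountRealmedPassword"

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def realmed_password(sip_user, realm, password):
    """Digest HA1 = MD5(username:realm:password), the value SIP digest auth needs."""
    return _md5(f"{sip_user}:{realm}:{password}")

def password_change_ldif(dn, sip_user, realm, password):
    """One LDIF modify replacing the login password and the realmed hash together.

    The cleartext is base64-encoded ("::") so colons, spaces and non-ASCII survive.
    """
    b64 = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword:: {b64}",
        "-",
        f"replace: {REALMED_ATTR}",
        f"{REALMED_ATTR}: {realmed_password(sip_user, realm, password)}",
        "",
    ])

def digest_response(ha1, method, uri, nonce, qop=None, nc="", cnonce=""):
    """RFC 2617 response, computed from the stored HA1 alone (no cleartext needed)."""
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify(ha1, received, method, uri, nonce, **kw):
    """Constant-time comparison of the client's response with the expected one."""
    expected = digest_response(ha1, method, uri, nonce, **kw)
    return hmac.compare_digest(expected, received.lower())

if __name__ == "__main__":
    # Constructed sample values: internal UID john.doe, SIP ID jd, realm example.com.
    print(password_change_ldif("uid=john.doe,ou=People,dc=example,dc=com",
                               "jd", "example.com", "s3cret: pa55"))
```

The realmed value is password-equivalent for SIP within its realm and cannot be derived from a salted userPassword hash, so it has to be written at change time and deserves the same read ACL as userPassword.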


