[asterisk-users] Realtime LDAP passwords

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Jun 2 15:19:08 CDT 2009


<grin> OpenLDAP isn't an option. And thanks very much for all the
responses.  I've not had a chance to mock it up yet and see how it works
hands on.  I am planning that the users ultimately interface SIP to
Kamailio and use Asterisk for the call tree, voice mail, conference,
etc.  I was assuming they would need to authenticate to Asterisk as well
as Kamailio but I suppose it may be more a matter of Asterisk trusting
Kamailio rather than the individual users.  I would also assume voice
mail passwords will be very different from user passwords as they should
be designed to be entered from a phone keypad rather than a keyboard (I
told you I'm a real Asterisk newbie!).  I guess I'll find out as I start
to set it up.

As I want to build it piecemeal and add complexity rather than diving
into the end product (RTPProxy, Kamailio, Asterisk, FreePBX with
interaction as described above), any suggestions on whether I should
build and test Kamailio or Asterisk first? Thanks - John

On Tue, 2009-06-02 at 21:08 +0100, Gavin Henry wrote:
> One last thing ;-) use OpenLDAP!
> 
> On 02/06/2009, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> > Hello, all.  I'm afraid I've been dropped into the deep end even though
> > I am an Asterisk novice.  I've set up a few tiny, tiny systems in the
> > past and have now been asked to pull together Asterisk, FreePBX,
> > Kamailio, RTPProxy, and Fedora Directory Server into a VoIP service.
> >
> > After googling and reading for most of the last 24 hours, I finally have
> > my head around the components and how they work but am a little stumped
> > by password synchronization using existing LDAP accounts.  Maintaining
> > separate accounts with a shared database between Kamailio and Asterisk
> > seems quite reasonable.  Integrating with the existing LDAP database
> > seems like much more of a challenge.
> >
> > I did find
> > http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
> > and
> > http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/
> > very helpful.
> >
> > For security reasons, we keep internal UIDs different from public email
> > IDs.  Thus, we might use john.doe internally and jd at example.com for
> > email.  Since it is a multi-tenant environment, I'd imagine we will use
> > the Kamailio domain module, make the SIP domain match the email domain,
> > and use the email user portion of the email address as the SIP ID.  I
> > think this is straightforward using LDAP and Kamailio as we would query
> > LDAP for the email address and have it return the password.
> >
> > Asterisk seems a little trickier.  I've looked at the schema extensions
> > and it looks like we add an auxiliary objectclass of AstSIPUser.  I
> > suppose we would add this objectclass to a structure inetOrgPerson
> > object.  We could then use the email name for the AstAccountName (or
> > whatever the actual attribute is) but the password befuddles me.
> >
> > I notice we add an AstAccountRealmedPassword attribute.  I suppose this
> > is because of the need to furnish SIP a hash derived from
> > username:realm:password.  We would prefer our users only need to change
> > their passwords in one place.  Is there any way besides deploying
> > something like IPA to have Asterisk use the regular posix password
> > stored in LDAP rather than a separate AstAccountRealmedPassword?
> >
> > I'm looking forward to diving in; I just wish it was with a little less
> > time pressure! Thanks - John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
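
The quoted question rests on the realmed value being a hash derived from username:realm:password. The following Python example is added here and is not code from the thread, Asterisk, or Kamailio; it shows that value next to a salted directory hash, both written at one password-change point, and a digest check that uses only the stored value. It assumes RFC 2617 digest without qop, that AstAccountRealmedPassword holds the RFC 2617 H(A1) value, and an {SSHA} userPassword; the function names and sample credentials are constructed.

```python
import base64
import hashlib
import hmac
import os

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def realmed_password(user, realm, password):
    # RFC 2617 H(A1): needs the cleartext, so it is computed at change time.
    return md5_hex(f"{user}:{realm}:{password}")

def ssha(password):
    # Assumed directory scheme: base64(SHA1(password + salt) + salt).
    salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored, password):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def digest_response(ha1, method, uri, nonce):
    # RFC 2617 without qop: MD5(HA1:nonce:MD5(method:uri)).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def on_password_change(user, realm, password):
    # One change point writes both values; neither is derivable from the other.
    return {
        "userPassword": ssha(password),
        "AstAccountRealmedPassword": realmed_password(user, realm, password),
    }

def server_verify(entry, method, uri, nonce, client_response):
    # The SIP server never needs the cleartext, only the stored H(A1).
    ha1 = entry["AstAccountRealmedPassword"]
    expected = digest_response(ha1, method, uri, nonce)
    return hmac.compare_digest(expected, client_response)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    entry = on_password_change("jd", "example.com", "constructed-pass")
    nonce = os.urandom(8).hex()
    ha1 = realmed_password("jd", "example.com", "constructed-pass")
    reply = digest_response(ha1, "REGISTER", "sip:example.com", nonce)
    print(server_verify(entry, "REGISTER", "sip:example.com", nonce, reply))
```

The stored H(A1) is password-equivalent for its realm, so the attribute needs the same read restrictions in the directory as userPassword.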