[asterisk-users] Asterisk 13 with LDAP ? (single sign on )

Sat Jun 11 06:08:09 CDT 2016

Hello Kevin, hello asterisk friends,

On Sat, Jun 11, 2016 at 05:33:54AM +0000, Kevin Long wrote:
> 
> 
> Is it possible to configure Asterisk such that numerical extensions and/or usernames,   would be populated from LDAP,  as well as authenticate the endpoints where the “SIP secret” is equal to the user’s hashed password in LDAP?
> 
> 
> I’d like to use LDAP for single-signon as I do with a number of other applications,  and am curious if anyone has a working example or if this is even possible?
> 
> 
> Thank you,
> 
> Kevin Long
> 

I'm puzzling with a somehow similar problem. I like to couple asterisk's 
authentication, authorisation and accounting with a radius server. The 
radius server will use a ldap server as database for passwords and other 
data. The real benefit of this setup is that a ldap database is not 
designed for authentication, it is a kind of database. A radius server is 
designed for authentication. If I understand it correctly then SIP 
authentication works with HTTP digest authentication, a challenge response 
mechanism. A ldap database does not know what to do with this mechanism. It 
cannot deal with authentication mechanisms. A radius server, such as 
freeradius, can handle this mechanism of authentication. It is designed for 
this.

I'm looking for info on how to setup this up: asterisk <--> freeradius <--> 
openldap and already asked for info or documentation on this list. However 
without any response so far. I also asked if asterisk supports pam for 
authentication. Also this question was not answered so far.

Another strategy can be to use the ldap server to record all necessary data 
and asterisk to retrieve this data from the ldap database. With other words 
and have a look to

https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver

sippeers = ldap,"ou=sip,dc=example,dc=domain",sip
sipusers = ldap,"ou=sip,dc=example,dc=domain",sip
extensions = ldap,"ou=extensions,dc=example,dc=domain",extensions

Asterisk will then deal with authentication, authorisation and accounting.  
This is how you imagined to set it up, if I understand it correctly.
However, if you look at it from a distance and in detail, then asterisk 
should not concentrate on designing to handle this. A radius server can be 
involved for this work. Asterisk could then concentrate on its core 
business and that is managing voice and voice/video connections. The radius 
server does what it good at is: authentication, authorisation and 
accounting.

I guess that most commercial implementations use something like asterisk 
<--> radius <--> database for authentication, authorisation and accounting.  
However, the underlying information on how to set this up is not willingly 
shared.

If I cannot get more details on asterisk <--> freeradius <--> openldap, I 
will spent the next days to look in more detail to 
https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver

I can keep you updated, if you are interested.

-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,

Will

*************************************
 W.K. Offermans

                                       Powered by ....

                                            (__)
                                         \\\'',)
                                           \/  \ ^
                                           .\._/_)

                                       www.FreeBSD.org