[asterisk-users] Realtime LDAP passwords

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Jun 2 10:14:14 CDT 2009


Hello, all.  I'm afraid I've been dropped into the deep end even though
I am an Asterisk novice.  I've set up a few tiny, tiny systems in the
past and have now been asked to pull together Asterisk, FreePBX,
Kamailio, RTPProxy, and Fedora Directory Server into a VoIP service.

After googling and reading for most of the last 24 hours, I finally have
my head around the components and how they work but am a little stumped
by password synchronization using existing LDAP accounts.  Maintaining
separate accounts with a shared database between Kamailio and Asterisk
seems quite reasonable.  Integrating with the existing LDAP database
seems like much more of a challenge.

I did find
http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html and http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/ very helpful.

For security reasons, we keep internal UIDs different from public email
IDs.  Thus, we might use john.doe internally and jd at example.com for
email.  Since it is a multi-tenant environment, I'd imagine we will use
the Kamailio domain module, make the SIP domain match the email domain,
and use the email user portion of the email address as the SIP ID.  I
think this is straightforward using LDAP and Kamailio as we would query
LDAP for the email address and have it return the password.

Asterisk seems a little trickier.  I've looked at the schema extensions
and it looks like we add an auxiliary objectclass of AstSIPUser.  I
suppose we would add this objectclass to a structure inetOrgPerson
object.  We could then use the email name for the AstAccountName (or
whatever the actual attribute is) but the password befuddles me.

I notice we add an AstAccountRealmedPassword attribute.  I suppose this
is because of the need to furnish SIP a hash derived from
username:realm:password.  We would prefer our users only need to change
their passwords in one place.  Is there any way besides deploying
something like IPA to have Asterisk use the regular posix password
stored in LDAP rather than a separate AstAccountRealmedPassword?

I'm looking forward to diving in; I just wish it was with a little less
time pressure! Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
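
Added example, not part of the original post and not Asterisk or Kamailio code: a Python sketch of the username:realm:password hash the message refers to (HA1 in RFC 2617 digest terms), showing that the server checks a login from the stored hash alone. A salted directory hash can confirm a password presented to it but cannot yield that value. The sample user, realm, nonce and password are constructed, and {SSHA} storage of the LDAP password is an assumption.

```python
import base64, hashlib, hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def realmed_password(user, realm, password):
    # The username:realm:password hash from the post (HA1 in RFC 2617 terms).
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce):
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri)).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(stored_ha1, method, uri, nonce, response):
    # The server never sees the password; it recomputes from the stored HA1.
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)

def ssha(password, salt):
    # Assumed directory storage: {SSHA} = base64(SHA1(password + salt) + salt).
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(candidate, stored):
    # Bind-style check: only possible when the candidate password is presented.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)

def demo():
    # Constructed sample values, not taken from the post.
    user, realm, password = "jd", "example.com", "constructed-pass"
    method, uri, nonce = "REGISTER", "sip:example.com", "constructed-nonce-01"
    stored_ha1 = realmed_password(user, realm, password)  # computed when the password is set
    stored_ssha = ssha(password, b"\x01\x02\x03\x04")      # what the directory keeps
    phone = digest_response(realmed_password(user, realm, password), method, uri, nonce)
    wrong = digest_response(realmed_password(user, realm, "guess"), method, uri, nonce)
    return {
        "good_login": server_accepts(stored_ha1, method, uri, nonce, phone),
        "bad_login": server_accepts(stored_ha1, method, uri, nonce, wrong),
        "ldap_bind_style": ssha_matches(password, stored_ssha),
        # HA1 is bound to user and realm, so each tenant domain needs its own value.
        "realm_bound": stored_ha1 != realmed_password(user, "other.example", password),
    }

if __name__ == "__main__":
    print(demo())
```

The realm-bound hash can only be produced at a moment when the cleartext password is available, such as when the password is set.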



