[asterisk-users] Realtime LDAP passwords
Gavin Henry
gavin.henry at gmail.com
Tue Jun 2 15:07:10 CDT 2009
It also depends where you are registering your users. If merely using
Asterisk for a media server, do the auth via LDAP in Kamailio, which
will just use the userPassword attribute (or however the Kamailio LDAP
module binds to check auth or what you script it to do) then a normal
password change will do.
On 02/06/2009, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> Hello, all. I'm afraid I've been dropped into the deep end even though
> I am an Asterisk novice. I've set up a few tiny, tiny systems in the
> past and have now been asked to pull together Asterisk, FreePBX,
> Kamailio, RTPProxy, and Fedora Directory Server into a VoIP service.
>
> After googling and reading for most of the last 24 hours, I finally have
> my head around the components and how they work but am a little stumped
> by password synchronization using existing LDAP accounts. Maintaining
> separate accounts with a shared database between Kamailio and Asterisk
> seems quite reasonable. Integrating with the existing LDAP database
> seems like much more of a challenge.
>
> I did find
> http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
> and
> http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/
> very helpful.
>
> For security reasons, we keep internal UIDs different from public email
> IDs. Thus, we might use john.doe internally and jd at example.com for
> email. Since it is a multi-tenant environment, I'd imagine we will use
> the Kamailio domain module, make the SIP domain match the email domain,
> and use the email user portion of the email address as the SIP ID. I
> think this is straightforward using LDAP and Kamailio as we would query
> LDAP for the email address and have return the password.
>
> Asterisk seems a little trickier. I've looked at the schema extensions
> and it looks like we add an auxiliary objectclass of AstSIPUser. I
> suppose we would add this objectclass to a structure inetOrgPerson
> object. We could then use the email name for the AstAccountName (or
> whatever the actual attribute is) but the password befuddles me.
>
> I notice we add an AstAccountRealmedPassword attribute. I suppose this
> is because of the need to furnish SIP a hash derived from
> username:realm:password. We would prefer our users only need to change
> their passwords in one place. Is there anyway beside deploying
> something like IPA to have Asterisk use the regular posix password
> stored in LDAP rather than a separate AstAccountRealmedPassword?
>
> I'm looking forward to diving in; I just wish it was with a little less
> time pressure! Thanks - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
More information about the asterisk-users
mailing list