[asterisk-users] Realtime LDAP passwords

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Jun 2 15:14:25 CDT 2009


Most of the desktops are KDE and they use the KDE change password
facility.  It works via pam I believe.  Is there an Asterisk interface
with pam that would cause it to simultaneously change the Asterisk SIP
realm password? If there is, I wonder how we pass it the requisite
information? Thanks - John

On Tue, 2009-06-02 at 21:04 +0100, Gavin Henry wrote:
> Where do they currently change their password? If it's somewhere you
> control, why not add some to create the realmed password?
> 
> Gavin.
> 
> On 02/06/2009, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> > Hello, all.  I'm afraid I've been dropped into the deep end even though
> > I am an Asterisk novice.  I've set up a few tiny, tiny systems in the
> > past and have now been asked to pull together Asterisk, FreePBX,
> > Kamailio, RTPProxy, and Fedora Directory Server into a VoIP service.
> >
> > After googling and reading for most of the last 24 hours, I finally have
> > my head around the components and how they work but am a little stumped
> > by password synchronization using existing LDAP accounts.  Maintaining
> > separate accounts with a shared database between Kamailio and Asterisk
> > seems quite reasonable.  Integrating with the existing LDAP database
> > seems like much more of a challenge.
> >
> > I did find
> > http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
> > and
> > http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/
> > very helpful.
> >
> > For security reasons, we keep internal UIDs different from public email
> > IDs.  Thus, we might use john.doe internally and jd at example.com for
> > email.  Since it is a multi-tenant environment, I'd imagine we will use
> > the Kamailio domain module, make the SIP domain match the email domain,
> > and use the email user portion of the email address as the SIP ID.  I
> > think this is straightforward using LDAP and Kamailio as we would query
> > LDAP for the email address and have it return the password.
> >
> > Asterisk seems a little trickier.  I've looked at the schema extensions
> > and it looks like we add an auxiliary objectclass of AstSIPUser.  I
> > suppose we would add this objectclass to a structure inetOrgPerson
> > object.  We could then use the email name for the AstAccountName (or
> > whatever the actual attribute is) but the password befuddles me.
> >
> > I notice we add an AstAccountRealmedPassword attribute.  I suppose this
> > is because of the need to furnish SIP a hash derived from
> > username:realm:password.  We would prefer our users only need to change
> > their passwords in one place.  Is there any way besides deploying
> > something like IPA to have Asterisk use the regular posix password
> > stored in LDAP rather than a separate AstAccountRealmedPassword?
> >
> > I'm looking forward to diving in; I just wish it was with a little less
> > time pressure! Thanks - John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> >
> >
> 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

