[asterisk-users] Asterisk 13 with LDAP ? (single sign on )
Willy Offermans
asterisk at Offermans.Rompen.nl
Sat Jun 11 06:08:09 CDT 2016
Hello Kevin, hello asterisk friends,
On Sat, Jun 11, 2016 at 05:33:54AM +0000, Kevin Long wrote:
>
> Is it possible to configure Asterisk such that numerical extensions and/or usernames, would be populated from LDAP, as well as authenticate the endpoints where the “SIP secret” is equal to the user’s hashed password in LDAP?
>
> I’d like to use LDAP for single-signon as I do with a number of other applications, and am curious if anyone has a working example or if this is even possible?
>
> Thank you,
>
> Kevin Long
>
I'm puzzling over a somewhat similar problem. I would like to couple
Asterisk's authentication, authorisation and accounting with a RADIUS
server. The RADIUS server will use an LDAP server as database for passwords
and other data. The real benefit of this setup is that an LDAP database is
not designed for authentication; it is a kind of database. A RADIUS server
is designed for authentication. If I understand it correctly, then SIP
authentication works with HTTP digest authentication, a challenge-response
mechanism. An LDAP database does not know what to do with this mechanism. It
cannot deal with authentication mechanisms. A RADIUS server, such as
FreeRADIUS, can handle this mechanism of authentication. It is designed for
this.

I'm looking for info on how to set this up: asterisk <--> freeradius <-->
openldap and already asked for info or documentation on this list. However,
without any response so far. I also asked if Asterisk supports PAM for
authentication. This question has also not been answered so far.

Another strategy can be to use the LDAP server to record all necessary data
and Asterisk to retrieve this data from the LDAP database. In other words,
have a look at
https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver

    sippeers = ldap,"ou=sip,dc=example,dc=domain",sip
    sipusers = ldap,"ou=sip,dc=example,dc=domain",sip
    extensions = ldap,"ou=extensions,dc=example,dc=domain",extensions

Asterisk will then deal with authentication, authorisation and accounting.
This is how you imagined setting it up, if I understand it correctly.
However, if you look at it from a distance and in detail, then Asterisk
should not concentrate on designing to handle this. A RADIUS server can be
involved for this work. Asterisk could then concentrate on its core
business and that is managing voice and voice/video connections. The RADIUS
server does what it is good at: authentication, authorisation and
accounting.

I guess that most commercial implementations use something like asterisk
<--> radius <--> database for authentication, authorisation and accounting.
However, the underlying information on how to set this up is not willingly
shared.

If I cannot get more details on asterisk <--> freeradius <--> openldap, I
will spend the next days looking in more detail at
https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver
I can keep you updated, if you are interested.

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,
Will
*************************************
W.K. Offermans
Powered by ....
(__)
\\\'',)
\/ \ ^
.\._/_)
www.FreeBSD.org
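
The mismatch this thread turns on, as an added example that is not part of the original messages: a digest verifier needs the plaintext secret or MD5(user:realm:secret) (chan_sip's `md5secret`), so an LDAP `{SSHA}` value cannot stand in for the SIP secret. The extension, realm, password, nonce and URI are constructed sample values, and the RFC 2617 response form without qop is assumed.

```python
import base64
import hashlib
import hmac
import os

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user: str, realm: str, secret: str) -> str:
    # RFC 2617 H(A1); this is the value sip.conf's md5secret holds.
    # It is password-equivalent for this user and realm, so protect it as such.
    return md5_hex(f"{user}:{realm}:{secret}")

def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def ldap_ssha(password: str, salt: bytes) -> str:
    # LDAP userPassword in {SSHA} form: base64(SHA1(password + salt) + salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def server_accepts(stored_ha1: str, nonce: str, method: str, uri: str,
                   client_response: str) -> bool:
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    user, realm, password = "6001", "asterisk", "correct horse battery"
    nonce, method, uri = "4f2a9c1e", "REGISTER", "sip:pbx.example.domain"
    # The phone only knows the password the user typed in.
    phone = digest_response(ha1(user, realm, password), nonce, method, uri)
    ssha = ldap_ssha(password, os.urandom(4))
    return {
        # Directory stores MD5(user:realm:password): the response verifies.
        "stored_ha1": server_accepts(ha1(user, realm, password),
                                     nonce, method, uri, phone),
        # Directory stores only {SSHA}; using that string as the SIP secret
        # gives a different HA1, so the same phone is rejected.
        "ssha_as_secret": server_accepts(ha1(user, realm, ssha),
                                         nonce, method, uri, phone),
        "ssha_value": ssha,
    }

if __name__ == "__main__":
    print(demo())
```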