Nick Couchman
2006-Sep-21 14:45 UTC
[asterisk-users] Integrating Asterisk with LDAP Realtime
Hi, All:

I'm starting to jump into the Asterisk world and try to figure out a VoIP solution for my company. I stumbled across the VoiceRD company/project, which is supposed to integrate Asterisk into Novell eDirectory (via LDAP). Unfortunately the project is in its very early stages, and it just doesn't work that well. I'm sure that will change as time goes on, but I'm not feeling real patient right now :-).

I'm using Asterisk (1.2.12) with the LDAP Realtime driver (res_config_ldap.so), and I'm experiencing a few problems that I could really use some help solving.

First of all, I'd like to configure Asterisk to talk to my LDAP servers securely. This is especially critical if I'm going to have to bind as something other than an anonymous bind (not just for my sake, but the eDirectory servers require confidentiality by default - and I don't want to change that). When I try to set the port to 636 in the res_ldap.conf file, I get bind errors ("Can't contact server..."). I imagine this is an issue with certificates and trust, but I'm not exactly sure where I need to put my CA certificate in order to make the ldap module happy. I have my global ldap.conf file (/etc/openldap/ldap.conf) set up to not require certificate checking, but this doesn't seem to make a difference with the res_config_ldap module. Anyone have any tips to help me figure out what's going on here?

My second issue (that I've identified so far, anyway) is with the actual searches that LDAP does. I can get around the problem above by removing the username and password so that Asterisk binds anonymously on the insecure port (389). I set up the parts of the LDAP tree that Asterisk needs access to so that Anonymous binds can see all attributes (I know this isn't safe in a production environment, and that's not how I plan to do it in production, it was simply a temporary measure to see if I could actually get anything out of the LDAP tree). The module binds successfully and does some searches of the tree.

Unfortunately, I can't tell by looking at any of the log files for asterisk whether or not it actually pulls any data out of the tree. The log files don't seem to list results for LDAP lookups (I've got full debugging turned on, so everything should be getting logged), so it's hard to tell what the LDAP server returned. I've tried to use tcpdump to see this data, but tcpdump doesn't grab the full packet, it truncates it at a certain point, so I can't see the data.

Also, Asterisk seems to only query the .conf file entries from extconfig.conf and not the other entries (sipusers, extensions, etc.). Here's my extconfig.conf file (I did patch Asterisk to recognize the quotation marks for this file):

    [settings]
    ;voicemail => ldap,"o=SEAKR",voicemail
    voicemail => ldap,"ou=People,o=SEAKR",voicemail
    ;realtime_ext => ldap,"o=SEAKR",extensions
    realtime_ext => ldap,"ou=Extensions,ou=VoIP,ou=Servers,o=SEAKR",extensions
    voicemail.conf => ldap,"ou=Conf,ou=VoIP,ou=Servers,o=SEAKR",config
    ;voicemail.conf => ldap,"o=SEAKR",config
    meetme.conf => ldap,"ou=Conf,ou=VoIP,ou=Servers,o=SEAKR",config
    ;meetme.conf => ldap,"o=SEAKR",config
    sip.conf => ldap,"ou=Conf,ou=VoIP,ou=Servers,o=SEAKR",config
    ;sip.conf => ldap,"o=SEAKR",config
    extensions.conf => ldap,"ou=Conf,ou=VoIP,ou=Servers,o=SEAKR",config
    ;extensions.conf => ldap,o=SEAKR,config
    sipusers => ldap,"ou=People,o=SEAKR",sip
    sippeers => ldap,"ou=People,o=SEAKR",sip
    ;sipfriends => ldap,o=SEAKR,sip

and here's the first part of the res_ldap.conf file (the rest of it identifies the attributes for each of the configuration "tables"):

    [_general]
    dbhost=my.ldap.host ; LDAP host(s)
    dbport=636
    dbbasedn=o=SEAKR ; Base DN
    dbpass=SUPERSECRETWORD ; Bind password
    dbuser=cn=MYADMIN,ou=People,o=SEAKR ; Bind DN

Please let me know if you need any further information. I have updated my LDAP schema with the schema for the LDAP realtime driver (so that it has all the oxy attributes plus a few VoiceRD attributes from the VoiceRD vendor). I've verified that I can do both anonymous binds and authenticated binds from the server command line (using ldapsearch) and that the anonymous binds return the attributes from the server that Asterisk needs to see.

Thanks,
Nick Couchman
Systems Integrator
SEAKR Engineering, Inc.
6221 South Racine Circle
Centennial, CO 80111
Main: (303) 790-8499
Fax: (303) 790-8720
Web: http://www.seakr.com
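The two configuration files in the post above lend themselves to a quick audit before anything is pointed at a production directory: which bind the res_ldap.conf [_general] section actually asks for (anonymous, password over plain port 389, or password over port 636), and what each extconfig.conf line maps to once the quoted base DN is parsed as one field. The script below is an added example, not code from the thread, from Asterisk or from VoiceRD; the file names, the function names and the sample contents in the usage are constructed, with the sample taken from the configuration quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two Asterisk realtime files
# discussed above, res_ldap.conf and extconfig.conf. File paths are whatever
# you pass in; the sample contents in the usage below are constructed.

# Print the value of KEY from the [_general] section of a res_ldap.conf,
# with any trailing "; comment" and surrounding whitespace removed.
ldap_general_value() {  # usage: ldap_general_value FILE KEY
    awk -v key="$2" '
        /^\[/ { in_general = ($0 == "[_general]"); next }
        in_general && index($0, key "=") == 1 {
            sub(/;.*/, "")                    # drop the inline comment
            sub(/^[^=]*=/, "")                # drop "key="
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")
            print
            exit
        }' "$1"
}

# Print one "family|driver|basedn|table" line per active mapping in an
# extconfig.conf. A quoted base DN (which itself contains commas) is kept
# intact; an unquoted one is split at its first comma, which is exactly why
# the quoting patch mentioned in the thread is needed.
extconfig_mappings() {  # usage: extconfig_mappings FILE
    sed -n -E \
        -e '/^[[:space:]]*;/d' \
        -e 's/^[[:space:]]*([^[:space:]=]+)[[:space:]]*=>[[:space:]]*([^,[:space:]]+),"([^"]*)",([^[:space:]]+).*$/\1|\2|\3|\4/p' \
        -e 's/^[[:space:]]*([^[:space:]=]+)[[:space:]]*=>[[:space:]]*([^,[:space:]]+),([^,"]+),([^[:space:]]+).*$/\1|\2|\3|\4/p' \
        "$1"
}

# Classify what the bind in res_ldap.conf puts on the wire:
#   anonymous      - no dbuser, so no credential is sent
#   ldaps          - bind DN and password configured for port 636 (TLS)
#   cleartext-bind - bind DN and password configured for plain port 389
# "ldaps" only says what the file asks for; whether the TLS handshake then
# succeeds against the server's certificate is a separate check.
audit_bind() {  # usage: audit_bind RES_LDAP_CONF
    user=$(ldap_general_value "$1" dbuser)
    port=$(ldap_general_value "$1" dbport)
    if [ -z "$user" ]; then
        echo anonymous
    elif [ "${port:-389}" = 636 ]; then
        echo ldaps
    else
        echo cleartext-bind
    fi
}

# Stand-alone usage (paths are assumptions):
#   sh audit.sh /etc/asterisk/res_ldap.conf /etc/asterisk/extconfig.conf
if [ $# -ge 2 ]; then
    echo "bind: $(audit_bind "$1")"
    extconfig_mappings "$2"
fi
```

Run against the files quoted in the post, audit_bind reports "ldaps" (a bind DN plus password with dbport=636) and extconfig_mappings prints each active family with its full base DN, e.g. realtime_ext|ldap|ou=Extensions,ou=VoIP,ou=Servers,o=SEAKR|extensions. Feed it the commented-out unquoted form (sipfriends => ldap,o=SEAKR,sip) with a multi-component DN and the third field stops at the first comma, which is the breakage the quotation-mark patch avoids.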
On Thu, 21 Sep 2006, Nick Couchman wrote:

> When I try to set the port to 636 in the res_ldap.conf file, I get bind
> errors ("Can't contact server..."). I imagine this is an issue with
> certificates and trust, but I'm not exactly sure where I need to put my
> CA certificate in order to make the ldap module happy.

Probably wherever openssl looks for them. Try /etc/pki/tls/certs/, /etc/ssl/certs/ or /usr/share/ssl/certs/, depending on your distro. You'll also need to symlink the certificate to its hash, check the openssl docs if you haven't done this before.

> I've tried to use tcpdump to see this data, but tcpdump doesn't grab the
> full packet, it truncates it at a certain point, so I can't see the
> data.

Try doing your tcpdump with "-s 0" - it tells tcpdump to "snarf" the whole packet. Even better, use wireshark (the new name for ethereal). It'll do a very nice job (I tend to find better than tcpdump) at showing you the contents of your ldap queries and responses.

I haven't gotten around to playing with direct integration with asterisk and ldap, so I can't help on your other issues.

Nick
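The reply's two pieces of advice, the hash-named symlink in the OpenSSL certificate directory and the full-packet tcpdump, as an added example that is not code from the thread, from Asterisk or from OpenLDAP. It assumes, as the reply does, that the LDAP client library underneath the module uses OpenSSL's certificate directory; the function names, the CERT_DIR you pass in (one of the distro paths the reply lists) and the test certificates are all constructed here. openssl x509, openssl verify, openssl s_client and tcpdump are the real tools with their documented options.

```shell
#!/bin/sh
# Added example (not from the thread): put a CA certificate where OpenSSL's
# directory lookup finds it, give it the hash-named symlink the reply refers
# to, and check the result with the same lookup an OpenSSL-based client uses.
# CERT_DIR is whichever of the distro paths in the reply applies to you.

# Copy CA_PEM into CERT_DIR and create the <subject-hash>.N symlink that
# OpenSSL's -CApath lookup requires. Prints the path of the symlink.
install_ca_cert() {  # usage: install_ca_cert CA_PEM CERT_DIR
    ca="$1"; dir="$2"
    hash=$(openssl x509 -noout -hash -in "$ca") || return 1
    base=$(basename "$ca")
    if [ ! "$ca" -ef "$dir/$base" ]; then
        cp "$ca" "$dir/$base"
    fi
    n=0
    # Several CAs can share a subject hash; the numeric suffix disambiguates.
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$base" "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# Return 0 if CERT_PEM chains to a CA in CERT_DIR, non-zero otherwise.
# Run it on the LDAP server's certificate to see what the client will see.
verify_against_dir() {  # usage: verify_against_dir CERT_DIR CERT_PEM
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Show the certificate chain an LDAPS server actually presents and the
# verify result against CERT_DIR. A non-zero verify code here is the
# trust failure behind a "Can't contact server" bind error on port 636.
probe_ldaps() {  # usage: probe_ldaps HOST CERT_DIR
    openssl s_client -connect "$1:636" -CApath "$2" </dev/null 2>/dev/null \
        | grep -E '^ *(subject|issuer|Verify return code|Verification)'
}

# Full-packet capture of LDAP traffic (-s 0, as the reply suggests) for
# opening in wireshark. On port 389 the capture contains the bind password
# in the clear, so handle the pcap like the config file that holds it.
capture_ldap() {  # usage: capture_ldap IFACE OUT_PCAP
    tcpdump -i "$1" -s 0 -w "$2" 'tcp port 389 or tcp port 636'
}
```

install_ca_cert does by hand what c_rehash (or openssl rehash on newer releases) does for a whole directory; the point of writing it out is to see that the lookup is by subject hash, not by file name, which is why simply dropping ca.pem into the directory is not enough. Once verify_against_dir succeeds on the server's certificate, probe_ldaps against the directory server should show "Verify return code: 0 (ok)"; if it still does not, the certificate's subject or SAN does not match the dbhost name, which is a different problem from the missing trust anchor.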
Nick Couchman
2006-Sep-23 14:37 UTC
[asterisk-users] Integrating Asterisk with LDAP Realtime