Hello, all. I'm afraid I've been dropped into the deep end even though I am an Asterisk novice. I've set up a few tiny, tiny systems in the past and have now been asked to pull together Asterisk, FreePBX, Kamailio, RTPProxy, and Fedora Directory Server into a VoIP service.

After googling and reading for most of the last 24 hours, I finally have my head around the components and how they work but am a little stumped by password synchronization using existing LDAP accounts. Maintaining separate accounts with a shared database between Kamailio and Asterisk seems quite reasonable. Integrating with the existing LDAP database seems like much more of a challenge.

I did find
http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html
and
http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/
very helpful.

For security reasons, we keep internal UIDs different from public email IDs. Thus, we might use john.doe internally and jd at example.com for email. Since it is a multi-tenant environment, I'd imagine we will use the Kamailio domain module, make the SIP domain match the email domain, and use the email user portion of the email address as the SIP ID. I think this is straightforward using LDAP and Kamailio as we would query LDAP for the email address and have it return the password.

Asterisk seems a little trickier. I've looked at the schema extensions and it looks like we add an auxiliary objectclass of AstSIPUser. I suppose we would add this objectclass to a structural inetOrgPerson object. We could then use the email name for the AstAccountName (or whatever the actual attribute is) but the password befuddles me.

I notice we add an AstAccountRealmedPassword attribute. I suppose this is because of the need to furnish SIP a hash derived from username:realm:password. We would prefer our users only need to change their passwords in one place. Is there any way besides deploying something like IPA to have Asterisk use the regular posix password stored in LDAP rather than a separate AstAccountRealmedPassword?

I'm looking forward to diving in; I just wish it was with a little less time pressure! Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

Where do they currently change their password? If it's somewhere you control, why not add some to create the realmed password?

Gavin.

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

-- Sent from my mobile device http://www.suretecsystems.com/services/openldap/
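
Added example, not part of the original thread or of Asterisk's own code: a sketch of the password-change hook suggested above, which writes the regular LDAP password and the realmed hash in one step, then shows a server verifying a digest response from the stored hash alone. Assumptions: `change_password` and the dict standing in for an LDAP entry are hypothetical, the realm equals the email domain, and AstAccountRealmedPassword holds the hex MD5 of username:realm:password as the question supposes.

```python
import base64
import hashlib
import hmac
import os

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def realmed_password(sip_user, realm, password):
    # HA1 of SIP digest auth: MD5(username:realm:password)
    return md5_hex(f"{sip_user}:{realm}:{password}")

def ssha(password):
    # {SSHA} userPassword value: salted and one-way, so HA1 cannot be
    # computed from it later; the cleartext is needed exactly once.
    salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def change_password(entry, realm, new_password):
    # Hypothetical hook at the single place users change passwords.
    # Assumption: SIP ID = user part of mail, realm = mail domain.
    sip_user = entry["mail"].split("@", 1)[0]
    entry["userPassword"] = ssha(new_password)
    entry["AstAccountRealmedPassword"] = realmed_password(sip_user, realm, new_password)
    return entry

def digest_response(ha1, method, uri, nonce):
    # Digest response without qop: MD5(HA1:nonce:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_accepts(entry, method, uri, nonce, client_response):
    # The server never needs the cleartext, only the stored HA1.
    expected = digest_response(entry["AstAccountRealmedPassword"], method, uri, nonce)
    return hmac.compare_digest(expected, client_response)

if __name__ == "__main__":
    # Constructed sample entry and credentials.
    entry = change_password({"uid": "john.doe", "mail": "jd@example.com"},
                            "example.com", "constructed-passphrase")
    nonce = os.urandom(16).hex()
    phone = digest_response(realmed_password("jd", "example.com", "constructed-passphrase"),
                            "REGISTER", "sip:example.com", nonce)
    print(server_accepts(entry, "REGISTER", "sip:example.com", nonce, phone))
```

The stored hash is password-equivalent for that user within that realm, so the attribute needs the same read restrictions as userPassword. Because the realm is part of the hash, renaming a tenant's SIP domain invalidates every stored value until the next password change.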

It also depends where you are registering your users. If merely using Asterisk for a media server, do the auth via LDAP in Kamailio, which will just use the userPassword attribute (or however the Kamailio LDAP module binds to check auth or what you script it to do) then a normal password change will do.

Sorry, lastly I defined it as auxiliary to do exactly that; add it to any existing entry. Thanks.

One last thing ;-) use OpenLDAP!