Paulo Victor Fernandes da Silva
2013-Mar-10 15:37 UTC
[asterisk-users] Asterisk authentication on LDAP (SSHA and SHA passwords)
Hello guys,

I'm working at a federal university in Brazil. We already have an OpenLDAP with all users, and this base is used to authenticate several services like email, VPN, wireless (RADIUS), and we also have Shibboleth providing SSO.

During my studies of Asterisk, I have seen a lot of people talking about the inability of Asterisk (more precisely because of SIP) to authenticate against an LDAP that uses passwords encrypted with anything other than MD5.

I would like to know if there is any way to use Asterisk + LDAP (using SSHA and SHA passwords). Can it be achieved somehow?

PS: Sorry for my bad English.

Best Regards,
Paulo V.
Andrew Latham
2013-Mar-10 17:04 UTC
[asterisk-users] Asterisk authentication on LDAP (SSHA and SHA passwords)
On Sun, Mar 10, 2013 at 11:37 AM, Paulo Victor Fernandes da Silva <paulovictorsilva at gmail.com> wrote:
> Hello guys,
>
> I'm working at a federal university in Brazil. We already have an OpenLDAP
> with all users, and this base is used to authenticate several services like
> email, VPN, wireless (RADIUS), and we also have Shibboleth providing SSO.
>
> During my studies of Asterisk, I have seen a lot of people talking about the
> inability of Asterisk (more precisely because of SIP) to authenticate
> against an LDAP that uses passwords encrypted with anything other than MD5.
>
> I would like to know if there is any way to use Asterisk + LDAP (using SSHA
> and SHA passwords). Can it be achieved somehow?
>
> PS: Sorry for my bad English.
>
> Best Regards,
> Paulo V.

Paulo

I was looking at that code a month or so ago. It should be possible to update res_config_ldap.c to use SHA instead of MD5 when talking to the OpenLDAP server. It is also possible, and a good idea, to maintain a separate password/secret object (MD5/SHA) for Asterisk/PBX to mitigate any toll fraud. Keep in mind that the password could be deployed over HTTPS configuration and be a combination of account info (typically MAC address of UA). Mass deployment is key in such an infrastructure. Also take the time to catalog the user devices/software devices that support SHA for direct LDAP directory lookup.

--
~ Andrew "lathama" Latham lathama at gmail.com http://lathama.net ~
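
Added example, not part of the original thread and not Asterisk's own code: a Python sketch of why a SIP digest check needs an MD5 HA1 value rather than the directory's {SSHA} hash, and of the separate PBX secret suggested in the reply above. The user, realm, nonce, URI, passwords and the `sip_ha1` field name are constructed for illustration.

```python
import base64, hashlib, hmac, os, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ssha(password, salt):
    # OpenLDAP {SSHA}: base64(SHA1(password + salt) + salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    # Verification needs the cleartext password, which a SIP phone never sends.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def ha1(user, realm, secret):
    # Besides cleartext, this is the only stored form an MD5 digest verifier can use.
    return md5_hex(f"{user}:{realm}:{secret}")

def digest_response(ha1_hex, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def server_check(stored_ha1, nonce, method, uri, response):
    return hmac.compare_digest(digest_response(stored_ha1, nonce, method, uri), response)

def provision(user, realm, ldap_password):
    # Directory login stays {SSHA}; the phone gets its own random secret,
    # stored as HA1 in a hypothetical "sip_ha1" attribute.
    sip_secret = secrets.token_urlsafe(16)
    entry = {"userPassword": ssha(ldap_password, os.urandom(8)),
             "sip_ha1": ha1(user, realm, sip_secret)}
    return entry, sip_secret

if __name__ == "__main__":
    # Constructed sample values.
    user, realm, nonce, uri = "2001", "pbx.example.edu", "c0nstructed-nonce", "sip:pbx.example.edu"
    entry, sip_secret = provision(user, realm, "constructed-ldap-password")
    phone = digest_response(ha1(user, realm, sip_secret), nonce, "REGISTER", uri)
    print("REGISTER accepted:", server_check(entry["sip_ha1"], nonce, "REGISTER", uri, phone))
    print("SIP secret opens directory login:", ssha_verify(entry["userPassword"], sip_secret))
```

Because the phone's secret is generated independently, a leaked provisioning file exposes only the SIP credential and not the password used for email, VPN or SSO.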