Kevin Long
2016-Jun-11 05:33 UTC
[asterisk-users] Asterisk 13 with LDAP ? (single sign on )
Is it possible to configure Asterisk such that numerical extensions and/or usernames, would be populated from LDAP, as well as authenticate the endpoints where the "SIP secret" is equal to the user's hashed password in LDAP?

I'd like to use LDAP for single-signon as I do with a number of other applications, and am curious if anyone has a working example or if this is even possible?

Thank you,
Kevin Long
Willy Offermans
2016-Jun-11 11:08 UTC
[asterisk-users] Asterisk 13 with LDAP ? (single sign on )
Hello Kevin, hello asterisk friends,

On Sat, Jun 11, 2016 at 05:33:54AM +0000, Kevin Long wrote:
> Is it possible to configure Asterisk such that numerical extensions and/or usernames, would be populated from LDAP, as well as authenticate the endpoints where the "SIP secret" is equal to the user's hashed password in LDAP?
>
> I'd like to use LDAP for single-signon as I do with a number of other applications, and am curious if anyone has a working example or if this is even possible?
>
> Thank you,
> Kevin Long

I'm puzzling over a somewhat similar problem. I would like to couple asterisk's authentication, authorisation and accounting with a radius server. The radius server will use an ldap server as database for passwords and other data. The real benefit of this setup is that an ldap database is not designed for authentication, it is a kind of database. A radius server is designed for authentication.

If I understand it correctly then SIP authentication works with HTTP digest authentication, a challenge response mechanism. An ldap database does not know what to do with this mechanism. It cannot deal with authentication mechanisms. A radius server, such as freeradius, can handle this mechanism of authentication. It is designed for this.

I'm looking for info on how to set this up:

asterisk <--> freeradius <--> openldap

and already asked for info or documentation on this list. However, without any response so far. I also asked if asterisk supports pam for authentication. This question was also not answered so far.

Another strategy can be to use the ldap server to record all necessary data and asterisk to retrieve this data from the ldap database. In other words, have a look at https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver

    sippeers = ldap,"ou=sip,dc=example,dc=domain",sip
    sipusers = ldap,"ou=sip,dc=example,dc=domain",sip
    extensions = ldap,"ou=extensions,dc=example,dc=domain",extensions

Asterisk will then deal with authentication, authorisation and accounting. This is how you imagined setting it up, if I understand it correctly.

However, if you look at it from a distance and in detail, then asterisk should not concentrate on designing to handle this. A radius server can be involved for this work. Asterisk could then concentrate on its core business and that is managing voice and voice/video connections. The radius server does what it is good at: authentication, authorisation and accounting.

I guess that most commercial implementations use something like asterisk <--> radius <--> database for authentication, authorisation and accounting. However, the underlying information on how to set this up is not willingly shared.

If I cannot get more details on asterisk <--> freeradius <--> openldap, I will spend the next days looking in more detail at https://wiki.asterisk.org/wiki/display/AST/LDAP+Realtime+Driver

I can keep you updated, if you are interested.

--
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,
De jrus wah,
Will
*************************************
W.K. Offermans
Powered by .... www.FreeBSD.org
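
Added example, not part of either post: a Python sketch of the digest challenge-response mentioned in the thread, showing that a verifier needs MD5(user:realm:password) (the value chan_sip's md5secret option holds) and that a salted LDAP {SSHA} userPassword cannot stand in for it. The user, realm, password, nonce, URI and salt are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(user, realm, password):
    # The only long-term value a digest verifier needs (what md5secret stores).
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, nonce, method, uri):
    # RFC 2617 digest without qop: MD5(HA1:nonce:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

def ssha(password, salt):
    # LDAP {SSHA} userPassword: base64(SHA1(password + salt) + salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_check(stored, cleartext):
    # What an LDAP bind does: it needs the cleartext password from the client.
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(cleartext.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

def verify(stored_ha1, nonce, method, uri, response):
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)

# Constructed sample values (assumptions, not taken from the thread).
USER, REALM, PASSWORD = "6001", "asterisk", "correct horse"
NONCE, METHOD, URI = "4f1c9a2b", "REGISTER", "sip:pbx.example.domain"
LDAP_HASH = ssha(PASSWORD, b"\x01\x02\x03\x04")

def demo():
    # The phone knows the real password and answers the challenge.
    response = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    args = (NONCE, METHOD, URI, response)
    return {
        "server_has_ha1": verify(ha1(USER, REALM, PASSWORD), *args),
        # Treating the LDAP hash string as the SIP secret does not match.
        "ssha_used_as_secret": verify(ha1(USER, REALM, LDAP_HASH), *args),
        # The hash only verifies a cleartext password, which digest never sends.
        "ldap_bind_style": ssha_check(LDAP_HASH, PASSWORD),
    }

if __name__ == "__main__":
    print(demo())
```

The second result is the single sign-on obstacle: the phone would have to be provisioned with the hash string itself rather than the user's password for the two sides to agree.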