Asterisk And openLDAP


Hello guys, I would like to implement authentication for my SIP extension with an openLDAP server. Following this guide, I see a template named [sip] to map the information of SIP peers into LDAP.

But I’m not interested in creating a template; I would only like to authenticate SIP extensions using a username and password stored in the LDAP database.

How can I configure this mechanism?

Thanks in advance, Regards.

14 thoughts on - Asterisk And openLDAP

  • You just need a program (C, PHP, Perl) to query LDAP and update SIP. The example you list requires realtime, but if you “roll your own”, you could update /etc/asterisk/sip.conf and issue an ‘asterisk -rx “sip reload”’ to update when needed.

  • 2012/10/31 Danny Nicholas :

    Thanks for your help; I have only one question. How do I configure extensions?

  • With this configuration, the peer doesn’t authenticate with LDAP, right?

    2012/10/31 Danny Nicholas :

  • Correct. LDAP can be queried to update the Asterisk configuration, but Asterisk itself is “unaware” of LDAP.


  • Based on my knowledge, the general section provides an interface to your LDAP server and the sipuser section sets up one static user.


  • I don’t want to update the Asterisk configuration; I want to query LDAP only for the name and secret fields.

  • I don’t understand why, in the [_general] section of res_ldap.conf, I need to put a user and pass when I want to authenticate my extensions.

    2012/10/31 Danny Nicholas :

  • This allows asterisk to open an LDAP connection. Have you reviewed res_ldap.conf.sample in the configs folder?


  • Yes, but I think it’s better to open an LDAP connection with the extension’s user and password. Or not?

    2012/10/31 Danny Nicholas :

  • Don’t really know. My knowledge scale on this one is 99 percent Asterisk, 1 percent LDAP.

  • Giuseppe wrote:

    Better is not the right way to look at it. Your question is about early or late binding. Early binding requires a dedicated username and password to connect to LDAP before it can perform a query, and late can use the user-provided credentials.

    I find that many applications will support only one or the other, so the choice is made for you. I do not know if Asterisk supports only early binding, but I suspect that it would be a better long-term match for you.


  • On 31 Oct 2012 at 15:07, Giuseppe Longo wrote:

    Currently Asterisk can’t do that. If you add Kamailio as a proxy in front of Asterisk, you can easily authenticate with LDAP this way. There was some work by Philippe Sultan in this area done years ago, but was never completed.

    In SIP, the MD5 Digest authentication is based on the cleartext password being available to calculate the hash. Therefore we can’t use the LDAP authentication for binding as an authentication mechanism in SIP. As long as we can have a binding (authentication for the server itself) and query and in the result get a cleartext authentication username and secret, Kamailio should be able to do the job.

    The Asterisk realtime driver assumes that you use a [peer] or [user] object like the ones we use in a database – or that you query from the dialplan with the realtime function. However, as stated earlier, this doesn’t work in the SIP authentication that is based on the data in peers and users.
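
The digest point made in the last reply, as an added example that is not part of the original thread or of Asterisk or Kamailio: the server recomputes the RFC 2617 response from a secret it looked up itself, and the phone's message never contains a password that could be handed to an LDAP bind. The DIRECTORY dict, the account "1001", the realm, nonce and URI are constructed stand-ins for what a search over the server's own bind would return.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(username, realm, secret, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 digest response; the account's secret is a required input."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

# Constructed stand-in for the result of an LDAP search done over the
# server's own bind (username -> secret attribute).
DIRECTORY = {"1001": "s3cret-1001"}

def verify(method, auth):
    """Check an already-parsed Authorization header against the directory."""
    secret = DIRECTORY.get(auth["username"])
    if secret is None:
        return False
    expected = digest_response(auth["username"], auth["realm"], secret,
                               method, auth["uri"], auth["nonce"],
                               auth.get("qop"), auth.get("nc"),
                               auth.get("cnonce"))
    return hmac.compare_digest(expected, auth["response"])

def phone_register(username, password, realm, nonce, uri):
    """What the phone sends for REGISTER: a hash, never the password."""
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "response": digest_response(username, realm, password,
                                        "REGISTER", uri, nonce)}

if __name__ == "__main__":
    # Constructed realm, nonce and request URI.
    args = ("asterisk", "5f2a9c01", "sip:pbx.example.com")
    good = phone_register("1001", "s3cret-1001", *args)
    bad = phone_register("1001", "guess", *args)
    print("correct secret accepted:", verify("REGISTER", good))
    print("wrong secret accepted:", verify("REGISTER", bad))
    # No field of the message is usable as a bind password.
    print("password on the wire:", "s3cret-1001" in good.values())
```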