Asterisk Project : LDAP Realtime Driver

Asterisk Realtime Lightweight Directory Access Protocol (LDAP) Driver

With this driver Asterisk, using the Realtime Database Configuration, can access and update information in an LDAP directory. Asterisk can configure SIP/IAX2 users, extensions, queues, queue members, and entire configuration files. This guide assumes you have a working knowledge of LDAP and have an LDAP server with authentication already setup. Asterisk requires read and write permissions to update the directory.

See configs/res_ldap.conf.sample for a configuration file sample.
See contrib/scripts for the LDAP schema and ldif files needed for the LDAP server.

Icon

To use static realtime with certain core configuration files the realtime backend you wish to use must be preloaded in modules.conf.

From within your Asterisk source directory:

cd contrib/scripts
sudo cp asterisk.ldap-schema /etc/ldap/schema/
sudo service slapd restart
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ./asterisk.ldif

Let's edit the extconfig.conf file to specify LDAP as our realtime storage engine and where Asterisk will look for data.

sippeers = ldap,"ou=sip,dc=example,dc=domain",sip
sipusers = ldap,"ou=sip,dc=example,dc=domain",sip
extensions = ldap,"ou=extensions,dc=example,dc=domain",extensions
Icon

You'll want to reference the Asterisk res_ldap.conf file which holds the LDAP mapping configuration when building your own record schema.

Basic sip users record layout which will need to be saved to a file (we'll use 'createduser.ldif' here as an example). This example record is for sip user '1000'. This example record is for sip user '1000'.

dn: cn=1000,ou=sip,dc=digium,dc=internal
objectClass: AsteriskAccount
objectClass: AsteriskExtension
objectClass: AsteriskSIPUser
objectClass: top
AstAccountName: sip user
cn: 1000
AstAccountDefaultUser: 0
AstAccountExpirationTimestamp: 0
AstAccountFullContact: 0
AstAccountHost: dynamic
AstAccountIPAddress: 0
AstAccountLastQualifyMilliseconds: 0
AstAccountPort: 0
AstAccountRegistrationServer: 0
AstAccountType: 0
AstAccountUserAgent: 0
AstExtension: 1000

Let's add the record to the LDAP server:

sudo ldapadd -D "cn=admin,dc=example,dc=domain" -x -W -f createduser.ldif

When creating your own record schema, you'll obviously want to incorporate authentication. Asterisk + LDAP requires that the user secrets be stored as an MD5 hash. MD5 hashes can be created using 'md5sum'.

For AstAccountRealmedPassword authentication use this.

printf "<secret composed of username, realm, and password goes here>" | md5sum

For AstMD5secret authentication use this.

printf "password" | md5sum

Comments:

echo "<secret goes here>" | md5sum
must be

echo -n "$username:$realm:$password" | md5sum

otherwise you will not able to login LDAP.

Also, If you do not use cnc=config OpenLDAP feature, you do not have to issue the following command:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ./asterisk.ldif

Instead add include path/to/schema/asterisk.ldap-schema
to your slapd.conf

Posted by ismail.yenigul at Dec 31, 2012 15:03

Can you confirm the platforms that this applies to?

Posted by lathama at Dec 31, 2012 15:40

Asterisk 11.1.0
Centos 6.3 x86_64
OpenLDAP 2.4

If you want to use objectclass person/inetOrgPerson with Asterisk objectclasses

You have to change objectclass types from STRUCTURAL to AUXILIARY like following.
Otherwise you will get " invalid structural object class chain > (AsteriskAccount/person)" error message.

objectClass (
AsteriskDialplan
NAME 'AsteriskDialplan'
DESC 'Asterisk Dialplan Information'
SUP top AUXILIARY
MUST ( AstExtension ) )

objectClass (
AsteriskAccount
NAME 'AsteriskAccount'
DESC 'Asterisk Account Information'
SUP top AUXILIARY
MUST ( AstAccountName ) )

objectClass (
AsteriskMailbox
NAME 'AsteriskMailbox'
DESC 'Asterisk Mailbox Information'
SUP top AUXILIARY
MUST ( AstVoicemailMailbox ) )

Posted by ismail.yenigul at Jan 01, 2013 02:06

This is a full user ldiff to login asterisk successfully with user 110 and password mypass

To generate a password for
user: 110
realm:172.16.45.90 (change with your realm value in sip.conf)
password: mypass
$ echo -n "110:172.16.45.90:mypass"| md5sum
cf570c6603b8567e3138357423ee266c -

Please note this note this is only to login asterisk. I will give more update about dial plan, context etc.

dn: uid=ismail@surgatelabs.com,ou=surgatelabs.com,o=mail,dc=surmail
objectClass: top
objectClass: AsteriskAccount
objectClass: AsteriskExtension
objectClass: AsteriskSIPUser
objectClass: inetOrgPerson
objectClass: person
sn:ismail
mail: ismail@surgatelabs.com
cn: ismail yenigul
uid: ismail@surgatelabs.com
AstAccountName: 110
AstAccountDefaultUser: 0
AstAccountExpirationTimestamp: 0
AstAccountFullContact: 0
AstAccountHost: dynamic
AstAccountIPAddress: 0
AstAccountLastQualifyMilliseconds: 0
AstAccountPort: 0
AstAccountRegistrationServer: 0
AstAccountType: 0
AstAccountUserAgent: 0
AstExtension: 110
AstAccountRealmedPassword: {md5}cf570c6603b8567e3138357423ee266c

sip.conf:

realm=172.16.45.90

---

extconfig.conf

sippeers => ldap,"dc=surmail",sip
sipusers => ldap,"dc=surmail",sip

--

res_ldap.conf file:

[sip]
name = AstAccountName       ; We use the "cn" as the default value for name on the line above
                ; because objectClass=AsteriskSIPUser does not include a uid as an allowed field
                ; If your entry combines other objectClasses and uid is available, you may
                ; prefer to change the line to be name = uid, especially if your LDAP entries
                ; contain spaces in the cn field.
                ; You may also find it appropriate to use something completely different.
                ; This is possible by changing the line above to name = AstAccountName (or whatever you
                ; prefer).
                ;
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
directmedia = AstAccountDirectMedia
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = AstAccountFullContact
fullcontact = gecos
host = AstAccountHost
insecure = AstAccountInsecure
mailbox = AstAccountMailbox

md5secret = AstAccountRealmedPassword          ; Must be an MD5 hash. Field value can start with{md5} but it is not required.
                                                ; Generate the password via the md5sum command, e.g.
                                                ; echo "my_password" | md5sum

nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
ipaddr = AstAccountIPAddress
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
lastms = AstAccountLastQualifyMilliseconds
additionalFilter=(objectClass=AsteriskSIPUser)

Posted by ismail.yenigul at Jan 01, 2013 12:25

Asterisk is changing the following ldap attr.
So you must define this attrs while you are creating a user account on LDAP. If you dont define this attrs you will get a log message about updating account info in asterisk logs.

attr=AstAccountIPAddress AstAccountPort AstAccountExpirationTimestamp AstAccountDefaultUser AstAccountUserAgent AstAccountLastQualifyMilliseconds AstAccountFullContact

Another problem is with default res_ldap.conf You have to disable fullcontact = gecos line
and add useragent ldap mapping like following.

fullcontact = AstAccountFullContact
;fullcontact = gecos
useragent = AstAccountUserAgent

Posted by ismail.yenigul at Jan 02, 2013 06:58

Also the following lines in res_ldap.conf.example is wrong. the attrs in red do not exist in asterisk.ldap-schema file.

; Extensions Table
;
[extensions]
context = AstExtensionContext
exten = AstExtensionExten
priority = AstExtensionPriority
app = AstExtensionApplication
appdata = AstExtensionApplicationData
additionalFilter=(objectClass=AstExtension)

The correct values:

[extensions]
context = AstContext
exten = AstExtension
priority = AstPriority
app = AstApplication
appdata = AstApplicationData
additionalFilter=(objectClass=AsteriskExtension)

Posted by ismail.yenigul at Jan 02, 2013 16:57

any definitive installation guide there?

Posted by cguzmana@gmail.com at Jan 07, 2013 08:00