Skip to end of metadata
Go to start of metadata

Asterisk Realtime Lightweight Directory Access Protocol (LDAP) Driver

With this driver Asterisk, using the Realtime Database Configuration, can access and update information in an LDAP directory. Asterisk can configure SIP/IAX2 users, extensions, queues, queue members, and entire configuration files. This guide assumes you have a working knowledge of LDAP and have an LDAP server with authentication already setup. Asterisk requires read and write permissions to update the directory.

See configs/res_ldap.conf.sample for a configuration file sample.
See contrib/scripts for the LDAP schema and ldif files needed for the LDAP server.


To use static realtime with certain core configuration files the realtime backend you wish to use must be preloaded in modules.conf.

From within your Asterisk source directory:

Let's edit the extconfig.conf file to specify LDAP as our realtime storage engine and where Asterisk will look for data.


You'll want to reference the Asterisk res_ldap.conf file which holds the LDAP mapping configuration when building your own record schema.

Basic sip users record layout which will need to be saved to a file (we'll use 'createduser.ldif' here as an example). This example record is for sip user '1000'. This example record is for sip user '1000'.

Let's add the record to the LDAP server:

When creating your own record schema, you'll obviously want to incorporate authentication. Asterisk + LDAP requires that the user secrets be stored as an MD5 hash. MD5 hashes can be created using 'md5sum'.

For AstAccountRealmedPassword authentication use this.

For AstMD5secret authentication use this.

  • No labels


  1. echo "<secret goes here>" | md5sum
    must be

    echo -n "$username:$realm:$password" | md5sum

    otherwise you will not able to login LDAP.

    Also, If you do not use cnc=config OpenLDAP feature, you do not have to issue the following command:

    sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ./asterisk.ldif

    Instead add include path/to/schema/asterisk.ldap-schema
    to your slapd.conf

    1. Can you confirm the platforms that this applies to?

      1. Asterisk 11.1.0
        Centos 6.3 x86_64
        OpenLDAP 2.4

        If you want to use objectclass person/inetOrgPerson with Asterisk objectclasses

        You have to change objectclass types from STRUCTURAL to AUXILIARY like following.
        Otherwise you will get " invalid structural object class chain > (AsteriskAccount/person)" error message.

        objectClass (
        NAME 'AsteriskDialplan'
        DESC 'Asterisk Dialplan Information'
        SUP top AUXILIARY
        MUST ( AstExtension ) )

        objectClass (
        NAME 'AsteriskAccount'
        DESC 'Asterisk Account Information'
        SUP top AUXILIARY
        MUST ( AstAccountName ) )

        objectClass (
        NAME 'AsteriskMailbox'
        DESC 'Asterisk Mailbox Information'
        SUP top AUXILIARY
        MUST ( AstVoicemailMailbox ) )

  2. This is a full user ldiff to login asterisk successfully with user 110 and password mypass

    To generate a password for
    user: 110
    realm: (change with your realm value in sip.conf)
    password: mypass
    $ echo -n "110:"| md5sum
    cf570c6603b8567e3138357423ee266c -

    Please note this note this is only to login asterisk. I will give more update about dial plan, context etc.

    dn: [email protected],,o=mail,dc=surmail
    objectClass: top
    objectClass: AsteriskAccount
    objectClass: AsteriskExtension
    objectClass: AsteriskSIPUser
    objectClass: inetOrgPerson
    objectClass: person
    mail: [email protected]
    cn: ismail yenigul
    uid: [email protected]
    AstAccountName: 110
    AstAccountDefaultUser: 0
    AstAccountExpirationTimestamp: 0
    AstAccountFullContact: 0
    AstAccountHost: dynamic
    AstAccountIPAddress: 0
    AstAccountLastQualifyMilliseconds: 0
    AstAccountPort: 0
    AstAccountRegistrationServer: 0
    AstAccountType: 0
    AstAccountUserAgent: 0
    AstExtension: 110
    AstAccountRealmedPassword: {md5}cf570c6603b8567e3138357423ee266c





    sippeers => ldap,"dc=surmail",sip
    sipusers => ldap,"dc=surmail",sip


    res_ldap.conf file:

    name = AstAccountName       ; We use the "cn" as the default value for name on the line above
                    ; because objectClass=AsteriskSIPUser does not include a uid as an allowed field
                    ; If your entry combines other objectClasses and uid is available, you may
                    ; prefer to change the line to be name = uid, especially if your LDAP entries
                    ; contain spaces in the cn field.
                    ; You may also find it appropriate to use something completely different.
                    ; This is possible by changing the line above to name = AstAccountName (or whatever you
                    ; prefer).
    amaflags = AstAccountAMAFlags
    callgroup = AstAccountCallGroup
    callerid = AstAccountCallerID
    directmedia = AstAccountDirectMedia
    context = AstAccountContext
    dtmfmode = AstAccountDTMFMode
    fromuser = AstAccountFromUser
    fromdomain = AstAccountFromDomain
    fullcontact = AstAccountFullContact
    fullcontact = gecos
    host = AstAccountHost
    insecure = AstAccountInsecure
    mailbox = AstAccountMailbox

    md5secret = AstAccountRealmedPassword          ; Must be an MD5 hash. Field value can start with{md5} but it is not required.
                                                    ; Generate the password via the md5sum command, e.g.
                                                    ; echo "my_password" | md5sum

    nat = AstAccountNAT
    deny = AstAccountDeny
    permit = AstAccountPermit
    pickupgroup = AstAccountPickupGroup
    port = AstAccountPort
    qualify = AstAccountQualify
    restrictcid = AstAccountRestrictCID
    rtptimeout = AstAccountRTPTimeout
    rtpholdtimeout = AstAccountRTPHoldTimeout
    type = AstAccountType
    disallow = AstAccountDisallowedCodec
    allow = AstAccountAllowedCodec
    MusicOnHold = AstAccountMusicOnHold
    regseconds = AstAccountExpirationTimestamp
    regcontext = AstAccountRegistrationContext
    regexten = AstAccountRegistrationExten
    CanCallForward = AstAccountCanCallForward
    ipaddr = AstAccountIPAddress
    defaultuser = AstAccountDefaultUser
    regserver = AstAccountRegistrationServer
    lastms = AstAccountLastQualifyMilliseconds

  3. Asterisk is changing the following ldap attr.
    So you must define this attrs while you are creating a user account on LDAP. If you dont define this attrs you will get a log message about updating account info in asterisk logs.

    attr=AstAccountIPAddress AstAccountPort AstAccountExpirationTimestamp AstAccountDefaultUser AstAccountUserAgent AstAccountLastQualifyMilliseconds AstAccountFullContact

    Another problem is with default res_ldap.conf You have to disable fullcontact = gecos line
    and add useragent ldap mapping like following.

    fullcontact = AstAccountFullContact
    ;fullcontact = gecos
    useragent = AstAccountUserAgent

  4. Also the following lines in res_ldap.conf.example is wrong. the attrs in red do not exist in asterisk.ldap-schema file.

    ; Extensions Table
    context = AstExtensionContext
    exten = AstExtensionExten
    priority = AstExtensionPriority
    app = AstExtensionApplication
    appdata = AstExtensionApplicationData

    The correct values:

    context = AstContext
    exten = AstExtension
    priority = AstPriority
    app = AstApplication
    appdata = AstApplicationData

  5. any definitive installation guide there?