Asterisk Realtime Lightweight Directory Access Protocol (LDAP) Driver
With this driver Asterisk, using the Realtime Database Configuration, can access and update information in an LDAP directory. Asterisk can configure SIP/IAX2 users, extensions, queues, queue members, and entire configuration files. This guide assumes you have a working knowledge of LDAP and have an LDAP server with authentication already set up. Asterisk requires read and write permissions to update the directory.
See configs/res_ldap.conf.sample for a configuration file sample.
See contrib/scripts for the LDAP schema and ldif files needed for the LDAP server.
From within your Asterisk source directory:
Let's edit the extconfig.conf file to specify LDAP as our realtime storage engine and where Asterisk will look for data.
Basic SIP user record layout, which will need to be saved to a file (we'll use 'createduser.ldif' here as an example). This example record is for SIP user '1000'.
Let's add the record to the LDAP server:
When creating your own record schema, you'll obviously want to incorporate authentication. Asterisk + LDAP requires that the user secrets be stored as an MD5 hash. MD5 hashes can be created using 'md5sum'.
For AstAccountRealmedPassword authentication use this.
For AstMD5secret authentication use this.
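As an added example (not code from this page or from the Asterisk project), the Python script below builds a SIP user entry in the layout used in the comments further down, stores the secret as the MD5 of "user:realm:secret" (the AstAccountRealmedPassword form, hashed without a trailing newline, as the comments describe), verifies a stored value with or without the "{md5}" prefix, and checks that the attributes Asterisk rewrites on registration are present. The DN, cn and sn values are assumed inputs; compare the generated hash with the md5sum output posted in the comments.

```python
import hashlib
import hmac

# Attributes Asterisk rewrites at registration time (the list given in the
# comments on this page); an entry that lacks them cannot be updated.
UPDATED_ATTRS = ("AstAccountIPAddress", "AstAccountPort",
                 "AstAccountExpirationTimestamp", "AstAccountDefaultUser",
                 "AstAccountUserAgent", "AstAccountLastQualifyMilliseconds",
                 "AstAccountFullContact")

def realmed_password(username, realm, secret):
    """MD5 over 'user:realm:secret' with no trailing newline.

    Same as: echo -n "$user:$realm:$secret" | md5sum
    A plain 'echo' would hash an extra newline and registration would never match.
    """
    return hashlib.md5(f"{username}:{realm}:{secret}".encode()).hexdigest()

def verify_realmed(stored, username, realm, secret):
    """True if a stored AstAccountRealmedPassword matches; the '{md5}' prefix is optional."""
    digest = stored[len("{md5}"):] if stored.startswith("{md5}") else stored
    expected = realmed_password(username, realm, secret)
    return hmac.compare_digest(digest.lower().encode(), expected.encode())

def sip_user_ldif(username, realm, secret, dn, cn, sn):
    """LDIF for one SIP user in the layout shown on this page (dn, cn and sn are assumed inputs)."""
    lines = [f"dn: {dn}"]
    lines += [f"objectClass: {oc}" for oc in ("top", "AsteriskAccount", "AsteriskExtension",
                                               "AsteriskSIPUser", "inetOrgPerson", "person")]
    lines += [f"cn: {cn}", f"sn: {sn}", f"uid: {username}", f"AstAccountName: {username}",
              f"AstExtension: {username}", "AstAccountHost: dynamic"]
    lines += [f"{attr}: 0" for attr in UPDATED_ATTRS]   # placeholders; Asterisk fills them in
    lines.append(f"AstAccountRealmedPassword: {{md5}}{realmed_password(username, realm, secret)}")
    return "\n".join(lines) + "\n"

def missing_updated_attrs(ldif_text):
    """Names from UPDATED_ATTRS absent from an LDIF entry (attribute names compare case-insensitively)."""
    present = {line.split(":", 1)[0].strip().lower() for line in ldif_text.splitlines() if ":" in line}
    return [attr for attr in UPDATED_ATTRS if attr.lower() not in present]

if __name__ == "__main__":
    # Compare the hash in the output with the md5sum result posted in the comments on this page.
    print(sip_user_ldif("110", "172.16.45.90", "mypass",
                        "cn=110,ou=people,dc=example,dc=com", "Test User", "User"))
```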
7 Comments
ismail yenigul
echo "<secret goes here>" | md5sum
must be
echo -n "$username:$realm:$password" | md5sum
otherwise you will not be able to log in to LDAP.
Also, if you do not use the cn=config OpenLDAP feature, you do not have to issue the following command:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ./asterisk.ldif
Instead add include path/to/schema/asterisk.ldap-schema
to your slapd.conf
Andrew Latham
Can you confirm the platforms that this applies to?
ismail yenigul
Asterisk 11.1.0
Centos 6.3 x86_64
OpenLDAP 2.4
If you want to use objectclass person/inetOrgPerson with the Asterisk objectclasses,
you have to change the objectclass types from STRUCTURAL to AUXILIARY like the following.
Otherwise you will get an "invalid structural object class chain > (AsteriskAccount/person)" error message.
objectClass (
AsteriskDialplan
NAME 'AsteriskDialplan'
DESC 'Asterisk Dialplan Information'
SUP top AUXILIARY
MUST ( AstExtension ) )
objectClass (
AsteriskAccount
NAME 'AsteriskAccount'
DESC 'Asterisk Account Information'
SUP top AUXILIARY
MUST ( AstAccountName ) )
objectClass (
AsteriskMailbox
NAME 'AsteriskMailbox'
DESC 'Asterisk Mailbox Information'
SUP top AUXILIARY
MUST ( AstVoicemailMailbox ) )
ismail yenigul
This is a full user LDIF to log in to Asterisk successfully with user 110 and password mypass.
To generate a password for
user: 110
realm:172.16.45.90 (change with your realm value in sip.conf)
password: mypass
$ echo -n "110:172.16.45.90:mypass"| md5sum
cf570c6603b8567e3138357423ee266c -
Please note this is only to log in to Asterisk. I will give more updates about dial plan, context etc.
dn: [email protected],ou=surgatelabs.com,o=mail,dc=surmail
objectClass: top
objectClass: AsteriskAccount
objectClass: AsteriskExtension
objectClass: AsteriskSIPUser
objectClass: inetOrgPerson
objectClass: person
sn: ismail
mail: [email protected]
cn: ismail yenigul
uid: [email protected]
AstAccountName: 110
AstAccountDefaultUser: 0
AstAccountExpirationTimestamp: 0
AstAccountFullContact: 0
AstAccountHost: dynamic
AstAccountIPAddress: 0
AstAccountLastQualifyMilliseconds: 0
AstAccountPort: 0
AstAccountRegistrationServer: 0
AstAccountType: 0
AstAccountUserAgent: 0
AstExtension: 110
AstAccountRealmedPassword: {md5}cf570c6603b8567e3138357423ee266c
sip.conf:
realm=172.16.45.90
---
extconfig.conf
sippeers => ldap,"dc=surmail",sip
sipusers => ldap,"dc=surmail",sip
--
res_ldap.conf file:
[sip]
name = AstAccountName ; We use the "cn" as the default value for name on the line above
; because objectClass=AsteriskSIPUser does not include a uid as an allowed field
; If your entry combines other objectClasses and uid is available, you may
; prefer to change the line to be name = uid, especially if your LDAP entries
; contain spaces in the cn field.
; You may also find it appropriate to use something completely different.
; This is possible by changing the line above to name = AstAccountName (or whatever you
; prefer).
;
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
directmedia = AstAccountDirectMedia
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = AstAccountFullContact
fullcontact = gecos
host = AstAccountHost
insecure = AstAccountInsecure
mailbox = AstAccountMailbox
md5secret = AstAccountRealmedPassword ; Must be an MD5 hash. Field value can start with{md5} but it is not required.
; Generate the password via the md5sum command, e.g.
; echo "my_password" | md5sum
nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
ipaddr = AstAccountIPAddress
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
lastms = AstAccountLastQualifyMilliseconds
additionalFilter=(objectClass=AsteriskSIPUser)
ismail yenigul
Asterisk changes the following LDAP attributes,
so you must define these attributes while you are creating a user account in LDAP. If you don't define these attributes you will get a log message about updating account info in the Asterisk logs.
attr=AstAccountIPAddress AstAccountPort AstAccountExpirationTimestamp AstAccountDefaultUser AstAccountUserAgent AstAccountLastQualifyMilliseconds AstAccountFullContact
Another problem is with the default res_ldap.conf: you have to disable the fullcontact = gecos line
and add a useragent LDAP mapping like the following.
fullcontact = AstAccountFullContact
;fullcontact = gecos
useragent = AstAccountUserAgent
ismail yenigul
Also, the following lines in res_ldap.conf.example are wrong. The attrs in red do not exist in the asterisk.ldap-schema file.
; Extensions Table
;
[extensions]
context = AstExtensionContext
exten = AstExtensionExten
priority = AstExtensionPriority
app = AstExtensionApplication
appdata = AstExtensionApplicationData
additionalFilter=(objectClass=AstExtension)
The correct values:
[extensions]
context = AstContext
exten = AstExtension
priority = AstPriority
app = AstApplication
appdata = AstApplicationData
additionalFilter=(objectClass=AsteriskExtension)
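As an added example (not code from this page or from the Asterisk project), a small Python checker that reads attribute and objectClass names out of an asterisk.ldap-schema-style file and flags res_ldap.conf mappings that point at names the schema does not define, which is exactly the mismatch in the [extensions] block quoted above. The schema fragment is constructed with placeholder OIDs; feed it the real schema and conf file to check a deployment, and include any other loaded schema (e.g. the one defining gecos) so those attributes are not reported.

```python
import re

# Constructed fragment in asterisk.ldap-schema syntax (placeholder OIDs; only NAME tokens matter here).
SCHEMA = """
attributetype ( 1.1.1 NAME 'AstContext' EQUALITY caseIgnoreMatch )
attributetype ( 1.1.2 NAME 'AstExtension' EQUALITY caseIgnoreMatch )
attributetype ( 1.1.3 NAME 'AstPriority' EQUALITY integerMatch )
attributetype ( 1.1.4 NAME 'AstApplication' EQUALITY caseIgnoreMatch )
attributetype ( 1.1.5 NAME 'AstApplicationData' EQUALITY caseIgnoreMatch )
objectclass ( 1.1.100 NAME 'AsteriskExtension' SUP top AUXILIARY MUST ( AstExtension ) MAY ( AstContext $ AstPriority $ AstApplication $ AstApplicationData ) )
"""

# The [extensions] block as shipped in the sample file, per the comment above.
WRONG_CONF = """[extensions]
context = AstExtensionContext
exten = AstExtensionExten
priority = AstExtensionPriority
app = AstExtensionApplication
appdata = AstExtensionApplicationData
additionalFilter=(objectClass=AstExtension)
"""

def schema_names(schema_text):
    """Return (attribute names, objectClass names), lowercased because LDAP compares them that way."""
    attrs, classes = set(), set()
    for chunk in re.split(r"^(?=attributetype|objectclass)", schema_text, flags=re.M | re.I):
        m = re.search(r"NAME\s+\(?\s*'([^']+)'", chunk)
        if m:
            target = attrs if chunk.lower().startswith("attributetype") else classes
            target.add(m.group(1).lower())
    return attrs, classes

def check_mappings(conf_text, schema_text):
    """List (section, key, value, reason) for mappings that reference names the schema lacks."""
    attrs, classes = schema_names(schema_text)
    problems, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop ';' comments
        key, _, value = (s.strip() for s in line.partition("="))
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]                       # [_general] holds connection settings
        elif not line or section in (None, "_general"):
            continue
        elif key.lower() == "additionalfilter":
            for oc in re.findall(r"objectClass=([^)&|]+)", value, flags=re.I):
                if oc.lower() not in classes:
                    problems.append((section, key, oc, "objectClass not in schema"))
        elif value.lower() not in attrs:
            problems.append((section, key, value, "attribute not in schema"))
    return problems

if __name__ == "__main__":
    for problem in check_mappings(WRONG_CONF, SCHEMA):
        print("%s: %s -> %s (%s)" % problem)
```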
Claudio
any definitive installation guide there?