Asterisk LDAP
Introduction
Asterisk 1.6 can be configured to pull much of its configuration from LDAP. This document demonstrates how to set up Asterisk to read its SIP and extension configurations from an LDAP database.
Prerequisites
- asterisk and asterisk-ldap packages
- an LDAP server, the examples below are for the Fedora Directory Server
- the following ports must be opened in the server's firewall:
- UDP port 5060
Settings
/etc/asterisk/sip.conf
Configures Asterisk's SIP features.
[general]
videosupport=yes
allow=all
bindaddr=0.0.0.0
realm=flyn.org
/etc/asterisk/extensions.conf
Configures Asterisk to pull its extension configurations from LDAP.
[users]
switch => Realtime/@

[demo]
switch => Realtime/@

[default]
include => users
include => demo
/etc/asterisk/extconfig.conf
Dictates where Asterisk reads its configurations from. Each line maps a configuration family to a backend, a base DN and the section of res_ldap.conf that holds the attribute mapping for that family.
[settings]
sipusers => ldap,"dc=flyn,dc=org",sip
sippeers => ldap,"dc=flyn,dc=org",sip
extensions => ldap,"dc=flyn,dc=org",extensions
/etc/asterisk/res_ldap.conf
Configures the behavior of Asterisk's LDAP backend. The bind credentials below are the directory's root account (cn=Directory Manager); a dedicated bind DN with read access to the Asterisk subtree limits what a compromised Asterisk host can do to the directory, and since the bind password is stored in clear text this file should be readable by the asterisk user only.
[_general]
url=ldaps://golem.flyn.org:636
protocol=3
basedn="dc=flyn,dc=org"
pass=PASSWORD
user=cn=Directory Manager

[config]
additionalFilter=(objectClass=AsteriskConfig)
filename = AstConfigFilename
category = AstConfigCategory
variable_name = AstConfigVariableName
variable_value = AstConfigVariableValue
cat_metric = AstConfigCategoryMetric
commented = AstConfigCommented

[extensions]
context = AstContext
exten = AstExtension
priority = AstPriority
app = AstApplication
appdata = AstApplicationData
additionalFilter=(objectClass=AsteriskExtension)

[sip]
name = cn
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
canreinvite = AstAccountCanReinvite
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = AstAccountFullContact
host = AstAccountHost
ipaddr = AstAccountIPAddress
insecure = AstAccountInsecure
mailbox = AstAccountMailbox
md5secret = AstAccountRealmedPassword
nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
additionalFilter = (objectClass=AsteriskSIPUser)
LDAP Schema
The following LDAP schema should be installed in /etc/dirsrv/ if you are using the Fedora Directory Server.
dn: cn=schema
attributeTypes: (
NAME 'AstContext'
DESC 'Asterisk Context'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstExtension'
DESC 'Asterisk Extension'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstPriority'
DESC 'Asterisk Priority'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstApplication'
DESC 'Asterisk Application'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstApplicationData'
DESC 'Asterisk Application Data'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountAMAFlags'
DESC 'Asterisk Account AMA Flags'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountCallerID'
DESC 'Asterisk Account CallerID'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountContext'
DESC 'Asterisk Account Context'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountMailbox'
DESC 'Asterisk Account Mailbox'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstMD5secret'
DESC 'Asterisk Account MD5 Secret'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountDeny'
DESC 'Asterisk Account Deny'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountPermit'
DESC 'Asterisk Account Permit'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountQualify'
DESC 'Asterisk Account Qualify'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountType'
DESC 'Asterisk Account Type'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountDisallowedCodec'
DESC 'Asterisk Account Disallowed Codec'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountExpirationTimestamp'
DESC 'Asterisk Account Expiration Timestamp'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountRegistrationContext'
DESC 'Asterisk Account Registration Context'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountRegistrationExten'
DESC 'Asterisk Account Registration Exten'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountNoTransfer'
DESC 'Asterisk Account No Transfer'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountCallGroup'
DESC 'Asterisk Account Call Group'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountCanReinvite'
DESC 'Asterisk Account Can Reinvite'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountDTMFMode'
DESC 'Asterisk Account DTMF Mode'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountFromUser'
DESC 'Asterisk Account From User'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountFromDomain'
DESC 'Asterisk Account From Domain'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountFullContact'
DESC 'Asterisk Account Full Contact'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountHost'
DESC 'Asterisk Account Host'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountInsecure'
DESC 'Asterisk Account Insecure'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountNAT'
DESC 'Asterisk Account NAT'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountPickupGroup'
DESC 'Asterisk Account PickupGroup'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountPort'
DESC 'Asterisk Account Port'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountRestrictCID'
DESC 'Asterisk Restrict CallerID'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountRTPTimeout'
DESC 'Asterisk RTP Timeout'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountRTPHoldTimeout'
DESC 'Asterisk RTP Hold Timeout'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountRealmedPassword'
DESC 'Asterisk Account Realmed Password'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountAllowedCodec'
DESC 'Asterisk Account Allowed Codec'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountMusicOnHold'
DESC 'Asterisk Account Music On Hold'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountCanCallForward'
DESC 'Asterisk Account Can Call Forward'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountSecret'
DESC 'Asterisk Account Secret'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountName'
DESC 'Asterisk Account Username'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstConfigFilename'
DESC 'Asterisk LDAP Configuration Filename'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstConfigCategory'
DESC 'Asterisk LDAP Configuration Category'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstConfigCategoryMetric'
DESC 'Asterisk LDAP Configuration Category Metric'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstConfigVariableName'
DESC 'Asterisk LDAP Configuration Variable Name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstConfigVariableValue'
DESC 'Asterisk LDAP Configuration Variable Value'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstConfigCommented'
DESC 'Asterisk LDAP Configuration Commented'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountIPAddress'
DESC 'Asterisk Account IP Address'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountDefaultUser'
DESC 'Asterisk Account Default User'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
attributeTypes: (
NAME 'AstAccountRegistrationServer'
DESC 'Asterisk Account Registration Server'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
objectClasses: (
NAME 'AsteriskExtension'
DESC 'PBX Extension Information for Asterisk'
SUP top
AUXILIARY
MUST cn
MAY ( AstContext $ AstExtension $ AstPriority $ AstApplication
$ AstApplicationData )
)
objectClasses: (
NAME 'AsteriskIAXUser'
DESC 'IAX2 User information for Asterisk'
SUP AsteriskExtension
AUXILIARY
MUST cn
MAY ( AstAccountAMAFlags $ AstAccountCallerID $ AstAccountContext
$ AstAccountFullContact $ AstAccountHost $ AstAccountMailbox $ AstMD5secret
$ AstAccountDeny $ AstAccountPermit $ AstAccountPort $ AstAccountQualify
$ AstAccountType $ AstAccountDisallowedCodec $ AstAccountExpirationTimestamp
$ AstAccountRegistrationContext $ AstAccountRegistrationExten
$ AstAccountNoTransfer $ AstAccountName )
)
objectClasses: (
NAME 'AsteriskSIPUser'
DESC 'SIP User information for Asterisk'
SUP AsteriskExtension
AUXILIARY
MUST cn
MAY ( AstAccountAMAFlags $ AstAccountCallGroup $ AstAccountCallerID
$ AstAccountCanReinvite $ AstAccountContext $ AstAccountDefaultUser
$ AstAccountDTMFMode $ AstAccountFromUser $ AstAccountFromDomain
$ AstAccountFullContact $ AstAccountHost $ AstAccountInsecure
$ AstAccountIPAddress $ AstAccountMailbox $ AstAccountRealmedPassword
$ AstAccountNAT $ AstAccountDeny $ AstAccountPermit $ AstAccountPickupGroup
$ AstAccountPort $ AstAccountQualify $ AstAccountRestrictCID
$ AstAccountRTPTimeout $ AstAccountRTPHoldTimeout $ AstAccountType
$ AstAccountDisallowedCodec $ AstAccountAllowedCodec $ AstAccountMusicOnHold
$ AstAccountExpirationTimestamp $ AstAccountRegistrationContext
$ AstAccountRegistrationExten $ AstAccountRegistrationServer
$ AstAccountCanCallForward $ AstAccountSecret $ AstAccountName )
)
objectClasses: (
NAME 'AsteriskConfig'
DESC 'Asterisk Configuration Information'
SUP top
AUXILIARY
MUST cn
MAY ( AstConfigFilename $ AstConfigCategory $ AstConfigCategoryMetric
$ AstConfigVariableName $ AstConfigVariableValue $ AstConfigCommented )
)
LDAP Data
Add records similar to the following to your LDAP database. The command ldapadd -x -D "cn=Directory Manager" -f data.ldif -W will add this LDIF data to a Fedora Directory Server.
dn: ou=sippeers,dc=flyn,dc=org
ou: sippeers
objectClass: top
objectClass: organizationalUnit

dn: cn=user1,ou=sippeers,dc=flyn,dc=org
objectClass: top
objectClass: AsteriskSIPUser
cn: user1
AstAccountFullContact: User 1 <2001>
AstAccountCallerID: 2001
AstAccountHost: dynamic
AstAccountRealmedPassword: {MD5}a94775781e5bb7d3e4ec047c56f0acc5
AstAccountContext: default

dn: cn=user2,ou=sippeers,dc=flyn,dc=org
objectClass: top
objectClass: AsteriskSIPUser
cn: user2
AstAccountFullContact: User 2 <2002>
AstAccountCallerID: 2002
AstAccountHost: dynamic
AstAccountRealmedPassword: {MD5}3c7806fa6e6c3416d57f2de223cdea5d
AstAccountContext: default
The traditional, text-based configuration backend configures extensions using statements with the following syntax: exten => extension,priority,application(application data). When using LDAP, each component of that statement is stored in its own attribute, and every extension/priority pair is a separate record:
dn: ou=extensions,dc=flyn,dc=org
ou: extensions
objectClass: top
objectClass: organizationalUnit

dn: cn=2001,ou=extensions,dc=flyn,dc=org
cn: 2001
objectClass: top
objectClass: AsteriskExtension
AstContext: users
AstExtension: 2001
AstPriority: 1
AstApplication: Dial
AstApplicationData: SIP/user1

dn: cn=2002,ou=extensions,dc=flyn,dc=org
cn: 2002
objectClass: top
objectClass: AsteriskExtension
AstContext: users
AstExtension: 2002
AstPriority: 1
AstApplication: Dial
AstApplicationData: SIP/user2
The following three records implement an echo test extension, 600, in the demo context; one record per priority.
dn: cn=600-1,ou=extensions,dc=flyn,dc=org
cn: 600-1
objectClass: top
objectClass: AsteriskExtension
AstContext: demo
AstExtension: 600
AstPriority: 1
AstApplication: Playback
AstApplicationData: demo-echotest

dn: cn=600-2,ou=extensions,dc=flyn,dc=org
cn: 600-2
objectClass: top
objectClass: AsteriskExtension
AstContext: demo
AstExtension: 600
AstPriority: 2
AstApplication: Echo

dn: cn=600-3,ou=extensions,dc=flyn,dc=org
cn: 600-3
objectClass: top
objectClass: AsteriskExtension
AstContext: demo
AstExtension: 600
AstPriority: 3
AstApplication: Playback
AstApplicationData: demo-echodone
This LDIF example makes use of the following options:
Definition of an Asterisk SIP User
- AstAccountFullContact
- SIP URI for a realtime peer.
- AstAccountCallerID
- Caller ID information.
- AstAccountHost
- Defines how a client is found. This may be an IP address for static configurations or the keyword dynamic. If the keyword dynamic is used, phones register themselves with Asterisk, providing the server with their IP address at run time.
- AstAccountRealmedPassword
- A user's authentication token. Populate the AstAccountRealmedPassword field with the output of the command echo -n "SIPUSER:flyn.org:PASSWORD" | md5sum, prefixed with {MD5} as in the records above; flyn.org is the realm set in sip.conf and the two must match. Because this digest is all a SIP client needs to authenticate, restrict read access to the attribute in the directory's ACLs just as you would for the password itself.
- AstAccountContext
- This is the context in which a SIP user exists. When a SIP user makes a call, that call is made from the user's AstAccountContext.
Definition of an Asterisk Extension (Building the Dialplan)
- AstContext
- The context in which an extension exists.
- AstExtension
- The name of an extension.
- AstPriority
- The priority is a sequence number used to order the execution of commands. Commands are executed beginning with the lowest sequence number and working up to the highest.
- AstApplication
- The name of a command to execute. The available commands may be listed at the Asterisk command line by executing core show applications. Details may be viewed by executing core show application APPNAME.
- AstApplicationData
- A command parameter.
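As an added example (not code from the page), the following Python script produces both kinds of LDIF record described above: it computes AstAccountRealmedPassword exactly as the echo -n "SIPUSER:flyn.org:PASSWORD" | md5sum command does and builds AsteriskSIPUser entries like user1, and it splits traditional exten => extension,priority,application(data) statements into one AsteriskExtension record per priority, as in the 600 echo test. The realm, base DN and cn=EXTENSION-PRIORITY naming are assumptions taken from the page's own configuration, and only numeric priorities are handled.

```python
import hashlib
import re

# Assumed values, taken from the page's sip.conf realm and extconfig.conf base DN.
REALM = "flyn.org"
BASE_DN = "dc=flyn,dc=org"

# "exten => extension,priority,application(data)"; "(data)" is optional so that
# parameterless applications such as Echo parse as well (numeric priorities only).
EXTEN_RE = re.compile(r"^\s*exten\s*=>\s*([^,]+),(\d+),(\w+)(?:\((.*)\))?\s*$")
CONTEXT_RE = re.compile(r"^\s*\[(\w+)\]\s*$")


def realmed_password(user, password, realm=REALM):
    """Same digest as `echo -n "USER:REALM:PASSWORD" | md5sum`, with the {MD5}
    prefix AstAccountRealmedPassword expects; realm must equal sip.conf's."""
    digest = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return "{MD5}" + digest


def sip_user_ldif(user, password, exten, display, context="default"):
    """One AsteriskSIPUser entry shaped like the page's user1/user2 records."""
    return [f"dn: cn={user},ou=sippeers,{BASE_DN}", "objectClass: top",
            "objectClass: AsteriskSIPUser", f"cn: {user}",
            f"AstAccountFullContact: {display} <{exten}>",
            f"AstAccountCallerID: {exten}", "AstAccountHost: dynamic",
            f"AstAccountRealmedPassword: {realmed_password(user, password)}",
            f"AstAccountContext: {context}"]


def extensions_to_ldif(conf_text):
    """Turn each exten => statement into one AsteriskExtension entry; the cn is
    EXTENSION-PRIORITY so multi-step extensions such as 600 do not collide."""
    entries, context = [], None
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = ctx.group(1)  # "[demo]" starts a new context
            continue
        m = EXTEN_RE.match(line)
        if not m or context is None:
            raise ValueError(f"cannot convert line: {line!r}")
        exten, prio, app, data = m.groups()
        entry = [f"dn: cn={exten}-{prio},ou=extensions,{BASE_DN}",
                 f"cn: {exten}-{prio}", "objectClass: top",
                 "objectClass: AsteriskExtension", f"AstContext: {context}",
                 f"AstExtension: {exten}", f"AstPriority: {prio}",
                 f"AstApplication: {app}"]
        if data:  # Echo and other parameterless applications get no data attribute
            entry.append(f"AstApplicationData: {data}")
        entries.append(entry)
    return entries
```

Joining the returned entries with blank lines between them gives a file that the ldapadd command above accepts.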
Testing
Execute the command asterisk -rv to start an Asterisk shell. At the asterisk prompt, type sip show peer mike load to display the details about the peer mike as stored in LDAP (substitute the cn of one of your own records, such as user1). This confirms that Asterisk can query the LDAP database and shows that the user mike's record is valid.
Issues
- Asterisk crashes with the default phoneprov.conf (See Red Hat bug #441895)
- Asterisk crashes when retrieving password from LDAP (See Asterisk bug #12572)
- Asterisk provides an out of date example res_ldap.conf.sample (See Asterisk bug #12421)
- Included example schema not compatible with res_config_ldap.c (See Asterisk bug #12860)
- No clear license for sound files (See Asterisk bug #12977)
- res_config_ldap crashes consistently with "Illegal Instruction" (See Asterisk bug #12995)