Summary: ASTERISK-20886: [patch] LDAP configuration and documentation updates
Reporter: Andrew Latham (lathama)
Labels: patch
Date Opened: 2013-01-04 09:50:38.000-0600
Date Closed:
Versions: SVN 13.18.4
Frequency of
Is related to: ASTERISK-16321 Asterisk LDAP Modify
Environment: Linux with LDAP service.
Attachments:
( 0) asterisk.ldap-schema.diff
( 1) asterisk.ldif.diff
( 2) install_prereq.diff
( 3) ldap_1.8.diff
( 4) res_config_ldap.c.diff
( 5) res_ldap.conf.sample.diff
Description: Ismail Yenigul added several notes related to issues with LDAP Realtime to the wiki.  This ticket is to track and update the documentation for these discoveries.  Testing with various LDAP servers would be needed before commit.

* Validation of ldif and schema files
* Validation and updates of res_config.conf.sample
* Documentation update and addition to res_config_ldap.c
* Updates to Asterisk wiki page

Comments:

By: Andrew Latham (lathama) 2013-01-04 10:40:38.793-0600

Copy and Paste from the wiki comments

By: ismail yenigul
echo "<secret goes here>" | md5sum
must be

echo -n "$username:$realm:$password" | md5sum

otherwise you will not be able to log in to LDAP.

Also, if you do not use the cn=config OpenLDAP feature, you do not have to issue the following command:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ./asterisk.ldif

Instead, add

include path/to/schema/asterisk.ldap-schema

to your slapd.conf


Asterisk 11.1.0
Centos 6.3 x86_64
OpenLDAP 2.4

If you want to use objectClass person/inetOrgPerson with the Asterisk objectClasses,
you have to change the objectClass types from STRUCTURAL to AUXILIARY like the following.
Otherwise you will get the error message "invalid structural object class chain (AsteriskAccount/person)".

objectClass (
NAME 'AsteriskDialplan'
DESC 'Asterisk Dialplan Information'
AUXILIARY
MUST ( AstExtension ) )

objectClass (
NAME 'AsteriskAccount'
DESC 'Asterisk Account Information'
AUXILIARY
MUST ( AstAccountName ) )

objectClass (
NAME 'AsteriskMailbox'
DESC 'Asterisk Mailbox Information'
AUXILIARY
MUST ( AstVoicemailMailbox ) )


This is a full user LDIF to log in to Asterisk successfully with user 110 and password mypass

To generate a password for
user: 110
realm: (change with your realm value in sip.conf)
password: mypass
$ echo -n "110:"| md5sum
cf570c6603b8567e3138357423ee266c -

Please note this is only to log in to Asterisk. I will give more updates about dial plan, context etc.

dn: uid=ismail@surgatelabs.com,ou=surgatelabs.com,o=mail,dc=surmail
objectClass: top
objectClass: AsteriskAccount
objectClass: AsteriskExtension
objectClass: AsteriskSIPUser
objectClass: inetOrgPerson
objectClass: person
mail: ismail@surgatelabs.com
cn: ismail yenigul
uid: ismail@surgatelabs.com
AstAccountName: 110
AstAccountDefaultUser: 0
AstAccountExpirationTimestamp: 0
AstAccountFullContact: 0
AstAccountHost: dynamic
AstAccountIPAddress: 0
AstAccountLastQualifyMilliseconds: 0
AstAccountPort: 0
AstAccountRegistrationServer: 0
AstAccountType: 0
AstAccountUserAgent: 0
AstExtension: 110
AstAccountRealmedPassword: {md5}cf570c6603b8567e3138357423ee266c

sippeers => ldap,"dc=surmail",sip
sipusers => ldap,"dc=surmail",sip

res_ldap.conf file:

name = AstAccountName       ; We use the "cn" as the default value for name on the line above
               ; because objectClass=AsteriskSIPUser does not include a uid as an allowed field
               ; If your entry combines other objectClasses and uid is available, you may
               ; prefer to change the line to be name = uid, especially if your LDAP entries
               ; contain spaces in the cn field.
               ; You may also find it appropriate to use something completely different.
               ; This is possible by changing the line above to name = AstAccountName (or whatever you
               ; prefer).
amaflags = AstAccountAMAFlags
callgroup = AstAccountCallGroup
callerid = AstAccountCallerID
directmedia = AstAccountDirectMedia
context = AstAccountContext
dtmfmode = AstAccountDTMFMode
fromuser = AstAccountFromUser
fromdomain = AstAccountFromDomain
fullcontact = AstAccountFullContact
fullcontact = gecos
host = AstAccountHost
insecure = AstAccountInsecure
mailbox = AstAccountMailbox

md5secret = AstAccountRealmedPassword          ; Must be an MD5 hash. Field value can start with {md5} but it is not required.
                                               ; Generate the password via the md5sum command, e.g.
                                               ; echo "my_password" | md5sum

nat = AstAccountNAT
deny = AstAccountDeny
permit = AstAccountPermit
pickupgroup = AstAccountPickupGroup
port = AstAccountPort
qualify = AstAccountQualify
restrictcid = AstAccountRestrictCID
rtptimeout = AstAccountRTPTimeout
rtpholdtimeout = AstAccountRTPHoldTimeout
type = AstAccountType
disallow = AstAccountDisallowedCodec
allow = AstAccountAllowedCodec
MusicOnHold = AstAccountMusicOnHold
regseconds = AstAccountExpirationTimestamp
regcontext = AstAccountRegistrationContext
regexten = AstAccountRegistrationExten
CanCallForward = AstAccountCanCallForward
ipaddr = AstAccountIPAddress
defaultuser = AstAccountDefaultUser
regserver = AstAccountRegistrationServer
lastms = AstAccountLastQualifyMilliseconds


Asterisk is changing the following LDAP attributes.
So you must define these attributes while you are creating a user account on LDAP. If you don't define these attributes you will get a log message about updating account info in the Asterisk logs.

attr=AstAccountIPAddress AstAccountPort AstAccountExpirationTimestamp AstAccountDefaultUser AstAccountUserAgent AstAccountLastQualifyMilliseconds AstAccountFullContact

Another problem is with the default res_ldap.conf: you have to disable the fullcontact = gecos line
and add a useragent LDAP mapping like the following.

fullcontact = AstAccountFullContact
;fullcontact = gecos
useragent = AstAccountUserAgent


Also, the following lines in res_ldap.conf.example are wrong: these attributes do not exist in the asterisk.ldap-schema file.

; Extensions Table
context = AstExtensionContext
exten = AstExtensionExten
priority = AstExtensionPriority
app = AstExtensionApplication
appdata = AstExtensionApplicationData

The correct values:

context = AstContext
exten = AstExtension
priority = AstPriority
app = AstApplication
appdata = AstApplicationData

By: ismail yenigul (ismailyenigul) 2013-01-04 14:52:40.841-0600

Here is the full LDAP LDIF entry that logs in to LDAP successfully

dn: uid=ismail@surgatelabs.com, ou=surgatelabs.com, o=mail, dc=surmail
objectClass: top
objectClass: AsteriskAccount
objectClass: AsteriskExtension
objectClass: AsteriskSIPUser
objectClass: inetOrgPerson
objectClass: person
uid: ismail@surgatelabs.com
mail: ismail@surgatelabs.com
cn: ismail yenigul
sn: ismail
AstExtension: 110
AstAccountContext: surgate
AstAccountRegistrationServer: 0
AstAccountRealmedPassword: {md5}db1babff1100b174e90f1c35cef12497
AstAccountName: 110
AstAccountExpirationTimestamp: 1357147457
AstAccountFullContact: sip:110@;rinstance=0058bdbe4c550e26
AstAccountType: friend
AstAccountDefaultUser: 0
AstAccountPort: 5060
AstAccountHost: dynamic
AstAccountLastQualifyMilliseconds: 0
AstAccountUserAgent: X-Lite release 5.0.0 stamp 67284

Note: the "surgate" context is not in LDAP yet. I configured it in the config file right now.
Note 2: The AstAccountFullContact format is very important. You have to use the same format as above. You can't just enter some text. It is an AstAccountFullContact attribute requirement.

Note 3: Your LDAP connection user must have "write" permission on the following attributes:
AstAccountIPAddress AstAccountPort AstAccountExpirationTimestamp AstAccountDefaultUser AstAccountUserAgent AstAccountLastQualifyMilliseconds AstAccountFullContact
because these attributes are modified on every successful SIP login.

By: Andrew Latham (lathama) 2013-01-15 21:26:28.110-0600

Patches and testing underway.  Working to validate on multiple LDAP directory servers.

By: Andrew Latham (lathama) 2013-01-15 21:48:53.234-0600

Reading ASTERISK-5620

By: Andrew Latham (lathama) 2013-01-15 23:12:14.311-0600

Here is an update for the config file.  I have discovered much more than first expected.

By: Andrew Latham (lathama) 2013-01-15 23:13:27.049-0600

Diff file that might be easier to look at.

By: Andrew Latham (lathama) 2013-01-15 23:25:10.230-0600

ldif file with AUXILIARY updates. I am still trying to verify this with multiple systems.  I would enjoy some input.

By: Andrew Latham (lathama) 2013-01-15 23:25:49.214-0600

And add the libraries for ldap in a Debian install.  Already existed for Redhat.

By: Andrew Latham (lathama) 2013-01-15 23:33:55.862-0600

Hacking around on the source

By: Andrew Latham (lathama) 2013-01-15 23:47:13.970-0600

Schema file diff.  Need to do more background checking to understand the AUXILIARY vs STRUCTURAL issue.

By: Andrew Latham (lathama) 2013-01-15 23:56:33.032-0600

Looking at and implementing queues and queue members...

By: ismail yenigul (ismailyenigul) 2013-01-16 03:26:01.783-0600

Don't forget the -n on echo for the password.
Otherwise you will get a different MD5.

By the way, is it possible to define an {SSHA} hash instead of {md5} as a value of AstMD5secret?


By: Andrew Latham (lathama) 2013-01-16 10:06:20.782-0600

Ismail, the -n is not portable across all versions of "echo" and is not defined in the POSIX standards.  I will update the documentation later today.  The MD5 vs SHA can be done later.  The {md5} tag is optional but hardcoded in, which can be easily removed.

Update: changed to printf which is what we should have used anyway.
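
As an added example (not code from the ticket, the wiki, or Asterisk itself): the Python below computes the same HA1 that `printf '%s:%s:%s' user realm password | md5sum` produces, shows how the plain echo variant differs because the trailing newline is hashed too, accepts the optional {md5} tag on the stored value, and verifies a SIP digest response (RFC 2617 without qop) from the stored hash alone. The realm "asterisk", the request URI and the nonce are constructed sample values.

```python
import hashlib
import hmac
import re

# AstAccountRealmedPassword / md5secret holds the SIP digest "HA1" value:
# MD5 over the exact bytes "user:realm:password" with no trailing newline.
# The realm, nonce and URI used by callers of this code are constructed samples.

def md5_hex(data: bytes) -> str:
    """Hex MD5 of raw bytes, the same as piping exactly those bytes into md5sum."""
    return hashlib.md5(data).hexdigest()

def realmed_secret(user: str, realm: str, password: str) -> str:
    """HA1 to store in LDAP; equals printf '%s:%s:%s' user realm password | md5sum."""
    return md5_hex(f"{user}:{realm}:{password}".encode())

def echo_style_secret(user: str, realm: str, password: str) -> str:
    """What a plain echo pipeline yields: the newline echo appends is hashed as
    well, so the value differs from HA1 and the peer can never authenticate."""
    return md5_hex(f"{user}:{realm}:{password}\n".encode())

_MD5_RE = re.compile(r"^(?:\{md5\})?([0-9a-fA-F]{32})$")

def parse_stored_secret(value: str) -> str:
    """Accept the LDAP value with or without the optional {md5} tag and return
    the 32-hex HA1 in lowercase; raise ValueError for anything else."""
    m = _MD5_RE.match(value.strip())
    if not m:
        raise ValueError("md5secret must be 32 hex digits, optionally tagged {md5}")
    return m.group(1).lower()

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest response without qop, computed from HA1 alone: this is
    why the server can store the realmed hash instead of the cleartext password."""
    ha2 = md5_hex(f"{method}:{uri}".encode())
    return md5_hex(f"{ha1}:{nonce}:{ha2}".encode())

def verify_register(stored_value: str, method: str, uri: str,
                    nonce: str, client_response: str) -> bool:
    """Server-side check of a client's digest response against the LDAP value."""
    try:
        ha1 = parse_stored_secret(stored_value)
    except ValueError:
        return False
    expected = digest_response(ha1, method, uri, nonce)
    return hmac.compare_digest(expected, client_response.lower())
```

Store `"{md5}" + realmed_secret("110", realm, "mypass")` in AstAccountRealmedPassword; a value produced with echo_style_secret will never verify.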

By: Andrew Latham (lathama) 2013-01-16 10:46:24.907-0600

Updated config file diff

By: Andrew Latham (lathama) 2013-01-16 10:46:53.709-0600

Updated C file diff

By: Andrew Latham (lathama) 2013-01-16 12:28:31.862-0600

Beware that the patch for ASTERISK-17386 may be in my diff but it would not be included in this ticket.

By: Andrew Latham (lathama) 2013-01-20 21:33:13.382-0600

Ismail mentioned to address the hardcoded md5 tag in the code.  Must add notes to the file to explain how the tag is handled.

By: Andrew Latham (lathama) 2013-01-20 23:20:49.755-0600

For 1.8 branch to be merged forward.  This covers all the documentation issues plus normalizing the general config file tag. It is assumed that the change of the general tag would be too much for 1.8 and 11 but maybe trunk.

By: Andrew Latham (lathama) 2013-01-20 23:28:44.076-0600

Update, missed one _general

By: Andrew Latham (lathama) 2013-03-25 16:31:45.344-0500

Ismail, have you had a chance to test any of this?  I need some testers to make me feel good about committing.

By: ismail yenigul (ismailyenigul) 2014-02-04 09:31:34.600-0600

Hi Andrew,

Sorry, I am very busy. I was not able to test again. Did you make any tests?
I will be available in next coming weeks.

Best Regards