Centrex/Asterisk with multiple distinct AD - active-directory

A little bit of context: I'm currently working on a school project, and I have to set up a "Centrex" style Asterisk server, preparing and tuning things to reach a production-ready installation.
So far I've found information about coupling your Asterisk to 1 LDAP/AD, with an LDIF file and some configuration of the Asterisk server.
But is it even feasible to use multiple distinct LDAP/AD? Or are you supposed to connect to only one LDAP/AD per Asterisk server?
If possible, how much of a hassle would it be to set up?
I am running CentOS 7.7 with a fresh install of Asterisk 16.

Asterisk is open-source software. Since almost nobody needs to connect 2 or more ADs to a server, this feature has no implementation.
There are 2 possible solutions for this:
1) read and modify the LDAP driver in Asterisk. Just copy/paste to make a second one with another name. Requires C/C++ programming experience.
2) read the OpenLDAP documentation and make changes in it, like making sub-trees etc. Requires OpenLDAP/AD administration experience.
Both seem to require advanced experience.

I would say that typically, LDAP-aware applications only connect to one LDAP tree at a time. This has to do with differences in search locations, schema, etc.
Looking at the Asterisk LDAP integration docs, it looks like it follows the same pattern: it can integrate with one LDAP tree.
If you really want to link multiple ADs / LDAP directory trees, you might be able to use LDAP referrals, but that requires quite a lot of knowledge.

Related

Query default Domain Controller OU LDAP

I am trying to figure out how to query a domain to find out where the default Domain Controllers OU is via LDAP. I am a consultant and do know that 99.9% of domains I will come across have the standard OU=domain controllers,DC=domain,DC=root. However, I'm trying to account for that .1% of admins that for whatever reason have moved it to something like OU=why,OU=canteven,DC=domain,DC=root. I know that PowerShell can do this with Get-ADDomain but the tool my development team uses is Python. POSH will print a line like:
DomainControllersContainer : OU=Domain Controllers,DC=test,DC=lab
But again, the tools my developers are working on use Python so I'm stuck with traditional LDAP. Does anyone know where this is stored in AD? I just need the attribute path so I know where to point my Dev team. Thanks!
You might be better to utilize DNS for location of Domain Controllers.
You might be able to use some of this information:
https://ldapwiki.com/wiki/How%20Domain%20Controllers%20Are%20Located%20in%20Windows
As far as I know, there is no "default". The concept of "sites" is done from an IP segment condition.
You can also locate a lot of information about domain controllers via LDAP Queries.
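Added example (not from the question or the answers above): a Python sketch of the two approaches the answer names, the DNS SRV name used to locate domain controllers and an LDAP query for DC computer accounts, followed by deriving the container from the returned distinguishedName values. The SRV name, the bitwise matching-rule OID and the SERVER_TRUST_ACCOUNT flag (0x2000) are standard AD values; the search results here are constructed sample data, and the actual DNS and LDAP calls are left to whichever client library the team uses.

```python
"""Derive the Domain Controllers container from DC computer objects.

Added example, not from the original post. Assumes the LDAP search is
run with any client library (e.g. ldap3); the results below are
constructed sample data so the logic runs offline.
"""
from typing import List


def dc_locator_srv_name(domain: str) -> str:
    """SRV record name clients resolve to find DCs (see the ldapwiki link)."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


# Filter for DC computer accounts: userAccountControl has the
# SERVER_TRUST_ACCOUNT bit (0x2000 = 8192), tested with the
# LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803.
DC_FILTER = "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def parent_dn(dn: str) -> str:
    """Container holding the object: everything after the first RDN."""
    return ",".join(split_dn(dn)[1:])


def domain_controllers_container(dc_dns: List[str]) -> str:
    """Return the one container holding all DC accounts; raise if they differ."""
    parents = {parent_dn(dn).lower() for dn in dc_dns}
    if len(parents) != 1:
        raise ValueError(f"DC accounts live in several containers: {sorted(parents)}")
    return parent_dn(dc_dns[0])


# Constructed sample search results (distinguishedName of each DC account).
SAMPLE_DC_DNS = [
    "CN=DC01,OU=Domain Controllers,DC=test,DC=lab",
    "CN=DC02,OU=Domain Controllers,DC=test,DC=lab",
]
```

Feeding `DC_FILTER` to a subtree search from the domain root and passing the returned distinguishedName values to `domain_controllers_container` yields the same value PowerShell shows as DomainControllersContainer, including for a domain where the OU was moved.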

What are the benefits of running Kerberos with an authorization-backing server like LDAP/Active Directory/SPNEGO?

I've been tasked with implementing a Single Sign-On solution in an environment which uses Kerberos with an Active Directory server for the actual storing of the users and their groups. I understand that Kerberos does not support privileges/groups and that this is the reason to be forced to use a backing server like, for example, LDAP, or Active Directory. This is all fine and clear, but what I don't quite understand is why you would still be using Kerberos, when you could simply be connecting to LDAP or Active Directory directly instead and dropping the whole overhead of yet another server.
What am I missing here...? Please advise! Many thanks in advance!
There is no overhead for another server. Active Directory combines all necessary services in one product.
Kerberos has tremendous benefits:
One login for all systems
Transparent subsequent login
Ciphered ticket exchange, even full transport encryption is possible
Delegation of credential is supported out of the box
Implemented and well documented in Unix and Windows for almost two decades
I have used Kerberos via AD for years in Java and C on Unix and Windows with great success. I wouldn't use anything else in a corporate environment.

RFC 2307 vs Identity Management for UNIX

I'm trying to learn about AD schema extensions, and I've encountered those 2.
What exactly is the difference? Are they contained in each other?
Thanks.
RFC2307 defines the standard attributes and classes used generically in LDAP-compliant systems.
Identity Management for Unix implies some services and other bits on Active Directory. I think you also get an MMC extension that shows some of them.
RFC2307(bis) is, at its heart, a schema developed by Sun and others, most notably PADL, in an attempt to use LDAP as a network information service, not to be confused with NIS or NIS+.

Grabbing passwords on a Win 2003 domain

I've recently been given the task at a school which runs a local domain to grab a copy of all the passwords when we reset them this week (students and staff).
The reasoning for this is because we wish to have them in sync with our local proxy server passwords and 3rd party user based applications.
I've had a look into passwdhk but haven't been able to get it running cleanly on our machines. We have 1x Windows Server 2008 RC2 machine and 1x Windows Server 2003 machine - we're running a 2003 domain because of this.
I'm wondering if anyone can help. I'm looking at something similar to passwdhk - some sort of custom password filter. However I'm not a higher level programmer and wouldn't be able to write this in C or C++. Can anyone point me in the direction of one I could easily modify or point out another solution?
The other option I was thinking of was to force all users to log into an intranet page with an ASP.NET backend that presented them with a form and sent it via a WSO or something - that way I'd have a plain text copy.
Your thoughts and input would be highly, highly appreciated!
Thanks!
You would need a custom password filter, or a password sync product. Forefront Identity Manager is one which can do this, but you're not going to get this (or likely any solution) set up in a week.
A web-based self-service interface is pretty common, but you won't be able to use the native Windows functionality to communicate password expiry.

Spring security LDAP compatible implementations

I've written a web application for a client in which authentication/authorization is done by Spring Security based on the 'internal' database. Now, the client has asked to switch to using their Active Directory instead. I'm as green as can be where LDAP is concerned, but looking at the sample code and such it doesn't seem too difficult.
I do have a more general question concerning LDAP. As I gather, this is a network protocol for which several implementations are available (among those Active Directory). Now, installing AD on my PC doesn't really appeal to me (if it is even possible?). However, if all implementations follow the LDAP protocol I would assume that I could simply install Apache Directory on my PC, write the 'code' and then deploy this on an environment with Active Directory and (apart from some config changes) this should work.
Can anyone confirm/deny this?
Thanks,
Stijn
It would be lovely if the LDAP standard was implemented the same on all major platforms, but while true in general, there are sufficient differences that you should plan on working against the target LDAP server instance in development.
For Active Directory you could run a Domain Controller in a VM on your workstation (since you cannot install AD on a workstation). You could install ADAM which is a standalone'ish AD like service. But even that is not a 100% match.
Usually the core issues are related to authentication, but the generic functionality for querying with filters and so on is the same across backend servers.