Wednesday, December 3, 2014

Asterisk on Ubuntu 14.04 LTS with Google Voice and MySQL Realtime

First of all, allow me to say that I don't offer any assurance that the following will work for you. It did work for me, and I tested it a few times and found it to work every time. So now I am just sharing it with the community; please let me know if you have any question(s) and I would be more than happy to answer them to the best of my knowledge.

Content

1. Basic Setup
2. Google Voice Setup
3. MySQL Realtime Setup

Be root rather than typing your password on every single command or getting sudo errors
sudo bash
Install the packages we need
sudo apt-get install apache2 libapache2-mod-php5 phpmyadmin mysql-server asterisk asterisk-doc asterisk-mysql -y
Configure mcrypt for PHP, otherwise you will probably get a warning/error in the phpMyAdmin portal
php5enmod mcrypt; service apache2 restart
We will configure Asterisk step by step and test it at every step to check our configuration. So let's start

Basic Setup

Back up the whole directory before we do any damage
cp -fr /etc/asterisk/ ~
Let's start by editing/updating rtp.conf. We need this regardless; you can simply paste these values in the terminal but DO NOT FORGET TO CHANGE THE VARIABLES ACCORDINGLY
cat << EOT > /etc/asterisk/rtp.conf
[general]
icesupport=yes
rtpstart=10000
rtpend=20000
EOT
Next, update the sip.conf file. Make sure to adjust the IP, port and mask for your environment afterward by editing the /etc/asterisk/sip.conf configuration file.
cat << EOT > /etc/asterisk/sip.conf
[general]
localnet=10.10.10.0/255.255.255.0
nat=force_rport,comedia
rtcachefriends=yes  
udpbindaddr=10.10.10.30:9065 
tcpenable=no
;tcpbindaddr=0.0.0.0
allowguest=yes                  
match_auth_username=yes         
allowoverlap=yes                
g726nonstandard=yes           
srvlookup=yes
pedantic=yes
useragent=Asterisk PBX
dtmfmode=rfc2833
;videosupport=yes
alwaysauthreject=yes
engine=asterisk 
disallow=all
allow=ilbc
;allow=g729
allow=gsm
;allow=g723
allow=ulaw
qualifyfreq=30
qualifygap=100
qualifypeers=1
  
[demo.10]
type=peer
secret=demo10
host=dynamic
context=internal

[demo.11]
type=peer
secret=demo11
host=dynamic
context=internal
EOT
Next, configure the extensions.conf file
cat << EOT > /etc/asterisk/extensions.conf
[internal]
exten => 10,1,Dial(SIP/demo.10,,r)
same => n,Hangup()
exten => 11,1,Dial(SIP/demo.11,,r)
same => n,Hangup()
EOT
Restart the service
service asterisk restart
At this point you should be able to register two users (demo.10, demo.11) and both should be able to call each other by dialing their extensions (10, 11)
Go to Top

Add Google Voice Support

Set up Google Voice to make and receive calls. Let's start by configuring motif, so edit motif.conf
cat << EOT > /etc/asterisk/motif.conf
[google]
context=incoming-motif
disallow=all
allow=ulaw
connection=google
EOT
The next file we need to configure is xmpp.conf
cat << EOT > /etc/asterisk/xmpp.conf
[general]
[google]
type=client
serverhost=talk.google.com
username=xxx@gmail.com
secret=xxx
priority=127
port=5222
usetls=yes
usesasl=yes
status=available
statusmessage="I am available"
timeout=5
EOT
Update extensions.conf to configure Google support for inbound and outbound calls
Back up the original configuration file
mv /etc/asterisk/extensions.conf /etc/asterisk/extensions.conf.orig; nano /etc/asterisk/extensions.conf
Now paste the following into extensions.conf, save and exit; don't forget to adjust the variables
[general]
[incoming-motif]
exten => s,1,Answer()
same => n,Wait(1)
same => n,SendDTMF(1)
same => n,Set(cid=${CALLERID(name)})
same => n,Set(cid=${CUT(cid,@,1)})
same => n,Set(CALLERID(all)=${cid})
same => n,Dial(SIP/demo.10,20,D(:1))

[internal]
exten => 10,1,Dial(SIP/demo.10,,r)
same => n,Hangup()
exten => 11,1,Dial(SIP/demo.11,,r)
same => n,Hangup()
exten => _1NXXNXXXXXX,1,Dial(Motif/google/${EXTEN}@voice.google.com,,r)
same => n,Hangup()
exten => _NXXNXXXXXX,1,Dial(Motif/google/1${EXTEN}@voice.google.com,,r)
same => n,Hangup()
exten => _NXXXXXX,1,Dial(Motif/google/1xxx${EXTEN}@voice.google.com,,r)
same => n,Hangup()
Restart the Asterisk service
service asterisk restart
At this point you should be able to call your Google Voice number and the demo.10 extension should ring. Both extensions (demo.10 and demo.11) should be able to call outside as well. Replace xxx before ${EXTEN} with your area code.
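To see what the three outbound patterns in [internal] actually accept, here is an added shell mirror of those rules (not part of the original post). The optional area-code argument stands in for the xxx placeholder; the default 555 and the test numbers are constructed values.

```shell
#!/bin/sh
# Added example, not from the original post: a shell mirror of the three
# outbound rules in the [internal] context above, so you can see which
# channel string Asterisk hands to Motif for a dialed number. In Asterisk
# patterns N matches 2-9 and X matches 0-9; the character classes below are
# the literal expansion of _1NXXNXXXXXX, _NXXNXXXXXX and _NXXXXXX.
#
# route_exten DIALED [AREA_CODE]
#   prints the Dial() channel string, or "no-match" when no rule applies.
#   AREA_CODE replaces the "xxx" placeholder from the post (the default 555
#   is a constructed value; pass your own).
route_exten() {
    dialed="$1"
    area="${2:-555}"
    n='[2-9]'   # Asterisk N
    x='[0-9]'   # Asterisk X
    case "$dialed" in
        10|11)                        # literal extensions, matched first
            printf '%s\n' "SIP/demo.$dialed" ;;
        1$n$x$x$n$x$x$x$x$x$x)        # _1NXXNXXXXXX : already 1 + 10 digits
            printf '%s\n' "Motif/google/$dialed@voice.google.com" ;;
        $n$x$x$n$x$x$x$x$x$x)         # _NXXNXXXXXX  : 10 digits, prepend 1
            printf '%s\n' "Motif/google/1$dialed@voice.google.com" ;;
        $n$x$x$x$x$x$x)               # _NXXXXXX     : 7 digits, prepend 1 + area code
            printf '%s\n' "Motif/google/1$area$dialed@voice.google.com" ;;
        *)
            printf '%s\n' "no-match" ;;
    esac
}
```

A number that starts with 0 or 1 in an N position (for example an 10-digit number beginning with 1) falls through to no-match, exactly as it would fail to match in the dialplan.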
Go to Top

Add MySQL Support

Let's start by configuring call detail records (CDR): edit cdr_mysql.conf for realtime
cat << EOT > /etc/asterisk/cdr_mysql.conf
[global]
hostname = localhost
dbname = asterisk
table = astCDR
password = asterisk
user = asterisk
port = 3306
sock = /var/run/mysqld/mysqld.sock
EOT
Now let's configure extconfig.conf for realtime
cat << EOT > /etc/asterisk/extconfig.conf
[settings]
sippeers => mysql,asterisk,astAccounts
extensions => mysql,asterisk,astExtensions
voicemail => mysql,asterisk,astVoicemails
queues => mysql,asterisk,astQueue
queue_members => mysql,asterisk,astQueueMembers
meetme => mysql,asterisk,astMeetme
EOT
Now, finally, configure res_config_mysql.conf to make the MySQL realtime connection
cat << EOT > /etc/asterisk/res_config_mysql.conf
[asterisk]
dbhost = localhost
dbname = asterisk
dbuser = asterisk
dbpass = asterisk
dbport = 3306
dbsock=/var/run/mysqld/mysqld.sock
dbcharset = latin1
requirements=warn ; or createclose or createchar
EOT
Update sip.conf to exclude the user (peer) information
mv /etc/asterisk/sip.conf /etc/asterisk/sip.conf.orig
cat << EOT > /etc/asterisk/sip.conf
[general]
localnet=10.10.10.0/255.255.255.0
nat=force_rport,comedia
rtcachefriends=yes  
udpbindaddr=10.10.10.30:9065 
tcpenable=no
;tcpbindaddr=0.0.0.0
allowguest=yes                  
match_auth_username=yes         
allowoverlap=yes                
g726nonstandard=yes           
srvlookup=yes
pedantic=yes
useragent=Asterisk PBX
dtmfmode=rfc2833
;videosupport=yes
alwaysauthreject=yes
engine=asterisk 
disallow=all
allow=ilbc
;allow=g729
allow=gsm
;allow=g723
allow=ulaw
qualifyfreq=30
qualifygap=100
qualifypeers=1
  
;[demo.10]
;type=peer
;secret=demo10
;host=dynamic
;context=internal

;[demo.11]
;type=peer
;secret=demo11
;host=dynamic
;context=internal
EOT
Now update extensions.conf for the realtime settings
mv /etc/asterisk/extensions.conf /etc/asterisk/extensions.conf.orig; nano /etc/asterisk/extensions.conf
Paste the following into it; basically this tells Asterisk to use the MySQL realtime database (asterisk) to read all configuration.
[general]
[incoming-motif]
;exten => s,1,Answer()
;same => n,Wait(1)
;same => n,SendDTMF(1)
;same => n,Set(cid=${CALLERID(name)})
;same => n,Set(cid=${CUT(cid,@,1)})
;same => n,Set(CALLERID(all)=${cid})
;same => n,Dial(SIP/demo.10,20,D(:1))
switch => Realtime/@
  
[internal]
;exten => 10,1,Dial(SIP/demo.10,,r)
;exten => 11,1,Dial(SIP/demo.11,,r)
;exten => _1NXXNXXXXXX,1,Dial(Motif/google/${EXTEN}@voice.google.com,,r)
;exten => _NXXNXXXXXX,1,Dial(Motif/google/1${EXTEN}@voice.google.com,,r)
;exten => _NXXXXXX,1,Dial(Motif/google/1xxx${EXTEN}@voice.google.com,,r)
;Hangup()
switch => Realtime/@
Now the server is pretty much configured but we still need to create the database.
I have a MySQL script that adds the database and sets up the proper permissions, so download it first
wget http://ryaz.homeip.net/docs/conf/ast11.sql
Now log in to the MySQL CLI
mysql -u root -p
Create the database and set up the permissions
source ast11.sql; exit;
Finally restart Asterisk
service asterisk restart
Connect to the Asterisk console and check the realtime connection
asterisk -rvvv
Run the following command to see the realtime status
realtime mysql status
Congratulations! You have just configured Asterisk for realtime and it is linked with your Google account, so enjoy making free calls forever.
Go to Top

This tutorial is also available on my website

Saturday, June 11, 2011

Asterisk 1.8 with MySQL Realtime Support on Ubuntu 10.04 LTS

First of all, let's make yourself root; otherwise you have to use sudo with each command and type your password in most cases
sudo su
Update the system and apply updates if there are any
apt-get update
apt-get upgrade

Install all dependencies
sudo apt-get install python-software-properties -y
Import public key
sudo apt-key adv --keyserver pgp.mit.edu --recv-keys 175E41DF
Add the repository so we can download Asterisk 1.8
sudo add-apt-repository "deb http://packages.asterisk.org/deb `lsb_release -cs` main"
sudo add-apt-repository "deb-src http://packages.asterisk.org/deb `lsb_release -cs` main"

Update repository and install any update if needed
apt-get update
apt-get upgrade

Install Asterisk 1.8
sudo apt-get install asterisk-1.8 -y
Install DAHDI
sudo apt-get install asterisk-dahdi -y
That is it, we have successfully installed Asterisk 1.8
The next part is to install the LAMP package
apt-get install mysql-server mysql-client apache2 php5 libapache2-mod-php5 phpmyadmin php5-mysql -y
Once done, restart all services or restart the system
service asterisk restart
service mysql restart
service apache2 restart

Enjoy your new system and have fun with it
I have scripted the whole process, feel free to download it
wget http://ryaz.homeip.net/docs/conf/asterisk.sh
In the next part we are going to set Asterisk up for MySQL realtime
In this example, I am going to create two accounts and set them up so they can make/receive calls from each other. Both accounts will have voice mailboxes as well. I am using internal as my default context; feel free to change any setting
So let's start
Edit the sip.conf file
nano /etc/asterisk/sip.conf
Add the following lines to it. The file is pretty long and has broad settings but everything is commented out of the box. The following lines will set up basic operation to start, and later on you can go through the file and set the option(s) you need. You can add these lines right after the [general] tag
context=internal
rtcachefriends=yes
disallow=all
allow=ulaw
allow=ilbc

Save the file and exit
Now we need to edit the extensions.conf file so all users in the internal context can make/receive calls
nano /etc/asterisk/extensions.conf
Add the following lines right after the [general] tag; again the file has broad settings but this will set up the basic context [internal]
[internal]
switch => Realtime/@

You can also add the MySQL table name where all extensions are located, i.e. switch => Realtime/@extensions
Save the file and exit
Next we need to tell Asterisk to look in the MySQL database for user information
Edit the extconfig.conf file
nano /etc/asterisk/extconfig.conf
Add the following lines to it; I would just add them at the end of the file
sipusers => mysql,asterisk,users ; SIP user
sippeers => mysql,asterisk,users ; SIP peers
extensions => mysql,asterisk,extensions ; SIP extensions
voicemail => mysql,asterisk,voicemails ; SIP voicemailboxes
queues => mysql,asterisk,queues ; SIP queue
queue_members => mysql,asterisk,queue_members ; SIP queue members

Now we need to tell Asterisk to connect to MySQL to get all the information
So edit the res_config_mysql.conf file
nano /etc/asterisk/res_config_mysql.conf
Our database for this example is asterisk, so append the following to that file
[asterisk]
dbhost = localhost
dbname = asterisk
dbuser = mysqluser
dbpass = mysqlpass
dbport = 3306
dbsock = /var/run/mysqld/mysqld.sock
requirements=warn ; or createclose or createchar

Adjust dbuser and dbpass to your settings; this is the MySQL privileged user account. You can always use root for testing if you are not sure about the account
Okay, at this point our Asterisk box is ready and all configured!
Lastly we need to create the database in MySQL
So connect to MySQL and create the database: first download the asterisk.sql script, which creates the database and its related tables
wget http://ryaz.homeip.net/docs/conf/asterisk.sql
Now connect to MySQL and create the database and its tables using the asterisk.sql script; replace mypassword with your root password
mysql -u root -pmypassword
source asterisk.sql;

All done!

Configure hard/soft SIP phones and have fun
As always, feel free to email me if you have any question(s)

Did my efforts work for you? Want to say thank you?
You can buy me a beer, I would appreciate that!

Friday, May 20, 2011

Ldap & FreeRadius on Ubuntu 10.04 LTS

Setup Open-Ldap and FreeRadius on Ubuntu 10.04 LTS

There is no assurance that this will work for you; it did work for me and my setup is Ubuntu 10.04 LTS

Enough talking, let's get to work.
I am assuming that you already have Ubuntu 10.04 [server/desktop] with ssh up and running
I am also assuming that you have set up a static IP for your machine; not required, but a good idea
The domain name/tree name we will be using in these examples is "dc=myldap,dc=ent"
The basic group which will hold our user accounts is "cn=Domain Users,ou=Groups,dc=myldap,dc=ent"
The users will be in the Users OU "ou=Users,dc=myldap,dc=ent"
Feel free to change any of the above according to your setup. So let's start
Be root instead of typing your password every time you use sudo
sudo bash
Type your regular password
Check for updates and install them if needed
apt-get update && apt-get upgrade
Install slapd and its utils
sudo apt-get install slapd ldap-utils -y
Add the basic schemas to the LDAP database
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
Set up the core
nano /tmp/mysetup.ldif
And paste the following into it; feel free to change the tree name
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=myldap,dc=ent
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=myldap,dc=ent
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=myldap,dc=ent" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=myldap,dc=ent" write by * read
Add the above LDIF file
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/mysetup.ldif
Set up LDAP for authentication
sudo apt-get --yes install ldap-auth-client
You will be asked a few questions; read them and answer very carefully.
The LDAP server in this case is localhost, so it would be ldap://127.0.0.1/
The DN would be dc=myldap,dc=ent
Accept Version 3 as the default
Answer Yes to the next question
Answer No to the next question
The LDAP root account would be cn=admin,dc=myldap,dc=ent
And the LDAP root [admin in this case] password would be mypassword
Check the setup
sudo auth-client-config -t nss -p lac_ldap
There should not be any error at this point; if there is, then something is not right
Update PAM for LDAP authentication
sudo pam-auth-update ldap
Make sure ldap is selected at least
Edit ldap.conf to adjust the authentication options
nano /etc/ldap.conf
Uncomment line 24
Uncomment line 72 and replace hard with soft
Save the file and exit out of it
Copy this file to the /etc/ldap/ directory
cp /etc/ldap/ldap.conf /etc/ldap/ldap.old
cp /etc/ldap.conf /etc/ldap/

Make the home directory where user profiles will be placed
mkdir /ldaphome
chmod 777 /ldaphome

Set up the basic groups and users
nano /tmp/myldap.ldif
And paste the following into it
# Create top-level object in domain
dn: dc=myldap,dc=ent
objectClass: top
objectClass: dcObject
objectclass: organization
o: Ldap Enterprise
dc: MYLDAP
description: LDAP Enterprise

# Admin user.
dn: cn=admin,dc=myldap,dc=ent
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: mypassword

dn: ou=Groups,dc=myldap,dc=ent
objectClass: organizationalUnit
ou: Groups

dn: cn=Domain Users,ou=Groups,dc=myldap,dc=ent
objectClass: posixGroup
objectClass: top
cn: Domain Users
gidNumber: 513
description: Domain Users

dn: ou=Users,dc=myldap,dc=ent
objectClass: organizationalUnit
ou: Users

dn: uid=rkhan,ou=Users,dc=myldap,dc=ent
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: rkhan
sn: Khan
cn: Ryaz Khan
uidNumber: 30000
gidNumber: 513
userPassword: test
gecos: Ryaz Khan
loginShell: /bin/bash
homeDirectory: /ldaphome/rkhan
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
title: System Administrator

Now add the above LDIF file/basic structure to the LDAP database
sudo ldapadd -x -D cn=admin,dc=myldap,dc=ent -w mypassword -f /tmp/myldap.ldif
This should run without any error; if there is/are, something is not right
At this point you should be able to log in to your system with user rkhan
You might get an error that the home directory does not exist when doing ssh; you can create it manually, or if you are using the desktop, log in with rkhan and it will create the directory. But this is not a show stopper in any shape or form
Now let's move to our next setup [freeradius]; let's install and set up this monster
apt-get install freeradius freeradius-ldap -y
Copy the OpenLDAP schema needed for freeradius to work to the LDAP schema directory
cp /usr/share/doc/freeradius/examples/openldap.schema /etc/ldap/schema/
Convert the above schema you just copied to an LDIF file so it can be added to the LDAP database
nano /tmp/schema_convert.ldif
And paste the following, deleting any existing entries from the file, if there are any
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
Create the LDIF file
slapcat -f /tmp/schema_convert.ldif -F ~ -n0 -s "cn={7}openldap,cn=schema,cn=config" > /tmp/cn=openldap.ldif
Clean up the above LDIF file a bit
nano /tmp/cn\=openldap.ldif
Remove the number and {} from the first lines to make it like the following
dn: cn=openldap,cn=schema,cn=config
...
cn: openldap
And get rid of the following lines; there is no use for them but they will/can cause trouble. They are located at the end of openldap.ldif
structuralObjectClass: olcSchemaConfig
entryUUID: c69d2a24-1274-1030-8c56-69db9ca637cf
creatorsName: cn=config
createTimestamp: 20110514125231Z
entryCSN: 20110514125231.473294Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110514125231Z
Now just add the above cleaned LDIF file to the LDAP database
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=openldap.ldif
Again there should not be any error
To make sure the schemas we have added so far are in place, issue the following
sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
You will get a list of all schemas
Now the LDAP server is ready with the FreeRADIUS schema; it's time to configure it
I would simply restart both monsters [ldap and freeradius] just to be safe, not required though
service slapd restart
service freeradius restart
Back to configuration
nano /etc/freeradius/modules/ldap
You want to make sure that at least the following are in place; the rest of the file is good by default for our setup
server = "localhost"
identity = "cn=admin,dc=myldap,dc=ent"
password = mypassword
basedn = "ou=Users,dc=myldap,dc=ent"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
access_attr = "dialupAccess"
password_attribute = userPassword

Tell freeradius to use ldap for authentication by editing the following file
nano /etc/freeradius/sites-enabled/default
Uncomment ldap, located on lines 170, 181, and 182
Also tell freeradius to use ldap within the inner tunnel as well, otherwise it simply will not work and you will damage your head by hitting it against the wall
nano /etc/freeradius/sites-enabled/inner-tunnel
Uncomment line 129 (ldap)
We are pretty much done, so restart both monsters [ldap and freeradius]
service slapd restart
service freeradius restart

Issue the following command to see that the LDAP mapping is working correctly
freeradius -XXX
If something like the following shows up, we are good here; everything is working the way it was designed
Debug: rlm_ldap: Registering ldap_groupcmp for Ldap-Group
Debug: rlm_ldap: Registering ldap_xlat with xlat_name ldap
Debug: rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
Debug: rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
Debug: rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
Debug: rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
Debug: rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
Debug: rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
Debug: rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
Debug: rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
Debug: rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
Debug: rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
Debug: rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
Debug: rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
Debug: rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
Debug: rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
Debug: rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
Debug: rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
Debug: rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
Debug: rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
Debug: rlm_ldap: LDAP radiusClass mapped to RADIUS Class
Debug: rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
Debug: rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
Debug: rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
Debug: rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
Debug: rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
Debug: rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
Debug: rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
Debug: rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
One last thing: we have to add the radiusprofile objectClass and the dialupAccess attribute to user rkhan
You can do it right on the console, but I would use an LDIF file
nano /tmp/modify.ldif
And paste the following into it
dn: uid=rkhan,ou=Users,dc=myldap,dc=ent
changetype: modify
add: objectClass
objectClass: radiusprofile

dn: uid=rkhan,ou=Users,dc=myldap,dc=ent
changetype: modify
add: dialupAccess
dialupAccess: access_attr
Issue the following command to add the above entries to user rkhan's record
sudo ldapmodify -h localhost -p 389 -D "cn=admin,dc=myldap,dc=ent" -w mypassword -f /tmp/modify.ldif
At this point freeradius is all set up with LDAP authentication and only rkhan can use freeradius to authenticate against OpenLDAP.
Set up/allow clients; localhost is allowed by default
nano /etc/freeradius/clients.conf
Look through the file and make changes where needed
Configure wireless or wired clients and have fun!
I have tested it with my wireless [eap/peap authentication method] setup and it works like a charm every time
Enjoy!

I have already written a PHP script to add users via a web page; it will take care of all the 1zz and 2zz in the background.
The user/administrator just has to fill in the form and hit submit, and yeah! our new user is ready to use freeradius and can authenticate against our freshly configured LDAP server

Let me know if you are interested in that script

Note: I have tested this setup using plain text passwords in the LDAP database

Feel free to email me if you have any question(s)

Monday, February 14, 2011

Power of Power-Shell

This blog is about the things you can do with PowerShell; the main focus of this blog is to throw some light on:

How PowerShell can be used with MS Exchange for doing all sorts of things which are impossible/time consuming when done manually.

Please feel free to ask any question(s) you may have. You can also email me and I will try to get back to you as soon as possible. The easiest way to contact me is:

http://cns.selfip.net/pages/contact.php

Thursday, August 19, 2010

Samba with Open-Ldap on Ubuntu 10.04 LTS

Now that I have finally made it a successful primary domain controller which uses LDAP to authenticate, it is a great system and can be deployed in a production environment, and best of all it's free! And yeah, no MS headache. I'd like to share what I did to make it work correctly. The Ubuntu official documents about this setup simply do not work, so don't waste your time and resources there. Let's get back to what I did.

First of all we want to make sure that our system is up to date with all required updates
sudo apt-get update
sudo apt-get upgrade
It is also good practice to configure a static IP for servers; for this setup you don't have to, though. If you would like to set one up, click here
Next we want to install all the packages required for this setup. A few packages you will have to install later, and I think it appropriate to install them when there is a need for them
sudo apt-get install slapd ldap-utils samba samba-doc libpam-smbpass smbclient smbldap-tools -y
Now we need to load some additional schema files for LDAP
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
Next we need to create an LDIF file describing our domain setup
nano /tmp/mysetup.ldif
Paste the following into your mysetup.ldif file; just make sure you change the information according to your setup before you save the file, to keep things right
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=mydomain,dc=local
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=mydomain,dc=local
olcRootPW: mypassword
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=mydomain,dc=local" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=mydomain,dc=local" write by * read
Now add this mysetup.ldif file to the LDAP directory
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/mysetup.ldif
Now we need to update the smb.conf file; please change things according to your setup. Feel free to download my config file, or view the sample file
nano /etc/samba/smb.conf
Next we need to set the samba admin password
sudo smbpasswd -W
Now we are ready to start our samba server
sudo service smbd restart
Now it's time to test things; you don't need to provide a password for the following, it can be tested without one
sudo smbclient -L localhost
If your screen hangs or you get a "not accessible" error etc., stop, start or restart samba and you should be okay
It's time to make all the directories we share via samba in smb.conf, mainly three directories. They don't have to be where we create them, but this setup looks neat
mkdir /profiles
mkdir /netlogon
Set up correct permissions for the above directories. These permissions are only for testing; change them for production because right now the whole world can access your profiles directory
chmod 777 /profiles
chmod 777 /netlogon
Now we are almost done with the samba setup; we have already set up LDAP. Now we need to make samba use LDAP for authentication and tell LDAP about the new samba attributes. This can be done by using the samba schema, so let's go and do that
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz
All schemas have to be converted to LDIF format so we can add them using the ldapadd tool
nano /tmp/schema_convert.ldif
Paste the following into schema_convert.ldif
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema
Now use the slapcat tool to convert these schemas
slapcat -f /tmp/schema_convert.ldif -F ~ -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif
Now make the following changes to the samba.ldif file
nano /tmp/cn\=samba.ldif
Make changes like:
dn: cn={12}samba,cn=schema,cn=config
...
cn: {12}samba
Change the above two lines from samba.ldif to the following lines
dn: cn=samba,cn=schema,cn=config
...
cn: samba
And get rid of the following lines from samba.ldif as well
structuralObjectClass: olcSchemaConfig
entryUUID: 1050e3c8-4f2e-102f-9979-17b7632aa757
creatorsName: cn=config
createTimestamp: 20100908004504Z
entryCSN: 20100908004504.103442Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100908004504Z
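The hand edits just described, and the identical ones for cn=openldap.ldif in the FreeRADIUS post, can be done with a small filter. This is an added example, not the post's own script: the sample input is a constructed stand-in for slapcat output, and the check function only verifies the shape of the file, not that slapd will accept the schema.

```shell
#!/bin/sh
# Added example, not from the original posts: automates the manual cleanup of
# a slapcat-exported schema entry (cn=openldap.ldif in the FreeRADIUS post,
# cn=samba.ldif in the Samba post). slapcat prefixes the entry with a {N}
# ordering index and appends operational attributes that ldapadd against
# cn=config rejects; this filter strips both. It reads LDIF on stdin and
# writes the cleaned LDIF to stdout, e.g.
#   clean_schema_ldif < /tmp/cn=samba.ldif > /tmp/samba-clean.ldif
clean_schema_ldif() {
    sed -e 's/^dn: cn={[0-9]*}/dn: cn=/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# check_schema_ldif FILE: returns 0 if nothing slapcat-specific is left,
# 1 (with a message on stderr) if index braces or operational attributes remain.
check_schema_ldif() {
    if grep -q -e '^dn: cn={' -e '^cn: {' \
               -e '^entryUUID:' -e '^entryCSN:' -e 'Timestamp: ' "$1"; then
        echo "still contains index braces or operational attributes: $1" >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for what slapcat writes. The real samba schema body is
# thousands of lines; the OID and UUID below are placeholders, not real values.
sample_slapcat_output() {
    cat <<'EOF'
dn: cn={12}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {12}samba
olcObjectIdentifier: EXAMPLE 1.3.6.1.4.1.99999
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20100908004504Z
entryCSN: 20100908004504.103442Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20100908004504Z
EOF
}
```

Run check_schema_ldif on the cleaned file before the ldapadd step; it catches the case where the index was left in the cn: line but removed from the dn: line, which is the usual slip when editing by hand.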
Now add samba.ldif to the LDAP database
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=samba.ldif
Now just check how things look so far
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -D cn=admin,cn=config -b cn=config -W olcDatabase={1}hdb
If you did not get any error(s), we are in good shape. Now unpack the configure script from the smbldap-tools package we installed earlier
sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
Now run a perl script which will set things up in the LDAP database for us; answer each question carefully, not that you cannot change them later, but just to keep things neat.
sudo perl /usr/share/doc/smbldap-tools/configure.pl
Now populate the LDAP server with all the information the script has created for us. I want to make sure that our LDAP users and groups will not have any conflicts, so I am setting the starting base for both users and groups to 30000
smbldap-populate -u 30000 -g 30000
And finally
sudo /etc/init.d/slapd stop
sudo slapindex
sudo chown openldap:openldap /var/lib/ldap/*
sudo /etc/init.d/slapd start
Now add the root user to the Administrators group so it can be used to join workstations to this domain
sudo smbldap-groupmod -m 'root' 'Administrators'
If you don't get any error(s), we are in good shape

Now we need to allow all clients to authenticate via LDAP. Answer each question very carefully and after full understanding; the tricky part is ldapi:///, which needs to be changed to ldap://127.0.0.1
sudo apt-get --yes install ldap-auth-client
Now update PAM
sudo auth-client-config -t nss -p lac_ldap
sudo pam-auth-update ldap
Make sure LDAP along with the other services is checked in the above update. If you did not get any error(s), things are good so far. So let's try to add your first LDAP user
sudo smbldap-useradd -a -m -P rkhan
Now check the new user using the ldapsearch tool
ldapsearch -xLLL -b "dc=mydomain,dc=local" uid=rkhan
We are all done here; go to an XP or Windows 7 client and join it to your new samba domain. Enjoy it!
Note: There is no guarantee that this will work for you; it worked for me like a charm so I am sharing it

Quick commands
sudo service smbd stop
sudo service smbd start
sudo service smbd restart

/etc/init.d/slapd stop
/etc/init.d/slapd start
/etc/init.d/slapd restart

Want to say thank you? Buy me a beer, I would appreciate that!