Jump to content

Provisioning Username and Password


netpro78
 Share

Recommended Posts

Is there a way to create a username/password per domain that will allow downloading of config files?  Right now only the extension web usernames/passwords seem to work, and while it is more secure, it would be much easier to have the option of a domain level username/password that would permit provisioning.

Link to comment
Share on other sites

I am referring to a username/password that can be used on all phones in the domain to download their config, that would be a great feature for a future version, and make me more likely to utilize the built in provisioning of the PBX instead of hand writing config files, and hosting them on a separate server.

Link to comment
Share on other sites

Generally speaking, at least by default the PBX should never leak out passwords. However, you can (should) use the REST API for this. By default downloading passwords is disabled; there is a setting in pnp.xml called rest_show_passwords that you can change to true to make this possible. Then you can use the /rest/domain/<domain>/user_settings/<account> API call for this.

Link to comment
Share on other sites

It is not as much of a LDAP issue is it is an issue with the way the system builds the config files.  I would propose that there be an account type at the domain level that has permissions to download config files for the domain.  Then when the system generates the config file, it fills it with the credentials of the account that the MAC is bound to, and not the credentials of who is logging in to get the file (like it currently does).  It would probably also make sense if there was a separate password for LDAP since web, sip, and VM all have individual passwords. 

Link to comment
Share on other sites

Yes, and you cannot trust an end user to update their phone's provisioning password in the phone if they happen to update their web password.  Possibly each extension should have separate passwords for each function:

LDAP password

SIP Password

Provisioning password

Web portal Password

Voicemail PIN

Link to comment
Share on other sites

The provisioning password is today the MAC address password. You can also provision a phone with the web "master" password, but that is not suggested and that is not in the latest templates. IMHO that is the right way to do this. In the next version we will generate a special LDAP password; then a VoIP phone should never have to use the web password or the SIP password. Having the LDAP password separate solves the problem that many VoIP phones don't support TLS for LDAP which makes this password specifically exposed. 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...