[OpenSIPS-Users] LDAP Authentication

2009-06-14 Thread Alan Rubin
Hello,

I've gathered from web searches that it IS possible to authenticate to
an OpenSER system using an LDAP database. Is this also true for OpenSIPS
(1.5)?

Does anyone have a tutorial for configuring such a setup? I found one
for Kamailio, but it doesn't appear to be identical to my version of
OpenSIPS (or there are typos of significance in the tutorial).

Also important, can this authentication be done with existing LDAP
credentials or does there have to be specific SIP information inside the
LDAP database for the authentication to work? The requirement of
additional values in the LDAP space is also indicated by the example in
the tutorial for Kamailio that I found
(http://kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap), but
I am unable to add SIP specific information in my instance. There is,
however, already UID and password information contained within.

Regards,

Alan Rubin
 

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] LDAP Authentication

2009-06-14 Thread Alan Rubin
Thiago, 

Thanks for the reply; however, the module documentation does not seem to
give examples on how to configure LDAP with the auth mechanism.  Or is
that not necessary?

This is the section from the tutorial I found, mentioned previously:

modparam("auth", "username_spec", "$avp(s:username)")
modparam("auth", "password_spec", "$avp(s:password)")
modparam("auth", "calculate_ha1", 1)
...

The possible difference (typo?) that concerns me is this next reference
in the tutorial:

route[11] {
    if(is_method("REGISTER"))
    {
        if(is_present_hf("Authorization"))
        {
            # ldap search
            if (!ldap_search("ldap://sipaccounts/ou=sip,dc=example,dc=com?SIPUserName,SIPPassword?one?(cn=$fU)"))
            {
                switch ($retcode)
                {
                ...

I have no "route[11]" in my configuration file.  Am I meant to create a
new route section to handle LDAP authentication?  

What I am trying to do, if it is not clear, is use LDAP as a mechanism
for authentication/registration of SIP accounts rather than having to
configure, by hand and with a separate password, a SIP account for each
user of my SIP server.

Regards,

Alan 
 
-Original Message-
From: users-boun...@lists.opensips.org
[mailto:users-boun...@lists.opensips.org] On Behalf Of Thiago Rondon
Sent: Monday, 15 June 2009 1:47 PM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication



Alan,

How about the documentation of the ldap module?

http://www.opensips.org/html/docs/modules/1.5.x/ldap.html

-Thiago Rondon





Re: [OpenSIPS-Users] LDAP Authentication

2009-06-15 Thread Alan Rubin
Bogdan,

I want to use LDAP to authenticate clients.  We're using it for our XMPP
server (amongst other services) without issues.

Regards,

Alan Rubin
Unix Systems Administrator
DCS Midrange Services
Phone: +61 (08) 8999 5111
Fax:  +61 (08) 8999 7493
e-Mail: alan.ru...@nt.gov.au
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Tuesday, 16 June 2009 8:24 AM
To: Alan Rubin
Cc: Thiago Rondon; users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

Do you want to use LDAP to authenticate clients, or to authenticate
opensips against another SIP server?

Regards,
Bogdan






Re: [OpenSIPS-Users] LDAP Authentication

2009-06-15 Thread Alan Rubin
Bogdan,

Thanks for the help.  Is the script part inside of the main route or is
it a separate section?

Regards,

Alan Rubin
Unix Systems Administrator
DCS Midrange Services
Phone: +61 (08) 8999 5111
Fax:  +61 (08) 8999 7493
e-Mail: alan.ru...@nt.gov.au
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Tuesday, 16 June 2009 8:58 AM
To: Alan Rubin
Cc: Thiago Rondon; users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

The way to do it is like this:

1) configure the auth module to do authentication via pseudo-variables:

# -- auth params --
modparam("auth", "nonce_expire",  30)
modparam("auth", "secret", "my-deepest-and-darkest-secret")
modparam("auth", "disable_nonce_check", 0)
modparam("auth", "username_spec", "$avp(i:2)")
modparam("auth", "password_spec", "$avp(i:1)")
modparam("auth", "calculate_ha1", 1)

2) and in the script do:

# are any credentials available in the request ?
if (!is_present_hf("Proxy-Authorization")) {
    proxy_challenge("", "0");
    exit;
}

# run the ldap_query() and load the passwd into $avp(i:1)
# TODO

# username to authenticate
$avp(i:2) = $fU;

# do the authentication
if(!pv_proxy_authorize("")){
    proxy_challenge("", "0");
    exit;
}


Regards,
Bogdan






Re: [OpenSIPS-Users] LDAP Authentication

2009-06-15 Thread Alan Rubin
Bogdan,

Yes, my script is derived from the default and I have enabled MySQL and
added PUA, PUA_userloc and Presence modules.

Regards,

Alan Rubin
Unix Systems Administrator
DCS Midrange Services
Phone: +61 (08) 8999 5111
Fax:  +61 (08) 8999 7493
e-Mail: alan.ru...@nt.gov.au
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Tuesday, 16 June 2009 9:59 AM
To: Alan Rubin
Cc: Thiago Rondon; users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

Put it in the main route, where you need to do the authentication... Is
your script derived from the default opensips cfg file?

Regards,
Bogdan


Re: [OpenSIPS-Users] LDAP Authentication

2009-06-18 Thread Alan Rubin
cal/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_val2bind: added val (0): len=3; type=254;
is_null=0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_do_prepared_query: discon reset for 135989560
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 2
columns in result
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_do_prepared_query: doing to BIND_PARAM out ...
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_query: SYNC-DBG - SELECT-STMT successfully
executed!!
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:db_new_result: allocate 28 bytes for result set at 0x81b7ee0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_store_result: SYNC-DBG - SELECT result was stored!
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_get_columns: 2 columns returned from the query
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:db_allocate_columns: allocate 32 bytes for result columns at
0x81b7f08
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x81b7f10)[0]=[ha1]
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x81b7f18)[1]=[rpid]
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:db_mysql:db_mysql_convert_rows: no rows returned from the query
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:auth_db:get_ha1: no result for user 'oh5@'
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:db_free_columns: freeing result columns at 0x81b7f08
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:db_free_rows: freeing 0 rows
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:db_free_result: freeing result set at 0x81b7ee0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:db_free_result: SYNC-DBG - freeing result!
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:auth:reserve_nonce_index: second= 4, sec_monit= -1,  index= 2
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:auth:build_auth_hf: nonce index= 2
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
realm="155.205.69.126",
nonce="4a3ad9b90002b64f5ef190966742551aa9531e9165f3"  '
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:parse_headers: flags=
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:destroy_avp_list: destroying list (nil)
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]:
DBG:core:receive_msg: cleaning up 
...


And here are the changes I made to the main route, for the benefit of
anyone else who might have an idea for me:

if (!(method=="REGISTER") && from_uri==myself) { /* no multidomain version */
    # are any credentials available in the request ?
    if (!is_present_hf("Proxy-Authorization")) {
        proxy_challenge("", "0");
        exit;
    }

    # run the ldap_query() and load the passwd into $avp(s:password)
    # TODO
    $var(username)=$fU;

    ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
    ldap_result("userPassword/$avp(s:password)");

    # username to authenticate
    #$var(username) = $fU;

    # do the authentication
    if(!pv_proxy_authorize("")){
        proxy_challenge("", "0");
        exit;
    }

Regards,

Alan Rubin
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Friday, 19 June 2009 9:42 AM
To: Alan Rubin; users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

sorry for the late reply - this week we have the OpenSIPS bootcamp and
I'm getting my hands on the emails only from time to time...

So, are you loading the passwd in raw format (plain text)? If so, you
need the calulca
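The REGISTER route posted above splices $fU, the user part of the From header exactly as the client sent it, straight into the LDAP filter string. The block below is an added Python example, not OpenSIPS code and not from the thread: it builds the same filter with and without RFC 4515 escaping of that value and runs both through a minimal filter evaluator over a constructed directory, to show that an unescaped "*" from the client turns (cn=$fU) into a wildcard matching every active department-66 entry, so ldap_result() would be reading a userPassword from the entries that came back rather than the named user's, while an unescaped ")" yields a malformed filter. The directory entries, usernames and placeholder password values are constructed.

```python
"""RFC 4515 escaping for a client-supplied value spliced into an LDAP
filter, using the filter shape from the posted REGISTER route:
    (&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))
Added example; not OpenSIPS code. DIRECTORY is constructed test data.
"""
import re

# RFC 4515 section 3: these characters must be written as \xx inside an
# assertion value so that they are matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_register_filter(from_user: str, escape: bool = True) -> str:
    """The thread's filter for one From user. escape=False splices the
    value in verbatim, which is what "(cn=$fU)" in the script does."""
    value = escape_filter_value(from_user) if escape else from_user
    return f"(&(cn={value})(departmentNumber=66)(ntguserstatus=Active))"


def _parse(s: str, i: int = 0):
    """Tiny RFC 4515 subset: AND lists and equality assertions whose value
    may contain '*' wildcards and \\xx escapes. Returns (node, next_index).
    Raises ValueError on malformed input, as a directory server would."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] == "&":
        children, i = [], i + 1
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return ("&", children), i + 1
    eq = s.index("=", i)
    attr, i, pattern = s[i:eq], eq + 1, ""
    while s[i] != ")":
        if s[i] == "\\":            # \xx escape: one literal character
            pattern += re.escape(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        elif s[i] == "*":           # unescaped '*': substring wildcard
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(s[i])
            i += 1
    return ("=", attr, re.compile(f"^{pattern}$")), i + 1


def _match(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_match(child, entry) for child in node[1])
    _, attr, regex = node
    return regex.match(entry.get(attr, "")) is not None


def search(directory, filter_str: str) -> list:
    """Entries of `directory` matching `filter_str`."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [entry for entry in directory if _match(node, entry)]


DIRECTORY = [  # constructed; userPassword values are placeholders, not real hashes
    {"cn": "oh5", "departmentNumber": "66", "ntguserstatus": "Active",
     "userPassword": "{SSHA}placeholder-oh5"},
    {"cn": "jsmith", "departmentNumber": "66", "ntguserstatus": "Active",
     "userPassword": "{SSHA}placeholder-jsmith"},
    {"cn": "retired", "departmentNumber": "66", "ntguserstatus": "Disabled",
     "userPassword": "{SSHA}placeholder-retired"},
]


def demo():
    """cn values matched for an honest user, for a From user of '*' with and
    without escaping, and for a From user of 'oh5)' with and without it."""
    def cns(flt):
        return [entry["cn"] for entry in search(DIRECTORY, flt)]

    honest = cns(build_register_filter("oh5"))
    raw_star = cns(build_register_filter("*", escape=False))       # wildcard
    escaped_star = cns(build_register_filter("*"))                 # literal '*'
    try:
        cns(build_register_filter("oh5)", escape=False))
        raw_paren_rejected = False
    except ValueError:
        raw_paren_rejected = True                                  # malformed
    escaped_paren = cns(build_register_filter("oh5)"))             # literal ')'
    return honest, raw_star, escaped_star, raw_paren_rejected, escaped_paren
```

demo() returns (["oh5"], ["oh5", "jsmith"], [], True, []): the honest user matches only itself, the raw "*" matches both active accounts, and the escaped forms match nothing. The OpenSIPS ldap module documents ldap_filter_url_encode(string, result_avp) for doing this escaping in script, so the escaped value, not $fU itself, is what should appear inside the URL handed to ldap_search().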

Re: [OpenSIPS-Users] LDAP Authentication

2009-06-18 Thread Alan Rubin
(reposting to fit the list size limits)

Bogdan,

2) I removed the "!" from the REGISTER section.  This seems to have at
least pushed me on to the next stage of actually doing an LDAP query:

Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
[sipaccounts], base [o=ntg], scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
[500] usecs
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:check_nonce: comparing
[4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a] and
[4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1,  index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:build_auth_hf: nonce index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest
realm="155.205.69.126",
nonce="4a3ae9d2c65c88df6909b9e945bdbaaa5e495b3a"  '
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:parse_headers: flags=
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:destroy_avp_list: destroying list (nil)
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:receive_msg: cleaning up
...

Still failing, but this time it is code 407: Proxy Authentication
Required.  Getting closer?

1) Perhaps I mean "encoded" and am just using the wrong term.  An
example return from our LDAP search:
 userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==

Regards,

Alan Rubin
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Friday, 19 June 2009 10:52 AM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Alan,

2 points:

1) What do you mean by "encrypted"? The module supports only HA1-encoded
passwords.

2) I see you deal with a REGISTER request, but in your script you
changed the auth (from DB to LDAP) only for INVITEs. Check in the
script the second auth block (for REGISTERs) and change it the same
way as we did for the INVITEs.

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Thanks for your help.  I reset the configuration for calculate_ha1 to
0
> (it was set to 1), but I am still getting a "401 - Unauthorized"
error.
> The password returning from the LDAP server should be an encrypted
> string.
>
> # - auth_db params -
> /* uncomment the following lines if you want to enable the DB based
>authentication */
> #modparam("auth_db", "calculate_ha1", yes)
> #modparam("auth_db", "password_column", "password")
> #modparam("auth_db", "db_url",
> #   "mysql://opensips:@localhost/opensips")
> #modparam("auth_db", "load_credentials", "")
>
> # -- auth params -
> #modparam("auth", "username_spec", "$var(username)")
> #modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "nonce_expire",  30)
> modparam("auth", "secret", "")
> modparam("auth", "disable_nonce_check", 0)
> modparam("auth", "username_spec", "$var(username)")
> modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "calculate_ha1", 0)
>
> Here are the relevant logs from the connection (I think):
>
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]:
> DBG:core:parse_msg: SIP Request:
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]:
> DBG:core:parse_msg:  method:  
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]:
> DBG:core:parse_msg:  uri: 
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]:
> DBG:core:parse_msg:  version: 
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]:
> DBG:core:parse_headers: flags=2
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]:
> DBG:core:parse_via_param: found param type 

Re: [OpenSIPS-Users] LDAP Authentication

2009-06-22 Thread Alan Rubin

Bogdan,

I think my message to  the list may have been lost after I cancelled the
original version due to size issues and re-sent an edited version.
Trying again...

Regards,

Alan Rubin
 

Re: [OpenSIPS-Users] LDAP Authentication

2009-06-22 Thread Alan Rubin
On a whim, I checked the archives for this list and apparently there
have been messages on this thread but they haven't been delivered to me.
I do not know if Mailman chose to filter out this topic or some
anti-spam device on my domain has started blocking ONLY messages on this
subject (got many other OpenSIPS messages over the weekend).  

Hope I can see them now after tinkering with my Mailman options.


In response to:

Alan,

Could you post the part of the script taking care of the REGISTRATION
part, just for double-checking?

Also, for the password... it does not look OK. Not sure how that value is
computed, but please check the Digest Auth RFC to see the definition of
HA1.

Regards,
Bogdan
...

Here is the REGISTER section involving LDAP:

if ((method=="REGISTER") && from_uri==myself) { /* no multidomain version */
    # are any credentials available in the request ?
    if (!is_present_hf("Proxy-Authorization")) {
        proxy_challenge("", "0");
        exit;
    }

    # run the ldap_query() and load the passwd into $avp(s:password)
    # TODO
    $var(username)=$fU;

    ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
    ldap_result("userPassword/$avp(s:password)");

    # username to authenticate
    #$var(username) = $fU;

    # do the authentication
    if(!pv_proxy_authorize("")){
        proxy_challenge("", "0");
        exit;
    }
}
...

and there is also this section, still in "route":

if (is_method("REGISTER"))
{
    # authenticate the REGISTER requests (uncomment to enable auth)
    if (!www_authorize("155.205.69.126", "subscriber"))
    {
        www_challenge("155.205.69.126", "0");
        exit;
    }
    ##
    ##if (!check_to())
    ##{
    ##  sl_send_reply("403","Forbidden auth ID");
    ##  exit;
    ##}

    ## make pua_usrloc send PUBLISH for phones which do not support presence
    ## filter after User-Agent header
    #if(!search("^User-Agent:"))
    #   pua_set_publish();

    #   save("location");
    #   exit;

    if(is_method("REGISTER") && from_uri=~"@galah.cprod.corp.ntgov")
        pua_set_publish();

    if (!save("location"))
        sl_reply_error();

    exit;
}

 
Regards,

Alan Rubin
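Bogdan's calculate_ha1 setting and his remark that the {SSHA} value "does not look ok" both come down to what Digest authentication can compute. The block below is an added Python example, not OpenSIPS code or anything from the thread. It mirrors what pv_www_authorize()/pv_proxy_authorize() need from password_spec: with calculate_ha1=1, a plaintext password from which HA1 = MD5(username:realm:password) is derived; with calculate_ha1=0, that HA1 hex itself. An OpenLDAP-style {SSHA} userPassword is base64(SHA-1(password+salt)+salt): it can be checked against a plaintext candidate, which is what an LDAP bind does, but it cannot be inverted, so loaded into $avp(s:password) it fails under either setting. The realm is the one in the posted log; the nonce, salt and credentials are constructed. Two things in the posted material are worth reading alongside it: the 19 June log's 401 with WWW-Authenticate follows "DBG:auth_db:get_ha1: no result for user 'oh5@'", that is, it comes from the www_authorize("...", "subscriber") block that still queries the MySQL subscriber table, not from the LDAP block; and that config sets modparam("auth", "secret", "") where Bogdan's example sets a real phrase, and the auth module documents secret as the phrase its nonce values are computed from, which is the check verify() performs against issued_nonce below.

```python
"""SIP Digest arithmetic (RFC 2617 as profiled by RFC 3261) behind the auth
module's username_spec / password_spec / calculate_ha1 settings, and why an
LDAP {SSHA} userPassword cannot feed it. Added example, not OpenSIPS code.
The realm is the one from the posted log; nonce, salt and credentials are
constructed.
"""
import base64
import hashlib
import re


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). calculate_ha1=1 makes the auth
    module derive this from a plaintext password in password_spec;
    calculate_ha1=0 makes it expect password_spec to hold this hex already."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri) (no qop)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def parse_digest(header: str) -> dict:
    """Parameters of a Digest (Proxy-)Authorization header value."""
    params = header.split("Digest", 1)[1]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def verify(header: str, method: str, stored: str, calculate_ha1: bool,
           realm: str, issued_nonce: str) -> bool:
    """What pv_www_authorize()/pv_proxy_authorize() must establish once the
    AVPs are loaded: the nonce is one this server issued (OpenSIPS computes
    its nonces from the auth module's 'secret'; here we just compare), and
    the client's response matches our own computation."""
    p = parse_digest(header)
    if p.get("realm") != realm or p.get("nonce") != issued_nonce:
        return False
    h1 = ha1(p["username"], realm, stored) if calculate_ha1 else stored
    return digest_response(h1, method, p["uri"], p["nonce"]) == p["response"]


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_check(userpassword: str, candidate: str) -> bool:
    """The one operation an {SSHA} value supports: compare a plaintext
    candidate, as an LDAP simple bind does. It cannot be inverted, so no
    HA1 can be computed from it."""
    raw = base64.b64decode(userpassword[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def demo():
    realm, user, password = "155.205.69.126", "oh5", "correct horse"
    nonce, uri, method = "0123456789abcdef", "sip:155.205.69.126", "REGISTER"
    # A well-behaved client answering the challenge with the real password:
    resp = digest_response(ha1(user, realm, password), method, uri, nonce)
    hdr = (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
           f'uri="{uri}", response="{resp}"')
    plaintext_ok = verify(hdr, method, password, True, realm, nonce)
    stored_ha1_ok = verify(hdr, method, ha1(user, realm, password), False, realm, nonce)
    ssha = make_ssha(password, salt=b"\x8b\x12\xf0\x44")
    ssha_as_ha1 = verify(hdr, method, ssha, False, realm, nonce)    # calculate_ha1=0
    ssha_as_plain = verify(hdr, method, ssha, True, realm, nonce)   # calculate_ha1=1
    return plaintext_ok, stored_ha1_ok, ssha_as_ha1, ssha_as_plain, ssha_check(ssha, password)
```

demo() returns (True, True, False, False, True): the same client response verifies against the plaintext with calculate_ha1=1 and against the stored HA1 with calculate_ha1=0, the {SSHA} string verifies under neither, and the only thing that string can do is confirm a plaintext candidate. Since a SIP client never sends the proxy its password, only the MD5 response, the directory has to hold a plaintext or HA1 attribute for Digest to work; a hashed userPassword alone is not enough.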
 
-Original Message-
From: Alan Rubin 
Sent: Tuesday, 23 June 2009 9:05 AM
To: 'Bogdan-Andrei Iancu'
Cc: 'users@lists.opensips.org'
Subject: RE: [OpenSIPS-Users] LDAP Authentication


Bogdan,

I think my message to  the list may have been lost after I cancelled the
original version due to size issues and re-sent an edited version.
Trying again...

2) I removed the "!" from the REGISTER section.  This seems to have at
least pushed me on to the next stage of actually doing an LDAP query:

Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_url_search: LDAP URL parsed into session_name [sipaccounts], base [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [500] usecs
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:check_nonce: comparing [4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a] and [4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1,  index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: nonce index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest realm="155.205.69.126", nonce="4a3ae9d2c65c88df6909b9e945bdbaaa5e495b3a"  '
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:parse_headers: flags=
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 19 10:58:
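The mechanism in the config above (ldap_search()/ldap_result() filling $avp(s:password), then pv_proxy_authorize() with calculate_ha1=1) reduced to the digest arithmetic, as an added example in Python; it is not code from the original post or from OpenSIPS. The realm, the LDAP filter and the nonce value are taken from the posted config and logs; the directory contents, user names and passwords are constructed for the example. It shows both sides of the exchange and the two ways the check fails before a password is ever compared: the attribute is not returned to the bind user, or it comes back as a hash.

```python
import hashlib
import hmac
import re

REALM = "155.205.69.126"   # realm from the posted config and log lines

# Constructed stand-in for what the posted
# ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))")
# plus ldap_result("userPassword/$avp(s:password)") would return. The users
# and secrets are invented; the {SSHA} value is an opaque placeholder.
DIRECTORY = {
    "oh5": {"departmentNumber": "66", "ntguserstatus": "Active",
            "userPassword": "s3cret-example"},          # cleartext, readable
    "bob": {"departmentNumber": "66", "ntguserstatus": "Active"},
            # no userPassword in the result: the bind DN may not read it
    "eve": {"departmentNumber": "66", "ntguserstatus": "Active",
            "userPassword": "{SSHA}constructed-hash-value=="},   # hashed, not usable
    "old": {"departmentNumber": "66", "ntguserstatus": "Disabled",
            "userPassword": "whatever"},                 # dropped by the LDAP filter
}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """A1 hash; with calculate_ha1=1 the proxy derives this from the cleartext."""
    return md5hex(f"{username}:{realm}:{password}")


def parse_digest(header: str):
    """Split 'Digest k="v", k=v, ...' into a dict; None if not a Digest header."""
    if not header.lower().startswith("digest "):
        return None
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[7:]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def expected_response(p: dict, method: str, secret: str, secret_is_ha1=False) -> str:
    """RFC 2617 response the client must have sent. 'secret' is the cleartext
    password (calculate_ha1=1) or a precomputed HA1 (calculate_ha1=0)."""
    a1 = secret if secret_is_ha1 else ha1(p["username"], p["realm"], secret)
    ha2 = md5hex(f"{method}:{p['uri']}")        # binds the proof to method and URI
    if p.get("qop") == "auth":
        return md5hex(f"{a1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    return md5hex(f"{a1}:{p['nonce']}:{ha2}")


def ldap_lookup(username: str):
    """Apply the same constraints as the posted ldap_search() filter."""
    e = DIRECTORY.get(username)
    if e is None or e.get("departmentNumber") != "66" or e.get("ntguserstatus") != "Active":
        return None
    return e


def authorize(method: str, authorization) -> str:
    """Server side of pv_proxy_authorize()/pv_www_authorize() with the password
    loaded from the directory. 'ok' lets the request through; 'challenge' means
    answer 401/407 with a fresh nonce. Nonce freshness (check_nonce in the
    posted logs) is deliberately left out of this example."""
    p = parse_digest(authorization or "")
    if not p or p.get("realm") != REALM or "response" not in p:
        return "challenge"                       # no usable credentials yet
    entry = ldap_lookup(p.get("username", ""))
    if entry is None or "userPassword" not in entry:
        # ldap_result() leaves $avp(s:password) unset: nothing to compare against
        return "challenge"
    secret = entry["userPassword"]
    if secret.startswith("{"):
        # {SSHA}, {CRYPT}, ...: a hash cannot be turned into HA1, so the digest
        # check can never succeed; this is the password-format mismatch
        return "challenge"
    if not hmac.compare_digest(p["response"], expected_response(p, method, secret)):
        return "challenge"
    return "ok"


def build_authorization(username, password, method, uri, nonce, realm=REALM):
    """Client side: what a phone sends after the challenge (no qop, as in the logs)."""
    p = {"username": username, "realm": realm, "nonce": nonce, "uri": uri}
    resp = expected_response(p, method, password)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')
```

Because HA2 covers method and URI, a captured REGISTER credential is not reusable as an INVITE; it is reusable for the same method and URI for as long as the nonce stays valid, which is why the nonce bookkeeping in the logs (check_nonce, reserve_nonce_index) is not optional in a real proxy.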

[OpenSIPS-Users] LDAP Authentication

2009-06-23 Thread Alan Rubin
        if (!save("location"))
                sl_reply_error();

        exit;
}

if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
}

# apply DB based aliases (uncomment to enable)
##alias_db_lookup("dbaliases");

if (!lookup("location")) {
        switch ($retcode) {
                case -1:
                case -3:
                        t_newtran();
                        t_reply("404", "Not Found");
                        exit;
                case -2:
                        sl_send_reply("405", "Method Not Allowed");
                        exit;
        }
}

# when routing via usrloc, log the missed calls also
setflag(2);

route(1);
}
...


If you see anything else wrong, please let me know and thanks for all of
your help so far.

I've been using X-Lite to test, if anyone know of any issues.

Regards,

Alan Rubin
 

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] LDAP Authentication

2009-06-25 Thread Alan Rubin
Bogdan,

Apparently the email administrator had a regex on the SMTP gateway to
reject messages with pass (and) word (combined) because of previous
users succumbing to phishing exercises.  It may work now, but I will
continue to check the archives. Oh well.

Regarding: 
"Now, going to the actual issue, the problem is related to password - 
about how the client and server (ldap) are keeping the password - do 
they both keep it same format (like plain text) ?

Regards,
Bogdan"

I think I've figured out the issue, although I don't believe there is a
solution.  Hopefully you can verify, either way.  

The bind user in the ldap.cfg file does not have the privilege to
retrieve the pass  word field from our LDAP directory.  The only way our
LDAP setup is supposed to work is by binding using the
user-to-be-authenticated directly with the LDAP directory server.  It is
my understanding, and this is where you can verify or correct me, that
opensips and the LDAP module can not change the bind user dynamically.

Regards,

Alan Rubin
 
-Original Message-
From: users-boun...@lists.opensips.org
[mailto:users-boun...@lists.opensips.org] On Behalf Of Alan Rubin
Sent: Wednesday, 24 June 2009 8:10 AM
To: Bogdan-Andrei Iancu
Cc: users@lists.opensips.org
Subject: [OpenSIPS-Users] LDAP Authentication

Bogdan,

The LDAP messages from the mailing list are still not reaching my
mailbox, which is unusual.  I am checking the mail services on my end. 

Still managed to pick up your last message from the Archive. After
making the changes suggested for my config file, I'm still failing with
a "401 - Unauthorized".  Here are the relevant logs:

Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [500] usecs
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:check_nonce: comparing [4a4155840004dcd97551d7189591cf32402f006987b9] and [4a4155840004dcd97551d7189591cf32402f006987b9]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1,  index= 5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: nonce index= 5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="155.205.69.126", nonce="4a415584000573fd091deb999f17423ea6b4be4cb6e2"  '
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:destroy_avp_list: destroying list (nil)
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:receive_msg: cleaning up
dcshub1:/usr/local/opensips/etc/opensips #
dcshub1:/usr/local/opensips/etc/opensips #
dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26 /var/log/localmessages | less
dcshub1:/usr/local/opensips/etc/opensips #
dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26 /var/log/localmessages
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: SIP Request:
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg:  method:
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg:  uri:
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg:  version:
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=2
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via_param: found param type 232,  = ; state=6
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via_param: found param type 235,  = ; state=17
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via: end of header reached, state=5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: via found, flags=2
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: this is the first via
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:receive_msg: After parse_msg...
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:receive_msg: preparing to run routing scripts...
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=100
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:maxfwd:is_maxfwd

Re: [OpenSIPS-Users] LDAP Authentication

2009-06-29 Thread Alan Rubin
Bogdan,

I'm not an LDAP expert either, but I will try to explain the scenario
better.  As you said, the LDAP bind is static - done once in the
beginning and sourced from the ldap.cfg file.  Unfortunately, we have a
filter on our LDAP server that prevents ordinary users from seeing the
password field in the LDAP entry.  The way we verify authentication in
our environment is by dynamically substituting the LDAP bind DN with the
client's uid (and password) and making a simple LDAP query using that
uid.  If that bind is successful, then we know that the password is
correct.  It doesn't seem like there is any way to configure opensips in
that manner.

The aim, with LDAP, was to have a single-signon environment for our LAN
and SIP accounts.  This doesn't seem possible, unless you or anyone else
on the list has any further suggestions.  We could use kerberos/AD
authentication from the client if that is a possibility.

Regards,  


Alan Rubin
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Monday, 29 June 2009 10:13 PM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

I'm not an LDAP expert to get into details about how ldap should be 
configured or so... What I can tell is that the bind is static (only 
once done at the beginning and that's it)... Can you send me a link or 
something to read more about what this dynamic bind means in LDAP ?

Thanks and regards,
Bogdan

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] LDAP Authentication

2009-07-01 Thread Alan Rubin
Bogdan,

If one request equals one user authentication/registration, then I don't
think it would hit 1000 binds per week (small environment).  If it has
to bind each time a packet is sent, then that is pretty inefficient.

Regards,

Alan Rubin
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Thursday, 2 July 2009 12:34 AM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

Got your point! Theoretically, dynamic ldap binding can be done, but the
question is how efficient it will be (to bind for each auth).. Think that 
you may process thousands of requests per second!

Wouldn't be more reasonable to import the data into mysql?

Regards,
Bogdan

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
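The two verification models the last messages contrast, the bind-based check Alan describes (29 June) and Bogdan's suggestion to import the data into MySQL (2 July), modelled side by side in Python as an added example; it is not part of the thread and not OpenSIPS code. The directory, its DN layout (cn=<user>,o=ntg, following the base DN and filter in the posted config), the users, the passwords and the subscriber column names are all assumptions. The runnable point: a directory that stores only {SSHA} salted hashes can still prove a password by simple bind, because the LAN client presents the cleartext; a SIP Digest verifier never receives the cleartext and can only work from the cleartext or a per-realm HA1, which is what an import job computes once from the cleartext and hands to the proxy.

```python
import base64
import hashlib
import hmac
import os


def ssha_encode(password: str, salt: bytes = None) -> str:
    """RFC 2307 {SSHA}: base64(sha1(password + salt) + salt). Salt is random
    unless a fixed one is supplied (only useful for reproducible tests)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported password scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class Directory:
    """Server side of an LDAP simple bind, reduced to what matters here.
    Constructed model; entries hold only {SSHA} values, never cleartext."""

    def __init__(self, users: dict):
        self.entries = {f"cn={u},o=ntg": ssha_encode(pw) for u, pw in users.items()}

    def simple_bind(self, dn: str, password: str) -> bool:
        # An empty password is an unauthenticated bind in LDAP (RFC 4513 5.1.2):
        # servers may report success without checking anything, so a verifier
        # that treats "bind succeeded" as proof must reject it explicitly.
        if password == "":
            return False
        stored = self.entries.get(dn)
        return stored is not None and ssha_verify(stored, password)


def lan_login(directory: Directory, user: str, password: str) -> bool:
    """What the LAN client can do: it holds the cleartext, so it binds with it."""
    return directory.simple_bind(f"cn={user},o=ntg", password)


def ha1_for(username: str, realm: str, password: str) -> str:
    """The only per-user secret a SIP Digest verifier needs: MD5(user:realm:pw)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def provision_subscriber(username: str, domain: str, realm: str, password: str) -> dict:
    """Row for the proxy's own subscriber store (the 'import into mysql' route).
    Run by a job that is allowed to see the cleartext, e.g. at password change,
    so the proxy never stores the password itself. Column names are assumed."""
    return {
        "username": username,
        "domain": domain,
        "ha1": ha1_for(username, realm, password),
        "ha1b": hashlib.md5(f"{username}@{domain}:{realm}:{password}".encode()).hexdigest(),
    }


def digest_verifiable(stored_secret: str) -> bool:
    """Can a SIP Digest verifier use this stored value? Cleartext or an HA1
    for its realm: yes. A {SSHA} (or any other) hash of the password: no,
    because the client's MD5 response was computed over the cleartext."""
    return not stored_secret.startswith("{")
```

An HA1 is password-equivalent for its realm (anyone holding it can answer challenges for that user), so the imported table needs the same protection as the directory's password attribute; it is not a hash in the sense the {SSHA} value is. What the import buys is that the proxy reads a local table per request instead of performing the per-authentication bind Bogdan estimates.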


Re: [OpenSIPS-Users] LDAP Authentication

2009-07-05 Thread Alan Rubin
Bogdan,

My site would actually be smaller than that, but that doesn't really
address the argument.  Is there basically no way, then, to have a single
signon-type environment because OpenSIPS requires so much
authentication/registration traffic? 

Regards,

Alan Rubin
 
-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro] 
Sent: Friday, 3 July 2009 8:46 PM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication


But Alan, you will need to re-bind each time you do an Authentication. 
So, even on a system with 1000 online subscribers, registering each 30 
minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds 
per day -> 36 binds per minute.

Regards,
Bogdan

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users