Re: [OpenSIPS-Users] LDAP Authentication
Alan,

How about the documentation of the ldap module?

http://www.opensips.org/html/docs/modules/1.5.x/ldap.html

-Thiago Rondon

Alan Rubin wrote:
> Hello,
>
> I've gathered from web searches that it IS possible to authenticate to an OpenSER system using an LDAP database. Is this also true for OpenSIPS (1.5)?
>
> Does anyone have a tutorial for configuring such a setup? I found one for Kamailio, but it doesn't appear to be identical to my version of OpenSIPS (or there are typos of significance in the tutorial).
>
> Also important, can this authentication be done with existing LDAP credentials or does there have to be specific SIP information inside the LDAP database for the authentication to work? The requirement of additional values in the LDAP space is also indicated by the example in the tutorial for Kamailio that I found (http://kamailio.org/dokuwiki/doku.php/tutorials:openser-auth-ldap), but I am unable to add SIP specific information in my instance. There is, however, already UID and password information contained within.
>
> Regards,
>
> Alan Rubin

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] LDAP Authentication
Thiago,

Thanks for the reply; however, the module documentation does not seem to give examples on how to configure LDAP with the auth mechanism. Or is that not necessary?

This is the section from the tutorial I found, mentioned previously:

    modparam("auth", "username_spec", "$avp(s:username)")
    modparam("auth", "password_spec", "$avp(s:password)")
    modparam("auth", "calculate_ha1", 1)
    ...

The possible difference (typo?) that concerns me is this next reference in the tutorial:

    route[11] {
        if(is_method("REGISTER"))
        {
            if(is_present_hf("Authorization"))
            {
                # ldap search
                if (!ldap_search("ldap://sipaccounts/ou=sip,dc=example,dc=com?SIPUserName,SIPPassword?one?(cn=$fU)"))
                {
                    switch ($retcode)
                    {
                    ...

I have no "route[11]" in my configuration file. Am I meant to create a new route section to handle LDAP authentication?

What I am trying to do, if it is not clear, is use LDAP as a mechanism for authentication/registration of SIP accounts rather than having to configure, by hand and with a separate password, a SIP account for each user of my SIP server.

Regards,

Alan
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

Do you want to use LDAP to authenticate clients, or to authenticate opensips against another SIP server?

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

I want to use LDAP to authenticate clients. We're using it for our XMPP server (amongst other services) without issues.

Regards,

Alan Rubin
Unix Systems Administrator
DCS Midrange Services
Phone: +61 (08) 8999 5111
Fax: +61 (08) 8999 7493
e-Mail: alan.ru...@nt.gov.au
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

The way to do it is like:

1) configure the auth module to do authentication via pseudo-variables:

    # -- auth params --
    modparam("auth", "nonce_expire", 30)
    modparam("auth", "secret", "my-deepest-and-darkest-secret")
    modparam("auth", "disable_nonce_check", 0)
    modparam("auth", "username_spec", "$avp(i:2)")
    modparam("auth", "password_spec", "$avp(i:1)")
    modparam("auth", "calculate_ha1", 1)

2) and in the script do:

    # are any credentials available in the request ?
    if (!is_present_hf("Proxy-Authorization")) {
        proxy_challenge("", "0");
        exit;
    }

    # run the ldap_query() and load the passwd into $avp(i:1)
    # TODO

    # username to authenticate
    $avp(i:2) = $fU;

    # do the authentication
    if (!pv_proxy_authorize("")) {
        proxy_challenge("", "0");
        exit;
    }

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

Thanks for the help. Is the script part inside of the main route, or is it a separate section?

Regards,

Alan Rubin
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

Put it in the main route, where you need to do the authentication... Is your script derived from the default opensips cfg file?

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

Yes, my script is derived from the default, and I have enabled MySQL and added the PUA, PUA_userloc and Presence modules.

Regards,

Alan Rubin
Re: [OpenSIPS-Users] LDAP Authentication
Cool, in this case simply replace the existing code for proxy_auth with the code I previously posted.

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP Authentication
What format does the LDAP password need to be in?

--
Sent from my mobile device
http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
Re: [OpenSIPS-Users] LDAP Authentication
Hi Gavin,

in this case the Password must be in plain text format. If you turn off the "calculate_ha1" param (http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228275), then OpenSIPS expects an HA1 string in the password AVP.

Regards,
Bogdan

Gavin Henry wrote:
> What format does the LDAP password need to be in?
>
> On 16/06/2009, Alan Rubin wrote:
>> Bogdan,
>>
>> Thanks for the help. Is the script part inside of the main route or is
>> it a separate section?
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

sorry for the late reply - this week we have the OpenSIPS bootcamp and I'm getting my hands on the emails only from time to time..

So, are you loading the passwd in raw format (plain text)? If so, you need the calculate_ha1 param to be set to 1 (http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228275) - by default it is set to 0 (see prev email)

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> I've attached a log from a test this morning. I restarted opensips,
> tried connecting from my PC using LDAP credentials and failed. Then I
> made sure that the local account was removed and tried again with LDAP
> credentials and it failed. Hopefully that's all apparent in the
> logfile. I am using the X-lite client to connect.
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
> Sent: Wednesday, 17 June 2009 1:29 AM
> To: Alan Rubin
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> the script looks ok - you can 1) use xlog just before the pv_auth() to
> see if the user and passwd are properly filled in, or 2) use debug=6 to
> get the logs and post them here.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> If you have a minute, could you take a look at my opensips.cfg file? It
>> is still authorizing against the users that were added by hand. I have
>> probably put the LDAP authentication in the wrong place, but I seem to
>> be going in circles.
>>
>> Also, I used some of the template from Tristan Mahe for readability (I
>> adapted his LDAP search examples and used his variable names). I don't
>> think this is my issue, but it could be.
>>
>> Thanks for your time,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
>> Sent: Tuesday, 16 June 2009 10:49 AM
>> To: Alan Rubin
>> Cc: Thiago Rondon; users@lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> cool, in this case simply replace the existing code for proxy_auth with
>> the code I previously posted.
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>> Bogdan,
>>>
>>> Yes, my script is derived from the default and I have enabled MySQL and
>>> added PUA, PUA_userloc and Presence modules.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>> Unix Systems Administrator
>>> DCS Midrange Services
>>> Phone: +61 (08) 8999 5111
>>> Fax: +61 (08) 8999 7493
>>> e-Mail: alan.ru...@nt.gov.au
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
>>> Sent: Tuesday, 16 June 2009 9:59 AM
>>> To: Alan Rubin
>>> Cc: Thiago Rondon; users@lists.opensips.org
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> put it in the main route, where you need to do the authentication...Is
>>> your script derived from the default opensips cfg file ?
>>>
>>> Regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>> Bogdan,
>>>>
>>>> Thanks for the help. Is the script part inside of the main route or is
>>>> it a separate section?
>>>>
>>>> Regards,
>>>>
>>>> Alan Rubin
Re: [OpenSIPS-Users] LDAP Authentication
cal/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_val2bind: added val (0): len=3; type=254; is_null=0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_do_prepared_query: doing BIND_PARAM in...
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_do_prepared_query: discon reset for 135989560
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_do_prepared_query: prepared statement has 2 columns in result
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_do_prepared_query: doing to BIND_PARAM out ...
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_query: SYNC-DBG - SELECT-STMT successfully executed!!
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:db_new_result: allocate 28 bytes for result set at 0x81b7ee0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_store_result: SYNC-DBG - SELECT result was stored!
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_get_columns: 2 columns returned from the query
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:db_allocate_columns: allocate 32 bytes for result columns at 0x81b7f08
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x81b7f10)[0]=[ha1]
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_get_columns: RES_NAMES(0x81b7f18)[1]=[rpid]
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_get_columns: use DB_STRING result type
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:db_mysql:db_mysql_convert_rows: no rows returned from the query
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:auth_db:get_ha1: no result for user 'oh5@'
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:db_free_columns: freeing result columns at 0x81b7f08
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:db_free_rows: freeing 0 rows
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:db_free_result: freeing result set at 0x81b7ee0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:db_free_result: SYNC-DBG - freeing result!
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:auth:reserve_nonce_index: second= 4, sec_monit= -1, index= 2
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:auth:build_auth_hf: nonce index= 2
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="155.205.69.126", nonce="4a3ad9b90002b64f5ef190966742551aa9531e9165f3" '
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:parse_headers: flags=
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:destroy_avp_list: destroying list (nil)
Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:receive_msg: cleaning up
...

And here are the changes I made to the main route, for the benefit of anyone else who might have an idea for me:

if (!(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
    # are any credentials available in the request ?
    if (!is_present_hf("Proxy-Authorization")) {
        proxy_challenge("", "0");
        exit;
    }

    # run the ldap_query() and load the passwd into $avp(s:password)
    # TODO
    $var(username)=$fU;

    ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
    ldap_result("userPassword/$avp(s:password)");

    # username to authenticate
    #$var(username) = $fU;

    # do the authentication
    if(!pv_proxy_authorize("")){
        proxy_challenge("", "0");
        exit;
    }

Regards,

Alan Rubin

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
Sent: Friday, 19 June 2009 9:42 AM
To: Alan Rubin; users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

HI Alan,

sorry for the late reply - this week we have the OpenSIPS bootcamp and I'm getting my hands on the emails only from time to time..

So, Are you loading the passwd in raw format (plain text) ?
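One thing worth noticing in Alan's ldap_search() URL above: the filter is built by substituting $fU, the user part of the client-supplied From header, straight into (cn=$fU). Whatever a client puts in From therefore becomes LDAP filter syntax. Alan's URL passes the filter unencoded and the module parsed it, as his later log shows; the 1.5 ldap module documents ldap_filter_url_encode() for preparing such values (RFC 4515 filter escaping, then RFC 4516 URL encoding). As an added illustration, not code from the thread or from OpenSIPS, the Python below reproduces that escaping and URL encoding and shows how an unescaped value changes the structure of Alan's filter. The session name, search base and filter are taken from his URL; the hostile From-users are constructed.

```python
from urllib.parse import quote

# Taken from Alan's ldap_search() URL: session name, search base and filter.
SESSION = "sipaccounts"
BASE = "o=ntg"
FILTER_TEMPLATE = "(&(cn={cn})(departmentNumber=66)(ntguserstatus=Active))"

# RFC 4515 section 3: characters that carry filter syntax and their escapes.
_RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value so it can only ever match literally."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(from_user: str, escape: bool = True) -> str:
    """Alan's filter with the From-user filled in, escaped or (as in the
    thread's script) verbatim."""
    cn = escape_filter_value(from_user) if escape else from_user
    return FILTER_TEMPLATE.format(cn=cn)


def build_search_url(from_user: str, attrs: str = "userPassword",
                     escape: bool = True) -> str:
    """ldap://<session>/<base>?<attrs>?<scope>?<filter>, the shape
    ldap_search() takes. The filter component is percent-encoded here as
    RFC 4516 specifies, which is what ldap_filter_url_encode() is
    documented to do after the RFC 4515 escaping."""
    flt = build_filter(from_user, escape)
    return f"ldap://{SESSION}/{BASE}?{attrs}?sub?{quote(flt, safe='')}"


def top_level_terms(flt: str) -> list:
    """Direct children of an (&...) filter, so the extra terms an unescaped
    value smuggles into the filter become visible."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("expected an AND filter")
    body, terms, depth, cur = flt[2:-1], [], 0, ""
    for ch in body:
        cur += ch
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            terms.append(cur)
            cur = ""
    return terms


if __name__ == "__main__":
    # Constructed inputs: a normal user, a bare wildcard, and a value that
    # closes the cn term and opens one of its own.
    for user in ("oh5", "*", "oh5)(departmentNumber=*"):
        for escape in (False, True):
            flt = build_filter(user, escape)
            print(f"escape={escape!s:5} terms={len(top_level_terms(flt))} {flt}")
    print(build_search_url("oh5"))
```

With escaping on, a From-user of "*" becomes (cn=\2a) and matches only a literal asterisk; with it off, (cn=*) matches every active entry in department 66 and ldap_result() loads whichever entry comes back first. The script's password lookup should therefore only ever see an escaped value.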
Re: [OpenSIPS-Users] LDAP Authentication
Alan,

2 points:

1) what you mean by "encrypted" ? the module supports only ha1 encoded passwords.

2) I see you deal with a REGISTER request, but in your script you changed the auth (from DB to LDAP) only for INVITES - check in the script the second auth block (for REGISTERS) and change it in the same time as we did for the INVITEs.

Regards,
Bogdan

Alan Rubin wrote:
> ...
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27781]: DBG:core:receive_msg: cleaning up
> ...
>
> And here are the changes I made to the main route, for the benefit of
> anyone else who might have an idea for me:
>
> if (!(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
>     # are any credentials available in the request ?
>     if (!is_present_hf("Proxy-Authorization")) {
>         proxy_challenge("", "0");
>         exit;
>     }
>
>     # run the ldap_query() and load the passwd into $avp(s:password)
>     # TODO
>     $var(username)=$fU;
>
>     ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
>     ldap_result("userPassword/$avp(s:password)");
>
>     # username to authenticate
>     #$var(username) = $fU;
>
>     # do the authentication
>     if(!pv_proxy_authorize("")){
>         proxy_challenge("", "0");
>         exit;
>     }
>
> Regards,
>
> Alan Rubin
Re: [OpenSIPS-Users] LDAP Authentication
(reposting to fit the list size limits)

Bogdan,

2) I removed the "!" from the REGISTER section. This seems to have at least pushed me on to the next stage of actually doing an LDAP query:

Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_url_search: LDAP URL parsed into session_name [sipaccounts], base [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [500] usecs
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:check_nonce: comparing [4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a] and [4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1, index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: nonce index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest realm="155.205.69.126", nonce="4a3ae9d2c65c88df6909b9e945bdbaaa5e495b3a" '
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:parse_headers: flags=
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:destroy_avp_list: destroying list (nil)
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:receive_msg: cleaning up
...

Still failing, but this time it is code 407: Proxy Authentication Required. Getting closer?

1) Perhaps I mean "encoded" and am just using the wrong term. An example return from our LDAP search:

userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==

Regards,

Alan Rubin

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
Sent: Friday, 19 June 2009 10:52 AM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Alan,

2 points:

1) what you mean by "encrypted" ? the module supports only ha1 encoded passwords.

2) I see you deal with a REGISTER request, but in your script you changed the auth (from DB to LDAP) only for INVITES - check in the script the second auth block (for REGISTERS) and change it in the same time as we did for the INVITEs.

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Thanks for your help. I reset the configuration for calculate_ha1 to 0
> (it was set to 1), but I am still getting a "401 - Unauthorized" error.
> The password returning from the LDAP server should be an encrypted
> string.
>
> # - auth_db params -
> /* uncomment the following lines if you want to enable the DB based
>    authentication */
> #modparam("auth_db", "calculate_ha1", yes)
> #modparam("auth_db", "password_column", "password")
> #modparam("auth_db", "db_url",
> #    "mysql://opensips:@localhost/opensips")
> #modparam("auth_db", "load_credentials", "")
>
> # -- auth params -
> #modparam("auth", "username_spec", "$var(username)")
> #modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "nonce_expire", 30)
> modparam("auth", "secret", "")
> modparam("auth", "disable_nonce_check", 0)
> modparam("auth", "username_spec", "$var(username)")
> modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "calculate_ha1", 0)
>
> Here are the relevant logs from the connection (I think):
>
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]: DBG:core:parse_msg: SIP Request:
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]: DBG:core:parse_msg: method:
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]: DBG:core:parse_msg: uri:
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]: DBG:core:parse_msg: version:
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]: DBG:core:parse_headers: flags=2
> Jun 19 09:49:39 dcshub1 /usr/local/opensips/sbin/opensips[27778]: DBG:core:parse_via_param: found param type
Re: [OpenSIPS-Users] LDAP Authentication
Alan,

Could you post the part of the script taking care of the REGISTRATION part, just for double checking ?

Also, for the password...does not look ok - not sure how that value is computed, but please check the Digest Auth RFC to see the definition of HA1 .

Regards,
Bogdan

Alan Rubin wrote:
> (reposting to fit the list size limits)
>
> Bogdan,
>
> 2) I removed the "!" from the REGISTER section. This seems to have at
> least pushed me on to the next stage of actually doing an LDAP query:
>
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest realm="155.205.69.126", nonce="4a3ae9d2c65c88df6909b9e945bdbaaa5e495b3a" '
> ...
>
> Still failing, but this time it is code 407: Proxy Authentication
> Required. Getting closer?
>
> 1) Perhaps I mean "encoded" and am just using the wrong term. An
> example return from our LDAP search:
> userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
>
> Regards,
>
> Alan Rubin
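Bogdan points Alan to the Digest RFC for the definition of HA1. As an added illustration, not code from the thread or from OpenSIPS, the Python below computes HA1 and the Digest response the way RFC 2617 defines them for a challenge without qop (proxy_challenge("", "0") sends none), then runs a single client response against the credential formats that came up in the thread: a plain password with calculate_ha1=1, an HA1 hex string with calculate_ha1=0, and an OpenLDAP {SSHA} userPassword value in either mode. The realm and nonce are the ones visible in the 407 above; the user, password and salt are constructed, and the {SSHA} value quoted by Alan is not reused.

```python
import base64
import hashlib

# Realm from the challenges in the thread. User, password, salt and the
# phone's request URI below are constructed for the example.
REALM = "155.205.69.126"


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password), hex encoded. This is the
    value the auth module wants in password_spec when calculate_ha1 is 0;
    with calculate_ha1 set to 1 it derives it from the plain password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()


def proxy_check(stored: str, calculate_ha1: int, username: str, method: str,
                uri: str, nonce: str, response: str) -> bool:
    """Mirror of what pv_proxy_authorize() has to work with: the credential
    loaded into the password AVP plus the module's calculate_ha1 setting."""
    expected = ha1(username, REALM, stored) if calculate_ha1 else stored
    return digest_response(expected, method, uri, nonce) == response


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    """What an LDAP simple bind does with userPassword: it needs the plain
    password, recomputes SHA1 over it and the stored salt, and compares."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def walk_thread_cases() -> dict:
    """One client response checked against each credential format discussed."""
    user, password = "oh5", "secret"                      # constructed
    method, uri = "REGISTER", "sip:155.205.69.126"        # constructed
    nonce = "4a3ae9d2c65c88df6909b9e945bdbaaa5e495b3a"   # from the 407 above
    # The phone only has the plain password; this is all the proxy receives.
    response = digest_response(ha1(user, REALM, password), method, uri, nonce)
    ssha = make_ssha(password, b"\x01\x02\x03\x04")       # constructed salt
    args = (user, method, uri, nonce, response)
    return {
        "plain_calc1": proxy_check(password, 1, *args),
        "ha1_calc0": proxy_check(ha1(user, REALM, password), 0, *args),
        "ssha_calc0": proxy_check(ssha, 0, *args),
        "ssha_calc1": proxy_check(ssha, 1, *args),
        # A bind can verify the {SSHA} hash, but only when handed the plain
        # password, which Digest never puts on the wire.
        "ssha_bind": ssha_verify(ssha, password),
    }


if __name__ == "__main__":
    labels = {
        "plain_calc1": "plain password, calculate_ha1=1",
        "ha1_calc0": "HA1 hex string, calculate_ha1=0",
        "ssha_calc0": "{SSHA} value,   calculate_ha1=0",
        "ssha_calc1": "{SSHA} value,   calculate_ha1=1",
        "ssha_bind": "{SSHA} checked by a bind with the plain password",
    }
    for key, ok in walk_thread_cases().items():
        print(f"{labels[key]}: {'accepted' if ok else 'rejected'}")
```

The two {SSHA} cases fail by construction rather than by misconfiguration: SHA1(password + salt) and MD5(user:realm:password) are unrelated values, and the proxy never sees the plain password, only MD5(HA1:nonce:HA2). That is also why a bind-based approach, as Gavin raises below, needs the plain password on the OpenSIPS side, which Digest does not give it.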
Re: [OpenSIPS-Users] LDAP Authentication
This is why I submitted a feature request for the ldap_sasl_bind function to be added. Then a successful bind is all that is needed by opensips. The problem is converting the password to plain on the opensips side to use it to bind with against the ldap directory. Is this possible?

That way, we know the digest format in sip, but we don't need to care about the ldap hash format (most are ssha1) *and* we don't need to change the directory.

On 19/06/2009, Bogdan-Andrei Iancu wrote:
> Alan,
>
> Could you post the part of the script taking care of the REGISTRATION
> part, just for double checking ?
>
> Also, for the password...does not look ok - not sure how that value is
> computed, but please check the Digest Auth RFC to see the definition of
> HA1 .
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> 1) Perhaps I mean "encoded" and am just using the wrong term. An
>> example return from our LDAP search:
>> userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
Re: [OpenSIPS-Users] LDAP Authentication
Gavin,

Actually the module does use the ldap_sasl_bind() function for binding to LDAP, but I guess the additional params are not passed via the ldap config file.

Regards,
Bogdan

Gavin Henry wrote:
> This is why I submitted a feature request for the ldap_sasl_bind
> function to be added. Then a successful bind is all that is needed by
> opensips. The problem is converting the password to plain on the
> opensips side to use it to bind with against the ldap directory. Is
> this possible?
>
> That way, we know the digest format in sip, but we don't need to care
> about the ldap hash format (most are ssha1) *and* we don't need to
> change the directory.
>
> On 19/06/2009, Bogdan-Andrei Iancu wrote:
>> Also, for the password...does not look ok - not sure how that value is
>> computed, but please check the Digest Auth RFC to see the definition of
>> HA1 .
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

I think my message to the list may have been lost after I cancelled the original version due to size issues and re-sent an edited version. Trying again...

2) I removed the "!" from the REGISTER section. This seems to have at least pushed me on to the next stage of actually doing an LDAP query:

Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_url_search: LDAP URL parsed into session_name [sipaccounts], base [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [500] usecs
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:check_nonce: comparing [4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a] and [4a3ae9d1b43a57f1ad95192b98ace5030eb50d1a]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1, index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: nonce index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest realm="155.205.69.126", nonce="4a3ae9d2c65c88df6909b9e945bdbaaa5e495b3a" '
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:parse_headers: flags=
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:destroy_avp_list: destroying list (nil)
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]: DBG:core:receive_msg: cleaning up
...

Still failing, but this time it is code 407: Proxy Authentication Required. Getting closer?

1) Perhaps I mean "encoded" and am just using the wrong term. An example return from our LDAP search:
userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==

Regards,

Alan Rubin

-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
Sent: Friday, 19 June 2009 10:52 AM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Alan,

2 points:

1) what do you mean by "encrypted" ? the module supports only ha1 encoded passwords.

2) I see you deal with a REGISTER request, but in your script you changed the auth (from DB to LDAP) only for INVITES - check in the script the second auth block (for REGISTERS) and change it in the same time as we did for the INVITEs.

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Thanks for your help. I reset the configuration for calculate_ha1 to 0
> (it was set to 1), but I am still getting a "401 - Unauthorized" error.
> The password returning from the LDAP server should be an encrypted
> string.
>
> # - auth_db params -
> /* uncomment the following lines if you want to enable the DB based
>    authentication */
> #modparam("auth_db", "calculate_ha1", yes)
> #modparam("auth_db", "password_column", "password")
> #modparam("auth_db", "db_url",
> #   "mysql://opensips:@localhost/opensips")
> #modparam("auth_db", "load_credentials", "")
>
> # -- auth params -
> #modparam("auth", "username_spec", "$var(username)")
> #modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "nonce_expire", 30)
> modparam("auth", "secret", "")
> modparam("auth", "disable_nonce_check", 0)
> modparam("auth", "username_spec", "$var(username)")
> modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "calculate_ha1", 0)
>
>
> And here are the changes I made to the main route, for the benefit of
> anyone else who might have an idea for me:
>
> if (!(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
>     # are any credentials available in the request ?
>     if (!is_present_hf("Proxy-Authorization")) {
>         proxy_challenge("", "0");
>         exit;
>     }
>
>     # run the ldap_query() and load the passwd into $avp(s:password)
>     # TODO
>
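The password-format mismatch behind the 401/407 responses in this thread (the auth module needs HA1, or the cleartext to derive it from, while the directory returns a salted {SSHA} hash), shown as an added example; this is not OpenSIPS code or code from anyone in the thread. The realm and nonce are taken from the Proxy-Authenticate challenge in the log above; the user name, password and {SSHA} value are constructed, and the "unverifiable" label is this example's own (the real module would simply fail the comparison and challenge again).

```python
"""Why a SIP Digest response cannot be checked against an LDAP {SSHA} value.

Added example, not code from OpenSIPS or from anyone in this thread. The realm
and nonce come from the log above; user name, password and the {SSHA} value are
constructed sample data.
"""
import base64
import hashlib
import hmac
import os

REALM = "155.205.69.126"                            # realm from the log above
NONCE = "4a3ae9d2c65c88df6909b9e945bdbaaa5e495b3a"  # nonce from the log above


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 as RFC 2617 defines it: hex MD5 of "user:realm:password"."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def digest_response(h1: str, method: str, uri: str, nonce: str) -> str:
    """Digest 'response' for a challenge without qop: MD5(HA1:nonce:HA2)."""
    h2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{h1}:{nonce}:{h2}".encode()).hexdigest()


def ssha_encode(password: str, salt: bytes) -> str:
    """Build a directory-style {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """What the directory does on a simple bind: re-hash with the stored salt.

    This needs the cleartext password, which a SIP Digest exchange never
    carries, so the proxy could not perform this bind on the phone's behalf.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]              # SHA-1 digest is 20 bytes
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def check_digest(stored: str, calculate_ha1: bool, username: str, method: str,
                 uri: str, nonce: str, client_response: str) -> str:
    """Model the auth module's decision for the credential formats in the thread.

    calculate_ha1=True  -> 'stored' is the cleartext password, HA1 is derived here
    calculate_ha1=False -> 'stored' must already be HA1
    Returns "ok", "denied" or "unverifiable".
    """
    if stored.startswith("{SSHA}"):
        # A salted SHA-1 cannot be turned back into cleartext or into HA1, so
        # there is nothing to compare the client's response against. The real
        # module would treat the string as HA1 and deny; labelled here instead.
        return "unverifiable"
    h1 = ha1(username, REALM, stored) if calculate_ha1 else stored
    expected = digest_response(h1, method, uri, nonce)
    return "ok" if hmac.compare_digest(expected, client_response) else "denied"


def demo() -> dict:
    """Run one REGISTER authentication against each credential format."""
    user, password = "oh5", "example-secret"        # constructed credentials
    uri = f"sip:{REALM}"
    # The response a phone computes from the 407 challenge seen in the log.
    client = digest_response(ha1(user, REALM, password), "REGISTER", uri, NONCE)
    ssha = ssha_encode(password, os.urandom(8))     # what the directory stores
    return {
        # auth_db style, calculate_ha1=1: cleartext on file, module derives HA1
        "cleartext": check_digest(password, True, user, "REGISTER", uri, NONCE, client),
        # calculate_ha1=0: the stored value is HA1 already
        "ha1": check_digest(ha1(user, REALM, password), False, user, "REGISTER", uri, NONCE, client),
        # userPassword as returned by ldap_result() in the thread
        "ssha": check_digest(ssha, False, user, "REGISTER", uri, NONCE, client),
        # wrong cleartext on file: response mismatch, challenged again
        "wrong_password": check_digest("other-secret", True, user, "REGISTER", uri, NONCE, client),
        # the only thing that validates an {SSHA} entry: a bind with the cleartext
        "ldap_bind_with_cleartext": ssha_verify(password, ssha),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>26}: {result}")
```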
Re: [OpenSIPS-Users] LDAP Authentication
On a whim, I checked the archives for this list and apparently there have been messages on this thread but they haven't been delivered to me. I do not know if Mailman chose to filter out this topic or some anti-spam device on my domain has started blocking ONLY messages on this subject (got many other OpenSIPS messages over the weekend). Hope I can see them now after tinkering with my Mailman options.

In response to:

Alan,

Could you post the part of the script taking care of the REGISTRATION part, just for double checking ?

Also, for the password...does not look ok - not sure how that value is computed, but please check the Digest Auth RFC to see the definition of HA1 .

Regards,
Bogdan

...

Here is the REGISTER section involving LDAP:

if ((method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
    # are any credentials available in the request ?
    if (!is_present_hf("Proxy-Authorization")) {
        proxy_challenge("", "0");
        exit;
    }

    # run the ldap_query() and load the passwd into $avp(s:password)
    # TODO
    $var(username)=$fU;
    ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
    ldap_result("userPassword/$avp(s:password)");

    # username to authenticate
    #$var(username) = $fU;

    # do the authentication
    if(!pv_proxy_authorize("")){
        proxy_challenge("", "0");
        exit;
    }
}

...

and there is also this section, still in "route":

if (is_method("REGISTER")) {
    # authenticate the REGISTER requests (uncomment to enable auth)
    if (!www_authorize("155.205.69.126", "subscriber")) {
        www_challenge("155.205.69.126", "0");
        exit;
    }
    ##
    ##if (!check_to())
    ##{
    ##    sl_send_reply("403","Forbidden auth ID");
    ##    exit;
    ##}

    ## make pua_usrloc send PUBLISH for phones which do not support presence
    ## filter after User-Agent header
    #if(!search("^User-Agent:"))
    #    pua_set_publish();

    # save("location");
    # exit;

    if(is_method("REGISTER") && from_uri=~"@galah.cprod.corp.ntgov")
        pua_set_publish();

    if (!save("location"))
        sl_reply_error();

    exit;
}

Regards,

Alan Rubin

-Original Message-
From: Alan Rubin
Sent: Tuesday, 23 June 2009 9:05 AM
To: 'Bogdan-Andrei Iancu'
Cc: 'users@lists.opensips.org'
Subject: RE: [OpenSIPS-Users] LDAP Authentication

Bogdan,

I think my message to the list may have been lost after I cancelled the original version due to size issues and re-sent an edited version. Trying again...

2) I removed the "!" from the REGISTER section.
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

I get this error each time I'm emailing you:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  alan.ru...@nt.gov.au
    SMTP error from remote mail server after end of data:
    host emdch-mx21.nt.gov.au [203.26.75.16]: 550 5.7.1 Phish_1

Now, going to the actual issue, the problem is related to password - about how the client and server (ldap) are keeping the password - do they both keep it same format (like plain text) ?

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> The LDAP messages from the mailing list are still not reaching my
> mailbox, which is unusual. I am checking the mail services on my end.
>
> Still managed to pick up your last message from the Archive. After
> making the changes suggested for my config file, I'm still failing with
> a "401 - Unauthorized". Here are the relevant logs:
>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [500] usecs
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:check_nonce: comparing [4a4155840004dcd97551d7189591cf32402f006987b9] and [4a4155840004dcd97551d7189591cf32402f006987b9]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: nonce index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="155.205.69.126", nonce="4a415584000573fd091deb999f17423ea6b4be4cb6e2" '
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:destroy_avp_list: destroying list (nil)
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:receive_msg: cleaning up
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26 /var/log/localmessages | less
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26 /var/log/localmessages
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: SIP Request:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: method:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: uri:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: version:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via_param: found param type 232, = ; state=6
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via_param: found param type 235, = ; state=17
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via: end of header reached, state=5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: via found, flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: this is the first via
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:receive_msg: After parse_msg...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:receive_msg: preparing to run routing scripts...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=100
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:maxfwd:is_maxfwd_present: value = 70
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=8
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_to: end of header reached, state=10
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_to: display={"alan"}, ruri={sip:o...@155.205.69.126}
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:get_hdr_field: [32]; uri=[sip:o...@155.205.69.126]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:get_hdr_f
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

Apparently the email administrator had a regex on the SMTP gateway to reject messages with pass (and) word (combined) because of previous users succumbing to phishing exercises. It may work now, but I will continue to check the archives. Oh well.

Regarding:
"Now, going to the actual issue, the problem is related to password - about how the client and server (ldap) are keeping the password - do they both keep it same format (like plain text) ?

Regards,
Bogdan"

I think I've figured out the issue, although I don't believe there is a solution. Hopefully you can verify, either way.

The bind user in the ldap.cfg file does not have the privilege to retrieve the pass word field from our LDAP directory. The only way our LDAP setup is supposed to work is by binding using the user-to-be-authenticated directly with the LDAP directory server. It is my understanding, and this is where you can verify or correct me, that opensips and the LDAP module can not change the bind user dynamically.

Regards,

Alan Rubin

-Original Message-
From: users-boun...@lists.opensips.org [mailto:users-boun...@lists.opensips.org] On Behalf Of Alan Rubin
Sent: Wednesday, 24 June 2009 8:10 AM
To: Bogdan-Andrei Iancu
Cc: users@lists.opensips.org
Subject: [OpenSIPS-Users] LDAP Authentication

Bogdan,

The LDAP messages from the mailing list are still not reaching my mailbox, which is unusual. I am checking the mail services on my end.

Still managed to pick up your last message from the Archive. After making the changes suggested for my config file, I'm still failing with a "401 - Unauthorized".
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

I'm not an LDAP expert to get into details about how ldap should be configured or so... What I can tell is that the bind is static (only once done at the beginning and that's it)... Can you send me a link or something to read more about what this dynamic bind means in LDAP ?

Thanks and regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Apparently the email administrator had a regex on the SMTP gateway to
> reject messages with pass (and) word (combined) because of previous
> users succumbing to phishing exercises. It may work now, but I will
> continue to check the archives. Oh well.
>
> Regarding:
> "Now, going to the actual issue, the problem is related to password -
> about how the client and server (ldap) are keeping the password - do
> they both keep it same format (like plain text) ?
>
> Regards,
> Bogdan"
>
> I think I've figured out the issue, although I don't believe there is a
> solution. Hopefully you can verify, either way.
>
> The bind user in the ldap.cfg file does not have the privilege to
> retrieve the pass word field from our LDAP directory. The only way our
> LDAP setup is supposed to work is by binding using the
> user-to-be-authenticated directly with the LDAP directory server. It is
> my understanding, and this is where you can verify or correct me, that
> opensips and the LDAP module can not change the bind user dynamically.
>
> Regards,
>
> Alan Rubin
>
> -Original Message-
> From: users-boun...@lists.opensips.org
> [mailto:users-boun...@lists.opensips.org] On Behalf Of Alan Rubin
> Sent: Wednesday, 24 June 2009 8:10 AM
> To: Bogdan-Andrei Iancu
> Cc: users@lists.opensips.org
> Subject: [OpenSIPS-Users] LDAP Authentication
>
> Bogdan,
>
> The LDAP messages from the mailing list are still not reaching my
> mailbox, which is unusual. I am checking the mail services on my end.
>
> Still managed to pick up your last message from the Archive. After
> making the changes suggested for my config file, I'm still failing with
> a "401 - Unauthorized".
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

I'm not an LDAP expert either, but I will try to explain the scenario better. As you said, the LDAP bind is static - done once in the beginning and sourced from the ldap.cfg file. Unfortunately, we have a filter on our LDAP server that prevents ordinary users from seeing the password field in the LDAP entry. The way we verify authentication in our environment is by dynamically substituting the LDAP bind DN with the client's uid (and password) and making a simple LDAP query using that uid. If that bind is successful, then we know that the password is correct. It doesn't seem like there is any way to configure opensips in that manner.

The aim, with LDAP, was to have a single sign-on environment for our LAN and SIP accounts. This doesn't seem possible, unless you or anyone else on the list has any further suggestions. We could use kerberos/AD authentication from the client if that is a possibility.

Regards,

Alan Rubin

-Original Message-
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
Sent: Monday, 29 June 2009 10:13 PM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

I'm not an LDAP expert to get into details about how ldap should be configured or so... What I can tell is that the bind is static (only once done at the beginning and that's it)... Can you send me a link or something to read more about what this dynamic bind means in LDAP ?

Thanks and regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Apparently the email administrator had a regex on the SMTP gateway to
> reject messages with pass (and) word (combined) because of previous
> users succumbing to phishing exercises. It may work now, but I will
> continue to check the archives. Oh well.
>
> Regarding:
> "Now, going to the actual issue, the problem is related to password -
> about how the client and server (ldap) are keeping the password - do
> they both keep it same format (like plain text) ?
>
> Regards,
> Bogdan"
>
> I think I've figured out the issue, although I don't believe there is a
> solution. Hopefully you can verify, either way.
>
> The bind user in the ldap.cfg file does not have the privilege to
> retrieve the pass word field from our LDAP directory. The only way our
> LDAP setup is supposed to work is by binding using the
> user-to-be-authenticated directly with the LDAP directory server. It is
> my understanding, and this is where you can verify or correct me, that
> opensips and the LDAP module can not change the bind user dynamically.
>
> Regards,
>
> Alan Rubin
>
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] LDAP Authentication
These are my points too and how I thought the auth should work. But you need some kind of mapping here for user dns etc. ?

On 30/06/2009, Alan Rubin wrote:
> Bogdan,
>
> I'm not an LDAP expert either, but I will try to explain the scenario
> better. As you said, the LDAP bind is static - done once in the
> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
> filter on our LDAP server that prevents ordinary users from seeing the
> password field in the LDAP entry. The way we verify authentication in
> our environment is by dynamically substituting the LDAP bind DN with the
> client's uid (and password) and making a simple LDAP query using that
> uid. If that bind is successful, then we know that the password is
> correct. It doesn't seem like there is any way to configure opensips in
> that manner.
>
> The aim, with LDAP, was to have a single sign-on environment for our LAN
> and SIP accounts. This doesn't seem possible, unless you or anyone else
> on the list has any further suggestions. We could use kerberos/AD
> authentication from the client if that is a possibility.
>
> Regards,
>
> Alan Rubin
>
> -Original Message-
> From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
> Sent: Monday, 29 June 2009 10:13 PM
> To: Alan Rubin
> Cc: users@lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> I'm not an LDAP expert to get into details about how ldap should be
> configured or so... What I can tell is that the bind is static (only
> once done at the beginning and that's it)... Can you send me a link or
> something to read more about what this dynamic bind means in LDAP ?
>
> Thanks and regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> Apparently the email administrator had a regex on the SMTP gateway to
>> reject messages with pass (and) word (combined) because of previous
>> users succumbing to phishing exercises. It may work now, but I will
>> continue to check the archives. Oh well.
>>
>> Regarding:
>> "Now, going to the actual issue, the problem is related to password -
>> about how the client and server (ldap) are keeping the password - do
>> they both keep it same format (like plain text) ?
>>
>> Regards,
>> Bogdan"
>>
>> I think I've figured out the issue, although I don't believe there is a
>> solution. Hopefully you can verify, either way.
>>
>> The bind user in the ldap.cfg file does not have the privilege to
>> retrieve the pass word field from our LDAP directory. The only way our
>> LDAP setup is supposed to work is by binding using the
>> user-to-be-authenticated directly with the LDAP directory server. It is
>> my understanding, and this is where you can verify or correct me, that
>> opensips and the LDAP module can not change the bind user dynamically.
>>
>> Regards,
>>
>> Alan Rubin
>>
>

--
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

Got your point! Theoretically, dynamic ldap binding can be done, but the question is how efficient it will be (to bind for each auth)... Think that you may process thousands of requests per second!

Wouldn't it be more reasonable to import the data into mysql?

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

If one request equals one user authentication/registration, then I don't think it would hit 1000 binds per week (small environment). If it has to bind each time a packet is sent, then that is pretty inefficient.

Regards,

Alan Rubin

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
Sent: Thursday, 2 July 2009 12:34 AM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication
Re: [OpenSIPS-Users] LDAP Authentication
Depends if a select would be faster than an LDAP bind.

Probably OpenLDAP would be faster and you have much more to gain by having it centrally in OpenLDAP (replication, standards based access etc.)

Gavin.
Re: [OpenSIPS-Users] LDAP Authentication
But Alan, you will need to re-bind each time you do an Authentication. So, even on a system with 1000 online subscribers, registering each 30 minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds per day -> 36 binds per minute.

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP Authentication
Hi Gavin,

Actually, correctly speaking, the question is whether an LDAP bind + LDAP query is faster or not than a SQL query.

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP Authentication
You can easily get >300 auth binds per second with LDAP, depending on the type of auth, and >15k indexed searches per second.
Re: [OpenSIPS-Users] LDAP Authentication
Bogdan,

My site would actually be smaller than that, but that doesn't really address the argument. Is there basically no way, then, to have a single sign-on-type environment because OpenSIPS requires so much authentication/registration traffic?

Regards,

Alan Rubin

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
Sent: Friday, 3 July 2009 8:46 PM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication
Re: [OpenSIPS-Users] LDAP Authentication
Hi Alan,

It is not OpenSIPS requiring it, it is how SIP works if you want to do it in a secure way :). But feel free to upload a feature request on the tracker for having dynamic binding.

Regards,
Bogdan
Re: [OpenSIPS-Users] LDAP authentication issue
Why do you need to get the password? How does the LDAP module do its authentication checks?

Usually an LDAP client will just bind with the username and password supplied by the client and if successful you've passed the test. There are other ways, but I need to check what the LDAP module docs say.

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] LDAP authentication issue
Hi Henry,

Correct me if my understanding is wrong. As in the LDAP module, ldap_search will search the given LDAP URL and store results. Then ldap_result("ldap_attr/avp_spec") will write LDAP values into AVPs and compare with the one sent by the SIP request. So I think at least ldap_result should return a hashed password?

Thanks
Leon

-Original Message-
From: users-boun...@lists.opensips.org [mailto:users-boun...@lists.opensips.org] On Behalf Of Gavin Henry
Sent: Wednesday, 3 June 2009 1:07 AM
To: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP authentication issue
Re: [OpenSIPS-Users] LDAP authentication issue
Morning Leon,

Effectively the ldap_result writes the values requested by an ldap_search in the avp specified. The value returned as a result depends on what you stored in your directory. If it's a hash, then you get a hash. If it's a text value, then you get that text value.

Simple example:

  modparam("auth", "username_spec", "$var(username)")
  modparam("auth", "password_spec", "$avp(s:password)")

  $var(username) = $fU;
  ldap_search("ldap://sipaccounts/ou=people,dc=company,dc=fr??sub?(cn=$fU)");
  ldap_result("sip_password/$avp(s:password)");
  if (!pv_proxy_authorize("")) {
      proxy_challenge("", "1");
  }

@Henry: The ldap module only binds with the username/password specified in the config file, not with a dynamic one.

Regards,
Gled

Leon Li wrote:
Re: [OpenSIPS-Users] LDAP authentication issue
Correct, if you are allowed to get it. Then you have to create your own sha hash with the correct salt to compare it. I submitted a feature request to add ldap_sasl_bind to the LDAP module so you can:

1. Search for an entry as normal (already possible)
2. Retrieve the user dn of that entry (already possible)
3. Use the new bind function to bind with the user DN from 2 and the password from the registration. If you get a successful bind, you're done.

This is much better and how things like pam_ldap can work.

On 03/06/2009, Leon Li wrote:

--
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
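An added example, written in Python for this page and not code from the thread or from OpenSIPS, covering Gled's ldap_result()/pv_proxy_authorize() flow above and Gavin's remark about hashed passwords: it builds the Digest response a UA sends after a challenge and verifies it the way calculate_ha1=1 does from a clear-text userPassword, and shows that an {SSHA} value from the directory gives the proxy nothing it can compare against. The realm, nonce and account names are constructed.

```python
# Added example, not from the thread or the OpenSIPS project.  It shows why
# the auth module must get a clear-text userPassword (or a stored HA1) from
# ldap_result(): SIP Digest (RFC 2617) carries only MD5(HA1:nonce:HA2) with
# HA1 = MD5(user:realm:pw); a salted {SSHA} value cannot be turned into HA1.
import base64, hashlib, hmac, re

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def calc_ha1(user: str, realm: str, password: str) -> str:
    """What modparam("auth", "calculate_ha1", 1) derives from the clear text."""
    return md5hex(f"{user}:{realm}:{password}")

def digest_response(ha1, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """Digest response; with qop="auth" the RFC 2617 nc/cnonce form is used."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header: str) -> dict:
    """key=value pairs of an 'Authorization: Digest ...' header value."""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header))

def build_authorization(user, realm, password, nonce, method, uri):
    """What a UA sends back after www_challenge(); the password itself never appears."""
    resp = digest_response(calc_ha1(user, realm, password), nonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style hashed userPassword: {SSHA} base64(sha1(pw + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def verify_register(header, method, realm, ldap_user_password):
    """Server side, like ldap_result("userPassword/...") followed by pv_www_authorize("").
    True/False for a clear-text directory value; None when the value is a hashed
    scheme ({SSHA}, {SHA}, ...) that cannot be checked against a Digest response."""
    if ldap_user_password.startswith("{"):
        return None
    p = parse_digest(header)
    ha1 = calc_ha1(p["username"], realm, ldap_user_password)
    expected = digest_response(ha1, p["nonce"], method, p["uri"],
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p["response"])
```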
Re: [OpenSIPS-Users] LDAP authentication issue
Yes, I see that. That's just for the initial search and is how pam_ldap can work too. It is so you can use a user (not the rootdn of course) that has perms to perform these searches.

On 03/06/2009, Gavin Henry wrote:

--
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
Re: [OpenSIPS-Users] LDAP authentication issue
Hi Mathews,

I tried the LDAP module a long time ago and found that the way this module works is to grab the clear text password from the LDAP server and then compare it with the one sent by the endpoints. However, my Sysadmin pointed out that most LDAP servers will not release the password but rather receive the credential and bind dynamically. So when you request to grab the password, the server may drop the request.

I am not sure if this is still the case but others can confirm please.

Regards,
Leon

-Original Message-
From: users-boun...@lists.opensips.org [mailto:users-boun...@lists.opensips.org] On Behalf Of Indiver
Sent: Friday, 19 November 2010 6:09 PM
To: users@lists.opensips.org
Subject: [OpenSIPS-Users] LDAP authentication issue

Hello Guys,

I'm trying to integrate ldap with opensips. For this purpose I configured an LDAP server and added 10 users there. My ldap.cfg file is

  [sipaccounts]
  ldap_version = 2
  ldap_server_url = "ldap://192.168.1.106:389"
  ldap_bind_dn = "cn=Manager,dc=example,dc=net"
  ldap_bind_password = "password"
  ldap_network_timeout = 500
  ldap_client_bind_timeout = 500

I added the following pieces in the cfg file:

  modparam("ldap", "config_file", "/usr/local/etc/opensips/ldap.cfg")
  modparam("auth", "username_spec", "$avp(s:username)")
  modparam("auth", "password_spec", "$avp(s:password)")
  modparam("auth", "calculate_ha1", 1)

In route Block the following:

  if (!(method=="REGISTER") && from_uri==myself) /* no multidomain version */ {
      if (!is_present_hf("Proxy-Authorization")) {
          proxy_challenge("", "0");
          exit;
      }
      $var(username) = $rU;
      if (!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&(uid=$fU))")) {
          switch ($retcode) {
              case -1:
                  # no LDAP entry found
                  sl_send_reply("404", "example: User Not Found");
                  exit;
              case -2:
                  # internal error
                  sl_send_reply("500", "example: Internal server error");
                  exit;
              default:
                  exit;
          }
      }
      xlog("L_INFO", "example: ldap_search: found [$retcode] entries for (uid=$fU)");
      ldap_result("userPassword/$avp(s:password)");
      # username to authenticate
      #$avp(i:2) = $fU;
      # do the authentication
      if (!pv_proxy_authorize("")) {
          proxy_challenge("", "0");
          exit;
      }
      # caller authenticated
  }

  if (is_method("REGISTER")) {
      if (!is_present_hf("Authorization")) {
          www_challenge("", "0");
          exit;
      }
      $var(username) = $fU;
      if (!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&(uid=$fU))")) {
          switch ($retcode) {
              case -1:
                  # no LDAP entry found
                  sl_send_reply("404", "example: User Not Found");
                  exit;
              case -2:
                  # internal error
                  sl_send_reply("500", "example: Internal server error");
                  exit;
              default:
                  exit;
          }
      }
      xlog("L_INFO", "example: ldap_search: found [$retcode] entries for (uid=$fU)");
      if (!ldap_result("userPassword/$avp(s:password)")) {
          switch ($retcode) {
              case -1:
                  # no SIPIdentityServiceLevel found
                  sl_send_reply("403", "example: Forbidden");
                  exit;
              case -2:
                  # internal error
                  sl_send_reply("500", "example: Internal server error");
                  exit;
              default:
                  exit;
          }
      }
      xlog("L_INFO", "example: ldap_result: password est =$avp(s:password)");
      # do the authentication
      if (!pv_www_authorize("")) {
          www_challenge("", "0");
          exit;
      }
      if (!
Re: [OpenSIPS-Users] LDAP Authentication OpenSIPS
Hi Jonathan.

You might find the documentation of the LDAP module useful.

http://www.opensips.org/html/docs/modules/1.5.x/ldap.html

Regards.
Sergio

2009/9/11 Jonathan González
> Hi there,
>
> I have been trying to configure LDAP authentication. I have been reading some documentation I have found about the configuration in OpenSer 1.3.x and some emails from this list and I have read that the way is to make queries against ldap to obtain username and password and then authenticate.
>
> The way I have to do this LDAP authentication is binding directly to the LDAP server with the username/password of the SIP users; it is impossible for me to do it the other way because the password field on the LDAP is unreadable. Is there any way for OpenSIPS to bind the LDAP server to authenticate the user?
>
> Thanks in advance,
> Jonathan
>
> --
> Personal webpage - www.jonbaraq.eu

--
Sergio Gutiérrez