"sr-users-requ...@lists.sip-router.org" <sr-users-requ...@lists.sip-router.org> wrote:
Today's Topics:

   1. Authentication SER + RADIUS + LDAP (Pablo Ros)
   2. Kamailio SCTP support (Francisco José Méndez Cirera)
   3. Re: NAT Traversal IPTel example (Daniel-Constantin Mierla)
   4. Re: Kamailio SCTP support (Daniel-Constantin Mierla)

----------------------------------------------------------------------

Message: 1
Date: Tue, 4 May 2010 10:03:26 +0200
From: Pablo Ros <prf1...@gmail.com>
Subject: [SR-Users] Authentication SER + RADIUS + LDAP
To: sr-users@lists.sip-router.org
Message-ID: <m2i46878ffc1005040103m27d01ccfo9c84d8bba7dc7...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

We have an LDAP database with many users' information, and this is the one we use to implement most of our services; on the contrary, we have SER working with a SQL database. Our intention was to also do the authentication against LDAP.

After some research, we've seen there's no specific module for SER to work with LDAP, and we have considered some alternatives; among them there was the "module" from ETH world <http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap>. However, we didn't manage to make it work (if it's an advisable choice we'd appreciate some clues).

So, we decided to do the authentication through the RADIUS server. Nevertheless, we are having some problems with the way data is sent. When doing the user authentication there's no problem, as it is sent in plain text and we modified it to check against the email attribute, as this is what we want. It does it perfectly.

But it turns out that when we try to do the password authentication, as the data sent from SER comes in a hash (user:realm:password) as far as we know, we don't really know how to make it compare with the password field in LDAP (under the MD5 algorithm as well). When we run a test over RADIUS by sending plain text it works perfectly, so searching the attributes over LDAP shouldn't be a problem. We have tried to follow instructions to set the digest section properly but there's something we definitely miss.

Attached there's a log from the RADIUS server when trying to log in with SER, and the Register section from SER.

log:

03
User-Name = "my.u...@i2cat.net"
Digest-Attributes = 0x0a0b7061626c6f2e726f73
Digest-Attributes = 0x010b69326361742e6e6574
Digest-Attributes = 0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532
Digest-Attributes = 0x040f7369703a69326361742e6e6574
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
Service-Type = Sip-Session
Sip-Uri-User = "my.user"
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "i2cat.net" for User-Name = " my.u...@i2cat.net"
rlm_realm: No such realm "i2cat.net"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my.u...@i2cat.net
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail= my.u...@i2cat.net)
expand: ou=activat,ou=personal,dc=i2cat,dc=net -> ou=activat,ou=personal,dc=i2cat,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.i2cat.net:389, authentication 0
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to ldap.i2cat.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net, with filter (mail=pablo....@i2cat.net)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 == "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
rlm_ldap: user pablo....@i2cat.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Digest-HA1 has invalid length, authentication failed.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [my.u...@i2cat.net/<via Auth-Type = DIGEST>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> my.u...@i2cat.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds

SER register -> User Authentication part

#------------------------------------------------------------------------
# Credential check for users.
#------------------------------------------------------------------------
if (!is_user_in("From", "noauth")) {
    xlog("L_NOTICE", "SER-INFO: challenging user...\n");
    # IMPORTANT: radius_www_authorize takes only one parameter!
    if(!radius_www_authorize("")) {
        # The user is NOT registered correctly or the
        # credentials are not valid!
        www_challenge("i2cat.net","0");
        xlog("L_ALERT","SER-ALERT r[4]-Bad Auth from <%fu>:(%is) [403 Forbiden]\n");
        sl_send_reply("403", "Forbiden!, Bad Credentials");
        break; # cut off the communication
    };
    #--------------------------------------------------------------------
    # check_to
    #--------------------------------------------------------------------
    if(!check_to()) {
        xlog("L_ALERT","SER-ALERT: check_to(): REG Spoofed attempt <%fu>:(%is)\n");
        sl_send_reply("403", "Use To=id la proxima vegada :@");
        consume_credentials(); # make the session expire
        break;
    };
}

--
Pablo Ros

------------------------------

Message: 2
Date: Wed, 5 May 2010 09:52:53 +0200
From: Francisco José Méndez Cirera <mendezir...@gmail.com>
Subject: [SR-Users] Kamailio SCTP support
To: sr-users@lists.sip-router.org
Message-ID: <p2i5522bed91005050052ra51f50bcr9b134241a8c20...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I've downloaded Kamailio 3.0.0 (the last release) and I've seen it's possible to download a "binary tar.gz" or the source to compile directly. I would like to know if the binary has support for SCTP enabled by default.

If it's enabled by default, how can I activate it (I can't find any option related to sctp in kamailio.cfg)?

If it isn't enabled by default, which are the dependencies? Is there a document or something with at least the main dependencies?

Thank you very much. Bye!
------------------------------

Message: 3
Date: Wed, 05 May 2010 10:58:56 +0200
From: Daniel-Constantin Mierla <mico...@gmail.com>
Subject: Re: [SR-Users] NAT Traversal IPTel example
To: Andy Savage <a...@bluewire.net.nz>
Cc: serus...@iptel.org
Message-ID: <4be13350.7000...@gmail.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hello

On 5/5/10 9:00 AM, Andy Savage wrote:
> Hi there,
>
> I've been setting up SER for a testing server on the local network
> behind a NAT. I'm having problems understanding how to set up the NAT
> routing in the configuration file.
>
> My understanding is that IPTel has already set up advanced NAT routing
> on the free service (as per the website).
>
> Is it possible to get a copy of the configuration file (at least the
> part that has the NAT routing stuff). This would help me immensely in
> getting proper NAT traversal set up as it already works great on the
> IPTel server.
>
> Not sure who I would contact in regards to this, but this seemed like
> a good place to start.

In the etc directory of the sources you have several configuration files; oob.cfg should be pretty much what iptel.org has, afaik. Also, the kamailio flavour config, kamailio.cfg, has NAT traversal guidelines.

Cheers,
Daniel

>
> Kind regards,
> Andy Savage
>
> --
> "The greatest challenge to any thinker is stating the problem in a way
> that will allow a solution"
> - Bertrand Russell
>
> Andy Savage
> Cell Phone: +852 936 34341
> Skype ID: andy_savage
> Linked In: http://www.linkedin.com/in/andysavage
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>

--
Daniel-Constantin Mierla
* http://www.asipto.com/
* http://twitter.com/miconda
* http://www.linkedin.com/in/danielconstantinmierla

------------------------------

Message: 4
Date: Wed, 05 May 2010 11:04:41 +0200
From: Daniel-Constantin Mierla <mico...@gmail.com>
Subject: Re: [SR-Users] Kamailio SCTP support
To: Francisco José Méndez Cirera <mendezir...@gmail.com>
Cc: sr-users@lists.sip-router.org
Message-ID: <4be134a9.1060...@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

On 5/5/10 9:52 AM, Francisco José Méndez Cirera wrote:
> Hello,
>
> I've downloaded Kamailio 3.0.0 (the last release) and I've seen it's
> possible to download a "binary tar.gz" or the source to compile
> directly. I would like to know if the binary has support for
> SCTP enabled by default.
>
> If it's enabled by default, how can I activate it (I can't find any
> option related to sctp in kamailio.cfg)?
>
> If it isn't enabled by default, which are the dependencies? Is there a
> document or something with at least the main dependencies?
>
> Thank you very much. Bye!

I think the binaries don't have SCTP built; you can check with 'kamailio -V': if you see the SCTP use flag, then it is, otherwise it is not.

Cheers,
Daniel

--
Daniel-Constantin Mierla
* http://www.asipto.com/
* http://twitter.com/miconda
* http://www.linkedin.com/in/danielconstantinmierla

------------------------------

_______________________________________________
sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

End of sr-users Digest, Vol 60, Issue 6
***************************************
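
Added example, not part of the original messages or of SER/FreeRADIUS code: Python that decodes the Digest-Attributes values from the RADIUS log in Message 1 and checks why the LDAP userPassword value is rejected as Digest-HA1. The function names and the demo password are constructed, and the sub-attribute numbering is assumed to follow draft-sterman-aaa-sip.

```python
import base64
import hashlib
import re

# Sub-attribute types inside Digest-Attributes (assumed: draft-sterman-aaa-sip numbering).
SUBTYPES = {1: "Realm", 2: "Nonce", 3: "Method", 4: "URI", 5: "QOP",
            6: "Algorithm", 7: "Body-Digest", 8: "CNonce",
            9: "Nonce-Count", 10: "User-Name"}

# Digest-Attributes values copied from the RADIUS log in Message 1.
LOG_ATTRS = [
    "0x0a0b7061626c6f2e726f73",
    "0x010b69326361742e6e6574",
    "0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532",
    "0x040f7369703a69326361742e6e6574",
    "0x030a5245474953544552",
]

def parse_digest_attributes(hex_values):
    """Decode each value as one TLV: type byte, length byte (header included), text."""
    out = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError(f"bad TLV length in {hv}")
        out[SUBTYPES.get(raw[0], f"Unknown-{raw[0]}")] = raw[2:].decode("ascii")
    return out

def ha1_problem(value):
    """Return why `value` cannot serve as Digest-HA1, or None if it is well formed."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return None
    m = re.fullmatch(r"\{md5\}(.+)", value, re.IGNORECASE)
    if m:
        n = len(base64.b64decode(m.group(1)))
        return f"LDAP {{md5}} hash ({n} raw bytes of MD5(password)), not MD5(user:realm:password)"
    return f"expected 32 hex characters, got {len(value)} characters"

def compute_ha1(user, realm, password):
    """HA1 as the SIP client computes it; requires the cleartext password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def expected_response(ha1, attrs):
    """Digest response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = hashlib.md5(f"{attrs['Method']}:{attrs['URI']}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{attrs['Nonce']}:{ha2}".encode()).hexdigest()

if __name__ == "__main__":
    attrs = parse_digest_attributes(LOG_ATTRS)
    print(attrs)
    print(ha1_problem("{md5}nCK4tZ5NNP48oT0wlXX+Jw=="))
    ha1 = compute_ha1(attrs["User-Name"], attrs["Realm"], "constructed-password")
    print(ha1, expected_response(ha1, attrs))
```

Because HA1 covers the user name, the realm and the cleartext password, it cannot be derived from an MD5(password) value already stored in LDAP; the directory entry has to provide either the cleartext password or a precomputed HA1.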