Hello,

There is a new SER module in the repository called ldap, which
implements a generic LDAP driver for SER 2.1. The driver is not yet
complete, but it already seems to work fine, so I would like to
encourage those who are interested to give it a try.

The driver supports read-only access to LDAP directories, which means it
cannot be used with modules such as acc_db or usrloc that write data into
the database. It can be used with read-only modules such as auth_db
(for digest authentication), domain, uri_db, etc.

The driver has been tested against an OpenLDAP server, and libldap is
needed to compile the module.

To authenticate against an LDAP directory you can configure the auth_db
module as follows:

modparam("auth_db", "calculate_ha1", 1)
modparam("auth_db", "plain_password_column", "password")
modparam("auth_db", "db_url", "ldap://server")

The module uses a standalone configuration file (included in the module
directory as ldap.cfg) which maps database table names to trees in LDAP
directories and also maps column names to LDAP attribute types and names.

For example, the auth_db module uses a table named "credentials", and it
searches for the password and uid of the user based on the
authentication username and realm; the SQL query looks like this:

select uid, password from credentials where auth_username='user' and
auth_realm='iptel.org';

This SQL query is mapped to LDAP in the configuration file as follows:

[credentials]
base = "ou=Digest Credentials,dc=iptel,dc=org"
scope = children
field_map = password : (Binary) digestPassword
filter = "(objectClass=digestAuthCredentials)"
field_map = realm : (String) digestRealm
field_map = auth_username : (String) digestUsername
field_map = uid : (String) serUID
field_map = flags : (BitString) serFlags

The section starts with [credentials] which means that all directives
until the next [...] are for the credentials table.

Option 'base' tells the ldap driver that searches for entries in the
credentials table should start at
"ou=Digest Credentials,dc=iptel,dc=org"
in the ldap directory, which is the subtree that contains the digest
credentials.

The next option, 'scope', tells the driver that we are interested in all
objects below the root specified in 'base', but not in the base object
itself.

The option 'filter' contains a string that will be added to the LDAP
search filter that the driver builds (see RFC 4515). The filter above
means that we are only interested in objects with objectClass
digestAuthCredentials.

And finally there are a few 'field_map' options which map SQL column
names to LDAP attribute names and types. The part before ':' is the name
of the SQL column, the part after ':' contains the name of the
corresponding LDAP attribute. The LDAP attribute name can optionally be
preceded by the type of the LDAP field. For example:

field_map = flags : (BitString) serFlag

means that SQL column name 'flags' should be mapped to LDAP attribute
'serFlag', and the LDAP attribute is a bit string ('010101'B).

With this configuration file, the SQL query above will be converted to
the following LDAP search filter:
(&(objectClass=digestAuthCredentials)(digestUsername=user)(digestRealm=iptel.org))
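As an added illustration (not code from the ser ldap module itself), the following Python model reproduces the mapping described above: it parses the [credentials] section, turns the column/value pairs of the WHERE clause into the filter shown, and escapes the values as RFC 4515 requires, so a username containing '*', '(' or ')' cannot change the meaning of the filter. The sample configuration is a constructed copy of the section above, and the column name 'realm' follows its field_map.

```python
import re

# Constructed sample in the ldap.cfg section format described in the post.
LDAP_CFG = """
[credentials]
base = "ou=Digest Credentials,dc=iptel,dc=org"
scope = children
filter = "(objectClass=digestAuthCredentials)"
field_map = password : (Binary) digestPassword
field_map = realm : (String) digestRealm
field_map = auth_username : (String) digestUsername
field_map = uid : (String) serUID
field_map = flags : (BitString) serFlags
"""

def parse_ldap_cfg(text):
    """Parse [table] sections; each field_map becomes column -> (type, attribute)."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = tables.setdefault(line[1:-1], {"field_map": {}})
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key == "field_map":
            col, _, rest = (p.strip() for p in val.partition(":"))
            m = re.fullmatch(r"(?:\((\w+)\)\s*)?(\S+)", rest)
            cur["field_map"][col] = (m.group(1) or "String", m.group(2))  # type defaults to String
        else:
            cur[key] = val.strip('"')
    return tables

def escape_filter_value(value):
    """RFC 4515 escaping of a value inserted into a filter (\\2a, \\28, \\29, \\5c, \\00)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)

def build_search(tables, table, where):
    """Map a WHERE clause given as [(column, value), ...] to (base, scope, filter)."""
    t = tables[table]
    parts = [t.get("filter", "")]
    for col, val in where:
        _, attr = t["field_map"][col]
        parts.append("(%s=%s)" % (attr, escape_filter_value(val)))
    return t["base"], t["scope"], "(&%s)" % "".join(parts)

if __name__ == "__main__":
    cfg = parse_ldap_cfg(LDAP_CFG)
    print(build_search(cfg, "credentials", [("auth_username", "user"), ("realm", "iptel.org")]))
```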

File ser.schema contains an example (simple for now) schema for
OpenLDAP. Currently the schema only contains equivalents of credentials
and domain tables, I will add more attributes and objects as I have them.

    Jan.


_______________________________________________
Serdev mailing list
http://lists.iptel.org/mailman/listinfo/serdev