Hi Alan,

I'm not enough of an LDAP expert to get into details about how LDAP should be configured. What I can tell you is that the bind is static (done only once, at the beginning, and that's it). Can you send me a link or something to read more about what this dynamic bind means in LDAP?
Thanks and regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> Apparently the email administrator had a regex on the SMTP gateway to
> reject messages with pass (and) word (combined) because of previous
> users succumbing to phishing exercises. It may work now, but I will
> continue to check the archives. Oh well.
>
> Regarding:
> "Now, going to the actual issue, the problem is related to password -
> about how the client and server (ldap) are keeping the password - do
> they both keep it in the same format (like plain text)?
>
> Regards,
> Bogdan"
>
> I think I've figured out the issue, although I don't believe there is a
> solution. Hopefully you can verify, either way.
>
> The bind user in the ldap.cfg file does not have the privilege to
> retrieve the pass word field from our LDAP directory. The only way our
> LDAP setup is supposed to work is by binding using the
> user-to-be-authenticated directly with the LDAP directory server. It is
> my understanding, and this is where you can verify or correct me, that
> opensips and the LDAP module cannot change the bind user dynamically.
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: users-boun...@lists.opensips.org
> [mailto:users-boun...@lists.opensips.org] On Behalf Of Alan Rubin
> Sent: Wednesday, 24 June 2009 8:10 AM
> To: Bogdan-Andrei Iancu
> Cc: users@lists.opensips.org
> Subject: [OpenSIPS-Users] LDAP Authentication
>
> Bogdan,
>
> The LDAP messages from the mailing list are still not reaching my
> mailbox, which is unusual. I am checking the mail services on my end.
>
> Still managed to pick up your last message from the Archive. After
> making the changes suggested for my config file, I'm still failing with
> a "401 - Unauthorized".
> Here are the relevant logs:
>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [5000000] usecs
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:check_nonce: comparing [4a41558400000004dcd97551d7189591cf32402f006987b9] and [4a41558400000004dcd97551d7189591cf32402f006987b9]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: nonce index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="155.205.69.126", nonce="4a4155840000000573fd091deb999f17423ea6b4be4cb6e2" '
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:destroy_avp_list: destroying list (nil)
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:receive_msg: cleaning up
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26 /var/log/localmessages | less
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26 /var/log/localmessages
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: SIP Request:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: method: <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: uri: <sip:155.205.69.126>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_msg: version: <SIP/2.0>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via_param: found param type 232, <branch> = <z9hG4bK-d8754z-02350078246c1c6a-1---d8754z->; state=6
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via_param: found param type 235, <rport> = <n/a>; state=17
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_via: end of header reached, state=5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: via found, flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: this is the first via
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:receive_msg: After parse_msg...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:receive_msg: preparing to run routing scripts...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=100
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:maxfwd:is_maxfwd_present: value = 70
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=8
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_to: end of header reached, state=10
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_to: display={"alan"}, ruri={sip:o...@155.205.69.126}
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:get_hdr_field: <To> [32]; uri=[sip:o...@155.205.69.126]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:get_hdr_field: to body ["alan"<sip:o...@155.205.69.126> ]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:uri:has_totag: no totag
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=78
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:get_hdr_field: cseq <CSeq>: <2> <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:tm:t_lookup_request: start searching: hash=48267, isACK=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:tm:matching_3261: RFC3261 transaction matching failed
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:tm:t_lookup_request: no transaction found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:get_hdr_field: content_length=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:get_hdr_field: found end of header
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:ldap:ldap_url_search: LDAP URL parsed into session_name [sipaccounts], base [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [5000000] usecs
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:auth:check_nonce: comparing [4a41558300000003489e75bbcc433a8035de29ba6fd0c3e6] and [4a41558300000003489e75bbcc433a8035de29ba6fd0c3e6]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 4
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:auth:build_auth_hf: nonce index= 4
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="155.205.69.126", nonce="4a41558400000004dcd97551d7189591cf32402f006987b9" '
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:destroy_avp_list: destroying list (nil)
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]: DBG:core:receive_msg: cleaning up
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_msg: SIP Request:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_msg: method: <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_msg: uri: <sip:155.205.69.126>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_msg: version: <SIP/2.0>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_via_param: found param type 232, <branch> = <z9hG4bK-d8754z-e755c268ad186c3e-1---d8754z->; state=6
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_via_param: found param type 235, <rport> = <n/a>; state=17
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_via: end of header reached, state=5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: via found, flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: this is the first via
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:receive_msg: After parse_msg...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:receive_msg: preparing to run routing scripts...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=100
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:maxfwd:is_maxfwd_present: value = 70
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=8
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_to: end of header reached, state=10
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_to: display={"alan"}, ruri={sip:o...@155.205.69.126}
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:get_hdr_field: <To> [32]; uri=[sip:o...@155.205.69.126]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:get_hdr_field: to body ["alan"<sip:o...@155.205.69.126> ]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:uri:has_totag: no totag
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=78
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:get_hdr_field: cseq <CSeq>: <3> <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:tm:t_lookup_request: start searching: hash=48268, isACK=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:tm:matching_3261: RFC3261 transaction matching failed
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:tm:t_lookup_request: no transaction found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:get_hdr_field: content_length=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:get_hdr_field: found end of header
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:ldap_url_search: LDAP URL parsed into session_name [sipaccounts], base [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg], scope [2], filter [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout [5000000] usecs
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:check_nonce: comparing [4a41558400000004dcd97551d7189591cf32402f006987b9] and [4a41558400000004dcd97551d7189591cf32402f006987b9]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: nonce index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest realm="155.205.69.126", nonce="4a4155840000000573fd091deb999f17423ea6b4be4cb6e2" '
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:destroy_avp_list: destroying list (nil)
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]: DBG:core:receive_msg: cleaning up
> ...
>
> Here's my main route section from the opensips.cfg file:
>
> # main request routing logic
>
> route{
>
>     if (!mf_process_maxfwd_header("10")) {
>         sl_send_reply("483","Too Many Hops");
>         exit;
>     }
>
>     if (has_totag()) {
>         # sequential request within a dialog should
>         # take the path determined by record-routing
>         if (loose_route()) {
>             if (is_method("BYE")) {
>                 setflag(1); # do accounting ...
>                 setflag(3); # ... even if the transaction fails
>             } else if (is_method("INVITE")) {
>                 # even if in most of the cases is useless, do RR for
>                 # re-INVITEs also, as some buggy clients do change route set
>                 # during the dialog.
>                 record_route();
>             }
>             # route it out to whatever destination was set by loose_route()
>             # in $du (destination URI).
>             route(1);
>         } else {
>             /* uncomment the following lines if you want to enable presence */
>             ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
>             if (is_method("SUBSCRIBE") && $rd == "155.205.69.126") {
>                 # in-dialog subscribe requests
>                 route(2);
>                 exit;
>             }
>             if ( is_method("ACK") ) {
>                 if ( t_check_trans() ) {
>                     # non loose-route, but stateful ACK; must be an ACK after
>                     # a 487 or e.g. 404 from upstream server
>                     t_relay();
>                     exit;
>                 } else {
>                     # ACK without matching transaction ->
>                     # ignore and discard
>                     exit;
>                 }
>             }
>             sl_send_reply("404","Not here");
>         }
>         exit;
>     }
>
>     #initial requests
>
>     # CANCEL processing
>     if (is_method("CANCEL"))
>     {
>         if (t_check_trans())
>             t_relay();
>         exit;
>     }
>
>     t_check_trans();
>
>     # authenticate if from local subscriber (uncomment to enable auth)
>     # authenticate all initial non-REGISTER request that pretend to be
>     # generated by local subscriber (domain from FROM URI is local)
>     ##if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
>     ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
>     ##{
>     ##    if (!proxy_authorize("", "subscriber")) {
>     ##        proxy_challenge("", "0");
>     ##        exit;
>     ##    }
>     ##    if (!check_from()) {
>     ##        sl_send_reply("403","Forbidden auth ID");
>     ##        exit;
>     ##    }
>     ##
>     ##    consume_credentials();
>     ##    # caller authenticated
>     ##}
>
>
>     if (!(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
>         # are any credentials available in the request ?
>         if (!is_present_hf("Proxy-Authorization")) {
>             proxy_challenge("", "0");
>             exit;
>         }
>
>         # run the ldap_query() and load the passwd into $avp(s:password)
>         # TODO
>         $var(username)=$fU;
>
>         ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
>         ldap_result("userPassword/$avp(s:password)");
>
>         # username to authenticate
>         #$var(username) = $fU;
>
>         # do the authentication
>         if(!pv_proxy_authorize("")){
>             proxy_challenge("", "0");
>             exit;
>         }
>     }
>
>     if ( is_method("REGISTER") ) {
>         # are any credentials available in the request ?
>         if (!is_present_hf("Authorization")) {
>             www_challenge("", "0");
>             exit;
>         }
>
>         $var(username)=$tU;
>
>         ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$tU)(departmentNumber=66)(ntguserstatus=Active))");
>         ldap_result("userPassword/$avp(s:password)");
>
>         # do the authentication
>         if(!pv_www_authorize("")){
>             www_challenge("", "0");
>             exit;
>         }
>
>         if (!save("location"))
>             sl_reply_error();
>
>     }
>
>
>     # preloaded route checking
>     if (loose_route()) {
>         xlog("L_ERR",
>             "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
>         if (!is_method("ACK"))
>             sl_send_reply("403","Preload Route denied");
>         exit;
>     }
>
>     # record routing
>     if (!is_method("REGISTER|MESSAGE"))
>         record_route();
>
>     # account only INVITEs
>     if (is_method("INVITE")) {
>         setflag(1); # do accounting
>     }
>     if (!uri==myself)
>     ## replace with following line if multi-domain support is used
>     ##if (!is_uri_host_local())
>     {
>         append_hf("P-hint: outbound\r\n");
>         # if you have some interdomain connections via TLS
>         ##if($rd=="tls_domain1.net") {
>         ##    t_relay("tls:domain1.net");
>         ##    exit;
>         ##} else if($rd=="tls_domain2.net") {
>         ##    t_relay("tls:domain2.net");
>         ##    exit;
>         ##}
>         route(1);
>     }
>
>     # requests for my domain
>
>     ## uncomment this if you want to enable presence server
>     ## and comment the next 'if' block
>     ## NOTE: uncomment also the definition of route[2] from below
>     if( is_method("PUBLISH|SUBSCRIBE"))
>         route(2);
>
>     ##if (is_method("PUBLISH"))
>     ##{
>     ##    sl_send_reply("503", "Service Unavailable");
>     ##    exit;
>     ##}
>
>
>     if (is_method("REGISTER"))
>     {
>         # authenticate the REGISTER requests (uncomment to enable auth)
>         if (!www_authorize("155.205.69.126", "subscriber"))
>         {
>             www_challenge("155.205.69.126", "0");
>             exit;
>         }
>         ##
>         ##if (!check_to())
>         ##{
>         ##    sl_send_reply("403","Forbidden auth ID");
>         ##    exit;
>         ##}
>
>         ## make pua_usrloc send PUBLISH for phones which do not support presence
>         ## filter after User-Agent header
>         #if(!search("^User-Agent:"))
>         #    pua_set_publish();
>
>         # save("location");
>         # exit;
>
>         if(is_method("REGISTER") && from_uri=~"@galah.cprod.corp.ntgov")
>             pua_set_publish();
>
>
>         if (!save("location"))
>             sl_reply_error();
>
>         exit;
>     }
>
>     if ($rU==NULL) {
>         # request with no Username in RURI
>         sl_send_reply("484","Address Incomplete");
>         exit;
>     }
>
>     # apply DB based aliases (uncomment to enable)
>     ##alias_db_lookup("dbaliases");
>
>     if (!lookup("location")) {
>         switch ($retcode) {
>             case -1:
>             case -3:
>                 t_newtran();
>                 t_reply("404", "Not Found");
>                 exit;
>             case -2:
>                 sl_send_reply("405", "Method Not Allowed");
>                 exit;
>         }
>     }
>
>     # when routing via usrloc, log the missed calls also
>     setflag(2);
>
>     route(1);
> }
> ...
>
>
> If you see anything else wrong, please let me know and thanks for all of
> your help so far.
>
> I've been using X-Lite to test, if anyone knows of any issues.
>
> Regards,
>
> Alan Rubin
>
>
> _______________________________________________
> Users mailing list
> Users@lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
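Added example (editor's code, not part of the thread and not OpenSIPS code) showing the arithmetic behind the 401 discussion above. With SIP Digest the UA never sends the password: it sends MD5(HA1:nonce:HA2), where HA1 = MD5(username:realm:password). The proxy can therefore verify a REGISTER only if the directory hands it the cleartext password or a precomputed HA1 for that realm. Two consequences follow directly: a bind to LDAP as the user being authenticated (the "dynamic bind" idea) cannot be performed from a Digest response, because the password is not in it; and a userPassword stored in RFC 2307 hashed form ({SSHA}, {CRYPT}, ...) is equally unusable, since HA1 cannot be derived from it. The realm and both nonces are taken from the posted WWW-Authenticate lines and the username is the cn from the posted filter; the password, the hashed userPassword and the precomputed HA1 are constructed. The credential_is_ha1 flag is a stand-in for whatever your auth module version uses to say whether the loaded attribute is a password or an HA1; check its documentation for the real parameter.

```python
import hashlib
import hmac

# Taken from the posted WWW-Authenticate challenge and LDAP filter.
REALM = "155.205.69.126"
NONCE = "4a4155840000000573fd091deb999f17423ea6b4be4cb6e2"
OTHER_NONCE = "4a41558300000003489e75bbcc433a8035de29ba6fd0c3e6"  # the earlier challenge
USERNAME = "oh5"
METHOD = "REGISTER"
URI = "sip:155.205.69.126"

# Constructed for the example; not real credentials.
PASSWORD = "example-passphrase"
HASHED_USERPASSWORD = "{SSHA}7Gx1d0xZ3mXx7u1Tq0G1dYw1Z0c2b3xhcmd5"  # RFC 2307 style value


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password): the most a Digest proxy ever needs to hold."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_response(username, realm, password, method, uri, nonce):
    """UA side (RFC 2617 without qop, matching the posted challenge): the response= value."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


def verify_response(credential, credential_is_ha1, username, realm, method, uri, nonce, response):
    """Proxy side, given whatever the directory lookup returned as `credential`.

    Returns (accepted, reason). `credential_is_ha1` stands in for the module setting
    that says whether the loaded attribute is the cleartext password or a precomputed HA1.
    """
    if not credential:
        # Attribute missing, or not readable by the bind user: nothing to compare against.
        return False, "no credential returned by the directory"
    if credential.startswith("{") and "}" in credential:
        # RFC 2307 hashed userPassword ({SSHA}, {CRYPT}, ...): HA1 cannot be derived from it.
        scheme = credential[1:credential.index("}")]
        return False, f"userPassword is stored as {{{scheme}}}; Digest needs cleartext or HA1"
    h1 = credential if credential_is_ha1 else ha1(username, realm, credential)
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{h1}:{nonce}:{ha2}")
    # Constant-time compare; a mismatch is what makes the proxy re-challenge (the 401 above).
    if hmac.compare_digest(expected.encode(), response.lower().encode()):
        return True, "ok"
    return False, "response mismatch"


def scenarios():
    """The cases the thread is circling: returns {name: (accepted, reason)}."""
    resp = client_response(USERNAME, REALM, PASSWORD, METHOD, URI, NONCE)
    args = (USERNAME, REALM, METHOD, URI, NONCE, resp)
    return {
        "cleartext userPassword readable": verify_response(PASSWORD, False, *args),
        "precomputed HA1 attribute": verify_response(ha1(USERNAME, REALM, PASSWORD), True, *args),
        "attribute not returned to bind user": verify_response("", False, *args),
        "userPassword stored hashed": verify_response(HASHED_USERPASSWORD, False, *args),
        # Same response presented against a different challenge: the nonce is bound into it.
        "response replayed against another nonce": verify_response(
            PASSWORD, False, USERNAME, REALM, METHOD, URI, OTHER_NONCE, resp),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name}: {why}")
```

Run it stand-alone to see the five verdicts; only the first two cases are accepted, which is why the question of how the directory stores userPassword, and whether the bind user may read it, decides the outcome of pv_www_authorize here.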