Hi Gavin,

Actually, correctly speaking is if a LDAP bind + LDAP query is faster or not than a SQL query....

Regards,
Bogdan

Gavin Henry wrote:
> Depends if a select would be faster than an LDAP bind.
>
> Probably OpenLDAP would be faster and you have much more to gain by
> having it centrally in OpenLDAP (replication, standards based
> access etc.)
>
> Gavin.
>
> On 01/07/2009, Bogdan-Andrei Iancu <bog...@voice-system.ro> wrote:
>
>> Hi Alan,
>>
>> Got your point! Theoretically, dynamic ldap binding can be done, but the
>> question is how efficient it will be (to bind for each auth)... Think that
>> you may process thousands of requests per second!
>>
>> Wouldn't it be more reasonable to import the data into mysql?
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> I'm not an LDAP expert either, but I will try to explain the scenario
>>> better. As you said, the LDAP bind is static - done once in the
>>> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
>>> filter on our LDAP server that prevents ordinary users from seeing the
>>> password field in the LDAP entry. The way we verify authentication in
>>> our environment is by dynamically substituting the LDAP bind DN with the
>>> client's uid (and password) and making a simple LDAP query using that
>>> uid. If that bind is successful, then we know that the password is
>>> correct. It doesn't seem like there is any way to configure opensips in
>>> that manner.
>>>
>>> The aim, with LDAP, was to have a single-signon environment for our LAN
>>> and SIP accounts. This doesn't seem possible, unless you or anyone else
>>> on the list has any further suggestions. We could use kerberos/AD
>>> authentication from the client if that is a possibility.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
>>> Sent: Monday, 29 June 2009 10:13 PM
>>> To: Alan Rubin
>>> Cc: users@lists.opensips.org
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> I'm not an LDAP expert to get into details about how ldap should be
>>> configured or so.... What I can tell is that the bind is static (only
>>> once done at the beginning and that's it).... Can you send me a link or
>>> something to read more about what this dynamic bind means in LDAP?
>>>
>>> Thanks and regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>
>>>> Bogdan,
>>>>
>>>> Apparently the email administrator had a regex on the SMTP gateway to
>>>> reject messages with pass (and) word (combined) because of previous
>>>> users succumbing to phishing exercises. It may work now, but I will
>>>> continue to check the archives. Oh well.
>>>>
>>>> Regarding:
>>>> "Now, going to the actual issue, the problem is related to password -
>>>> about how the client and server (ldap) are keeping the password - do
>>>> they both keep it same format (like plain text) ?
>>>>
>>>> Regards,
>>>> Bogdan"
>>>>
>>>> I think I've figured out the issue, although I don't believe there is a
>>>> solution. Hopefully you can verify, either way.
>>>>
>>>> The bind user in the ldap.cfg file does not have the privilege to
>>>> retrieve the pass word field from our LDAP directory. The only way our
>>>> LDAP setup is supposed to work is by binding using the
>>>> user-to-be-authenticated directly with the LDAP directory server. It is
>>>> my understanding, and this is where you can verify or correct me, that
>>>> opensips and the LDAP module can not change the bind user dynamically.
>>>>
>>>> Regards,
>>>>
>>>> Alan Rubin
>>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
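
The bind-as-user check Alan describes in the thread above, shown at the wire level as an added example that is not part of the thread and is not OpenSIPS code: it builds the LDAPv3 simple BindRequest for the user's own DN and reads the resultCode from the BindResponse. The DN layout `uid=<uid>,<base DN>`, the function names and all sample values are assumptions made for illustration.

```python
# Added example, not from the thread. Assumes entries are named uid=<uid>,<base_dn>.

def ber(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def escape_rdn_value(value: str) -> str:
    """Hex-escape RFC 4514 specials so a uid cannot add or change DN components."""
    return "".join(
        "\\%02x" % ord(ch)
        if ch in '\\,+"<>;=\x00' or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " ")
        else ch
        for i, ch in enumerate(value))

def bind_request(msg_id: int, uid: str, password: str, base_dn: str) -> bytes:
    """Build the BindRequest that authenticates as the user being checked."""
    if not uid or not password:
        # RFC 4513 5.1.2: an empty password is an "unauthenticated" bind that may succeed.
        raise ValueError("uid and password must be non-empty")
    dn = f"uid={escape_rdn_value(uid)},{base_dn}".encode("utf-8")
    op = ber(0x60, ber(0x02, b"\x03")                 # [APPLICATION 0], version 3
             + ber(0x04, dn)                          # name: the user's own DN
             + ber(0x80, password.encode("utf-8")))   # simple [0]: cleartext password
    return ber(0x30, ber(0x02, msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big")) + op)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if len(buf) < pos + 2:
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def bind_result(response: bytes, msg_id: int) -> int:
    """Return the BindResponse resultCode; only 0 means the password was accepted."""
    tag, msg, _ = read_tlv(response, 0)
    id_tag, mid, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    code_tag, code, _ = read_tlv(op, 0)
    if (tag, id_tag, op_tag, code_tag) != (0x30, 0x02, 0x61, 0x0A) or int.from_bytes(mid, "big") != msg_id:
        raise ValueError("not the BindResponse for this request")
    return int.from_bytes(code, "big")
```

A resultCode of 0 is success and 49 is invalidCredentials (RFC 4511). A simple bind carries the password in cleartext, so the connection to the directory needs TLS.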