Bogdan,

My site would actually be smaller than that, but that doesn't really address the argument. Is there basically no way, then, to have a single signon-type environment because OpenSIPS requires so much authentication/registration traffic?

Regards,

Alan Rubin

-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
Sent: Friday, 3 July 2009 8:46 PM
To: Alan Rubin
Cc: users@lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

But Alan, you will need to re-bind each time you do an Authentication. So, even on a system with 1000 online subscribers, registering each 30 minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds per day -> 36 binds per minute.

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> If one request equals one user authentication/registration, then I don't
> think it would hit 1000 binds per week (small environment). If it has
> to bind each time a packet is sent, then that is pretty inefficient.
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
> Sent: Thursday, 2 July 2009 12:34 AM
> To: Alan Rubin
> Cc: users@lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> Got your point! Theoretically, dynamic ldap binding can be done, but the
> question is how efficient it will be (to bind for each auth)... Think that
> you may process thousands of requests per second!
>
> Wouldn't it be more reasonable to import the data into mysql?
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> I'm not an LDAP expert either, but I will try to explain the scenario
>> better. As you said, the LDAP bind is static - done once in the
>> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
>> filter on our LDAP server that prevents ordinary users from seeing the
>> password field in the LDAP entry. The way we verify authentication in
>> our environment is by dynamically substituting the LDAP bind DN with the
>> client's uid (and password) and making a simple LDAP query using that
>> uid. If that bind is successful, then we know that the password is
>> correct. It doesn't seem like there is any way to configure opensips in
>> that manner.
>>
>> The aim, with LDAP, was to have a single-signon environment for our LAN
>> and SIP accounts. This doesn't seem possible, unless you or anyone else
>> on the list has any further suggestions. We could use kerberos/AD
>> authentication from the client if that is a possibility.
>>
>> Regards,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bog...@voice-system.ro]
>> Sent: Monday, 29 June 2009 10:13 PM
>> To: Alan Rubin
>> Cc: users@lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> I'm not an LDAP expert to get into details about how ldap should be
>> configured or so... What I can tell is that the bind is static (only
>> once done at the beginning and that's it)... Can you send me a link or
>> something to read more about what this dynamic bind means in LDAP?
>>
>> Thanks and regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>> Bogdan,
>>>
>>> Apparently the email administrator had a regex on the SMTP gateway to
>>> reject messages with pass (and) word (combined) because of previous
>>> users succumbing to phishing exercises. It may work now, but I will
>>> continue to check the archives. Oh well.
>>>
>>> Regarding:
>>> "Now, going to the actual issue, the problem is related to password -
>>> about how the client and server (ldap) are keeping the password - do
>>> they both keep it same format (like plain text) ?
>>>
>>> Regards,
>>> Bogdan"
>>>
>>> I think I've figured out the issue, although I don't believe there is a
>>> solution. Hopefully you can verify, either way.
>>>
>>> The bind user in the ldap.cfg file does not have the privilege to
>>> retrieve the pass word field from our LDAP directory. The only way our
>>> LDAP setup is supposed to work is by binding using the
>>> user-to-be-authenticated directly with the LDAP directory server. It is
>>> my understanding, and this is where you can verify or correct me, that
>>> opensips and the LDAP module can not change the bind user dynamically.
>>>
>>> Regards,
>>>
>>> Alan Rubin

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
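
The bind-as-user check described in the thread, as an added example that is not part of the original messages or of OpenSIPS: it builds the LDAPv3 simple BindRequest for the user's own DN and reads the result code from the BindResponse. Function names, the DN and the sample bytes are hypothetical; the empty-password rejection follows RFC 4513 section 5.1.2, because an unauthenticated bind can return success without any password being checked.

```python
# Added example: LDAPv3 simple bind as a password check (RFC 4511 BER encoding).
# All DNs, passwords and response bytes used with it are constructed samples.

def _tlv(tag, value):
    """Encode one BER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def _read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + first], pos + first

def bind_request(msg_id, user_dn, password):
    """Build a BindRequest that binds as the user being authenticated."""
    # RFC 4513 5.1.2: a DN with an empty password is an "unauthenticated
    # bind" that a server may answer with success, so reject it up front.
    if not user_dn or not password:
        raise ValueError("empty DN or password must not be sent as a bind")
    if not 1 <= msg_id <= 127:
        raise ValueError("this sketch encodes one-byte message IDs only")
    op = (_tlv(0x02, b"\x03")                 # version: 3
          + _tlv(0x04, user_dn.encode())      # name: the user's own DN
          + _tlv(0x80, password.encode()))    # authentication: simple [0]
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))

def bind_result_code(response):
    """Return resultCode from a BindResponse (0 success, 49 invalidCredentials)."""
    tag, msg, _ = _read(response)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read(msg)                    # skip messageID
    tag, op, _ = _read(msg, pos)
    if tag != 0x61:                           # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, _ = _read(op)                    # resultCode ENUMERATED
    return int.from_bytes(code, "big")

def password_ok(response):
    """The password is accepted only when the bind result is success (0)."""
    return bind_result_code(response) == 0
```

Each authentication costs one such request and response on a connection bound as that user, which is the per-auth bind the thread's load estimate counts.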