[OpenSIPS-Users] LDAP authentification

Mehdi Bouchefra mehdi.bouchefra at sunnyphone.fr
Thu Dec 17 18:18:11 CET 2009


Hi Bogdan,

Thank's for your reply, 

I followed the tutorial that you sent me, but I have a 
In my ldap I use plane format password.

Thank's in advance,
Mehdi

Here my opensips.cfg file:

####### Global Parameters #########

debug=3
log_stderror=no
log_facility=LOG_LOCAL0

fork=yes
children=4

/* uncomment the following lines to enable debugging */
#debug=6
#fork=no
#log_stderror=yes

/* uncomment the next line to disable TCP (default on) */ #disable_tcp=yes

/* uncomment the next line to enable the auto temporary blacklisting of
   not available destinations (default disabled) */
#disable_dns_blacklist=no

/* uncomment the next line to enable IPv6 lookup after IPv4 dns
   lookup failures (default disabled) */ #dns_try_ipv6=yes

/* uncomment the next line to disable the auto discovery of local aliases
   based on revers DNS on IPs (default on) */ #auto_aliases=no

/* uncomment the following lines to enable TLS support  (default off) */
#disable_tls = no #listen = tls:your_IP:5061 #tls_verify_server = 1
#tls_verify_client = 1 #tls_require_client_certificate = 0 #tls_method =
TLSv1 #tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"

port=5060

/* uncomment and configure the following line if you want opensips to
   bind on a specific interface/port/proto (default bind on all available)
*/ #listen=udp:192.168.1.2:5060


####### Modules Section ########

#set module path
mpath="/usr/local/lib/opensips/modules/"

/* uncomment next line for MySQL DB support */ loadmodule "db_mysql.so"
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"
loadmodule "uri.so"
loadmodule "xlog.so"
loadmodule "acc.so"
loadmodule "ldap.so"

modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")

modparam("usrloc", "db_mode",   2)
modparam("usrloc", "db_url",
        "mysql://opensips:opensipsrw@localhost/opensips")

modparam("uri", "use_uri_table", 0)
modparam("acc", "detect_direction", 0)
modparam("acc", "failed_transaction_flag", 3) modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)

####### Routing Logic ########
# main request routing logic

modparam("auth", "nonce_expire",  30)
modparam("auth", "secret", "sunny2009")
modparam("auth", "disable_nonce_check", 0)
modparam("auth", "username_spec", "$avp(i:2)")
modparam("auth", "password_spec", "$avp(i:1)") 
modparam("auth", "calculate_ha1", 0)

route{

        if (!mf_process_maxfwd_header("10")) {
                sl_send_reply("483","Too Many Hops");
                exit;
        }

        if (has_totag()) {
                # sequential request withing a dialog should
                # take the path determined by record-routing
                if (loose_route()) {
                        if (is_method("BYE")) {
                                setflag(1); # do accounting ...
                                setflag(3); # ... even if the transaction
fails
                        } else if (is_method("INVITE")) {
                                # even if in most of the cases is useless,
do RR for
                                # re-INVITEs alos, as some buggy clients do
change route set
                                # during the dialog.
                                record_route();
                        }
                        # route it out to whatever destination was set by
loose_route()
                        # in $du (destination URI).
                        route(1);
                } else {
                        /* uncomment the following lines if you want to
enable presence */
                        ##if (is_method("SUBSCRIBE") && $rd ==
"your.server.ip.address") {
                        ##      # in-dialog subscribe requests
                        ##      route(2);
                        ##      exit;
                        ##}
                        if ( is_method("ACK") ) {
                                if ( t_check_trans() ) {
                                        # non loose-route, but stateful ACK;
must be an ACK after
                                        # a 487 or e.g. 404 from upstream
server
                                        t_relay();
                                        exit;
                                } else {
                                        # ACK without matching transaction
->
                                        # ignore and discard
                                        exit;
                                }
                        }
                        sl_send_reply("404","Not here");
                }
                exit;
        }

  #initial requests

        # CANCEL processing
        if (is_method("CANCEL"))
        {
                if (t_check_trans())
                        t_relay();
                exit;
        }

        t_check_trans();

        if (!(method=="REGISTER") && from_uri==myself) /*no multidomain
version*/
        ##if (!(method=="REGISTER") && is_from_local())  /*multidomain
version*/
        {
                if (!is_present_hf("Proxy-Authorization")) {
                proxy_challenge("", "0");
                exit;
                }

                $var(username)=$fU;

                # run the ldap_query() and load the passwd into $avp(i:1)
                # TODO
 
if(!ldap_search("ldap://sipaccounts/ou=accounts,dc=sunnyphone,dc=com??sub?(&
(cn=$fU))"))
                {
                        switch ($retcode)
                        {
                                case -1:
                                # no LDAP entry found
                                sl_send_reply("404", "SunnyLab : User Not
Found");
                                exit;
                                case -2:
                                # internal error
                                sl_send_reply("500", "SunnyLab : Internal
server error");
                                exit;
                                default:
                                exit;
                        }

                }

                xlog("L_INFO", "SunnyLab : ldap_search: found [$retcode]
entries for (cn=$fU)");

                ldap_result("userPassword/$avp(s:password)");

		    # username to authenticate
                #$avp(i:2) = $fU;

                # do the authentication
                if(!pv_proxy_authorize("")){
                proxy_challenge("", "0");
                exit;
                }

                # caller authenticated
        }

        if (loose_route()) {
                xlog("L_ERR",
                "Attempt to route with preloaded Route's
[$fu/$tu/$ru/$ci]");
                if (!is_method("ACK"))
                        sl_send_reply("403","Preload Route denied");
                exit;
        }

        # record routing
        if (!is_method("REGISTER|MESSAGE"))
                record_route();

        # account only INVITEs
        if (is_method("INVITE")) {
                setflag(1); # do accounting
        }
        if (!uri==myself)
        ## replace with following line if multi-domain support is used
        ##if (!is_uri_host_local())
        {
                append_hf("P-hint: outbound\r\n");
                route(1);
        }

        if (is_method("PUBLISH"))
        {
                sl_send_reply("503", "Service Unavailable");
                exit;
        }

        if (is_method("REGISTER"))
        {
                if (!is_present_hf("Authorization")) {
                        www_challenge("", "0");
                exit;
                }
                $var(username)=$fU;
 
if(!ldap_search("ldap://sipaccounts/ou=accounts,dc=sunnyphone,dc=com??sub?(&
(cn=$fU))"))
                {
                        switch ($retcode)
                        {
                                case -1:
                                # no LDAP entry found
                                sl_send_reply("404", "SunnyLab : User Not
Found");
                                exit;
                                case -2:
                                # internal error
                                sl_send_reply("500", "SunnyLab : Internal
server error");
                                exit;
                                default:
                                exit;
                        }
                }
                xlog("L_INFO", "SunnyLab : ldap_search: found [$retcode]
entries for (cn=$fU)");

                if (!ldap_result("userPassword/$avp(s:password)"))
                {
                 switch ($retcode)
                        {
                                case -1:
                                        # no SIPIdentityServiceLevel found
                                        sl_send_reply("403", "SunnyLab :
Forbidden");
                                        exit;
                                case -2:
                                        # internal error
                                        sl_send_reply("500", "SunnyLab :
Internal server error");
                                exit;
                                default:
                                        exit;
                        }
                }
                xlog("L_INFO", "SunnyLab : ldap_result: password est =
$avp(s:password)");
                # do the authentication
                if(!pv_www_authorize("")){
                        www_challenge("", "0");
                        exit;
                }
                if (!save("location"))
                        sl_reply_error();
                exit;
        }

        if ($rU==NULL) {
              # request with no Username in RURI
                sl_send_reply("484","Address Incomplete");
                exit;
        }

        if (!lookup("location","m")) {
                switch ($retcode) {
                        case -1:
                        case -3:
                                t_newtran();
                                t_reply("404", "Not Found");
                                exit;
                        case -2:
                                sl_send_reply("405", "Method Not Allowed");
                                exit;
                }
        }
        setflag(2);
        route(1);
}







More information about the Users mailing list