[OpenSIPS-Users] LDAP authentification
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Tue Dec 22 09:23:15 CET 2009
Hi Mehdi,
well, you configured the AUTH module to look for username and password
in $avp(i:1) and $avp(i:2), but you populate $var(username) and
$var(password).....:D
i guess this is the error!
Regards,
Bogdan
Mehdi Bouchefra wrote:
> Hi Bogdan,
>
> Thank's for your reply,
>
> I followed the tutorial that you sent me, but I have a
> In my LDAP I use plain-format passwords.
>
> Thank's in advance,
> Mehdi
>
> Here my opensips.cfg file:
>
> ####### Global Parameters #########
>
> debug=3
> log_stderror=no
> log_facility=LOG_LOCAL0
>
> fork=yes
> children=4
>
> /* uncomment the following lines to enable debugging */
> #debug=6
> #fork=no
> #log_stderror=yes
>
> /* uncomment the next line to disable TCP (default on) */ #disable_tcp=yes
>
> /* uncomment the next line to enable the auto temporary blacklisting of
> not available destinations (default disabled) */
> #disable_dns_blacklist=no
>
> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
> lookup failures (default disabled) */ #dns_try_ipv6=yes
>
> /* uncomment the next line to disable the auto discovery of local aliases
> based on reverse DNS on IPs (default on) */ #auto_aliases=no
>
> /* uncomment the following lines to enable TLS support (default off) */
> #disable_tls = no
> #listen = tls:your_IP:5061
> #tls_verify_server = 1
> #tls_verify_client = 1
> #tls_require_client_certificate = 0
> #tls_method = TLSv1
> #tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
> #tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
> #tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
>
> port=5060
>
> /* uncomment and configure the following line if you want opensips to
> bind on a specific interface/port/proto (default bind on all available)
> */ #listen=udp:192.168.1.2:5060
>
>
> ####### Modules Section ########
>
> #set module path
> mpath="/usr/local/lib/opensips/modules/"
>
> /* uncomment next line for MySQL DB support */ loadmodule "db_mysql.so"
> loadmodule "signaling.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "mi_fifo.so"
> loadmodule "uri.so"
> loadmodule "xlog.so"
> loadmodule "acc.so"
> loadmodule "ldap.so"
>
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>
> modparam("usrloc", "db_mode", 2)
> modparam("usrloc", "db_url",
> "mysql://opensips:opensipsrw@localhost/opensips")
>
> modparam("uri", "use_uri_table", 0)
> modparam("acc", "detect_direction", 0)
> modparam("acc", "failed_transaction_flag", 3)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
>
> ####### Routing Logic ########
> # main request routing logic
>
> modparam("auth", "nonce_expire", 30)
> modparam("auth", "secret", "sunny2009")
> modparam("auth", "disable_nonce_check", 0)
> modparam("auth", "username_spec", "$avp(i:2)")
> modparam("auth", "password_spec", "$avp(i:1)")
> modparam("auth", "calculate_ha1", 0)
>
> route{
>
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> exit;
> }
>
> if (has_totag()) {
> # sequential request within a dialog should
> # take the path determined by record-routing
> if (loose_route()) {
> if (is_method("BYE")) {
> setflag(1); # do accounting ...
> setflag(3); # ... even if the transaction fails
> } else if (is_method("INVITE")) {
> # even if in most of the cases is useless, do RR for
> # re-INVITEs also, as some buggy clients do change route set
> # during the dialog.
> record_route();
> }
> # route it out to whatever destination was set by loose_route()
> # in $du (destination URI).
> route(1);
> } else {
> /* uncomment the following lines if you want to
> enable presence */
> ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
> ## # in-dialog subscribe requests
> ## route(2);
> ## exit;
> ##}
> if ( is_method("ACK") ) {
> if ( t_check_trans() ) {
> # non loose-route, but stateful ACK; must be an ACK after
> # a 487 or e.g. 404 from upstream server
> t_relay();
> exit;
> } else {
> # ACK without matching transaction ->
> # ignore and discard
> exit;
> }
> }
> sl_send_reply("404","Not here");
> }
> exit;
> }
>
> #initial requests
>
> # CANCEL processing
> if (is_method("CANCEL"))
> {
> if (t_check_trans())
> t_relay();
> exit;
> }
>
> t_check_trans();
>
> if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
> ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
> {
> if (!is_present_hf("Proxy-Authorization")) {
> proxy_challenge("", "0");
> exit;
> }
>
> $var(username)=$fU;
>
> # run the ldap_query() and load the passwd into $avp(i:1)
> # TODO
>
> if(!ldap_search("ldap://sipaccounts/ou=accounts,dc=sunnyphone,dc=com??sub?(&(cn=$fU))"))
> {
> switch ($retcode)
> {
> case -1:
> # no LDAP entry found
> sl_send_reply("404", "SunnyLab : User Not Found");
> exit;
> case -2:
> # internal error
> sl_send_reply("500", "SunnyLab : Internal server error");
> exit;
> default:
> exit;
> }
>
> }
>
> xlog("L_INFO", "SunnyLab : ldap_search: found [$retcode] entries for (cn=$fU)");
>
> ldap_result("userPassword/$avp(s:password)");
>
> # username to authenticate
> #$avp(i:2) = $fU;
>
> # do the authentication
> if(!pv_proxy_authorize("")){
> proxy_challenge("", "0");
> exit;
> }
>
> # caller authenticated
> }
>
> if (loose_route()) {
> xlog("L_ERR",
> "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
> if (!is_method("ACK"))
> sl_send_reply("403","Preload Route denied");
> exit;
> }
>
> # record routing
> if (!is_method("REGISTER|MESSAGE"))
> record_route();
>
> # account only INVITEs
> if (is_method("INVITE")) {
> setflag(1); # do accounting
> }
> if (!uri==myself)
> ## replace with following line if multi-domain support is used
> ##if (!is_uri_host_local())
> {
> append_hf("P-hint: outbound\r\n");
> route(1);
> }
>
> if (is_method("PUBLISH"))
> {
> sl_send_reply("503", "Service Unavailable");
> exit;
> }
>
> if (is_method("REGISTER"))
> {
> if (!is_present_hf("Authorization")) {
> www_challenge("", "0");
> exit;
> }
> $var(username)=$fU;
>
> if(!ldap_search("ldap://sipaccounts/ou=accounts,dc=sunnyphone,dc=com??sub?(&(cn=$fU))"))
> {
> switch ($retcode)
> {
> case -1:
> # no LDAP entry found
> sl_send_reply("404", "SunnyLab : User Not Found");
> exit;
> case -2:
> # internal error
> sl_send_reply("500", "SunnyLab : Internal server error");
> exit;
> default:
> exit;
> }
> }
> xlog("L_INFO", "SunnyLab : ldap_search: found [$retcode] entries for (cn=$fU)");
>
> if (!ldap_result("userPassword/$avp(s:password)"))
> {
> switch ($retcode)
> {
> case -1:
> # no SIPIdentityServiceLevel found
> sl_send_reply("403", "SunnyLab : Forbidden");
> exit;
> case -2:
> # internal error
> sl_send_reply("500", "SunnyLab : Internal server error");
> exit;
> default:
> exit;
> }
> }
> xlog("L_INFO", "SunnyLab : ldap_result: password est = $avp(s:password)");
> # do the authentication
> if(!pv_www_authorize("")){
> www_challenge("", "0");
> exit;
> }
> if (!save("location"))
> sl_reply_error();
> exit;
> }
>
> if ($rU==NULL) {
> # request with no Username in RURI
> sl_send_reply("484","Address Incomplete");
> exit;
> }
>
> if (!lookup("location","m")) {
> switch ($retcode) {
> case -1:
> case -3:
> t_newtran();
> t_reply("404", "Not Found");
> exit;
> case -2:
> sl_send_reply("405", "Method Not Allowed");
> exit;
> }
> }
> setflag(2);
> route(1);
> }
>
>
>
>
>
>
>
--
Bogdan-Andrei Iancu
www.voice-system.ro