[OpenSIPS-Users] LDAP authentification

Mehdi Bouchefra mehdi.bouchefra at sunnyphone.fr
Tue Dec 22 11:56:20 CET 2009


Thank's à lot bogdan :)
Regards,
mehdi

Mehdi Bouchefra
Ingénieur Développement
SunnyPhone 
3 rue Galvani. 91300 Massy | T: +33 1 60 13 88 00 | F: +33 1 60 13 88 09 |
M: +33 645 758 012
www.sunnyphone.fr



-----Message d'origine-----
De : users-bounces at lists.opensips.org
[mailto:users-bounces at lists.opensips.org] De la part de Bogdan-Andrei Iancu
Envoyé : mardi 22 décembre 2009 09:23
À : OpenSIPS users mailling list
Objet : Re: [OpenSIPS-Users] LDAP authentification

Hi Mehdi,

well, you configured the AUTH module to look for username and password 
in $avp(i:1) and $avp(i:2), but you populate $var(userame) and 
$var(password).....:D
i guess this is the error!

Regards,
Bogdan

Mehdi Bouchefra wrote:
> Hi Bogdan,
>
> Thank's for your reply, 
>
> I followed the tutorial that you sent me, but I have a 
> In my ldap I use plane format password.
>
> Thank's in advance,
> Mehdi
>
> Here my opensips.cfg file:
>
> ####### Global Parameters #########
>
> debug=3
> log_stderror=no
> log_facility=LOG_LOCAL0
>
> fork=yes
> children=4
>
> /* uncomment the following lines to enable debugging */
> #debug=6
> #fork=no
> #log_stderror=yes
>
> /* uncomment the next line to disable TCP (default on) */ #disable_tcp=yes
>
> /* uncomment the next line to enable the auto temporary blacklisting of
>    not available destinations (default disabled) */
> #disable_dns_blacklist=no
>
> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
>    lookup failures (default disabled) */ #dns_try_ipv6=yes
>
> /* uncomment the next line to disable the auto discovery of local aliases
>    based on revers DNS on IPs (default on) */ #auto_aliases=no
>
> /* uncomment the following lines to enable TLS support  (default off) */
> #disable_tls = no #listen = tls:your_IP:5061 #tls_verify_server = 1
> #tls_verify_client = 1 #tls_require_client_certificate = 0 #tls_method =
> TLSv1 #tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
> #tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
> #tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
>
> port=5060
>
> /* uncomment and configure the following line if you want opensips to
>    bind on a specific interface/port/proto (default bind on all available)
> */ #listen=udp:192.168.1.2:5060
>
>
> ####### Modules Section ########
>
> #set module path
> mpath="/usr/local/lib/opensips/modules/"
>
> /* uncomment next line for MySQL DB support */ loadmodule "db_mysql.so"
> loadmodule "signaling.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "mi_fifo.so"
> loadmodule "uri.so"
> loadmodule "xlog.so"
> loadmodule "acc.so"
> loadmodule "ldap.so"
>
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>
> modparam("usrloc", "db_mode",   2)
> modparam("usrloc", "db_url",
>         "mysql://opensips:opensipsrw@localhost/opensips")
>
> modparam("uri", "use_uri_table", 0)
> modparam("acc", "detect_direction", 0)
> modparam("acc", "failed_transaction_flag", 3) modparam("acc", "log_flag",
1)
> modparam("acc", "log_missed_flag", 2)
>
> ####### Routing Logic ########
> # main request routing logic
>
> modparam("auth", "nonce_expire",  30)
> modparam("auth", "secret", "sunny2009")
> modparam("auth", "disable_nonce_check", 0)
> modparam("auth", "username_spec", "$avp(i:2)")
> modparam("auth", "password_spec", "$avp(i:1)") 
> modparam("auth", "calculate_ha1", 0)
>
> route{
>
>         if (!mf_process_maxfwd_header("10")) {
>                 sl_send_reply("483","Too Many Hops");
>                 exit;
>         }
>
>         if (has_totag()) {
>                 # sequential request withing a dialog should
>                 # take the path determined by record-routing
>                 if (loose_route()) {
>                         if (is_method("BYE")) {
>                                 setflag(1); # do accounting ...
>                                 setflag(3); # ... even if the transaction
> fails
>                         } else if (is_method("INVITE")) {
>                                 # even if in most of the cases is useless,
> do RR for
>                                 # re-INVITEs alos, as some buggy clients
do
> change route set
>                                 # during the dialog.
>                                 record_route();
>                         }
>                         # route it out to whatever destination was set by
> loose_route()
>                         # in $du (destination URI).
>                         route(1);
>                 } else {
>                         /* uncomment the following lines if you want to
> enable presence */
>                         ##if (is_method("SUBSCRIBE") && $rd ==
> "your.server.ip.address") {
>                         ##      # in-dialog subscribe requests
>                         ##      route(2);
>                         ##      exit;
>                         ##}
>                         if ( is_method("ACK") ) {
>                                 if ( t_check_trans() ) {
>                                         # non loose-route, but stateful
ACK;
> must be an ACK after
>                                         # a 487 or e.g. 404 from upstream
> server
>                                         t_relay();
>                                         exit;
>                                 } else {
>                                         # ACK without matching transaction
> ->
>                                         # ignore and discard
>                                         exit;
>                                 }
>                         }
>                         sl_send_reply("404","Not here");
>                 }
>                 exit;
>         }
>
>   #initial requests
>
>         # CANCEL processing
>         if (is_method("CANCEL"))
>         {
>                 if (t_check_trans())
>                         t_relay();
>                 exit;
>         }
>
>         t_check_trans();
>
>         if (!(method=="REGISTER") && from_uri==myself) /*no multidomain
> version*/
>         ##if (!(method=="REGISTER") && is_from_local())  /*multidomain
> version*/
>         {
>                 if (!is_present_hf("Proxy-Authorization")) {
>                 proxy_challenge("", "0");
>                 exit;
>                 }
>
>                 $var(username)=$fU;
>
>                 # run the ldap_query() and load the passwd into $avp(i:1)
>                 # TODO
>  
>
if(!ldap_search("ldap://sipaccounts/ou=accounts,dc=sunnyphone,dc=com??sub?(&
> (cn=$fU))"))
>                 {
>                         switch ($retcode)
>                         {
>                                 case -1:
>                                 # no LDAP entry found
>                                 sl_send_reply("404", "SunnyLab : User Not
> Found");
>                                 exit;
>                                 case -2:
>                                 # internal error
>                                 sl_send_reply("500", "SunnyLab : Internal
> server error");
>                                 exit;
>                                 default:
>                                 exit;
>                         }
>
>                 }
>
>                 xlog("L_INFO", "SunnyLab : ldap_search: found [$retcode]
> entries for (cn=$fU)");
>
>                 ldap_result("userPassword/$avp(s:password)");
>
> 		    # username to authenticate
>                 #$avp(i:2) = $fU;
>
>                 # do the authentication
>                 if(!pv_proxy_authorize("")){
>                 proxy_challenge("", "0");
>                 exit;
>                 }
>
>                 # caller authenticated
>         }
>
>         if (loose_route()) {
>                 xlog("L_ERR",
>                 "Attempt to route with preloaded Route's
> [$fu/$tu/$ru/$ci]");
>                 if (!is_method("ACK"))
>                         sl_send_reply("403","Preload Route denied");
>                 exit;
>         }
>
>         # record routing
>         if (!is_method("REGISTER|MESSAGE"))
>                 record_route();
>
>         # account only INVITEs
>         if (is_method("INVITE")) {
>                 setflag(1); # do accounting
>         }
>         if (!uri==myself)
>         ## replace with following line if multi-domain support is used
>         ##if (!is_uri_host_local())
>         {
>                 append_hf("P-hint: outbound\r\n");
>                 route(1);
>         }
>
>         if (is_method("PUBLISH"))
>         {
>                 sl_send_reply("503", "Service Unavailable");
>                 exit;
>         }
>
>         if (is_method("REGISTER"))
>         {
>                 if (!is_present_hf("Authorization")) {
>                         www_challenge("", "0");
>                 exit;
>                 }
>                 $var(username)=$fU;
>  
>
if(!ldap_search("ldap://sipaccounts/ou=accounts,dc=sunnyphone,dc=com??sub?(&
> (cn=$fU))"))
>                 {
>                         switch ($retcode)
>                         {
>                                 case -1:
>                                 # no LDAP entry found
>                                 sl_send_reply("404", "SunnyLab : User Not
> Found");
>                                 exit;
>                                 case -2:
>                                 # internal error
>                                 sl_send_reply("500", "SunnyLab : Internal
> server error");
>                                 exit;
>                                 default:
>                                 exit;
>                         }
>                 }
>                 xlog("L_INFO", "SunnyLab : ldap_search: found [$retcode]
> entries for (cn=$fU)");
>
>                 if (!ldap_result("userPassword/$avp(s:password)"))
>                 {
>                  switch ($retcode)
>                         {
>                                 case -1:
>                                         # no SIPIdentityServiceLevel found
>                                         sl_send_reply("403", "SunnyLab :
> Forbidden");
>                                         exit;
>                                 case -2:
>                                         # internal error
>                                         sl_send_reply("500", "SunnyLab :
> Internal server error");
>                                 exit;
>                                 default:
>                                         exit;
>                         }
>                 }
>                 xlog("L_INFO", "SunnyLab : ldap_result: password est =
> $avp(s:password)");
>                 # do the authentication
>                 if(!pv_www_authorize("")){
>                         www_challenge("", "0");
>                         exit;
>                 }
>                 if (!save("location"))
>                         sl_reply_error();
>                 exit;
>         }
>
>         if ($rU==NULL) {
>               # request with no Username in RURI
>                 sl_send_reply("484","Address Incomplete");
>                 exit;
>         }
>
>         if (!lookup("location","m")) {
>                 switch ($retcode) {
>                         case -1:
>                         case -3:
>                                 t_newtran();
>                                 t_reply("404", "Not Found");
>                                 exit;
>                         case -2:
>                                 sl_send_reply("405", "Method Not
Allowed");
>                                 exit;
>                 }
>         }
>         setflag(2);
>         route(1);
> }
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>   


-- 
Bogdan-Andrei Iancu
www.voice-system.ro


_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users




More information about the Users mailing list