[OpenSIPS-Users] LDAP Authentication

Gavin Henry gavin.henry at gmail.com
Wed Jul 1 00:36:09 CEST 2009


These are my points too and how I thought the auth should work. But
you need some kind of mapping here for user DNs etc.?

On 30/06/2009, Alan Rubin <Alan.Rubin at nt.gov.au> wrote:
> Bogdan,
>
> I'm not an LDAP expert either, but I will try to explain the scenario
> better.  As you said, the LDAP bind is static - done once in the
> beginning and sourced from the ldap.cfg file.  Unfortunately, we have a
> filter on our LDAP server that prevents ordinary users from seeing the
> password field in the LDAP entry.  The way we verify authentication in
> our environment is by dynamically substituting the LDAP bind DN with the
> client's uid (and password) and making a simple LDAP query using that
> uid.  If that bind is successful, then we know that the password is
> correct.  It doesn't seem like there is any way to configure opensips in
> that manner.
>
> The aim, with LDAP, was to have a single sign-on environment for our LAN
> and SIP accounts.  This doesn't seem possible, unless you or anyone else
> on the list has any further suggestions.  We could use kerberos/AD
> authentication from the client if that is a possibility.
>
> Regards,
>
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
> Sent: Monday, 29 June 2009 10:13 PM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> I'm not an LDAP expert to get into details about how ldap should be
> configured or so... What I can tell is that the bind is static (only
> once done at the beginning and that's it)... Can you send me a link or
> something to read more about what this dynamic bind means in LDAP?
>
> Thanks and regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> Apparently the email administrator had a regex on the SMTP gateway to
>> reject messages with pass (and) word (combined) because of previous
>> users succumbing to phishing exercises.  It may work now, but I will
>> continue to check the archives. Oh well.
>>
>> Regarding:
>> "Now, going to the actual issue, the problem is related to password -
>> about how the client and server (ldap) are keeping the password - do
>> they both keep it same format (like plain text) ?
>>
>> Regards,
>> Bogdan"
>>
>> I think I've figured out the issue, although I don't believe there is a
>> solution.  Hopefully you can verify, either way.
>>
>> The bind user in the ldap.cfg file does not have the privilege to
>> retrieve the password field from our LDAP directory.  The only way our
>> LDAP setup is supposed to work is by binding using the
>> user-to-be-authenticated directly with the LDAP directory server.  It is
>> my understanding, and this is where you can verify or correct me, that
>> opensips and the LDAP module cannot change the bind user dynamically.
>>
>> Regards,
>>
>> Alan Rubin
>>

-- 
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com