[OpenSIPS-Users] LDAP Authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Wed Jul 1 17:03:33 CEST 2009
Hi Alan,
Got your point! Theoretically, dynamic ldap binding can be done, but the
question is how efficient it will be (to bind for each auth). Think that
you may process thousands of requests per second!
Wouldn't it be more reasonable to import the data into mysql?
Regards,
Bogdan
Alan Rubin wrote:
> Bogdan,
>
> I'm not an LDAP expert either, but I will try to explain the scenario
> better. As you said, the LDAP bind is static - done once in the
> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
> filter on our LDAP server that prevents ordinary users from seeing the
> password field in the LDAP entry. The way we verify authentication in
> our environment is by dynamically substituting the LDAP bind DN with the
> client's uid (and password) and making a simple LDAP query using that
> uid. If that bind is successful, then we know that the password is
> correct. It doesn't seem like there is any way to configure opensips in
> that manner.
>
> The aim, with LDAP, was to have a single-signon environment for our LAN
> and SIP accounts. This doesn't seem possible, unless you or anyone else
> on the list has any further suggestions. We could use kerberos/AD
> authentication from the client if that is a possibility.
>
> Regards,
>
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
> Sent: Monday, 29 June 2009 10:13 PM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> I'm not an LDAP expert to get into details about how ldap should be
> configured or so. What I can tell is that the bind is static (only
> done once at the beginning and that's it). Can you send me a link or
> something to read more about what this dynamic bind means in LDAP?
>
> Thanks and regards,
> Bogdan
>
> Alan Rubin wrote:
>
>> Bogdan,
>>
>> Apparently the email administrator had a regex on the SMTP gateway to
>> reject messages with pass (and) word (combined) because of previous
>> users succumbing to phishing exercises. It may work now, but I will
>> continue to check the archives. Oh well.
>>
>> Regarding:
>> "Now, going to the actual issue, the problem is related to password -
>> about how the client and server (ldap) are keeping the password - do
>> they both keep it same format (like plain text) ?
>>
>> Regards,
>> Bogdan"
>>
>> I think I've figured out the issue, although I don't believe there is a
>> solution. Hopefully you can verify, either way.
>>
>> The bind user in the ldap.cfg file does not have the privilege to
>> retrieve the pass word field from our LDAP directory. The only way our
>> LDAP setup is supposed to work is by binding using the
>> user-to-be-authenticated directly with the LDAP directory server. It is
>> my understanding, and this is where you can verify or correct me, that
>> opensips and the LDAP module can not change the bind user dynamically.
>>
>> Regards,
>>
>> Alan Rubin
>>
>>
>
>
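Bogdan's earlier question about the password format is the crux of the thread: a SIP server authenticating with Digest only ever receives an MD5 response from the client, so it must itself hold the plaintext password or the HA1 hash and has no password it could forward to an LDAP bind. The following is an added example (not code from this thread or from OpenSIPS) that verifies such a response against a constructed in-memory directory storing only HA1; the realm, user, password and nonce are made up.

```python
import hashlib
import hmac
import re

def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    """HA1 = MD5(user:realm:password): the secret the server must hold or derive."""
    return _md5(f"{username}:{realm}:{password}")

def expected_response(h1, method, uri, nonce, qop="", nc="", cnonce=""):
    """Digest response the client should send (plain RFC 2069 form or qop=auth)."""
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{h1}:{nonce}:{ha2}")

def parse_digest(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; quoted or bare values."""
    body = header.split(None, 1)[1] if header.lower().startswith("digest ") else header
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', body)}

def verify_sip_digest(header, method, lookup_ha1):
    """Check the client's response against the stored HA1; no plaintext needed."""
    p = parse_digest(header)
    if not all(k in p for k in ("username", "realm", "uri", "nonce", "response")):
        return False
    stored = lookup_ha1(p["username"], p["realm"])
    if stored is None:
        return False
    want = expected_response(stored, method, p["uri"], p["nonce"],
                             p.get("qop", ""), p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(want, p["response"])

# Constructed stand-in for the directory: stores only HA1 per user (realm is made up).
REALM = "sip.example.com"
DIRECTORY = {"alice": ha1("alice", REALM, "s3cret")}

def lookup_ha1(user, realm):
    return DIRECTORY.get(user) if realm == REALM else None

def sample_header(password, nonce="abc123"):
    """Build what a client would send for REGISTER with the given password (constructed)."""
    resp = expected_response(ha1("alice", REALM, password), "REGISTER", f"sip:{REALM}", nonce)
    return (f'Digest username="alice", realm="{REALM}", nonce="{nonce}", '
            f'uri="sip:{REALM}", response="{resp}", algorithm=MD5')
```

Note that the parsed header contains no password field at all, which is why a per-request bind-as-user against LDAP cannot replace a readable password or HA1 on the server side.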