[OpenSIPS-Users] LDAP Authentication

Alan Rubin Alan.Rubin at nt.gov.au
Thu Jul 2 00:14:27 CEST 2009


Bogdan,

If one request equals one user authentication/registration, then I don't
think it would hit 1000 binds per week (small environment).  If it has
to bind each time a packet is sent, then that is pretty inefficient.

Regards,

Alan Rubin
 
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
Sent: Thursday, 2 July 2009 12:34 AM
To: Alan Rubin
Cc: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication

Hi Alan,

Got your point! Theoretically, dynamic ldap binding can be done, but the
question is how efficient it will be (to bind for each auth)..Think that
you may process thousands of requests per second!

Wouldn't it be more reasonable to import the data into mysql?

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> I'm not an LDAP expert either, but I will try to explain the scenario
> better.  As you said, the LDAP bind is static - done once in the
> beginning and sourced from the ldap.cfg file.  Unfortunately, we have a
> filter on our LDAP server that prevents ordinary users from seeing the
> password field in the LDAP entry.  The way we verify authentication in
> our environment is by dynamically substituting the LDAP bind DN with the
> client's uid (and password) and making a simple LDAP query using that
> uid.  If that bind is successful, then we know that the password is
> correct.  It doesn't seem like there is any way to configure opensips in
> that manner.
>
> The aim, with LDAP, was to have a single sign-on environment for our LAN
> and SIP accounts.  This doesn't seem possible, unless you or anyone else
> on the list has any further suggestions.  We could use kerberos/AD
> authentication from the client if that is a possibility.
>
> Regards,  
>
>
> Alan Rubin
>  
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
> Sent: Monday, 29 June 2009 10:13 PM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> I'm not an LDAP expert to get into details about how ldap should be
> configured or so....What I can tell is that the bind is static (only
> once done at the beginning and that's it)....Can you send me a link or
> something to read more about what this dynamic bind means in LDAP ?
>
> Thanks and regards,
> Bogdan
>
> Alan Rubin wrote:
>   
>> Bogdan,
>>
>> Apparently the email administrator had a regex on the SMTP gateway to
>> reject messages with pass (and) word (combined) because of previous
>> users succumbing to phishing exercises.  It may work now, but I will
>> continue to check the archives. Oh well.
>>
>> Regarding: 
>> "Now, going to the actual issue, the problem is related to password -
>> about how the client and server (ldap) are keeping the password - do
>> they both keep it in the same format (like plain text) ?
>>
>> Regards,
>> Bogdan"
>>
>> I think I've figured out the issue, although I don't believe there is a
>> solution.  Hopefully you can verify, either way.
>>
>> The bind user in the ldap.cfg file does not have the privilege to
>> retrieve the pass  word field from our LDAP directory.  The only way our
>> LDAP setup is supposed to work is by binding using the
>> user-to-be-authenticated directly with the LDAP directory server.  It is
>> my understanding, and this is where you can verify or correct me, that
>> opensips and the LDAP module cannot change the bind user dynamically.
>>
>> Regards,
>>
>> Alan Rubin
>>  
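The thread turns on one detail that neither side spells out: a SIP proxy authenticating REGISTER or INVITE with Digest (the mechanism RFC 3261 inherits from RFC 2617) never receives the user's password, only an MD5 digest over it, so a "bind to LDAP as the user" check has nothing to bind with, and the proxy instead needs something derived from the password (the clear-text userPassword, or a precomputed HA1) that its static bind account can read. The following is an added example written for this page, not code from the OpenSIPS project or from anyone in the thread. It shows both sides of that Digest exchange: the client builds the Authorization credential, the proxy verifies it from what it looked up in the directory. The realm, the user names, the `DIRECTORY` dict standing in for the LDAP entries, and the attribute name `sipHA1` are all constructed for the demo.

```python
# Added example, not from the OpenSIPS project or this thread: SIP Digest
# verification on the proxy side, driven by what a static LDAP bind account
# can read (a clear-text userPassword or a precomputed HA1). Directory
# contents, user names, realm and the sipHA1 attribute are constructed.
import hashlib
import re
import secrets

REALM = "sip.example.com"  # assumed realm for the demo


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 A1 for algorithm=MD5. This is the only password-dependent
    # value the proxy needs, so a directory may store it instead of the
    # clear-text password.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, qop=None, nc=None, cnonce=None):
    # A2 binds the request method and URI; with qop=auth the client nonce
    # and nonce count are mixed in as well.
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    # Minimal parser for an Authorization / Proxy-Authorization value;
    # handles quoted and unquoted parameter values.
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def build_authorization(username, realm, password, method, uri, nonce,
                        qop="auth", nc="00000001", cnonce=None):
    # Client side: the password is consumed here and never leaves the UA.
    a1 = ha1(username, realm, password)
    if qop:
        cnonce = cnonce or secrets.token_hex(8)
        resp = digest_response(a1, method, uri, nonce, qop, nc, cnonce)
        tail = f', qop={qop}, nc={nc}, cnonce="{cnonce}"'
    else:
        resp = digest_response(a1, method, uri, nonce)  # RFC 2069 style
        tail = ""
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5' + tail)


def verify_digest(header: str, method: str, lookup_ha1) -> bool:
    # Proxy side. lookup_ha1(username, realm) returns an HA1 hex string or
    # None. Only the digest is available here, never the password, which is
    # why a per-user LDAP bind cannot be used as the check.
    p = parse_authorization(header)
    try:
        username, realm, nonce, uri, response = (
            p[k] for k in ("username", "realm", "nonce", "uri", "response"))
    except KeyError:
        return False
    expected_ha1 = lookup_ha1(username, realm)
    if expected_ha1 is None:
        return False  # unknown user: fail closed
    expected = digest_response(expected_ha1, method, uri, nonce,
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    return secrets.compare_digest(expected, response)


# Constructed stand-in for what the proxy's static bind account can read.
DIRECTORY = {
    ("alan", REALM): {"userPassword": "s3cret"},              # clear text
    ("bob", REALM): {"sipHA1": ha1("bob", REALM, "hunter2")},  # HA1 only
}


def lookup_ha1_from_directory(username: str, realm: str):
    entry = DIRECTORY.get((username, realm))
    if entry is None:
        return None
    if "sipHA1" in entry:
        return entry["sipHA1"]
    return ha1(username, realm, entry["userPassword"])


if __name__ == "__main__":
    nonce = secrets.token_hex(16)  # the proxy's challenge nonce
    hdr = build_authorization("alan", REALM, "s3cret", "REGISTER", f"sip:{REALM}", nonce)
    print(hdr)
    print("valid:", verify_digest(hdr, "REGISTER", lookup_ha1_from_directory))
```

Two things the example leaves out that a real proxy must do: track issued nonces (and the nc counter) so a captured credential cannot be replayed, and keep the `lookup_ha1` result out of logs, since an HA1 is a password-equivalent for that realm. The `bob` entry shows the middle ground the thread is circling: if the directory holds HA1 rather than the clear-text password, the static bind account still only needs read access to one attribute, and the user's actual password stays out of reach of the proxy.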
