[OpenSIPS-Users] LDAP Authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Fri Jul 3 13:15:34 CEST 2009
But Alan, you will need to re-bind each time you do an authentication.
So, even on a system with 1000 online subscribers, registering every 30
minutes and making a call every 3 hours, that means 1000 * 53 = 53000 binds
per day -> 36 binds per minute.
Regards,
Bogdan
Alan Rubin wrote:
> Bogdan,
>
> If one request equals one user authentication/registration, then I don't
> think it would hit 1000 binds per week (small environment). If it has
> to bind each time a packet is sent, then that is pretty inefficient.
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
> Sent: Thursday, 2 July 2009 12:34 AM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> Got your point! Theoretically, dynamic LDAP binding can be done, but the
> question is how efficient it will be (to bind for each auth). Think that
> you may process thousands of requests per second!
>
> Wouldn't it be more reasonable to import the data into MySQL?
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>
>> Bogdan,
>>
>> I'm not an LDAP expert either, but I will try to explain the scenario
>> better. As you said, the LDAP bind is static - done once in the
>> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
>> filter on our LDAP server that prevents ordinary users from seeing the
>> password field in the LDAP entry. The way we verify authentication in
>> our environment is by dynamically substituting the LDAP bind DN with the
>> client's uid (and password) and making a simple LDAP query using that
>> uid. If that bind is successful, then we know that the password is
>> correct. It doesn't seem like there is any way to configure OpenSIPS in
>> that manner.
>>
>> The aim, with LDAP, was to have a single sign-on environment for our LAN
>> and SIP accounts. This doesn't seem possible, unless you or anyone else
>> on the list has any further suggestions. We could use Kerberos/AD
>> authentication from the client if that is a possibility.
>>
>> Regards,
>>
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>> Sent: Monday, 29 June 2009 10:13 PM
>> To: Alan Rubin
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> I'm not an LDAP expert to get into details about how LDAP should be
>> configured or so. What I can tell is that the bind is static (only
>> done once at the beginning and that's it). Can you send me a link or
>> something to read more about what this dynamic bind means in LDAP?
>>
>> Thanks and regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> Apparently the email administrator had a regex on the SMTP gateway to
>>> reject messages with pass (and) word (combined) because of previous
>>> users succumbing to phishing exercises. It may work now, but I will
>>> continue to check the archives. Oh well.
>>>
>>> Regarding:
>>> "Now, going to the actual issue, the problem is related to password -
>>> about how the client and server (ldap) are keeping the password - do
>>> they both keep it same format (like plain text) ?
>>>
>>> Regards,
>>> Bogdan"
>>>
>>> I think I've figured out the issue, although I don't believe there is a
>>> solution. Hopefully you can verify, either way.
>>>
>>> The bind user in the ldap.cfg file does not have the privilege to
>>> retrieve the pass word field from our LDAP directory. The only way our
>>> LDAP setup is supposed to work is by binding using the
>>> user-to-be-authenticated directly with the LDAP directory server. It is
>>> my understanding, and this is where you can verify or correct me, that
>>> opensips and the LDAP module can not change the bind user dynamically.
>>>
>>> Regards,
>>>
>>> Alan Rubin
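The dynamic bind Alan describes (bind to the directory as the user's own DN with the supplied password; a successful bind proves the password without the service account ever reading the password attribute), shown as an added example that is not code from this thread or from OpenSIPS. It builds the LDAPv3 simple BindRequest and reads the BindResponse result code (RFC 4511) with only the Python standard library; the host, the DN and the sample reply bytes are assumptions constructed for the example.

```python
import socket

# Constructed sample BindResponse replies (messageID 1), not captured from any real server.
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")   # resultCode 0 = success
SAMPLE_BIND_BAD = bytes.fromhex("300c02010161070a013104000400")  # resultCode 49 = invalidCredentials

def _ber(tag, payload):
    """Encode one BER TLV (short-form length below 128, else the two-byte long form)."""
    n = len(payload)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def bind_request(msg_id, user_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }; msg_id < 128."""
    op = (_ber(0x02, b"\x03")                  # version 3
          + _ber(0x04, user_dn.encode())       # name: the DN of the user being authenticated
          + _ber(0x80, password.encode()))     # authentication: simple [0] OCTET STRING
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, op))

def _tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                               # long-form length: n & 0x7F following octets
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def bind_result(response):
    """Parse an LDAPMessage carrying a BindResponse; return (messageID, resultCode)."""
    tag, body, _ = _tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _tlv(body, 0)                # messageID INTEGER
    tag, op, _ = _tlv(body, pos)
    if tag != 0x61:                            # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, _ = _tlv(op, 0)                   # resultCode ENUMERATED comes first in LDAPResult
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")

def password_is_valid(host, port, user_dn, password, timeout=3.0):
    """Dynamic bind: authenticate as the user; accept only resultCode 0 (wrap the socket in TLS in production)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, user_dn, password))
        reply = s.recv(4096)
    mid, code = bind_result(reply)
    return mid == 1 and code == 0              # 49 would mean invalidCredentials
```

Each call to password_is_valid is exactly one bind, which is the per-authentication cost Bogdan's 53000-binds-per-day figure counts; a simple bind also carries the password in clear, so it belongs on an LDAPS or StartTLS connection.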