[OpenSIPS-Users] LDAP Authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Mon Jul 13 15:55:25 CEST 2009
Hi Alan,
It is not OpenSIPS requiring it, it is how SIP works if you want to do
it in a secure way :).
But feel free to upload a feature request on the tracker for having
dynamic binding.
Regards,
Bogdan
Alan Rubin wrote:
> Bogdan,
>
> My site would actually be smaller than that, but that doesn't really
> address the argument. Is there basically no way, then, to have a single
> signon-type environment because OpenSIPS requires so much
> authentication/registration traffic?
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
> Sent: Friday, 3 July 2009 8:46 PM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
>
> But Alan, you will need to re-bind each time you do an Authentication.
> So, even on a system with 1000 online subscribers, registering each 30
> minutes and making a call each 3 hours, means 1000 * 53 = 53000 binds
> per day -> 36 binds per minute.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>
>> Bogdan,
>>
>> If one request equals one user authentication/registration, then I don't
>> think it would hit 1000 binds per week (small environment). If it has
>> to bind each time a packet is sent, then that is pretty inefficient.
>>
>> Regards,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>> Sent: Thursday, 2 July 2009 12:34 AM
>> To: Alan Rubin
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> Got your point! Theoretically, dynamic ldap binding can be done, but the
>> question is how efficient it will be (to bind for each auth).. Think that
>> you may process thousands of requests per second!
>>
>> Wouldn't be more reasonable to import the data into mysql?
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> I'm not an LDAP expert either, but I will try to explain the scenario
>>> better. As you said, the LDAP bind is static - done once in the
>>> beginning and sourced from the ldap.cfg file. Unfortunately, we have a
>>> filter on our LDAP server that prevents ordinary users from seeing the
>>> password field in the LDAP entry. The way we verify authentication in
>>> our environment is by dynamically substituting the LDAP bind DN with the
>>> client's uid (and password) and making a simple LDAP query using that
>>> uid. If that bind is successful, then we know that the password is
>>> correct. It doesn't seem like there is any way to configure opensips in
>>> that manner.
>>>
>>> The aim, with LDAP, was to have a single-signon environment for our LAN
>>> and SIP accounts. This doesn't seem possible, unless you or anyone else
>>> on the list has any further suggestions. We could use kerberos/AD
>>> authentication from the client if that is a possibility.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>>> Sent: Monday, 29 June 2009 10:13 PM
>>> To: Alan Rubin
>>> Cc: users at lists.opensips.org
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> I'm not an LDAP expert to get into details about how ldap should be
>>> configured or so.... What I can tell is that the bind is static (only
>>> once done at the beginning and that's it).... Can you send me a link or
>>> something to read more about what this dynamic bind means in LDAP ?
>>>
>>> Thanks and regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>
>>>> Bogdan,
>>>>
>>>> Apparently the email administrator had a regex on the SMTP gateway to
>>>> reject messages with pass (and) word (combined) because of previous
>>>> users succumbing to phishing exercises. It may work now, but I will
>>>> continue to check the archives. Oh well.
>>>>
>>>> Regarding:
>>>> "Now, going to the actual issue, the problem is related to password -
>>>> about how the client and server (ldap) are keeping the password - do
>>>> they both keep it same format (like plain text) ?
>>>>
>>>> Regards,
>>>> Bogdan"
>>>>
>>>> I think I've figured out the issue, although I don't believe there is a
>>>> solution. Hopefully you can verify, either way.
>>>>
>>>> The bind user in the ldap.cfg file does not have the privilege to
>>>> retrieve the pass word field from our LDAP directory. The only way our
>>>> LDAP setup is supposed to work is by binding using the
>>>> user-to-be-authenticated directly with the LDAP directory server. It is
>>>> my understanding, and this is where you can verify or correct me, that
>>>> opensips and the LDAP module can not change the bind user dynamically.
>>>>
>>>> Regards,
>>>>
>>>> Alan Rubin
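The thread turns on one property of SIP that neither side spells out: a SIP client never sends its password to the proxy. Under HTTP-style digest authentication (RFC 3261, section 22), the REGISTER or INVITE carries only an MD5 response computed from the user's secret, the realm and the proxy's nonce, so the proxy can verify it only if it already holds the clear-text password or the precomputed HA1 = MD5(user:realm:password). That is why a static LDAP bind with read access to the password attribute (or a database holding HA1) works, while "bind to LDAP as the client with the client's password" cannot: the proxy never has that password. The following is an added example written for this thread, not code from OpenSIPS or from either poster; the user name, realm, password and nonce are constructed values, and the functions are hypothetical helpers that model the client and proxy sides of the exchange.

```python
import hashlib
import secrets

# Constructed sample values; not taken from the thread.
USER = "alan"
REALM = "sip.example.org"
PASSWORD = "correct horse battery staple"
METHOD = "REGISTER"
URI = "sip:sip.example.org"


def md5_hex(s: str) -> str:
    # RFC 3261 mandates MD5 for the digest scheme; it is a protocol constant here.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). This is the only secret the proxy needs
    to store; it never has to keep the clear-text password."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_value: str, nonce: str, method: str, uri: str) -> str:
    """Digest response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")


def client_authorization(user, realm, password, nonce, method, uri) -> dict:
    """What the phone puts in its Authorization header: the password itself
    is used locally to derive HA1 and is never transmitted."""
    return {
        "username": user,
        "realm": realm,
        "nonce": nonce,
        "uri": uri,
        "response": digest_response(ha1(user, realm, password), nonce, method, uri),
    }


def server_verify(auth: dict, method: str, stored_ha1: str, issued_nonce: str) -> bool:
    """What the proxy can do: reject a nonce it did not issue, then recompute
    the response from a stored HA1 and compare in constant time.
    Note the signature: verification is impossible without stored_ha1 (or the
    password it was derived from), which is exactly why a bind-as-user LDAP
    setup cannot serve digest authentication."""
    if auth["nonce"] != issued_nonce:
        return False
    expected = digest_response(stored_ha1, auth["nonce"], method, auth["uri"])
    return secrets.compare_digest(expected, auth["response"])


def password_exposed_in_header(auth: dict, password: str) -> bool:
    """True only if the clear-text password appears anywhere in the header."""
    return any(password in str(v) for v in auth.values())


if __name__ == "__main__":
    nonce = secrets.token_hex(16)  # the proxy's challenge
    auth = client_authorization(USER, REALM, PASSWORD, nonce, METHOD, URI)
    print("proxy holds HA1, accepts:", server_verify(auth, METHOD, ha1(USER, REALM, PASSWORD), nonce))
    print("password visible to proxy:", password_exposed_in_header(auth, PASSWORD))
```

Two consequences follow for the directory-backed design discussed in the thread. First, the service account used for the static bind must be allowed to read the password attribute, or the directory must store HA1 in a readable attribute; an ACL that hides the password from everyone but the user makes digest verification impossible regardless of how OpenSIPS binds. Second, because the client only ever discloses HA1-derived values, storing HA1 instead of the clear-text password on the proxy side limits what a database or directory compromise yields, at the cost of tying the stored credential to one realm.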