[OpenSIPS-Users] LDAP Authentication

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Jun 19 02:09:21 CEST 2009 

Hi Gavin,

in this case the Password must be in take plane format. If you turn off 
the the "calculate_ha1" param 
(http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228275), 
then OpenSIPS expects an HA1 string in the password AVP.

Regards,
Bogdan

Gavin Henry wrote:
> What format does the LDAP password need to be in?
>
> On 16/06/2009, Alan Rubin <Alan.Rubin at nt.gov.au> wrote:
>   
>> Bogdan,
>>
>> Thanks for the help.  Is the script part inside of the main route or is
>> it a separate section?
>>
>> Regards,
>>
>> Alan Rubin
>> Unix Systems Administrator
>> DCS Midrange Services
>> Phone: +61 (08) 8999 5111
>> Fax:      +61 (08) 8999 7493
>> e-Mail: alan.rubin at nt.gov.au
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>> Sent: Tuesday, 16 June 2009 8:58 AM
>> To: Alan Rubin
>> Cc: Thiago Rondon; users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Hi Alan,
>>
>> The way to do it is like:
>>
>> 1) configure the auth module to do authentication via Pseudo-variables:
>>
>> # -- auth params --
>> modparam("auth", "nonce_expire",  30)
>> modparam("auth", "secret", "my-deepest-and-darkest-secret")
>> modparam("auth", "disable_nonce_check", 0)
>> modparam("auth", "username_spec", "$avp(i:2)")
>> modparam("auth", "password_spec", "$avp(i:1)")
>> modparam("auth", "calculate_ha1", 1)
>>
>> 2)  and in script do:
>>
>>     # are any credentials available in the request ?
>>     if (!is_present_hf("Proxy-Authorization")) {
>>         proxy_challenge("", "0");
>>         exit;
>>     }
>>
>>     # run the ldap_query() and load the passwd into $avp(i:1)
>>     # TODO
>>
>>     # username to authenticate
>>     $avp(i:2) = $fU;
>>
>>     # do the authentication
>>     if(!pv_proxy_authorize("")){
>>         proxy_challenge("", "0");
>>         exit;
>>     }
>>
>>
>> Regards,
>> Bogdan
>>
>>
>> Alan Rubin wrote:
>>     
>>> Bogdan,
>>>
>>> I want to use LDAP to authenticate clients.  We're using it for our
>>>       
>> XMPP
>>     
>>> server (amongst other services) without issues.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>> Unix Systems Administrator
>>> DCS Midrange Services
>>> Phone: +61 (08) 8999 5111
>>> Fax:      +61 (08) 8999 7493
>>> e-Mail: alan.rubin at nt.gov.au
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>>> Sent: Tuesday, 16 June 2009 8:24 AM
>>> To: Alan Rubin
>>> Cc: Thiago Rondon; users at lists.opensips.org
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> Do you want to use LDAP to authenticate clients or to authenticate
>>> opensips against other SIP server?
>>>
>>> Regards,
>>> Bogdan
>>>
>>>
>>> Alan Rubin wrote:
>>>
>>>       
>>>> Thiago,
>>>>
>>>> Thanks for the reply; however, the module documentation does not seem
>>>>
>>>>         
>>> to
>>>
>>>       
>>>> give examples on how to configure LDAP with the auth mechanism.  Or
>>>>         
>> is
>>     
>>>> that not necessary?
>>>>
>>>> This is the section from the tutorial I found, mentioned previously:
>>>>
>>>> modparam("auth", "username_spec", "$avp(s:username)")
>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>> modparam("auth", "calculate_ha1", 1)
>>>> ...
>>>>
>>>> The possible difference (typo?) that concerns me is this next
>>>>
>>>>         
>>> reference
>>>
>>>       
>>>> in the tutorial:
>>>>
>>>> route[11] {
>>>>     if(is_method("REGISTER"))
>>>>     {
>>>>         if(is_present_hf("Authorization"))
>>>>         {
>>>>             # ldap search
>>>>             if
>>>>
>>>>
>>>>         
>> (!ldap_search("ldap://sipaccounts/ou=sip,dc=example,dc=com?SIPUserName,S
>>     
>>>> IPPassword?one?(cn=$fU)"))
>>>>             {
>>>>                 switch ($retcode)
>>>>                 {
>>>> ...
>>>>
>>>> I have no "route[11]" in my configuration file.  Am I meant to create
>>>>
>>>>         
>>> a
>>>
>>>       
>>>> new route section to handle LDAP authentication?
>>>>
>>>> What I am trying to do, if it is not clear, is use LDAP as a
>>>>         
>> mechanism
>>     
>>>> for authentication/registration of SIP accounts rather than having to
>>>> configure, by hand and with a separate password, a SIP account for
>>>>
>>>>         
>>> each
>>>
>>>       
>>>> user of my SIP server.
>>>>
>>>> Regards,
>>>>
>>>> Alan
>>>>
>>>> -----Original Message-----
>>>> From: users-bounces at lists.opensips.org
>>>> [mailto:users-bounces at lists.opensips.org] On Behalf Of Thiago Rondon
>>>> Sent: Monday, 15 June 2009 1:47 PM
>>>> To: Alan Rubin
>>>> Cc: users at lists.opensips.org
>>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>>
>>>>
>>>>
>>>> Alan,
>>>>
>>>> How about the document of ldap module ?
>>>>
>>>> http://www.opensips.org/html/docs/modules/1.5.x/ldap.html
>>>>
>>>> -Thiago Rondon
>>>>
>>>> Alan Rubin escreveu:
>>>>
>>>>
>>>>         
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>     
>
>

More information about the Users mailing list