[OpenSIPS-Users] LDAP Authentication

Bogdan-Andrei Iancu bogdan at voice-system.ro
Fri Jun 19 02:11:54 CEST 2009


Hi Alan,

sorry for the late reply - this week we have the OpenSIPS bootcamp and 
I'm getting my hands on the emails only from time to time..

So, are you loading the passwd in raw format (plain text)? If so, you 
need the calculate_ha1 param to be set to 1 
(http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228275) - 
by default it is set to 0... (see prev email)

Regards,
Bogdan

Alan Rubin wrote:
> Bogdan,
>
> I've attached a log from a test this morning.  I restarted opensips,
> tried connecting from my PC using LDAP credentials and failed.  Then I
> made sure that the local account was removed and tried again with LDAP
> credentials and it failed.  Hopefully that's all apparent in the
> logfile.  I am using the X-lite client to connect.
>
> Regards,
>
> Alan Rubin
>  
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
> Sent: Wednesday, 17 June 2009 1:29 AM
> To: Alan Rubin
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> the script looks ok - you can 1) use xlog just before the pv_auth() to 
> see if the user and passwd are properly filled in, or 2) use debug=6 to 
> get the logs and post them here.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>> Bogdan,
>>
>> If you have a minute, could you take a look at my opensips.cfg file? It
>> is still authorizing against the users that were added by hand.  I have
>> probably put the LDAP authentication in the wrong place, but I seem to
>> be going in circles.
>>
>> Also, I used some of the template from Tristan Mahe for readability (I
>> adapted his LDAP search examples and used his variable names).  I don't
>> think this is my issue, but it could be.
>>
>> Thanks for your time, 
>>
>>
>> Alan Rubin
>>  
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
>> Sent: Tuesday, 16 June 2009 10:49 AM
>> To: Alan Rubin
>> Cc: Thiago Rondon; users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> cool, in this case simply replace the existing code for proxy_auth with
>> the code I previously posted.
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>> Bogdan,
>>>
>>> Yes, my script is derived from the default and I have enabled MySQL and
>>> added PUA, PUA_userloc and Presence modules.
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>> Unix Systems Administrator
>>> DCS Midrange Services
>>> Phone: +61 (08) 8999 5111
>>> Fax:      +61 (08) 8999 7493
>>> e-Mail: alan.rubin at nt.gov.au
>>>  
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
>>> Sent: Tuesday, 16 June 2009 9:59 AM
>>> To: Alan Rubin
>>> Cc: Thiago Rondon; users at lists.opensips.org
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Hi Alan,
>>>
>>> put it in the main route, where you need to do the authentication... Is
>>> your script derived from the default opensips cfg file ?
>>>
>>> Regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>> Bogdan,
>>>>
>>>> Thanks for the help.  Is the script part inside of the main route or is
>>>> it a separate section?
>>>>
>>>> Regards,
>>>>
>>>> Alan Rubin
>>>> Unix Systems Administrator
>>>> DCS Midrange Services
>>>> Phone: +61 (08) 8999 5111
>>>> Fax:      +61 (08) 8999 7493
>>>> e-Mail: alan.rubin at nt.gov.au
>>>>  
>>>> -----Original Message-----
>>>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
>>>> Sent: Tuesday, 16 June 2009 8:58 AM
>>>> To: Alan Rubin
>>>> Cc: Thiago Rondon; users at lists.opensips.org
>>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>>
>>>> Hi Alan,
>>>>
>>>> The way to do it is like:
>>>>
>>>> 1) configure the auth module to do authentication via Pseudo-variables:
>>>> # -- auth params --
>>>> modparam("auth", "nonce_expire",  30)
>>>> modparam("auth", "secret", "my-deepest-and-darkest-secret")
>>>> modparam("auth", "disable_nonce_check", 0)
>>>> modparam("auth", "username_spec", "$avp(i:2)")
>>>> modparam("auth", "password_spec", "$avp(i:1)")
>>>> modparam("auth", "calculate_ha1", 1)
>>>>
>>>> 2)  and in script do:
>>>>
>>>>     # are any credentials available in the request ?
>>>>     if (!is_present_hf("Proxy-Authorization")) {
>>>>         proxy_challenge("", "0");
>>>>         exit;
>>>>     }
>>>>
>>>>     # run the ldap_query() and load the passwd into $avp(i:1)
>>>>     # TODO
>>>>
>>>>     # username to authenticate
>>>>     $avp(i:2) = $fU;
>>>>
>>>>     # do the authentication
>>>>     if(!pv_proxy_authorize("")){
>>>>         proxy_challenge("", "0");
>>>>         exit;
>>>>     }
>>>>
>>>>
>>>> Regards,
>>>> Bogdan
>>>>
>>>>
>>>> Alan Rubin wrote:
>>>>> Bogdan,
>>>>>
>>>>> I want to use LDAP to authenticate clients.  We're using it for our XMPP
>>>>> server (amongst other services) without issues.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Alan Rubin
>>>>> Unix Systems Administrator
>>>>> DCS Midrange Services
>>>>> Phone: +61 (08) 8999 5111
>>>>> Fax:      +61 (08) 8999 7493
>>>>> e-Mail: alan.rubin at nt.gov.au
>>>>>  
>>>>> -----Original Message-----
>>>>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
>>>>> Sent: Tuesday, 16 June 2009 8:24 AM
>>>>> To: Alan Rubin
>>>>> Cc: Thiago Rondon; users at lists.opensips.org
>>>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>>>
>>>>> Hi Alan,
>>>>>
>>>>> Do you want to use LDAP to authenticate clients or to authenticate 
>>>>> opensips against other SIP server?
>>>>>
>>>>> Regards,
>>>>> Bogdan
>>>>>
>>>>>
>>>>> Alan Rubin wrote:
>>>>>> Thiago,
>>>>>>
>>>>>> Thanks for the reply; however, the module documentation does not seem to
>>>>>> give examples on how to configure LDAP with the auth mechanism.  Or is
>>>>>> that not necessary?
>>>>>>
>>>>>> This is the section from the tutorial I found, mentioned previously:
>>>>>> modparam("auth", "username_spec", "$avp(s:username)")
>>>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>>>> modparam("auth", "calculate_ha1", 1)
>>>>>> ...
>>>>>>
>>>>>> The possible difference (typo?) that concerns me is this next reference
>>>>>> in the tutorial:
>>>>>>
>>>>>> route[11] {
>>>>>>     if(is_method("REGISTER"))
>>>>>>     {
>>>>>>         if(is_present_hf("Authorization"))
>>>>>>         {
>>>>>>             # ldap search
>>>>>>             if (!ldap_search("ldap://sipaccounts/ou=sip,dc=example,dc=com?SIPUserName,SIPPassword?one?(cn=$fU)"))
>>>>>>             {
>>>>>>                 switch ($retcode)
>>>>>>                 {
>>>>>> ...
>>>>>>
>>>>>> I have no "route[11]" in my configuration file.  Am I meant to create a
>>>>>> new route section to handle LDAP authentication?
>>>>>>
>>>>>> What I am trying to do, if it is not clear, is use LDAP as a mechanism
>>>>>> for authentication/registration of SIP accounts rather than having to
>>>>>> configure, by hand and with a separate password, a SIP account for each
>>>>>> user of my SIP server.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Alan 
>>>>>>  
>>>>>> -----Original Message-----
>>>>>> From: users-bounces at lists.opensips.org
>>>>>> [mailto:users-bounces at lists.opensips.org] On Behalf Of Thiago Rondon
>>>>>> Sent: Monday, 15 June 2009 1:47 PM
>>>>>> To: Alan Rubin
>>>>>> Cc: users at lists.opensips.org
>>>>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>>>>
>>>>>>
>>>>>>
>>>>>> Alan,
>>>>>>
>>>>>> How about the document of ldap module ?
>>>>>>
>>>>>> http://www.opensips.org/html/docs/modules/1.5.x/ldap.html
>>>>>>
>>>>>> -Thiago Rondon
>>>>>>
>>>>>> Alan Rubin wrote:
>   
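
Added example (not part of the thread and not OpenSIPS code): a Python model of the check behind calculate_ha1, assuming RFC 2617 digest with no qop. The user, realm, password and nonce are constructed sample values, and server_verify is a hypothetical stand-in for what the auth module does with the value loaded into password_spec.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # HA1 as defined by RFC 2617: MD5(username:realm:password)
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response when no qop is negotiated: MD5(HA1:nonce:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")


def server_verify(stored: str, calculate_ha1: bool, username: str, realm: str,
                  nonce: str, method: str, uri: str, client_response: str) -> bool:
    # Hypothetical model: `stored` is what the script loaded into password_spec.
    # calculate_ha1=1 -> treat it as plaintext and hash it first.
    # calculate_ha1=0 -> treat it as an already computed HA1 string.
    ha1_hex = ha1(username, realm, stored) if calculate_ha1 else stored
    expected = digest_response(ha1_hex, nonce, method, uri)
    return hmac.compare_digest(expected, client_response)


# Constructed sample values, not taken from the thread.
USER, REALM, PASSWORD = "alan", "sip.example.com", "ldap-plaintext-pw"
NONCE, METHOD, URI = "4a3ad1e2000000007f0c", "REGISTER", "sip:sip.example.com"


def demo() -> dict:
    # What a SIP client sends: it always derives HA1 from the real password.
    client = digest_response(ha1(USER, REALM, PASSWORD), NONCE, METHOD, URI)
    args = (USER, REALM, NONCE, METHOD, URI, client)
    stored_ha1 = ha1(USER, REALM, PASSWORD)
    return {
        "plaintext, calculate_ha1=1": server_verify(PASSWORD, True, *args),
        "plaintext, calculate_ha1=0": server_verify(PASSWORD, False, *args),
        "ha1, calculate_ha1=0": server_verify(stored_ha1, False, *args),
        "ha1, calculate_ha1=1": server_verify(stored_ha1, True, *args),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The second case is the mismatch diagnosed at the top of the thread: a plaintext attribute read with calculate_ha1 left at 0 never matches the client's response.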



