[OpenSIPS-Users] LDAP Authentication

Gavin Henry gavin.henry at gmail.com
Fri Jun 19 10:36:12 CEST 2009


This is why I submitted a feature request for the ldap_sasl_bind
function to be added. Then a successful bind is all that is needed by
opensips. The problem is converting the password to plain on the
opensips side to use it to bind with against the ldap directory. Is
this possible?

That way, we know the digest format in sip, but we don't need to care
about the ldap hash format (most are ssha1) *and* we don't need to
change the directory.

On 19/06/2009, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> Alan,
>
> Could you post the part of the script taking care of the REGISTRATION
> part, just for double checking ?
>
> Also, for the password...does not look ok - not sure how that value is
> computed, but please check the Digest Auth RFC to see the definition of
> HA1 .
>
> Regards,
> Bogdan
>
>
>
> Alan Rubin wrote:
>> (reposting to fit the list size limits)
>>
>> Bogdan,
>>
>> 2) I removed the "!" from the REGISTER section.  This seems to have at
>> least pushed me on to the next stage of actually doing an LDAP query:
>>
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
>> [sipaccounts], base [o=ntg], scope [2], filter
>> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
>> scope [2], filter
>> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
>> [5000000] usecs
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:auth:check_nonce: comparing
>> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a] and
>> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a]
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1,  index= 2
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:auth:build_auth_hf: nonce index= 2
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest
>> realm="155.205.69.126",
>> nonce="4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a"  '
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:core:parse_headers: flags=ffffffffffffffff
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:core:destroy_avp_list: destroying list (nil)
>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>> DBG:core:receive_msg: cleaning up
>> ...
>>
>> Still failing, but this time it is code 407: Proxy Authentication
>> Required.  Getting closer?
>>
>> 1) Perhaps I mean "encoded" and am just using the wrong term.  An
>> example return from our LDAP search:
>>  userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
>>
>> Regards,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>> Sent: Friday, 19 June 2009 10:52 AM
>> To: Alan Rubin
>> Cc: users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> Alan,
>>
>> 2 points:
>>
>> 1) what you mean by "encrypted" ? the module supports only ha1 encoded
>> passwords.
>>
>> 2) I see you deal with a REGISTER request, but in your script you
>> changed the auth (from DB to LDAP) only for INVITES - check in the
>> script the second auth block (for REGISTERS) and change it in the same
>> time as we did for the INVITEs.
>>
>> Regards,
>> Bogdan
>>
>> Alan Rubin wrote:
>>
>>> Bogdan,
>>>
>>> Thanks for your help.  I reset the configuration for calculate_ha1 to
>>>
>> 0
>>
>>> (it was set to 1), but I am still getting a "401 - Unauthorized"
>>>
>> error.
>>
>>> The password returning from the LDAP server should be an encrypted
>>> string.
>>>
>>> # ----- auth_db params -----
>>> /* uncomment the following lines if you want to enable the DB based
>>>    authentication */
>>> #modparam("auth_db", "calculate_ha1", yes)
>>> #modparam("auth_db", "password_column", "password")
>>> #modparam("auth_db", "db_url",
>>> #       "mysql://opensips:<redacted>@localhost/opensips")
>>> #modparam("auth_db", "load_credentials", "")
>>>
>>> # ------ auth params -----
>>> #modparam("auth", "username_spec", "$var(username)")
>>> #modparam("auth", "password_spec", "$avp(s:password)")
>>> modparam("auth", "nonce_expire",  30)
>>> modparam("auth", "secret", "<redacted>")
>>> modparam("auth", "disable_nonce_check", 0)
>>> modparam("auth", "username_spec", "$var(username)")
>>> modparam("auth", "password_spec", "$avp(s:password)")
>>> modparam("auth", "calculate_ha1", 0)
>>>
>>> Here are the relevant logs from the connection (I think):
>>>
>>>
>>>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

-- 
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com
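The thread turns on the mismatch between what a SIP proxy receives and what an LDAP directory stores. The script below is an added example, written for this page rather than taken from the thread or from OpenSIPS, that walks through both sides: the UA computes a Digest response (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2), no qop, matching the Proxy-Authenticate challenge in Alan's log); the proxy can then check that response if it holds either HA1 (auth's calculate_ha1 = 0) or the plaintext (calculate_ha1 = 1), but not if it holds an OpenLDAP-style {SSHA} value, because a salted SHA-1 can only be checked against the plaintext, which the proxy never sees. The realm and nonce are the ones from the logged challenge; the password, salt and Request-URI are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the thread's logs): password, salt, URI.
USER = "oh5"                       # cn from the LDAP filter in the log
REALM = "155.205.69.126"           # realm from the logged Proxy-Authenticate
NONCE = "4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a"  # nonce from the log
PASSWORD = "s3cret-example"        # constructed
METHOD = "REGISTER"
URI = "sip:155.205.69.126"         # constructed Request-URI
SALT = b"\x01\x02\x03\x04"         # constructed {SSHA} salt


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 for algorithm=MD5: what auth_db stores when calculate_ha1 is 0."""
    return md5hex(f"{user}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, h2: str) -> str:
    """Response without qop, the form matching the challenge in the log."""
    return md5hex(f"{h1}:{nonce}:{h2}")


def client_response(user, realm, password, method, uri, nonce) -> str:
    """What the UA puts in Proxy-Authorization. The plaintext never leaves the UA."""
    return digest_response(ha1(user, realm, password), nonce, ha2(method, uri))


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, password: str) -> bool:
    """What the directory does on an LDAP simple bind: needs the plaintext."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def proxy_verify(stored: str, kind: str, user, realm, method, uri, nonce, response):
    """Proxy-side check of a Digest response against the stored credential.

    kind: 'ha1'   -> stored is HA1 (calculate_ha1 = 0)
          'plain' -> stored is the plaintext (calculate_ha1 = 1)
          'ssha'  -> stored is {SSHA}: returns None, nothing can be compared
    """
    if kind == "ha1":
        h1 = stored
    elif kind == "plain":
        h1 = ha1(user, realm, stored)
    elif kind == "ssha":
        # The request carries MD5(HA1:nonce:HA2); the directory holds
        # sha1(password || salt). Neither can be turned into the other, and
        # the proxy has no plaintext to bind with, so the check is impossible.
        return None
    else:
        raise ValueError(f"unknown credential kind {kind!r}")
    expected = digest_response(h1, nonce, ha2(method, uri))
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    resp = client_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    print("HA1 stored  :", proxy_verify(ha1(USER, REALM, PASSWORD), "ha1", USER, REALM, METHOD, URI, NONCE, resp))
    print("plain stored:", proxy_verify(PASSWORD, "plain", USER, REALM, METHOD, URI, NONCE, resp))
    print("SSHA stored :", proxy_verify(make_ssha(PASSWORD, SALT), "ssha", USER, REALM, METHOD, URI, NONCE, resp))
```

The practical consequence for the setup in the thread: either the directory gets an extra attribute holding HA1 (MD5 of user:realm:password, which ties the stored value to one realm) that the ldap module's search returns into $avp(s:password), or the plaintext is stored in LDAP and calculate_ha1 is set to 1; a {SSHA} userPassword alone cannot satisfy Digest authentication.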


