[OpenSIPS-Users] LDAP Authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Fri Jun 19 23:20:34 CEST 2009
Gavin,
Actually the module does use the ldap_sasl_bind() function for binding
to LDAP, but I guess the additional params are not passed via the ldap config
file.
Regards,
Bogdan
Gavin Henry wrote:
> This is why I submitted a feature request for the ldap_sasl_bind
> function to be added. Then a successful bind is all that is needed by
> opensips. The problem is converting the password to plain on the
> opensips side to use it to bind with against the ldap directory. Is
> this possible?
>
> That way, we know the digest format in sip, but we don't need to care
> about the ldap hash format (most are ssha1) *and* we don't need to
> change the directory.
>
> On 19/06/2009, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
>
>> Alan,
>>
>> Could you post the part of the script taking care of the REGISTRATION
>> part, just for double checking ?
>>
>> Also, the password...does not look ok - not sure how that value is
>> computed, but please check the Digest Auth RFC to see the definition of
>> HA1.
>>
>> Regards,
>> Bogdan
>>
>>
>>
>> Alan Rubin wrote:
>>
>>> (reposting to fit the list size limits)
>>>
>>> Bogdan,
>>>
>>> 2) I removed the "!" from the REGISTER section. This seems to have at
>>> least pushed me on to the next stage of actually doing an LDAP query:
>>>
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
>>> [sipaccounts], base [o=ntg], scope [2], filter
>>> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
>>> scope [2], filter
>>> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
>>> [5000000] usecs
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:auth:check_nonce: comparing
>>> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a] and
>>> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a]
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1, index= 2
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:auth:build_auth_hf: nonce index= 2
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest
>>> realm="155.205.69.126",
>>> nonce="4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a" '
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:core:parse_headers: flags=ffffffffffffffff
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:core:destroy_avp_list: destroying list (nil)
>>> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
>>> DBG:core:receive_msg: cleaning up
>>> ...
>>>
>>> Still failing, but this time it is code 407: Proxy Authentication
>>> Required. Getting closer?
>>>
>>> 1) Perhaps I mean "encoded" and am just using the wrong term. An
>>> example return from our LDAP search:
>>> userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
>>>
>>> Regards,
>>>
>>> Alan Rubin
>>>
>>> -----Original Message-----
>>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>>> Sent: Friday, 19 June 2009 10:52 AM
>>> To: Alan Rubin
>>> Cc: users at lists.opensips.org
>>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>>
>>> Alan,
>>>
>>> 2 points:
>>>
>>> 1) what you mean by "encrypted" ? the module supports only ha1 encoded
>>> passwords.
>>>
>>> 2) I see you deal with a REGISTER request, but in your script you
>>> changed the auth (from DB to LDAP) only for INVITES - check in the
>>> script the second auth block (for REGISTERS) and change it in the same
>>> time as we did for the INVITEs.
>>>
>>> Regards,
>>> Bogdan
>>>
>>> Alan Rubin wrote:
>>>
>>>
>>>> Bogdan,
>>>>
>>>> Thanks for your help. I reset the configuration for calculate_ha1 to 0
>>>> (it was set to 1), but I am still getting a "401 - Unauthorized" error.
>>>> The password returning from the LDAP server should be an encrypted
>>>> string.
>>>>
>>>> # ----- auth_db params -----
>>>> /* uncomment the following lines if you want to enable the DB based
>>>> authentication */
>>>> #modparam("auth_db", "calculate_ha1", yes)
>>>> #modparam("auth_db", "password_column", "password")
>>>> #modparam("auth_db", "db_url",
>>>> # "mysql://opensips:<redacted>@localhost/opensips")
>>>> #modparam("auth_db", "load_credentials", "")
>>>>
>>>> # ------ auth params -----
>>>> #modparam("auth", "username_spec", "$var(username)")
>>>> #modparam("auth", "password_spec", "$avp(s:password)")
>>>> modparam("auth", "nonce_expire", 30)
>>>> modparam("auth", "secret", "<redacted>")
>>>> modparam("auth", "disable_nonce_check", 0)
>>>> modparam("auth", "username_spec", "$var(username)")
>>>> modparam("auth", "password_spec", "$avp(s:password)")
>>>> modparam("auth", "calculate_ha1", 0)
>>>>
>>>> Here are the relevant logs from the connection (I think):
>>>>
>>>>
>>>>
>>>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>
>
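Worked example added here (not from the list thread or the OpenSIPS code) showing why the two formats in this discussion do not mix: an LDAP simple bind can verify a plaintext password against a {SSHA} value, while SIP Digest verification needs HA1 = MD5(username:realm:password), which cannot be derived from {SSHA}. The realm and nonce are the values from the log above and the username is from the LDAP filter; the password, salt and request URI are constructed.

```python
import base64
import hashlib
import hmac

# Realm and nonce come from the thread's log; password, salt and URI are constructed.
REALM = "155.205.69.126"
NONCE = "4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a"
USER = "oh5"
PASSWORD = "example-secret"          # constructed, not a real credential
SALT = b"\x01\x02\x03\x04"           # constructed 4-byte salt
URI = "sip:155.205.69.126"           # constructed Request-URI for the REGISTER


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP-style value: "{SSHA}" + base64(SHA1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, candidate: str) -> bool:
    """What an LDAP simple bind does: re-hash the plaintext candidate with the stored salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < 20:                          # SHA-1 digest is 20 bytes, salt follows it
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def digest_ha1(user: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password): the form the auth module expects stored."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def proxy_check(ha1_stored: str, method: str, uri: str, nonce: str, response: str) -> bool:
    """Digest check as the proxy does it: HA1 (or the plaintext to compute it) is required.
    An {SSHA} value gives neither, which is why the thread turns to an LDAP bind instead."""
    return hmac.compare_digest(digest_response(ha1_stored, method, uri, nonce), response)


if __name__ == "__main__":
    stored = ssha_hash(PASSWORD, SALT)
    print("LDAP bind with plaintext password:", ssha_verify(stored, PASSWORD))
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, "REGISTER", URI, NONCE)
    print("Digest check with stored HA1:     ", proxy_check(ha1, "REGISTER", URI, NONCE, resp))
```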