[OpenSIPS-Users] LDAP Authentication
Alan Rubin
Alan.Rubin at nt.gov.au
Tue Jun 23 03:07:52 CEST 2009
On a whim, I checked the archives for this list and apparently there
have been messages on this thread but they haven't been delivered to me.
I do not know if Mailman chose to filter out this topic or some
anti-spam device on my domain has started blocking ONLY messages on this
subject (got many other OpenSIPS messages over the weekend).
Hope I can see them now after tinkering with my Mailman options.
In response to:
Alan,
Could you post the part of the script taking care of the REGISTRATION
part, just for double checking ?
Also, the password... it does not look OK - not sure how that value is
computed, but please check the Digest Auth RFC to see the definition of
HA1.
Regards,
Bogdan
...
Here is the REGISTER section involving LDAP:
if ((method=="REGISTER") && from_uri==myself) { /* no multidomain version */
    # are any credentials available in the request ?
    if (!is_present_hf("Proxy-Authorization")) {
        proxy_challenge("", "0");
        exit;
    }
    # run the ldap_query() and load the passwd into $avp(s:password)
    # TODO
    $var(username)=$fU;
    ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
    ldap_result("userPassword/$avp(s:password)");
    # username to authenticate
    #$var(username) = $fU;
    # do the authentication
    if(!pv_proxy_authorize("")){
        proxy_challenge("", "0");
        exit;
    }
}
...
and there is also this section, still in "route":
if (is_method("REGISTER"))
{
    # authenticate the REGISTER requests (uncomment to enable auth)
    if (!www_authorize("155.205.69.126", "subscriber"))
    {
        www_challenge("155.205.69.126", "0");
        exit;
    }
    ##
    ##if (!check_to())
    ##{
    ##    sl_send_reply("403","Forbidden auth ID");
    ##    exit;
    ##}
    ## make pua_usrloc send PUBLISH for phones which do not support presence
    ## filter after User-Agent header
    #if(!search("^User-Agent:"))
    #    pua_set_publish();
    # save("location");
    # exit;
    if(is_method("REGISTER") && from_uri=~"@galah.cprod.corp.ntgov")
        pua_set_publish();
    if (!save("location"))
        sl_reply_error();
    exit;
}
Regards,
Alan Rubin
-----Original Message-----
From: Alan Rubin
Sent: Tuesday, 23 June 2009 9:05 AM
To: 'Bogdan-Andrei Iancu'
Cc: 'users at lists.opensips.org'
Subject: RE: [OpenSIPS-Users] LDAP Authentication
Bogdan,
I think my message to the list may have been lost after I cancelled the
original version due to size issues and re-sent an edited version.
Trying again...
2) I removed the "!" from the REGISTER section. This seems to have at
least pushed me on to the next stage of actually doing an LDAP query:
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
[sipaccounts], base [o=ntg], scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
[5000000] usecs
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:check_nonce: comparing
[4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a] and
[4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a]
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1, index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:build_auth_hf: nonce index= 2
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest
realm="155.205.69.126",
nonce="4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a" '
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:parse_headers: flags=ffffffffffffffff
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:destroy_avp_list: destroying list (nil)
Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
DBG:core:receive_msg: cleaning up
...
Still failing, but this time it is code 407: Proxy Authentication
Required. Getting closer?
1) Perhaps I mean "encoded" and am just using the wrong term. An
example return from our LDAP search:
userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
Regards,
Alan Rubin
-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
Sent: Friday, 19 June 2009 10:52 AM
To: Alan Rubin
Cc: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] LDAP Authentication
Alan,
2 points:
1) What do you mean by "encrypted"? The module supports only HA1 encoded
passwords.
2) I see you deal with a REGISTER request, but in your script you
changed the auth (from DB to LDAP) only for INVITEs - check in the
script the second auth block (for REGISTERs) and change it at the same
time as we did for the INVITEs.
Regards,
Bogdan
Alan Rubin wrote:
> Bogdan,
>
> Thanks for your help. I reset the configuration for calculate_ha1 to 0
> (it was set to 1), but I am still getting a "401 - Unauthorized" error.
> The password returning from the LDAP server should be an encrypted
> string.
>
> # ----- auth_db params -----
> /* uncomment the following lines if you want to enable the DB based
> authentication */
> #modparam("auth_db", "calculate_ha1", yes)
> #modparam("auth_db", "password_column", "password")
> #modparam("auth_db", "db_url",
> # "mysql://opensips:<redacted>@localhost/opensips")
> #modparam("auth_db", "load_credentials", "")
>
> # ------ auth params -----
> #modparam("auth", "username_spec", "$var(username)")
> #modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "nonce_expire", 30)
> modparam("auth", "secret", "<redacted>")
> modparam("auth", "disable_nonce_check", 0)
> modparam("auth", "username_spec", "$var(username)")
> modparam("auth", "password_spec", "$avp(s:password)")
> modparam("auth", "calculate_ha1", 0)
>
>
>
> And here are the changes I made to the main route, for the benefit of
> anyone else who might have an idea for me:
>
> if (!(method=="REGISTER") && from_uri==myself) { /* no multidomain version */
>     # are any credentials available in the request ?
>     if (!is_present_hf("Proxy-Authorization")) {
>         proxy_challenge("", "0");
>         exit;
>     }
>
>     # run the ldap_query() and load the passwd into $avp(s:password)
>     # TODO
>     $var(username)=$fU;
>
>     ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
>     ldap_result("userPassword/$avp(s:password)");
>
>     # username to authenticate
>     #$var(username) = $fU;
>
>     # do the authentication
>     if(!pv_proxy_authorize("")){
>         proxy_challenge("", "0");
>         exit;
>     }
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
> Sent: Friday, 19 June 2009 9:42 AM
> To: Alan Rubin; users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Hi Alan,
>
> sorry for the late reply - this week we have the OpenSIPS bootcamp and
> I'm getting my hands on the emails only from time to time..
>
> So, are you loading the passwd in raw format (plain text)? If so, you
> need the calculate_ha1 param to be set to 1
> (http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228275) -
> by default it is set to 0.... (see prev email)
>
> Regards,
> Bogdan
>
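As an added illustration, not taken from the thread or from OpenSIPS code, of Bogdan's point about the HA1 definition and of the {SSHA} value Alan gets back from LDAP: the digest check is replayed with the realm (155.205.69.126) and username (oh5) seen in the log, under both calculate_ha1 settings, against a pre-computed HA1, a plaintext password and an {SSHA} hash. The password, salt, nonce and request URI are constructed sample values.

```python
import base64
import hashlib

REALM = "155.205.69.126"  # realm from the thread's www_challenge()/log output

def ha1(username, realm, password):
    """RFC 2617 HA1 = MD5(username ':' realm ':' password), lowercase hex."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1_hex, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1 ':' nonce ':' HA2), HA2 = MD5(method ':' uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1_hex}:{nonce}:{ha2}".encode()).hexdigest()

def proxy_verify(stored, calculate_ha1, username, nonce, method, uri, response):
    """Model of what the auth module does with the value in password_spec:
    calculate_ha1=0 -> stored value is used as HA1 as-is;
    calculate_ha1=1 -> stored value is treated as the plaintext password."""
    expected_ha1 = ha1(username, REALM, stored) if calculate_ha1 else stored
    return digest_response(expected_ha1, nonce, method, uri) == response

def ssha_encode(password, salt):
    """OpenLDAP {SSHA} userPassword format: base64(sha1(password + salt) + salt)."""
    raw = hashlib.sha1(password.encode() + salt).digest() + salt
    return "{SSHA}" + base64.b64encode(raw).decode()

def ssha_verify(stored, password):
    """{SSHA} can only be checked against a plaintext; it cannot be turned back into HA1."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def demo():
    # Constructed sample credentials (not from the thread).
    user, password = "oh5", "s3cret-example"
    nonce, uri = "constructednonce01", "sip:example.invalid"
    # The phone knows the plaintext, so it derives HA1 itself and sends the response.
    response = digest_response(ha1(user, REALM, password), nonce, "REGISTER", uri)
    ssha = ssha_encode(password, b"\x01\x02\x03\x04")
    return {
        "ha1_stored_calc0": proxy_verify(ha1(user, REALM, password), 0, user, nonce, "REGISTER", uri, response),
        "plain_stored_calc1": proxy_verify(password, 1, user, nonce, "REGISTER", uri, response),
        "ssha_stored_calc0": proxy_verify(ssha, 0, user, nonce, "REGISTER", uri, response),
        "ssha_stored_calc1": proxy_verify(ssha, 1, user, nonce, "REGISTER", uri, response),
        "ssha_checkable_with_plaintext": ssha_verify(ssha, password),
    }
```

Only the HA1-with-calculate_ha1=0 and plaintext-with-calculate_ha1=1 pairings verify; the {SSHA} string fails under both settings because digest authentication needs either the plaintext or MD5(user:realm:password), and a salted SHA-1 hash yields neither.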