[OpenSIPS-Users] LDAP Authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Tue Jun 23 10:57:33 CEST 2009
Hi Alan,
OK, good to be back on track :)
First note that the auth for REGISTERs and INVITEs is done in separate
ways (one is "www" auth, the other "proxy" auth). So you cannot mix them and
put them together. I guess you want to do LDAP auth for both, right? If so,
put back the ! in the first auth block (which is for proxy auth - non-INVITE
auth):
if ( !(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
    # are any credentials available in the request ?
    if (!is_present_hf("Proxy-Authorization")) {
        proxy_challenge("", "0");
        exit;
    }
    # run the ldap_query() and load the passwd into $avp(s:password)
    # (note: $fU is interpolated into the LDAP filter as-is; the ldap
    #  module's ldap_filter_url_encode() exists for escaping such values)
    $var(username)=$fU;
    ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
    ldap_result("userPassword/$avp(s:password)");
    # do the authentication
    if(!pv_proxy_authorize("")){
        proxy_challenge("", "0");
        exit;
    }
}
...
And do for REGISTER: (A) for REGISTER you must use the TO URI to identify
the user (and not the FROM URI) and (B) you do www auth and not proxy auth.
So you should have something like:
if ( is_method("REGISTER") ) {
    # are any credentials available in the request ?
    if (!is_present_hf("Authorization")) {
        www_challenge("", "0");
        exit;
    }
    # for REGISTER the user being registered is in the To URI, not From
    $var(username)=$tU;
    ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$tU)(departmentNumber=66)(ntguserstatus=Active))");
    ldap_result("userPassword/$avp(s:password)");
    # do the authentication
    if(!pv_www_authorize("")){
        www_challenge("", "0");
        exit;
    }
    if (!save("location"))
        sl_reply_error();
}
Regards,
Bogdan
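Added example (not from this thread or from OpenSIPS): a small Python model of what the two cfg blocks above do on the server side, so the two points of the reply can be checked offline: (1) REGISTER is challenged with 401 and verified from Authorization, everything else with 407 and Proxy-Authorization, so credentials sent in the wrong header are simply "absent"; (2) Digest auth needs either the plaintext password (calculate_ha1=1) or HA1 = MD5(user:realm:password) (calculate_ha1=0) from LDAP, and an OpenLDAP {SSHA} userPassword is neither, which is why that value can never verify. The realm is the one from the log; the user, password, nonce, salt and URI below are constructed test data. The challenge is modelled without qop, as in the logged Proxy-Authenticate header.

```python
# Added example (not from the thread): server-side SIP Digest check that
# mirrors the two cfg blocks, plus why an LDAP {SSHA} userPassword cannot
# serve as the Digest credential. REALM is taken from the log; everything
# else (user, password, nonce, salt, URI) is constructed test data.
import base64
import hashlib
import hmac

REALM = "155.205.69.126"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    # RFC 2617 HA1 = MD5(username:realm:password). With calculate_ha1=0
    # OpenSIPS expects exactly this string in password_spec; with
    # calculate_ha1=1 it expects the plaintext password and derives HA1.
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    # No qop in the challenge (as in the log): response = MD5(HA1:nonce:HA2)
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1_hex}:{nonce}:{ha2}")


def auth_scheme(method: str):
    # REGISTER is authenticated by the registrar ("www" auth, 401);
    # everything else by the proxy ("proxy" auth, 407). The header pairs
    # are distinct, so credentials in the wrong one are never looked at.
    if method == "REGISTER":
        return "401", "WWW-Authenticate", "Authorization"
    return "407", "Proxy-Authenticate", "Proxy-Authorization"


def parse_digest(value: str) -> dict:
    # Minimal parser for 'Digest k="v", k="v", ...' (no commas in values)
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    fields = {}
    for part in value[len("Digest "):].split(","):
        key, val = part.strip().split("=", 1)
        fields[key] = val.strip('"')
    return fields


def client_credentials(user, password, method, uri, nonce):
    # What a phone sends back in Authorization / Proxy-Authorization
    resp = digest_response(ha1(user, REALM, password), method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def check_request(method, headers, stored_ha1, nonce):
    """Return (status, challenge header) when the request must be challenged,
    or None when the credentials verify. Same decision as the cfg's
    is_present_hf() check followed by pv_www_authorize()/pv_proxy_authorize()."""
    status, challenge_hf, creds_hf = auth_scheme(method)
    challenge = (status, f'{challenge_hf}: Digest realm="{REALM}", nonce="{nonce}"')
    if creds_hf not in headers:
        return challenge
    try:
        c = parse_digest(headers[creds_hf])
    except ValueError:
        return challenge
    expected = digest_response(stored_ha1, method, c.get("uri", ""), c.get("nonce", ""))
    if c.get("nonce") != nonce or not hmac.compare_digest(c.get("response", ""), expected):
        return challenge
    return None


def ssha_encode(password: str, salt: bytes) -> str:
    # OpenLDAP {SSHA}: base64(sha1(password + salt) + salt)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    # Only a plaintext candidate can be checked against {SSHA}. A Digest
    # response never carries the password, so an {SSHA} value pulled from
    # LDAP can neither be used as HA1 nor be turned into one: the LDAP
    # attribute must hold plaintext (calculate_ha1=1) or HA1 (calculate_ha1=0).
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    nonce = "0123456789abcdef0123456789abcdef"  # constructed
    h1 = ha1("oh5", REALM, "s3cret")
    print(check_request("INVITE", {}, h1, nonce))    # ('407', 'Proxy-Authenticate: ...')
    print(check_request("REGISTER", {}, h1, nonce))  # ('401', 'WWW-Authenticate: ...')
    creds = client_credentials("oh5", "s3cret", "INVITE", "sip:155.205.69.126", nonce)
    print(check_request("INVITE", {"Authorization": creds}, h1, nonce))        # challenged: wrong header
    print(check_request("INVITE", {"Proxy-Authorization": creds}, h1, nonce))  # None: accepted
```

The "wrong header" case is the situation in the earlier script, where a REGISTER block looked for Proxy-Authorization and answered with proxy_challenge(): the phone keeps answering a 407 with Proxy-Authorization, the registrar side keeps looking for Authorization, and the loop never converges.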
Alan Rubin wrote:
> On a whim, I checked the archives for this list and apparently there
> have been messages on this thread but they haven't been delivered to me.
> I do not know if Mailman chose to filter out this topic or some
> anti-spam device on my domain has started blocking ONLY messages on this
> subject (got many other OpenSIPS messages over the weekend).
>
> Hope I can see them now after tinkering with my Mailman options.
>
>
> In response to:
>
> Alan,
>
> Could you post the part of the script taking care of the REGISTRATION
> part, just for double checking ?
>
> Also, for the password...does not look ok - not sure how that value is
> computed, but please check the Digest Auth RFC to see the definition of
> HA1 .
>
> Regards,
> Bogdan
> ...
>
> Here is the REGISTER section involving LDAP:
>
> if ((method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
>     # are any credentials available in the request ?
>     if (!is_present_hf("Proxy-Authorization")) {
>         proxy_challenge("", "0");
>         exit;
>     }
>
>     # run the ldap_query() and load the passwd into $avp(s:password)
>     # TODO
>     $var(username)=$fU;
>
>     ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
>     ldap_result("userPassword/$avp(s:password)");
>
>     # username to authenticate
>     #$var(username) = $fU;
>
>     # do the authentication
>     if(!pv_proxy_authorize("")){
>         proxy_challenge("", "0");
>         exit;
>     }
> }
> ...
>
> and there is also this section, still in "route":
>
> if (is_method("REGISTER"))
> {
>     # authenticate the REGISTER requests (uncomment to enable auth)
>     if (!www_authorize("155.205.69.126", "subscriber"))
>     {
>         www_challenge("155.205.69.126", "0");
>         exit;
>     }
>     ##
>     ##if (!check_to())
>     ##{
>     ##    sl_send_reply("403","Forbidden auth ID");
>     ##    exit;
>     ##}
>
>     ## make pua_usrloc send PUBLISH for phones which do not support presence
>     ## filter after User-Agent header
>     #if(!search("^User-Agent:"))
>     #    pua_set_publish();
>
>     # save("location");
>     # exit;
>
>     if(is_method("REGISTER") && from_uri=~"@galah.cprod.corp.ntgov")
>         pua_set_publish();
>
>     if (!save("location"))
>         sl_reply_error();
>
>     exit;
> }
>
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Alan Rubin
> Sent: Tuesday, 23 June 2009 9:05 AM
> To: 'Bogdan-Andrei Iancu'
> Cc: 'users at lists.opensips.org'
> Subject: RE: [OpenSIPS-Users] LDAP Authentication
>
>
> Bogdan,
>
> I think my message to the list may have been lost after I cancelled the
> original version due to size issues and re-sent an edited version.
> Trying again...
>
> 2) I removed the "!" from the REGISTER section. This seems to have at
> least pushed me on to the next stage of actually doing an LDAP query:
>
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
> [sipaccounts], base [o=ntg], scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
> scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
> [5000000] usecs
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:check_nonce: comparing
> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a] and
> [4a3ae9d000000001b43a57f1ad95192b98ace5030eb50d1a]
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:reserve_nonce_index: second= 12, sec_monit= -1, index= 2
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:build_auth_hf: nonce index= 2
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:auth:build_auth_hf: 'Proxy-Authenticate: Digest
> realm="155.205.69.126",
> nonce="4a3ae9d000000002c65c88df6909b9e945bdbaaa5e495b3a" '
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:destroy_avp_list: destroying list (nil)
> Jun 19 10:58:18 dcshub1 /usr/local/opensips/sbin/opensips[31159]:
> DBG:core:receive_msg: cleaning up
> ...
>
> Still failing, but this time it is code 407: Proxy Authentication
> Required. Getting closer?
>
> 1) Perhaps I mean "encoded" and am just using the wrong term. An
> example return from our LDAP search:
> userPassword: {SSHA}twmolvRuvt11fr4GVJOxIasfcGi6yci9LIEfaUQ==
>
> Regards,
>
> Alan Rubin
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
> Sent: Friday, 19 June 2009 10:52 AM
> To: Alan Rubin
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>
> Alan,
>
> 2 points:
>
> 1) what you mean by "encrypted" ? the module supports only ha1 encoded
> passwords.
>
> 2) I see you deal with a REGISTER request, but in your script you
> changed the auth (from DB to LDAP) only for INVITES - check in the
> script the second auth block (for REGISTERS) and change it in the same
> time as we did for the INVITEs.
>
> Regards,
> Bogdan
>
> Alan Rubin wrote:
>
>> Bogdan,
>>
>> Thanks for your help. I reset the configuration for calculate_ha1 to 0
>> (it was set to 1), but I am still getting a "401 - Unauthorized" error.
>> The password returning from the LDAP server should be an encrypted
>> string.
>>
>> # ----- auth_db params -----
>> /* uncomment the following lines if you want to enable the DB based
>> authentication */
>> #modparam("auth_db", "calculate_ha1", yes)
>> #modparam("auth_db", "password_column", "password")
>> #modparam("auth_db", "db_url",
>> # "mysql://opensips:<redacted>@localhost/opensips")
>> #modparam("auth_db", "load_credentials", "")
>>
>> # ------ auth params -----
>> #modparam("auth", "username_spec", "$var(username)")
>> #modparam("auth", "password_spec", "$avp(s:password)")
>> modparam("auth", "nonce_expire", 30)
>> modparam("auth", "secret", "<redacted>")
>> modparam("auth", "disable_nonce_check", 0)
>> modparam("auth", "username_spec", "$var(username)")
>> modparam("auth", "password_spec", "$avp(s:password)")
>> modparam("auth", "calculate_ha1", 0)
>>
>>
>>
>> And here are the changes I made to the main route, for the benefit of
>> anyone else who might have an idea for me:
>>
>> if (!(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
>>     # are any credentials available in the request ?
>>     if (!is_present_hf("Proxy-Authorization")) {
>>         proxy_challenge("", "0");
>>         exit;
>>     }
>>
>>     # run the ldap_query() and load the passwd into $avp(s:password)
>>     # TODO
>>     $var(username)=$fU;
>>
>>     ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
>>     ldap_result("userPassword/$avp(s:password)");
>>
>>     # username to authenticate
>>     #$var(username) = $fU;
>>
>>     # do the authentication
>>     if(!pv_proxy_authorize("")){
>>         proxy_challenge("", "0");
>>         exit;
>>     }
>>
>> Regards,
>>
>> Alan Rubin
>>
>> -----Original Message-----
>> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
>> Sent: Friday, 19 June 2009 9:42 AM
>> To: Alan Rubin; users at lists.opensips.org
>> Subject: Re: [OpenSIPS-Users] LDAP Authentication
>>
>> HI Alan,
>>
>> sorry for the late reply - this week we have the OpenSIPS bootcamp and
>> I'm getting my hands on the emails only from time to time..
>>
>> So, are you loading the passwd in raw format (plain text) ? If so, you
>> need the calculate_ha1 param to be set to 1
>> (http://www.opensips.org/html/docs/modules/1.5.x/auth.html#id228275) -
>> by default it is set to 0.... (see prev email)
>>
>> Regards,
>> Bogdan
>>