[OpenSIPS-Users] LDAP Authentication
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Thu Jun 25 19:27:57 CEST 2009
Hi Alan,
I get this error each time I'm emailing you:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
Alan.Rubin at nt.gov.au
SMTP error from remote mail server after end of data:
host emdch-mx21.nt.gov.au [203.26.75.16]: 550 5.7.1 Phish_1
Now, going to the actual issue, the problem is related to the password - to how the client and the server (LDAP) store the password - do they both keep it in the same format (like plain text)?
Regards,
Bogdan
Alan Rubin wrote:
> Bogdan,
>
> The LDAP messages from the mailing list are still not reaching my
> mailbox, which is unusual. I am checking the mail services on my end.
>
> Still managed to pick up your last message from the Archive. After
> making the changes suggested for my config file, I'm still failing with
> a "401 - Unauthorized". Here are the relevant logs:
>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
> scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
> [5000000] usecs
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:check_nonce: comparing
> [4a41558400000004dcd97551d7189591cf32402f006987b9] and
> [4a41558400000004dcd97551d7189591cf32402f006987b9]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:build_auth_hf: nonce index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
> realm="155.205.69.126",
> nonce="4a4155840000000573fd091deb999f17423ea6b4be4cb6e2" '
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:destroy_avp_list: destroying list (nil)
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:receive_msg: cleaning up
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26
> /var/log/localmessages | less
> dcshub1:/usr/local/opensips/etc/opensips #
> dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26
> /var/log/localmessages
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_msg: SIP Request:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_msg: method: <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_msg: uri: <sip:155.205.69.126>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_msg: version: <SIP/2.0>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_via_param: found param type 232, <branch> =
> <z9hG4bK-d8754z-02350078246c1c6a-1---d8754z->; state=6
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_via_param: found param type 235, <rport> = <n/a>;
> state=17
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_via: end of header reached, state=5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: via found, flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: this is the first via
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:receive_msg: After parse_msg...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:receive_msg: preparing to run routing scripts...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: flags=100
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:maxfwd:is_maxfwd_present: value = 70
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: flags=8
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_to: end of header reached, state=10
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_to: display={"alan"}, ruri={sip:oh5 at 155.205.69.126}
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:get_hdr_field: <To> [32]; uri=[sip:oh5 at 155.205.69.126]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:get_hdr_field: to body ["alan"<sip:oh5 at 155.205.69.126> ]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:uri:has_totag: no totag
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: flags=78
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:get_hdr_field: cseq <CSeq>: <2> <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:tm:t_lookup_request: start searching: hash=48267, isACK=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:tm:matching_3261: RFC3261 transaction matching failed
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:tm:t_lookup_request: no transaction found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:get_hdr_field: content_length=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:get_hdr_field: found end of header
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
> [sipaccounts], base [o=ntg], scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
> scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
> [5000000] usecs
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:auth:check_nonce: comparing
> [4a41558300000003489e75bbcc433a8035de29ba6fd0c3e6] and
> [4a41558300000003489e75bbcc433a8035de29ba6fd0c3e6]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 4
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:auth:build_auth_hf: nonce index= 4
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
> realm="155.205.69.126",
> nonce="4a41558400000004dcd97551d7189591cf32402f006987b9" '
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:destroy_avp_list: destroying list (nil)
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
> DBG:core:receive_msg: cleaning up
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_msg: SIP Request:
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_msg: method: <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_msg: uri: <sip:155.205.69.126>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_msg: version: <SIP/2.0>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_via_param: found param type 232, <branch> =
> <z9hG4bK-d8754z-e755c268ad186c3e-1---d8754z->; state=6
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_via_param: found param type 235, <rport> = <n/a>;
> state=17
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_via: end of header reached, state=5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: via found, flags=2
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: this is the first via
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:receive_msg: After parse_msg...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:receive_msg: preparing to run routing scripts...
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: flags=100
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:maxfwd:is_maxfwd_present: value = 70
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: flags=8
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_to: end of header reached, state=10
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_to: display={"alan"}, ruri={sip:oh5 at 155.205.69.126}
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:get_hdr_field: <To> [32]; uri=[sip:oh5 at 155.205.69.126]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:get_hdr_field: to body ["alan"<sip:oh5 at 155.205.69.126> ]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:uri:has_totag: no totag
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: flags=78
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:get_hdr_field: cseq <CSeq>: <3> <REGISTER>
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:tm:t_lookup_request: start searching: hash=48268, isACK=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:tm:matching_3261: RFC3261 transaction matching failed
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:tm:t_lookup_request: no transaction found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:get_hdr_field: content_length=0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:get_hdr_field: found end of header
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
> [sipaccounts], base [o=ntg], scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
> scope [2], filter
> [(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
> [5000000] usecs
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:check_nonce: comparing
> [4a41558400000004dcd97551d7189591cf32402f006987b9] and
> [4a41558400000004dcd97551d7189591cf32402f006987b9]
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:build_auth_hf: nonce index= 5
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
> realm="155.205.69.126",
> nonce="4a4155840000000573fd091deb999f17423ea6b4be4cb6e2" '
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:destroy_avp_list: destroying list (nil)
> Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
> DBG:core:receive_msg: cleaning up
> ...
>
> Here's my main route section from the opensips.cfg file:
>
> # main request routing logic
>
> route{
>
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> exit;
> }
>
> if (has_totag()) {
> # sequential request withing a dialog should
> # take the path determined by record-routing
> if (loose_route()) {
> if (is_method("BYE")) {
> setflag(1); # do accounting ...
> setflag(3); # ... even if the transaction fails
> } else if (is_method("INVITE")) {
> # even if in most of the cases is useless, do RR for
> # re-INVITEs also, as some buggy clients do change route set
> # during the dialog.
> record_route();
> }
> # route it out to whatever destination was set by loose_route()
> # in $du (destination URI).
> route(1);
> } else {
> /* uncomment the following lines if you want to enable presence */
> ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
> if (is_method("SUBSCRIBE") && $rd == "155.205.69.126") {
> # in-dialog subscribe requests
> route(2);
> exit;
> }
> if ( is_method("ACK") ) {
> if ( t_check_trans() ) {
> # non loose-route, but stateful ACK; must be an ACK after
> # a 487 or e.g. 404 from upstream server
> t_relay();
> exit;
> } else {
> # ACK without matching transaction ->
> # ignore and discard
> exit;
> }
> }
> sl_send_reply("404","Not here");
> }
> exit;
> }
>
> #initial requests
>
> # CANCEL processing
> if (is_method("CANCEL"))
> {
> if (t_check_trans())
> t_relay();
> exit;
> }
>
> t_check_trans();
>
> # authenticate if from local subscriber (uncomment to enable auth)
> # authenticate all initial non-REGISTER request that pretend to be
> # generated by local subscriber (domain from FROM URI is local)
> ##if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
> ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
> ##{
> ## if (!proxy_authorize("", "subscriber")) {
> ## proxy_challenge("", "0");
> ## exit;
> ## }
> ## if (!check_from()) {
> ## sl_send_reply("403","Forbidden auth ID");
> ## exit;
> ## }
> ##
> ## consume_credentials();
> ## # caller authenticated
> ##}
>
>
> if (!(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
> # are any credentials available in the request ?
> if (!is_present_hf("Proxy-Authorization")) {
> proxy_challenge("", "0");
> exit;
> }
>
> # run the ldap_query() and load the passwd into $avp(s:password)
> # TODO
> $var(username)=$fU;
>
> ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
> ldap_result("userPassword/$avp(s:password)");
>
> # username to authenticate
> #$var(username) = $fU;
>
> # do the authentication
> if(!pv_proxy_authorize("")){
> proxy_challenge("", "0");
> exit;
> }
> }
>
> if ( is_method("REGISTER") ) {
> # are any credentials available in the request ?
> if (!is_present_hf("Authorization")) {
> www_challenge("", "0");
> exit;
> }
>
> $var(username)=$tU;
>
>
> ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$tU)(departmentNumber=66)(ntguserstatus=Active))");
> ldap_result("userPassword/$avp(s:password)");
>
> # do the authentication
> if(!pv_www_authorize("")){
> www_challenge("", "0");
> exit;
> }
>
>
> if (!save("location"))
> sl_reply_error();
>
> }
>
>
> # preloaded route checking
> if (loose_route()) {
> xlog("L_ERR", "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
> if (!is_method("ACK"))
> sl_send_reply("403","Preload Route denied");
> exit;
> }
>
> # record routing
> if (!is_method("REGISTER|MESSAGE"))
> record_route();
>
> # account only INVITEs
> if (is_method("INVITE")) {
> setflag(1); # do accounting
> }
> if (!uri==myself)
> ## replace with following line if multi-domain support is used
> ##if (!is_uri_host_local())
> {
> append_hf("P-hint: outbound\r\n");
> # if you have some interdomain connections via TLS
> ##if($rd=="tls_domain1.net") {
> ## t_relay("tls:domain1.net");
> ## exit;
> ##} else if($rd=="tls_domain2.net") {
> ## t_relay("tls:domain2.net");
> ## exit;
> ##}
> route(1);
> }
>
> # requests for my domain
>
> ## uncomment this if you want to enable presence server
> ## and comment the next 'if' block
> ## NOTE: uncomment also the definition of route[2] from below
> if( is_method("PUBLISH|SUBSCRIBE"))
> route(2);
>
> ##if (is_method("PUBLISH"))
> ##{
> ## sl_send_reply("503", "Service Unavailable");
> ## exit;
> ##}
>
>
> if (is_method("REGISTER"))
> {
> # authenticate the REGISTER requests (uncomment to enable auth)
> if (!www_authorize("155.205.69.126", "subscriber"))
> {
> www_challenge("155.205.69.126", "0");
> exit;
> }
> ##
> ##if (!check_to())
> ##{
> ## sl_send_reply("403","Forbidden auth ID");
> ## exit;
> ##}
>
> ## make pua_usrloc send PUBLISH for phones which do not support presence
> ## filter after User-Agent header
> #if(!search("^User-Agent:"))
> # pua_set_publish();
>
> # save("location");
> # exit;
>
> if(is_method("REGISTER") && from_uri=~"@galah.cprod.corp.ntgov")
> pua_set_publish();
>
>
> if (!save("location"))
> sl_reply_error();
>
> exit;
> }
>
> if ($rU==NULL) {
> # request with no Username in RURI
> sl_send_reply("484","Address Incomplete");
> exit;
> }
>
> # apply DB based aliases (uncomment to enable)
> ##alias_db_lookup("dbaliases");
>
> if (!lookup("location")) {
> switch ($retcode) {
> case -1:
> case -3:
> t_newtran();
> t_reply("404", "Not Found");
> exit;
> case -2:
> sl_send_reply("405", "Method Not Allowed");
> exit;
> }
> }
>
> # when routing via usrloc, log the missed calls also
> setflag(2);
>
> route(1);
> }
> ...
>
>
> If you see anything else wrong, please let me know and thanks for all of
> your help so far.
>
> I've been using X-Lite to test, if anyone knows of any issues.
>
> Regards,
>
> Alan Rubin
>
>
>
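To make Bogdan's point about password format concrete: the WWW-Authenticate challenge in the quoted log shows OpenSIPS using SIP Digest authentication, in which the proxy must recompute MD5(user:realm:password) itself. The value that ldap_result("userPassword/$avp(s:password)") loads from the directory therefore has to be either the clear-text password or a precomputed HA1; if the directory keeps userPassword as a one-way hash such as {SSHA}, the proxy can never reproduce the client's response and every REGISTER ends in 401, exactly as in the log, even though the LDAP search itself finds the entry. The following Python is an added illustration, not code from this thread or from OpenSIPS; the realm, nonce, user and request URI are copied from the quoted log, while the password and salt are constructed for the example.

```python
import base64
import hashlib
import hmac

# Realm, nonce, user and request URI are the ones visible in the quoted
# OpenSIPS log (WWW-Authenticate challenge and REGISTER request line).
REALM = "155.205.69.126"
NONCE = "4a4155840000000573fd091deb999f17423ea6b4be4cb6e2"
USER = "oh5"
METHOD = "REGISTER"
URI = "sip:155.205.69.126"

# Constructed sample password, not taken from the thread.
PLAINTEXT_PASSWORD = "secret123"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop, matching the challenge in the
    log, which carries only realm and nonce."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def client_authorization(password):
    """Fields the phone (X-Lite in the thread) sends in its Authorization
    header. The clear-text password itself never leaves the client."""
    return {
        "username": USER, "realm": REALM, "nonce": NONCE, "uri": URI,
        "response": digest_response(USER, REALM, password, METHOD, URI, NONCE),
    }


def ssha(password, salt=b"constructed-salt"):
    """RFC 2307 {SSHA} form that many directories store userPassword in.
    The salt here is a constructed value for the example."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def has_scheme_prefix(stored):
    """A userPassword such as {SSHA}..., {SHA}..., {CRYPT}... is a one-way
    hash; the clear text needed for HA1 cannot be recovered from it."""
    return stored.startswith("{") and "}" in stored


def server_verify(authz, stored, stored_is_ha1=False):
    """Proxy side: rebuild the expected response from what LDAP returned.
    stored_is_ha1 models the alternative of keeping HA1 instead of clear
    text in the directory."""
    if stored_is_ha1:
        ha1 = stored
    elif has_scheme_prefix(stored):
        return False, "userPassword is hashed; HA1 cannot be derived"
    else:
        ha1 = md5hex(f"{authz['username']}:{authz['realm']}:{stored}")
    ha2 = md5hex(f"{METHOD}:{authz['uri']}")
    expected = md5hex(f"{ha1}:{authz['nonce']}:{ha2}")
    # Constant-time comparison so timing does not leak how many bytes matched.
    if hmac.compare_digest(expected, authz["response"]):
        return True, "200 OK"
    return False, "401 Unauthorized"


def run_scenarios():
    """Four ways the directory attribute and the client can (dis)agree."""
    authz = client_authorization(PLAINTEXT_PASSWORD)
    ha1 = md5hex(f"{USER}:{REALM}:{PLAINTEXT_PASSWORD}")
    return {
        "plaintext": server_verify(authz, PLAINTEXT_PASSWORD),
        "ssha": server_verify(authz, ssha(PLAINTEXT_PASSWORD)),
        "ha1": server_verify(authz, ha1, stored_is_ha1=True),
        "wrong_password": server_verify(authz, "not-the-password"),
    }


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:15s} -> {'OK  ' if ok else 'FAIL'} {detail}")
```

Running it prints one line per scenario: clear text and HA1 both verify, the {SSHA} attribute is rejected before any comparison, and a wrong clear-text password gives the ordinary 401. The practical check on Alan's side is to read back the userPassword attribute for the same filter the log shows, using the identity OpenSIPS binds with, and look at whether the value starts with a {scheme} prefix; if it does, the directory and the proxy disagree on format and no amount of script tuning will make pv_www_authorize() succeed. Separately, the quoted config's later REGISTER block still calls www_authorize("155.205.69.126", "subscriber"), which checks the auth_db subscriber table rather than the $avp filled from LDAP, so a request that passes pv_www_authorize() would then be challenged again against a different credential store.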
More information about the Users
mailing list