[OpenSIPS-Users] LDAP Authentication
Alan Rubin
Alan.Rubin at nt.gov.au
Fri Jun 26 04:22:44 CEST 2009
Bogdan,
Apparently the email administrator had a regex on the SMTP gateway to
reject messages with pass (and) word (combined) because of previous
users succumbing to phishing exercises. It may work now, but I will
continue to check the archives. Oh well.
Regarding:
"Now, going to the actual issue, the problem is related to password -
about how the client and server (ldap) are keeping the password - do
they both keep it same format (like plain text) ?
Regards,
Bogdan"
I think I've figured out the issue, although I don't believe there is a
solution. Hopefully you can verify, either way.
The bind user in the ldap.cfg file does not have the privilege to
retrieve the pass word field from our LDAP directory. The only way our
LDAP setup is supposed to work is by binding using the
user-to-be-authenticated directly with the LDAP directory server. It is
my understanding, and this is where you can verify or correct me, that
opensips and the LDAP module can not change the bind user dynamically.
Regards,
Alan Rubin
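The two points in this exchange (Bogdan's question about the password format on both sides, and the bind user's lack of read access to the password attribute) come down to what SIP Digest authentication actually needs from the directory. The following is an added example, not code from OpenSIPS or from anyone in this thread: it replays the RFC 2617 MD5 Digest computation that opensips's auth module performs when pv_www_authorize() compares the client's Authorization header against $avp(s:password). The realm and nonce are the values from the WWW-Authenticate challenge in the quoted logs; the user password, the LDAP attribute values and the {CLEARTEXT} handling are constructed assumptions for the demonstration.

```python
"""Why a bind-only LDAP setup cannot back SIP Digest authentication.

Added example (not OpenSIPS code). Realm and nonce are copied from the
quoted opensips debug log; everything else is constructed.
"""
import hashlib
import hmac
import re

REALM = "155.205.69.126"                                  # from the log
NONCE = "4a4155840000000573fd091deb999f17423ea6b4be4cb6e2"  # from the log

# LDAP userPassword values may carry a "{SCHEME}" prefix (e.g. {SSHA}).
USERPASSWORD_SCHEME = re.compile(r"^\{(\w+)\}")


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 'MD5' algorithm without qop, as a SIP REGISTER uses it."""
    ha1 = md5hex(f"{username}:{realm}:{password}")   # the only secret input
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def client_authorization(username, password, method, uri):
    """Build the Authorization header a SIP UA (e.g. X-Lite) sends back."""
    resp = digest_response(username, REALM, password, method, uri, NONCE)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_authorization(header):
    """Parse the key="value" pairs of a Digest Authorization header."""
    body = header.split(None, 1)[1]            # drop the leading 'Digest'
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body):
        fields[key] = quoted if quoted else bare
    return fields


def usable_secret(ldap_user_password):
    """Return the cleartext the proxy can feed into HA1, or None.

    Digest needs the cleartext password (or a precomputed HA1). A userPassword
    hashed by the directory ({SSHA}, {MD5}, ...) cannot be turned into either,
    so verification is impossible even when the bind user *can* read it.
    If the bind user cannot read the attribute at all, ldap_result() leaves
    $avp(s:password) unset, modelled here as None. Assumption: only a
    {CLEARTEXT} prefix, or no prefix, marks a cleartext value.
    """
    if ldap_user_password is None:
        return None                            # attribute hidden by LDAP ACL
    m = USERPASSWORD_SCHEME.match(ldap_user_password)
    if not m:
        return ldap_user_password              # stored in plain text
    if m.group(1).upper() == "CLEARTEXT":
        return ldap_user_password[m.end():]
    return None                                # hashed scheme: unusable


def proxy_verify(auth_header, method, ldap_user_password):
    """Mimic pv_www_authorize(): recompute the response from the password
    the LDAP search returned and compare it with the client's response.
    Returns the SIP status code the proxy would answer with."""
    f = parse_authorization(auth_header)
    secret = usable_secret(ldap_user_password)
    if secret is None:
        return 401                             # nothing to compute HA1 from
    if f.get("realm") != REALM or f.get("nonce") != NONCE:
        return 401                             # stale or foreign challenge
    expected = digest_response(f["username"], REALM, secret,
                               method, f["uri"], NONCE)
    return 200 if hmac.compare_digest(expected, f.get("response", "")) else 401


if __name__ == "__main__":
    hdr = client_authorization("oh5", "s3cret-constructed",
                               "REGISTER", "sip:155.205.69.126")
    print(proxy_verify(hdr, "REGISTER", "s3cret-constructed"))   # 200
    print(proxy_verify(hdr, "REGISTER", None))                   # 401: ACL hid userPassword
    print(proxy_verify(hdr, "REGISTER", "{SSHA}ZmFrZS1oYXNo"))   # 401: hashed value
```

The same check the third call makes can be done against the real directory with ldapsearch bound as the DN from ldap.cfg, requesting only the userPassword attribute: an entry that comes back without that attribute confirms the ACL diagnosis, and a value with a {SSHA}-style prefix confirms the format mismatch Bogdan asked about. Either way the proxy has nothing from which to compute HA1, which is why the log shows a successful search ([1] LDAP entries found) immediately followed by a fresh challenge.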
-----Original Message-----
From: users-bounces at lists.opensips.org
[mailto:users-bounces at lists.opensips.org] On Behalf Of Alan Rubin
Sent: Wednesday, 24 June 2009 8:10 AM
To: Bogdan-Andrei Iancu
Cc: users at lists.opensips.org
Subject: [OpenSIPS-Users] LDAP Authentication
Bogdan,
The LDAP messages from the mailing list are still not reaching my
mailbox, which is unusual. I am checking the mail services on my end.
Still managed to pick up your last message from the Archive. After
making the changes suggested for my config file, I'm still failing with
a "401 - Unauthorized". Here are the relevant logs:
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
[5000000] usecs
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:check_nonce: comparing
[4a41558400000004dcd97551d7189591cf32402f006987b9] and
[4a41558400000004dcd97551d7189591cf32402f006987b9]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:build_auth_hf: nonce index= 5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
realm="155.205.69.126",
nonce="4a4155840000000573fd091deb999f17423ea6b4be4cb6e2" '
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: flags=ffffffffffffffff
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:destroy_avp_list: destroying list (nil)
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:receive_msg: cleaning up
dcshub1:/usr/local/opensips/etc/opensips #
dcshub1:/usr/local/opensips/etc/opensips #
dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26
/var/log/localmessages | less
dcshub1:/usr/local/opensips/etc/opensips #
dcshub1:/usr/local/opensips/etc/opensips # grep 07:51:26
/var/log/localmessages
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_msg: SIP Request:
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_msg: method: <REGISTER>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_msg: uri: <sip:155.205.69.126>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_msg: version: <SIP/2.0>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: flags=2
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_via_param: found param type 232, <branch> =
<z9hG4bK-d8754z-02350078246c1c6a-1---d8754z->; state=6
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_via_param: found param type 235, <rport> = <n/a>;
state=17
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_via: end of header reached, state=5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: via found, flags=2
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: this is the first via
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:receive_msg: After parse_msg...
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:receive_msg: preparing to run routing scripts...
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: flags=100
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:maxfwd:is_maxfwd_present: value = 70
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: flags=8
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_to: end of header reached, state=10
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_to: display={"alan"}, ruri={sip:oh5 at 155.205.69.126}
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:get_hdr_field: <To> [32]; uri=[sip:oh5 at 155.205.69.126]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:get_hdr_field: to body ["alan"<sip:oh5 at 155.205.69.126> ]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:uri:has_totag: no totag
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: flags=78
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:get_hdr_field: cseq <CSeq>: <2> <REGISTER>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:tm:t_lookup_request: start searching: hash=48267, isACK=0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:tm:matching_3261: RFC3261 transaction matching failed
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:tm:t_lookup_request: no transaction found
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: flags=ffffffffffffffff
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:get_hdr_field: content_length=0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:get_hdr_field: found end of header
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
[sipaccounts], base [o=ntg], scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
[5000000] usecs
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:auth:check_nonce: comparing
[4a41558300000003489e75bbcc433a8035de29ba6fd0c3e6] and
[4a41558300000003489e75bbcc433a8035de29ba6fd0c3e6]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 4
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:auth:build_auth_hf: nonce index= 4
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
realm="155.205.69.126",
nonce="4a41558400000004dcd97551d7189591cf32402f006987b9" '
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:parse_headers: flags=ffffffffffffffff
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:destroy_avp_list: destroying list (nil)
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30646]:
DBG:core:receive_msg: cleaning up
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_msg: SIP Request:
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_msg: method: <REGISTER>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_msg: uri: <sip:155.205.69.126>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_msg: version: <SIP/2.0>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: flags=2
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_via_param: found param type 232, <branch> =
<z9hG4bK-d8754z-e755c268ad186c3e-1---d8754z->; state=6
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_via_param: found param type 235, <rport> = <n/a>;
state=17
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_via: end of header reached, state=5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: via found, flags=2
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: this is the first via
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:receive_msg: After parse_msg...
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:receive_msg: preparing to run routing scripts...
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: flags=100
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:maxfwd:is_maxfwd_present: value = 70
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: flags=8
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_to: end of header reached, state=10
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_to: display={"alan"}, ruri={sip:oh5 at 155.205.69.126}
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:get_hdr_field: <To> [32]; uri=[sip:oh5 at 155.205.69.126]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:get_hdr_field: to body ["alan"<sip:oh5 at 155.205.69.126> ]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:uri:has_totag: no totag
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: flags=78
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:get_hdr_field: cseq <CSeq>: <3> <REGISTER>
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:tm:t_lookup_request: start searching: hash=48268, isACK=0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:tm:matching_3261: RFC3261 transaction matching failed
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:tm:t_lookup_request: no transaction found
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: flags=ffffffffffffffff
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:get_hdr_field: content_length=0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:get_hdr_field: found end of header
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:ldap:ldap_url_search: LDAP URL parsed into session_name
[sipaccounts], base [o=ntg], scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:ldap:lds_search: [sipaccounts]: performing LDAP search: dn [o=ntg],
scope [2], filter
[(&(cn=oh5)(departmentNumber=66)(ntguserstatus=Active))], client_timeout
[5000000] usecs
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:ldap:ldap_params_search: [sipaccounts]: [1] LDAP entries found
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:check_nonce: comparing
[4a41558400000004dcd97551d7189591cf32402f006987b9] and
[4a41558400000004dcd97551d7189591cf32402f006987b9]
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:reserve_nonce_index: second= 9, sec_monit= -1, index= 5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:build_auth_hf: nonce index= 5
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:auth:build_auth_hf: 'WWW-Authenticate: Digest
realm="155.205.69.126",
nonce="4a4155840000000573fd091deb999f17423ea6b4be4cb6e2" '
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:parse_headers: flags=ffffffffffffffff
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:check_via_address: params 155.205.26.124, 155.205.26.124, 0
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:destroy_avp_list: destroying list (nil)
Jun 24 07:51:26 dcshub1 /usr/local/opensips/sbin/opensips[30653]:
DBG:core:receive_msg: cleaning up
...
Here's my main route section from the opensips.cfg file:
# main request routing logic
route{
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    }

    if (has_totag()) {
        # sequential request within a dialog should
        # take the path determined by record-routing
        if (loose_route()) {
            if (is_method("BYE")) {
                setflag(1); # do accounting ...
                setflag(3); # ... even if the transaction fails
            } else if (is_method("INVITE")) {
                # even if in most of the cases is useless, do RR for
                # re-INVITEs also, as some buggy clients do change route set
                # during the dialog.
                record_route();
            }
            # route it out to whatever destination was set by loose_route()
            # in $du (destination URI).
            route(1);
        } else {
            /* uncomment the following lines if you want to enable presence */
            ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
            if (is_method("SUBSCRIBE") && $rd == "155.205.69.126") {
                # in-dialog subscribe requests
                route(2);
                exit;
            }
            if ( is_method("ACK") ) {
                if ( t_check_trans() ) {
                    # non loose-route, but stateful ACK; must be an ACK after
                    # a 487 or e.g. 404 from upstream server
                    t_relay();
                    exit;
                } else {
                    # ACK without matching transaction ->
                    # ignore and discard
                    exit;
                }
            }
            sl_send_reply("404","Not here");
        }
        exit;
    }

    #initial requests

    # CANCEL processing
    if (is_method("CANCEL"))
    {
        if (t_check_trans())
            t_relay();
        exit;
    }

    t_check_trans();

    # authenticate if from local subscriber (uncomment to enable auth)
    # authenticate all initial non-REGISTER request that pretend to be
    # generated by local subscriber (domain from FROM URI is local)
    ##if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
    ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
    ##{
    ##    if (!proxy_authorize("", "subscriber")) {
    ##        proxy_challenge("", "0");
    ##        exit;
    ##    }
    ##    if (!check_from()) {
    ##        sl_send_reply("403","Forbidden auth ID");
    ##        exit;
    ##    }
    ##
    ##    consume_credentials();
    ##    # caller authenticated
    ##}

    if (!(method=="REGISTER") && from_uri==myself) { /*no multidomain version*/
        # are any credentials available in the request ?
        if (!is_present_hf("Proxy-Authorization")) {
            proxy_challenge("", "0");
            exit;
        }
        # run the ldap_query() and load the passwd into $avp(s:password)
        # TODO
        $var(username)=$fU;
        ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$fU)(departmentNumber=66)(ntguserstatus=Active))");
        ldap_result("userPassword/$avp(s:password)");
        # username to authenticate
        #$var(username) = $fU;
        # do the authentication
        if(!pv_proxy_authorize("")){
            proxy_challenge("", "0");
            exit;
        }
    }

    if ( is_method("REGISTER") ) {
        # are any credentials available in the request ?
        if (!is_present_hf("Authorization")) {
            www_challenge("", "0");
            exit;
        }
        $var(username)=$tU;
        ldap_search("ldap://sipaccounts/o=ntg??sub?(&(cn=$tU)(departmentNumber=66)(ntguserstatus=Active))");
        ldap_result("userPassword/$avp(s:password)");
        # do the authentication
        if(!pv_www_authorize("")){
            www_challenge("", "0");
            exit;
        }
        if (!save("location"))
            sl_reply_error();
    }

    # preloaded route checking
    if (loose_route()) {
        xlog("L_ERR",
            "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
        if (!is_method("ACK"))
            sl_send_reply("403","Preload Route denied");
        exit;
    }

    # record routing
    if (!is_method("REGISTER|MESSAGE"))
        record_route();

    # account only INVITEs
    if (is_method("INVITE")) {
        setflag(1); # do accounting
    }

    if (!uri==myself)
    ## replace with following line if multi-domain support is used
    ##if (!is_uri_host_local())
    {
        append_hf("P-hint: outbound\r\n");
        # if you have some interdomain connections via TLS
        ##if($rd=="tls_domain1.net") {
        ##    t_relay("tls:domain1.net");
        ##    exit;
        ##} else if($rd=="tls_domain2.net") {
        ##    t_relay("tls:domain2.net");
        ##    exit;
        ##}
        route(1);
    }

    # requests for my domain

    ## uncomment this if you want to enable presence server
    ## and comment the next 'if' block
    ## NOTE: uncomment also the definition of route[2] from below
    if( is_method("PUBLISH|SUBSCRIBE"))
        route(2);

    ##if (is_method("PUBLISH"))
    ##{
    ##    sl_send_reply("503", "Service Unavailable");
    ##    exit;
    ##}

    if (is_method("REGISTER"))
    {
        # authenticate the REGISTER requests (uncomment to enable auth)
        if (!www_authorize("155.205.69.126", "subscriber"))
        {
            www_challenge("155.205.69.126", "0");
            exit;
        }
        ##
        ##if (!check_to())
        ##{
        ##    sl_send_reply("403","Forbidden auth ID");
        ##    exit;
        ##}

        ## make pua_usrloc send PUBLISH for phones which do not support presence
        ## filter after User-Agent header
        #if(!search("^User-Agent:"))
        #    pua_set_publish();
        #    save("location");
        #    exit;
        if(is_method("REGISTER") && from_uri=~"@galah.cprod.corp.ntgov")
            pua_set_publish();

        if (!save("location"))
            sl_reply_error();
        exit;
    }

    if ($rU==NULL) {
        # request with no Username in RURI
        sl_send_reply("484","Address Incomplete");
        exit;
    }

    # apply DB based aliases (uncomment to enable)
    ##alias_db_lookup("dbaliases");

    if (!lookup("location")) {
        switch ($retcode) {
            case -1:
            case -3:
                t_newtran();
                t_reply("404", "Not Found");
                exit;
            case -2:
                sl_send_reply("405", "Method Not Allowed");
                exit;
        }
    }

    # when routing via usrloc, log the missed calls also
    setflag(2);

    route(1);
}
...
If you see anything else wrong, please let me know and thanks for all of
your help so far.
I've been using X-Lite to test, if anyone knows of any issues.
Regards,
Alan Rubin
_______________________________________________
Users mailing list
Users at lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users