[OpenSIPS-Users] LDAP authentication issue

Leon Li Leon.Li at aarnet.edu.au
Mon Nov 22 00:19:48 CET 2010


Hi Mathews,

I tried the LDAP module a long time ago and found that the way this module
works is to grab the clear-text password from the LDAP server and then
compare it with the one sent by the endpoints. However, my sysadmin pointed
out that most LDAP servers will not release the password but rather receive
the credential and bind dynamically. So when you request to grab the
password, the server may drop the request.

I am not sure if this is still the case, but others can confirm please.

Regards,
Leon
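Leon's point comes down to how SIP digest authentication constrains the proxy: the endpoint never sends its password, only an MD5 response computed over it, so the proxy has nothing it could forward to the directory as a bind credential. It can only fetch a secret for the user (the clear password from userPassword, or a precomputed HA1) and recompute the response itself, which is exactly what the password_spec and calculate_ha1 settings in the quoted config select between. The following Python script is an added example, not code from this thread or from OpenSIPS; it models both sides of the REGISTER exchange with constructed values (realm, nonce, user and password are all made up) and shows the two forms of stored secret the auth module accepts.

```python
import hashlib
import hmac

# Constructed values for the example: the realm is normally the proxy's
# domain and the nonce is generated fresh for every challenge.
REALM = "example.net"
NONCE = "constructed-nonce-0001"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password).
    With calculate_ha1=1 the auth module derives this from the clear-text
    password it was handed; with calculate_ha1=0 it expects this value
    to be the stored secret itself."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")


def endpoint_authorization(username: str, password: str, method: str,
                           uri: str, nonce: str = NONCE, realm: str = REALM) -> dict:
    """Endpoint side: the fields that go into the Authorization header
    (or Proxy-Authorization) after the 401/407 challenge. The password
    never leaves the endpoint; only the response hash does."""
    return {
        "username": username,
        "realm": realm,
        "nonce": nonce,
        "uri": uri,
        "response": digest_response(ha1(username, realm, password), method, uri, nonce),
    }


def proxy_verify(auth: dict, method: str, stored_secret: str, calculate_ha1: bool) -> bool:
    """Proxy side, conceptually what pv_www_authorize / pv_proxy_authorize do.
    stored_secret is what the password_spec AVP holds: the clear password
    copied out of userPassword when calculate_ha1 is set, or a precomputed
    HA1 when it is not."""
    if calculate_ha1:
        expected_ha1 = ha1(auth["username"], auth["realm"], stored_secret)
    else:
        expected_ha1 = stored_secret
    expected = digest_response(expected_ha1, method, auth["uri"], auth["nonce"])
    # constant-time comparison of the two hex digests
    return hmac.compare_digest(expected, auth["response"])


def demo() -> dict:
    """Walk through a REGISTER for the constructed user 'john'."""
    auth = endpoint_authorization("john", "s3cret", "REGISTER", "sip:example.net")
    return {
        # nothing in the header reveals the password itself
        "header_carries_password": "s3cret" in " ".join(auth.values()),
        # calculate_ha1=1: proxy holds the clear password from the directory
        "clear_password_ok": proxy_verify(auth, "REGISTER", "s3cret", True),
        # calculate_ha1=0: proxy holds only HA1, never the clear password
        "stored_ha1_ok": proxy_verify(auth, "REGISTER", ha1("john", REALM, "s3cret"), False),
        "wrong_password_rejected": not proxy_verify(auth, "REGISTER", "other", True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stored_ha1_ok case is the one that answers the sysadmin's objection: if the directory holds an HA1 value in an attribute the proxy may read, the proxy can verify digest credentials without the directory ever releasing a clear-text password, and a copy of that attribute leaks far less than userPassword would.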


-----Original Message-----
From: users-bounces at lists.opensips.org
[mailto:users-bounces at lists.opensips.org] On Behalf Of Indiver
Sent: Friday, 19 November 2010 6:09 PM
To: users at lists.opensips.org
Subject: [OpenSIPS-Users] LDAP authentication issue


Hello Guys,

I'm trying to integrate LDAP with OpenSIPS. For this purpose I configured
an LDAP server and added 10 users there.
My ldap.cfg file is:

[sipaccounts]
ldap_version = 2
ldap_server_url = "ldap://192.168.1.106:389"
ldap_bind_dn = "cn=Manager,dc=example,dc=net"
ldap_bind_password = "password"
ldap_network_timeout = 500
ldap_client_bind_timeout = 500

I added the following pieces in the cfg file:

modparam("ldap", "config_file", "/usr/local/etc/opensips/ldap.cfg")
modparam("auth", "username_spec", "$avp(s:username)")
modparam("auth", "password_spec", "$avp(s:password)")
modparam("auth", "calculate_ha1", 1)

In route Block the following:

if (!(method=="REGISTER") && from_uri==myself) /* no multidomain version */
{
	if (!is_present_hf("Proxy-Authorization")) {
		proxy_challenge("", "0");
		exit;
	}
	# username_spec points at $avp(s:username), so that AVP must be
	# populated (the posted config set $var(username), which the auth
	# module never reads, and had a bare "$avp(s:password)" line that
	# does not parse); the password AVP is filled by ldap_result() below.
	# The caller ($fU) is the party being authenticated, and it is also
	# the value the ldap_search() filter keys on.
	$avp(s:username) = $fU;

	if (!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&(uid=$fU))")) {
		switch ($retcode) {
			case -1:
				# no LDAP entry found
				sl_send_reply("404", "example: User Not Found");
				exit;
			case -2:
				# internal error
				sl_send_reply("500", "example: Internal server error");
				exit;
			default:
				exit;
		}
	}

	xlog("L_INFO", "example: ldap_search: found [$retcode] entries for (uid=$fU)\n");

	# copy the userPassword attribute of the matched entry into the AVP
	# that password_spec names
	ldap_result("userPassword/$avp(s:password)");

	# do the authentication
	if (!pv_proxy_authorize("")) {
		proxy_challenge("", "0");
		exit;
	}

	# caller authenticated
}



if (is_method("REGISTER"))
{
	if (!is_present_hf("Authorization")) {
		www_challenge("", "0");
		exit;
	}
	# as above: populate the AVP named by username_spec
	$avp(s:username) = $fU;

	if (!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&(uid=$fU))")) {
		switch ($retcode) {
			case -1:
				# no LDAP entry found
				sl_send_reply("404", "example: User Not Found");
				exit;
			case -2:
				# internal error
				sl_send_reply("500", "example: Internal server error");
				exit;
			default:
				exit;
		}
	}
	xlog("L_INFO", "example: ldap_search: found [$retcode] entries for (uid=$fU)\n");

	if (!ldap_result("userPassword/$avp(s:password)")) {
		switch ($retcode) {
			case -1:
				# entry has no userPassword attribute
				sl_send_reply("403", "example: Forbidden");
				exit;
			case -2:
				# internal error
				sl_send_reply("500", "example: Internal server error");
				exit;
			default:
				exit;
		}
	}
	# debugging only: this writes the clear-text password to the log
	xlog("L_INFO", "example: ldap_result: password is =$avp(s:password)\n");

	# do the authentication
	if (!pv_www_authorize("")) {
		www_challenge("", "0");
		exit;
	}
	if (!save("location"))
		sl_reply_error();

	exit;
}

if ($rU==NULL) {
	# request with no Username in RURI
	sl_send_reply("484", "Address Incomplete");
	exit;
}

if (!lookup("location")) {
	switch ($retcode) {
		case -1:
		case -3:
			t_newtran();
			t_reply("404", "Not Found");
			exit;
		case -2:
			sl_send_reply("405", "Method Not Allowed");
			exit;
	}
}

# when routing via usrloc, log the missed calls also
setflag(2);

route(1);
}

Now when I'm trying to register the user John (an LDAP user) with his LDAP
password and the OpenSIPS server IP (192.168.1.107), a "No records found
from LDAP" message occurs. Is anything wrong in my cfg file or in the
testing scenario?

Thanks,
Mathews
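The "No records found" message comes from the ldap_search() step, so the first thing to check is what the LDAP URL in that call actually asks for: in the OpenSIPS ldap module the host component of the URL names the ldap.cfg section (sipaccounts above), and the rest follows the RFC 4516 layout base_dn?attributes?scope?filter, giving a subtree search below cn=Manager,dc=example,dc=net for (&(uid=$fU)). A subtree search can only return entries at or below its base DN, whatever the filter says. The Python script below is an added example, not code from the thread or from OpenSIPS: it parses the posted URL, expands $fU with a stand-in, and runs the search against a small constructed in-memory directory. Its layout (users under ou=people) is an assumption for illustration; the page does not say where the poster's 10 users live.

```python
from urllib.parse import urlsplit, unquote

# Constructed directory for the example; the ou=people layout is assumed.
DIRECTORY = [
    {"dn": "dc=example,dc=net", "dc": ["example"]},
    {"dn": "cn=Manager,dc=example,dc=net", "cn": ["Manager"]},
    {"dn": "ou=people,dc=example,dc=net", "ou": ["people"]},
    {"dn": "uid=john,ou=people,dc=example,dc=net", "uid": ["john"], "userPassword": ["s3cret"]},
    {"dn": "uid=jane,ou=people,dc=example,dc=net", "uid": ["jane"], "userPassword": ["hunter2"]},
]

# The URL exactly as posted in the config above.
POSTED_URL = "ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&(uid=$fU))"


def expand(url_template: str, from_user: str) -> str:
    """Stand-in for OpenSIPS expanding $fU inside the URL string."""
    return url_template.replace("$fU", from_user)


def parse_ldap_url(url: str) -> dict:
    """Split an RFC 4516 LDAP URL: ldap://host/dn?attributes?scope?filter.
    For ldap_search() the host part is the ldap.cfg section name."""
    parts = urlsplit(url)
    # everything after the first '?' is attributes?scope?filter?extensions
    fields = (parts.query.split("?") + ["", "", "", ""])[:4]
    return {
        "section": parts.netloc,
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in fields[0].split(",") if a],
        "scope": fields[1] or "base",
        "filter": unquote(fields[2]) or "(objectClass=*)",
    }


def dn_rdns(dn: str) -> list:
    """Naive DN split on ',' (assumes no escaped commas), case-folded."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """base: the base entry only; one: its direct children; sub: base and
    everything beneath it. Entries outside the base never match."""
    entry, base = dn_rdns(entry_dn), dn_rdns(base_dn)
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)


def parse_filter(text: str, i: int = 0):
    """Tiny RFC 4515 subset: equality items combined with & and |.
    Returns (node, index_after_node)."""
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i] in "&|":
        op = "and" if text[i] == "&" else "or"
        i += 1
        children = []
        while text[i] == "(":
            node, i = parse_filter(text, i)
            children.append(node)
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = text.index(")", i)
    attr, _, value = text[i:end].partition("=")
    return ("eq", attr.strip().lower(), value), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (attribute names and
    values compared case-insensitively, as for a typical uid attribute)."""
    if node[0] == "eq":
        _, attr, value = node
        values = next((v for k, v in entry.items() if k != "dn" and k.lower() == attr), [])
        return value.lower() in (v.lower() for v in values)
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "and" else any(results)


def ldap_search(url: str, directory=DIRECTORY) -> list:
    """DNs that a server would return for this URL: entries within the
    scope of the base DN whose attributes satisfy the filter."""
    parsed = parse_ldap_url(url)
    node, _ = parse_filter(parsed["filter"])
    return [e["dn"] for e in directory
            if in_scope(e["dn"], parsed["base_dn"], parsed["scope"]) and matches(node, e)]


if __name__ == "__main__":
    print(parse_ldap_url(expand(POSTED_URL, "John")))
    print("posted base:", ldap_search(expand(POSTED_URL, "John")))
    root_url = "ldap://sipaccounts/dc=example,dc=net??sub?(&(uid=$fU))"
    print("domain root:", ldap_search(expand(root_url, "John")))
```

With the constructed directory the posted URL yields no entries, because the base cn=Manager,dc=example,dc=net has nothing beneath it, while the same filter searched from dc=example,dc=net finds uid=john. Comparing the base DN in the URL against the DN of one of the 10 user entries (ldapsearch against the server will show it) is the check to run before looking further into the auth side. Note also that the $fU value is interpolated into the filter verbatim; RFC 4515 defines backslash-hex escaping for the characters ( ) * \ in filter values, and a From user is attacker-chosen input, so it should be escaped before being placed in the filter.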


-- 
View this message in context:
http://opensips-open-sip-server.1449251.n2.nabble.com/LDAP-authentication-issue-tp5754372p5754372.html
Sent from the OpenSIPS - Users mailing list archive at Nabble.com.
