LDAP authentication issue


LDAP authentication issue

Leon Li

Hi,

I am facing some problems when trying to authenticate via an existing LDAP server, and 401 is always the error. My config is as below:

    if (is_present_hf("Authorization")) {
        # ldap search: look the From user up as a posixAccount and ask for uid and userPassword
        if (!ldap_search("ldap://sipaccounts/ou=People,dc=aarnet,dc=edu,dc=au?uid,userPassword?one?(&(uid=$fU)(objectclass=posixAccount))")) {
            switch ($retcode) {
                case -1:
                    # no LDAP entry found
                    xlog("L_INFO", "Ldap user not found\n");
                    sl_send_reply("404", "User Not Found");
                    exit;
                case -2:
                    # internal error
                    xlog("L_INFO", "Internal Server Error during Authentication\n");
                    sl_send_reply("500", "Internal server error");
                    exit;
                default:
                    exit;
            }
        }

        # second search with the same URL; it only repeats the query to log the return code
        if (ldap_search("ldap://sipaccounts/ou=People,dc=aarnet,dc=edu,dc=au?uid,userPassword?one?(&(uid=$fU)(objectclass=posixAccount))")) {
            xlog("L_INFO", "Returned Code=$retcode\n");
        }

        xlog("L_INFO", "Ldap user=$fU found\n");
        # copy the returned attributes into AVPs
        ldap_result("uid/$avp(s:username)");
        xlog("L_INFO", "Ldap user=$avp(s:username)\n");
        ldap_result("userPassword/$avp(s:password)");
        # debugging only: this writes the credential value to the log
        xlog("L_INFO", "Ldap password=$avp(s:password)\n");

        # verify the digest in the Authorization header against the password AVP
        if (!pv_www_authorize("")) {
            xlog("L_INFO", "Returned Code=$retcode\n");
            xlog("L_INFO", "Register authentication failed - M=$rm RURI=$ru D=$td F=$fu Fuser=$fU RUser=$rU T=$tu IP=$si ID=$ci\n");
            www_challenge("" /*realm*/, "0" /*qop*/);
            exit;
        }

        save("location");
        sl_send_reply("200", "ok");
        exit;
    } else {
        # no credentials yet: challenge the client
        xlog("L_INFO", "Challenging - M=$rm RURI=$ru D=$td F=$fu Fuser=$fU RUser=$rU T=$tu IP=$si ID=$ci\n");
        www_challenge("", "0");
        exit;
    }


The problem is:

1. If using anonymous binding, ldap_search returns the uid fine, but it will never return the password (the admin has set the server not to expose passwords). The ldap_result for $avp(s:password) is always null.

2. If I bind with my DN first in ldap.cfg, $avp(s:password) returns an SHA code (presumably my password), but it still fails.

Anyone had the same situation before?

Thanks

Leon



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: LDAP authentication issue

Gavin Henry
Why do you need to get the password? How does the LDAP module do its
authentication checks?

Usually an LDAP client will just bind with the username and password
supplied by the client, and if successful you've passed the test. There are
other ways, but I need to check what the LDAP module docs say.


Re: LDAP authentication issue

Leon Li
Hi Henry,

Correct me if my understanding is wrong. As in the LDAP module, ldap_search will
search the given LDAP URL and store the results. Then
ldap_result("ldap_attr/avp_spec") will write LDAP values into AVPs and
compare them with the one sent by the SIP request. So I think at least
ldap_result should return a hashed password?

Thanks
Leon  


Re: LDAP authentication issue

Tristan-3
Morning Leon,

Effectively, ldap_result writes the values requested by an
ldap_search into the AVP specified.
The value returned depends on what you stored in your directory.
If it's a hash, then you get a hash. If it's a text value, then you get
that text value...


Simple example:
------------------------------------------------------------------------------------------------------------------------------------
modparam("auth", "username_spec", "$var(username)")
modparam("auth", "password_spec", "$avp(s:password)")

$var(username)=$fU;
ldap_search("ldap://sipaccounts/ou=people,dc=company,dc=fr??sub?cn=$fU");
ldap_result("sip_password/$avp(s:password)");

if (! pv_proxy_authorize("")) {
    proxy_challenge("", "1");
}
------------------------------------------------------------------------------------------------------------------------------------

@Henry: The ldap module only binds with the username/password specified
in config file, not with a dynamic one.

Regards,

Gled

Leon Li wrote:

Re: LDAP authentication issue

Gavin Henry
Correct, if you are allowed to get it. Then you have to create your
own SHA hash with the correct salt to compare it. I submitted a
feature request to add ldap_sasl_bind to the LDAP module so you can:

1. Search for an entry as normal (already possible)
2. Retrieve the user DN of that entry (already possible)
3. Use the new bind function to bind with the user DN from step 2 and the
password from the registration. If you get a successful bind, you're
done.

This is much better and how things like pam_ldap can work.

On 03/06/2009, Leon Li <[hidden email]> wrote:
--
Sent from my mobile device

http://www.suretecsystems.com/services/openldap/
http://www.suretectelecom.com

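The two approaches discussed in this thread, Tristan's "put the directory value into password_spec" flow and Gavin's search-then-bind flow, side by side as an added Python illustration that is not code from the thread or from OpenSIPS. A bind succeeds by recomputing the salted SHA-1 in userPassword from the clear password the client submits, whereas a SIP digest check (what pv_www_authorize does) has to recompute an MD5 digest from whatever sits in password_spec, so a {SSHA} string pulled out of userPassword can never match and the proxy keeps answering 401, which is the second symptom in Leon's post. All credentials, nonces and names below are constructed.

```python
import base64
import hashlib
import os

# Constructed sample credentials; nothing here comes from the thread's directory.
USER, REALM, PASSWORD = "alice", "sip.example.com", "correct horse"


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} userPassword: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, candidate):
    """Server side of a simple bind: split digest/salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    return hashlib.sha1(candidate.encode() + salt).digest() == digest


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop (the "0" given to www_challenge): MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def digest_check(client_response, password_spec, username, realm, method, uri, nonce):
    """What the proxy can do with password_spec: recompute the response and compare.
    Only works when password_spec holds the clear password the client used."""
    expected = digest_response(username, realm, password_spec, method, uri, nonce)
    return expected == client_response


if __name__ == "__main__":
    stored = ssha_hash(PASSWORD)                     # what userPassword holds in the directory
    nonce, uri = "constructed-nonce", "sip:" + REALM
    resp = digest_response(USER, REALM, PASSWORD, "REGISTER", uri, nonce)
    print("bind-style check :", ssha_verify(stored, PASSWORD))                                    # True
    print("digest w/ clear  :", digest_check(resp, PASSWORD, USER, REALM, "REGISTER", uri, nonce))  # True
    print("digest w/ {SSHA} :", digest_check(resp, stored, USER, REALM, "REGISTER", uri, nonce))    # False -> 401
```

The directory never sees the digest response, and the proxy never sees the clear password, which is why a search-then-bind step (or a clear/HA1 value in password_spec) is needed rather than comparing hashes on the proxy.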

Re: LDAP authentication issue

Gavin Henry
Yes, I see that. That's just for the initial search and is how
pam_ldap can work too. It is so you can use a user (not the rootdn of
course) that has perms to perform these searches.

On 03/06/2009, Gavin Henry <[hidden email]> wrote: