OpenSIPS (Open SIP Server) › OpenSIPS - Users

LDAP authentication issue

Classic

List

Threaded

2 messages Options

Indiver

LDAP authentication issue

Hello Guys,

I'm trying to integrate ldap with opensips. For this purpose I configured LDAP server and added 10 users there.
My ldap.cfg file is

[sipaccounts]
ldap_version = 2
ldap_server_url = "ldap://192.168.1.106:389"
ldap_bind_dn = "cn=Manager,dc=example,dc=net"
ldap_bind_password = "password"
ldap_network_timeout = 500
ldap_client_bind_timeout = 500

I added the following pieces in the cfg file:

modparam("ldap", "config_file", "/usr/local/etc/opensips/ldap.cfg")
modparam("auth", "username_spec", "$avp(s:username)")
modparam("auth", "password_spec", "$avp(s:password)")
modparam("auth", "calculate_ha1", 1)

In route Block the following:

if (!(method=="REGISTER") && from_uri==myself) /*no multidomainversion*/
{
if (!is_present_hf("Proxy-Authorization")) {
proxy_challenge("", "0");
exit;
}
$avp(s:password)
$var(username)=$rU;

if(!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&(uid=$fU))"))
{
switch ($retcode)
{
case -1:
# no LDAP entry found
sl_send_reply("404", "example: User NotFound");
exit;
case -2:
# internal error
sl_send_reply("500", "example : Internalserver error");
exit;
default:
exit;
}

}

xlog("L_INFO", "example : ldap_search: found [$retcode]entries for (uid=$fU)");

ldap_result("userPassword/$avp(s:password)");

# username to authenticate
#$avp(i:2) = $fU;

# do the authentication
if(!pv_proxy_authorize("")){
proxy_challenge("", "0");
exit;
}

# caller authenticated
}

if (is_method("REGISTER"))
{

if (!is_present_hf("Authorization")) {
www_challenge("", "0");
exit;
}
$var(username)=$fU;
if(!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&(uid=$fU))"))
{
switch ($retcode)
{
case -1:
# no LDAP entry found
sl_send_reply("404", "example: User NotFound");
exit;
case -2:
# internal error
sl_send_reply("500", "example : Internalserver error");
exit;
default:
exit;
}
}
xlog("L_INFO", "example : ldap_search: found [$retcode]entries for (uid=$fU)");

if (!ldap_result("userPassword/$avp(s:password)"))
{
switch ($retcode)
{
case -1:
# no SIPIdentityServiceLevel found
sl_send_reply("403", "example :Forbidden");
exit;
case -2:
# internal error
sl_send_reply("500", example :Internal server error");
exit;
default:
exit;
}
}
xlog("L_INFO", "example : ldap_result: password est =$avp(s:password)");
# do the authentication
if(!pv_www_authorize("")){
www_challenge("", "0");
exit;
}
if (!save("location"))
sl_reply_error();

exit;
}

if ($rU==NULL) {
# request with no Username in RURI
sl_send_reply("484","Address Incomplete");
exit;
}

if (!lookup("location")) {
switch ($retcode) {
case -1:
case -3:
t_newtran();
t_reply("404", "Not Found");
exit;
case -2:
sl_send_reply("405", "Method Not Allowed");
exit;
}
}

# when routing via usrloc, log the missed calls also
setflag(2);

route(1);
}

Now when i'm trying to register with the user John(LDAP user) with LDAP password and server ip of opensips(192.168.1.107) . No records found from LDAP message is occuring. Is any thing wrong in my cfg file or in testing scenario?

Thanks,
Mathews

Leon Li

Re: LDAP authentication issue

Hi Mathews,

I've tried LDAP module long time ago and found the way this module works
is to grab the clear text password from LDAP server and then compared
with the one sent by the endpoints. However, my Sysadmin pointed out
that most ldap server will not release the password but rather receive
the credential and bind dynamically. So when you request to grab the
password, the server may drop the request.

I am not sure if this is still the case but others can confirm please.

Regards,
Leon

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Indiver
Sent: Friday, 19 November 2010 6:09 PM
To: [hidden email]
Subject: [OpenSIPS-Users] LDAP authentication issue

Hello Guys,

I'm trying to integrate ldap with opensips. For this purpose I
configured
LDAP server and added 10 users there.
My ldap.cfg file is

[sipaccounts]
ldap_version = 2
ldap_server_url = "ldap://192.168.1.106:389"
ldap_bind_dn = "cn=Manager,dc=example,dc=net"
ldap_bind_password = "password"
ldap_network_timeout = 500
ldap_client_bind_timeout = 500

I added the following pieces in the cfg file:

modparam("ldap", "config_file", "/usr/local/etc/opensips/ldap.cfg")
modparam("auth", "username_spec", "$avp(s:username)")
modparam("auth", "password_spec", "$avp(s:password)")
modparam("auth", "calculate_ha1", 1)

In route Block the following:

if (!(method=="REGISTER") && from_uri==myself) /*no multidomainversion*/
{
if (!is_present_hf("Proxy-Authorization")) {
proxy_challenge("", "0");
exit;
}
$avp(s:password)
$var(username)=$rU;

if(!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&
(uid=$fU))"))
{
switch ($retcode)
{
case -1:
# no LDAP entry found
sl_send_reply("404", "example: User
NotFound");
exit;
case -2:
# internal error
sl_send_reply("500", "example :
Internalserver error");
exit;
default:
exit;
}

}

xlog("L_INFO", "example : ldap_search: found
[$retcode]entries for (uid=$fU)");

ldap_result("userPassword/$avp(s:password)");

# username to authenticate
#$avp(i:2) = $fU;

# do the authentication
if(!pv_proxy_authorize("")){
proxy_challenge("", "0");
exit;
}

# caller authenticated
}

if (is_method("REGISTER"))
{

if (!is_present_hf("Authorization")) {
www_challenge("", "0");
exit;
}
$var(username)=$fU;

if(!ldap_search("ldap://sipaccounts/cn=Manager,dc=example,dc=net??sub?(&
(uid=$fU))"))
{
switch ($retcode)
{
case -1:
# no LDAP entry found
sl_send_reply("404", "example: User
NotFound");
exit;
case -2:
# internal error
sl_send_reply("500", "example :
Internalserver error");
exit;
default:
exit;
}
}
xlog("L_INFO", "example : ldap_search: found
[$retcode]entries for (uid=$fU)");

if (!ldap_result("userPassword/$avp(s:password)"))
{
switch ($retcode)
{
case -1:
# no SIPIdentityServiceLevel
found
sl_send_reply("403", "example
:Forbidden");
exit;
case -2:
# internal error
sl_send_reply("500", example
:Internal server error");
exit;
default:
exit;
}
}
xlog("L_INFO", "example : ldap_result: password est
=$avp(s:password)");
# do the authentication
if(!pv_www_authorize("")){
www_challenge("", "0");
exit;
}
if (!save("location"))
sl_reply_error();

exit;
}

if ($rU==NULL) {
# request with no Username in RURI
sl_send_reply("484","Address Incomplete");
exit;
}

if (!lookup("location")) {
switch ($retcode) {
case -1:
case -3:
t_newtran();
t_reply("404", "Not Found");
exit;
case -2:
sl_send_reply("405", "Method Not
Allowed");
exit;
}
}

# when routing via usrloc, log the missed calls also
setflag(2);

route(1);
}

Now when i'm trying to register with the user John(LDAP user) with LDAP
password and server ip of opensips(192.168.1.107) . No records found
from
LDAP message is occuring. Is any thing wrong in my cfg file or in
testing
scenario?

Thanks,
Mathews

--
View this message in context:
http://opensips-open-sip-server.1449251.n2.nabble.com/LDAP-authenticatio
n-issue-tp5754372p5754372.html
Sent from the OpenSIPS - Users mailing list archive at Nabble.com.

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users