Re: [SR-Users] sr-users Digest, Vol 60, Issue 6
by Rothe, Marcus, D22-WHV
"sr-users-request(a)lists.sip-router.org"
<sr-users-request(a)lists.sip-router.org> schrieb:
Send sr-users mailing list submissions to
sr-users(a)lists.sip-router.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
or, via email, send a message with subject or body 'help' to
sr-users-request(a)lists.sip-router.org
You can reach the person managing the list at
sr-users-owner(a)lists.sip-router.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of sr-users digest..."
Today's Topics:
1. Authentication SER + RADIUS + LDAP (Pablo Ros)
2. Kamailio SCTP support (Francisco Jos? M?ndez Cirera)
3. Re: NAT Traversal IPTel example (Daniel-Constantin Mierla)
4. Re: Kamailio SCTP support (Daniel-Constantin Mierla)
----------------------------------------------------------------------
Message: 1
Date: Tue, 4 May 2010 10:03:26 +0200
From: Pablo Ros <prf1987(a)gmail.com>
Subject: [SR-Users] Authentication SER + RADIUS + LDAP
To: sr-users(a)lists.sip-router.org
Message-ID:
<m2i46878ffc1005040103m27d01ccfo9c84d8bba7dc7896(a)mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Hello,
We have a LDAP database with many users information and this is the one we
use to implement most of our services; on the contrary we have SER working
with a SQL data base. Our intention was to make also the authentication
against LDAP. After some research, we've seen there's no specific module
for
SER to work with LDAP and we have considered some alternatives among them
there was the "module" from ETH
world<http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap>.
However, we didn't manage to make it work (if it's an advisable choice
we'd
appreciate some clues).
So, we decided to make the authentication through the RADIUS server.
Nevertheless, we are having some problems with the way data is sent.
When doing the user authentication there's no problem as it is sent in
plain
text and we modified to do it against the email attribute as it's this
what
we want. It makes it perfectly. But it turns out that when we try to make
the password authentication, as the data sent from SER comes in a hash
(user:realm:password) as long as we know, we don't really know how to make
it compare with the password field in LDAP (under MD5 algorithm as well).
When we make a test over Radius by sending plain text it works perfectly
so
it shouldn't be a problem by searching the attributes over LDAP.
We have tried to follow instructions to set the digest section properly
but
there's something we definitely miss.
Attached there's a log from the radius when trying to log with SER and the
Register section from SER.
log:
03
User-Name = "my.user(a)i2cat.net"
Digest-Attributes = 0x0a0b7061626c6f2e726f73
Digest-Attributes = 0x010b69326361742e6e6574
Digest-Attributes =
0x022a34626466643065343837303734363630626261366134363437663730313034343639
663532306532
Digest-Attributes = 0x040f7369703a69326361742e6e6574
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
Service-Type = Sip-Session
Sip-Uri-User = "my.user"
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "i2cat.net" for User-Name = "
my.user(a)i2cat.net"
rlm_realm: No such realm "i2cat.net"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my.user(a)i2cat.net
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail=
my.user(a)i2cat.net)
expand: ou=activat,ou=personal,dc=i2cat,dc=net ->
ou=activat,ou=personal,dc=i2cat,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.i2cat.net:389, authentication 0
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to ldap.i2cat.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net,
with
filter (mail=pablo.ros(a)i2cat.net)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 ==
"{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the
user is configured correctly?
rlm_ldap: user pablo.ros(a)i2cat.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Digest-HA1 has invalid length, authentication failed.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [my.user(a)i2cat.net/<via Auth-Type = DIGEST>] (from client
localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> my.user(a)i2cat.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
SER register -> User Authentication part
#------------------------------------------------------------------------
# Comprovacio de credencials per als usuaris.
#------------------------------------------------------------------------
if (!is_user_in("From", "noauth"))
{
xlog("L_NOTICE", "SER-INFO: challenging user...\n");
# IMPORTANTE: radius_www_authorize solo toma un par?metro!
if(!radius_www_authorize(""))
{
# L'usuari NO esta registrat correctament o les
# credencials no son valides!
www_challenge("i2cat.net","0");
xlog("L_ALERT","SER-ALERT r[4]-Bad Auth from
<%fu>:(%is) [403 Forbiden]\n");
sl_send_reply("403", "Forbiden!, Bad
Credentials");
break; #tallem la comunicacio
};
#--------------------------------------------------------------------
# check_to
#--------------------------------------------------------------------
if(!check_to())
{
xlog("L_ALERT","SER-ALERT: check_to(): REG Spoofed
attempt <%fu>:(%is)\n");
sl_send_reply("403", "Use To=id la proxima vegada
:@");
consume_credentials(); # fem que caduqui la sessio
break;
};
}
--
Pablo Ros