Hi,
I'm using SER 0.9.6 as my SIP proxy, and FreeRADIUS 1.1.0 for accounting, authorization and authentication. Users are in OpenLDAP 2.3.20. For connecting to RADIUS I'm using the auth_radius module, which uses radiusclient-ng.
Everything works fine when digest is used for authentication and authorization, but when I try to use LDAP for authentication and authorization I get this from RADIUS:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 201@192.168.19.2
radius_xlat: '(uid=201@192.168.19.2)'
radius_xlat: 'ou=People,dc=sips,dc=tel,dc=fer,dc=hr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.19.2:389, authentication 0
rlm_ldap: bind as cn=root,dc=sips,dc=tel,dc=fer,dc=hr/topsct to 192.168.19.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=sips,dc=tel,dc=fer,dc=hr, with filter (uid=201@192.168.19.2)
rlm_ldap: checking if remote access for 201@192.168.19.2 is allowed by employeeType
rlm_ldap: Added password 201 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value 201 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 201@192.168.19.2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
I think this is the problem: Attribute "User-Password" is required for authentication.
In the users file I have added: DEFAULT Auth-Type := LDAP to force the use of LDAP for authentication and authorization.
When I try to connect remotely using a RADIUS client from the command line, authorization and authentication work fine. When I capture packets while using SER, I can't see the User-Password attribute.
Is there any way to solve this problem? Maybe to tell RADIUS that one of the digest attributes is actually the User-Password attribute, or some other module which enables the use of RADIUS and LDAP.
Thanks in advance.
Best regards,
--
Ivan Turcin
Student at University of Zagreb,
Faculty of Electrical Engineering and Computing,
Branch of Telecommunications and Informatics
Unska 3
HR-10000 Zagreb
Hi,
Did you add password_attribute in your raddb.conf? Put the name of the attribute that stores the user password there.
Apart from this, here is my working configuration (it worked long ago). Hope it helps.
FILE raddb/raddb.conf
----------
modules section:
...
ldap {
    filter = "(someAttrib=%{User-Name})"
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_attribute = someOtherAttrib
    groupmembership_filter = "(objectClass=*)"
    groupmembership_attribute = someYetAnotherAttrib
}
..
authenticate section:
Auth-Type LDAP {
    ok
}
...
FILE raddb/users
------
# Default for INVITEs, REGISTERs and so on
DEFAULT Service-Type == "Sip-Session"
        Auth-Type := Digest

# Group membership checking - we always accept, ldap will check groups anyway
DEFAULT Service-Type == "Group-Check", Sip-Group == "divert_busy"
        Auth-Type := Accept

DEFAULT Service-Type == "Group-Check", Sip-Group == "divert_unav"
        Auth-Type := Accept

DEFAULT Service-Type == "Group-Check", Sip-Group == "divert_timeout"
        Auth-Type := Accept

DEFAULT Service-Type == "Group-Check", Sip-Group == "allow_outbound"
        Auth-Type := Accept

# User presence - we always accept, ldap will check anyway
DEFAULT Service-Type == "Call-Check"
        Auth-Type := Accept

# Deny all the rest
DEFAULT Auth-Type := Reject
Serusers mailing list serusers@lists.iptel.org
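Why a request from SER has no User-Password to hand to an LDAP bind, as an added example (not code from this thread, SER or FreeRADIUS): a SIP digest request carries only a one-way RFC 2617 response, so the server has to recompute it from a password it reads from the directory. The request dictionary is a simplified stand-in for the RADIUS attributes, and the realm, nonce and URI are constructed values.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 digest response, without qop or with qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authenticate(attrs, stored_password):
    """Return 'ok', 'reject' or 'invalid' for a simplified request dict."""
    if "User-Password" in attrs:
        # Password-style request: the cleartext travels in the request,
        # so it can be checked directly (stand-in for an LDAP bind).
        same = hmac.compare_digest(attrs["User-Password"], stored_password or "")
        return "ok" if same else "reject"
    if "Digest-Response" in attrs and stored_password is not None:
        # Digest request: recompute the response from the stored password.
        expected = digest_response(
            attrs["Digest-User-Name"], attrs["Digest-Realm"], stored_password,
            attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"])
        same = hmac.compare_digest(expected, attrs["Digest-Response"])
        return "ok" if same else "reject"
    # Neither a password in the request nor one in the directory to compare.
    return "invalid"


def sample_sip_request(password):
    """Constructed REGISTER-style request; note it has no User-Password."""
    attrs = {
        "Digest-User-Name": "201",
        "Digest-Realm": "192.168.19.2",          # assumed realm
        "Digest-Method": "REGISTER",
        "Digest-URI": "sip:192.168.19.2",        # constructed
        "Digest-Nonce": "constructed-nonce-01",  # constructed
    }
    attrs["Digest-Response"] = digest_response(
        attrs["Digest-User-Name"], attrs["Digest-Realm"], password,
        attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"])
    return attrs
```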