Hi,
Did you add password_attribute in your raddb.conf? Put there the name of the
attribute that stores the user password.
Apart from this, here is my working configuration (it worked long ago).
Hope it helps.
FILE raddb/raddb.conf
----------
modules section:
...
    ldap {
        filter = "(someAttrib=%{User-Name})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = someOtherAttrib
        groupmembership_filter = "(objectClass=*)"
        groupmembership_attribute = someYetAnotherAttrib
    }
...
authenticate section:
    Auth-Type LDAP {
        ok
    }
...
FILE raddb/users
------
# Default for INVITEs, REGISTERs and so on
DEFAULT Service-Type == "Sip-Session"
        Auth-Type := Digest

# Group membership checking - we always accept, ldap will check groups anyway
DEFAULT Service-Type == "Group-Check", Sip-Group == "divert_busy"
        Auth-Type := Accept
DEFAULT Service-Type == "Group-Check", Sip-Group == "divert_unav"
        Auth-Type := Accept
DEFAULT Service-Type == "Group-Check", Sip-Group == "divert_timeout"
        Auth-Type := Accept
DEFAULT Service-Type == "Group-Check", Sip-Group == "allow_outbound"
        Auth-Type := Accept

# User presence - we always accept, ldap will check anyway
DEFAULT Service-Type == "Call-Check"
        Auth-Type := Accept

# Deny all the rest
DEFAULT Auth-Type := Reject
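Added example (not from either poster) of why the digest case needs the cleartext password fetched from LDAP via password_attribute rather than a User-Password attribute in the packet: the phone sends only an RFC 2617 hash, so the RADIUS side has to recompute it from the stored password. Attribute names follow the Digest-* naming FreeRADIUS uses; realm, nonce and URI values are constructed.

```python
import hashlib
import hmac

def _md5hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(password: str, attrs: dict) -> str:
    """RFC 2617 response computed from the Digest-* values the SIP proxy
    forwarded and the cleartext password (in the thread's setup, the value
    rlm_ldap pulls from LDAP via password_attribute)."""
    ha1 = _md5hex(f"{attrs['Digest-User-Name']}:{attrs['Digest-Realm']}:{password}")
    ha2 = _md5hex(f"{attrs['Digest-Method']}:{attrs['Digest-URI']}")
    qop = attrs.get("Digest-Qop")
    if qop:  # qop=auth: nonce count and client nonce are hashed in too
        middle = (f"{attrs['Digest-Nonce']}:{attrs['Digest-Nonce-Count']}:"
                  f"{attrs['Digest-CNonce']}:{qop}")
    else:    # RFC 2069 style, no qop
        middle = attrs["Digest-Nonce"]
    return _md5hex(f"{ha1}:{middle}:{ha2}")

def verify_digest(password: str, attrs: dict) -> bool:
    """Server side: does Digest-Response match what the stored password
    produces? Constant-time compare, as for any authenticator."""
    expected = digest_response(password, attrs)
    return hmac.compare_digest(expected, attrs["Digest-Response"].lower())

# Constructed sample of what auth_radius forwards for a REGISTER: only
# Digest-* values, never the password itself (realm/nonce/URI made up).
SAMPLE_ATTRS = {
    "Digest-User-Name": "201",
    "Digest-Realm": "sips.tel.fer.hr",
    "Digest-Nonce": "4f2a9c1e0000000b",
    "Digest-Method": "REGISTER",
    "Digest-URI": "sip:sips.tel.fer.hr",
    "Digest-Qop": "auth",
    "Digest-Nonce-Count": "00000001",
    "Digest-CNonce": "0a4f113b",
}

def sample_request(client_password: str) -> dict:
    """Simulate the phone: it knows the password and sends only the hash."""
    attrs = dict(SAMPLE_ATTRS)
    attrs["Digest-Response"] = digest_response(client_password, attrs)
    return attrs

if __name__ == "__main__":
    req = sample_request("201")
    print(verify_digest("201", req))    # True: stored password matches
    print(verify_digest("wrong", req))  # False
```

A bind as the user can never validate such a request, which is why rlm_ldap's password_attribute (and Auth-Type Digest) is the piece that makes SER's digest flow work against LDAP.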
Ivan Turcin wrote:
Hi,
I'm using SER 0.9.6 as my SIP proxy, and FreeRADIUS 1.1.0 for accounting,
authorization and authentication. Users are in OpenLDAP 2.3.20. For
connecting to RADIUS I'm using the auth_radius module, which uses radiusclient-ng.
Everything works fine when digest is used for authentication and
authorization, but when I try to use LDAP for authentication and
authorization I get this from RADIUS:
rlm_ldap: - authorize
rlm_ldap: performing user authorization for 201(a)192.168.19.2
radius_xlat: '(uid=201(a)192.168.19.2)'
radius_xlat: 'ou=People,dc=sips,dc=tel,dc=fer,dc=hr'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.19.2:389, authentication 0
rlm_ldap: bind as cn=root,dc=sips,dc=tel,dc=fer,dc=hr/topsct to
192.168.19.2:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=sips,dc=tel,dc=fer,dc=hr, with
filter (uid=201(a)192.168.19.2)
rlm_ldap: checking if remote access for 201(a)192.168.19.2 is allowed by
employeeType
rlm_ldap: Added password 201 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password, value 201 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user 201(a)192.168.19.2 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: Attribute "User-Password" is required for authentication.
modcall[authenticate]: module "ldap" returns invalid for request 0
modcall: leaving group LDAP (returns invalid) for request 0
auth: Failed to validate the user.
I think this is the problem:
Attribute "User-Password" is required for authentication.
In the users file I have added:
DEFAULT Auth-Type := LDAP
to force using LDAP for authentication and authorization.
When I try to connect remotely using the radius client from the command
line, authorization and authentication work fine. When I capture packets
while using SER, I can't see the User-Password attribute.
Is there any way to solve this problem? Maybe to tell RADIUS that one of the
digest attributes is actually the User-Password attribute, or some other module
which enables using RADIUS and LDAP together.
Thanks in advance.
Best regards,
--
Ivan Turcin
Student at University of Zagreb, Faculty of Electrical Engineering and
Computing, Branch of Telecommunications and Informatics
Unska 3
HR-10000 Zagreb
Serusers mailing list
serusers(a)lists.iptel.org