Requirement
Authenticating SIP Clients through a SIP proxy via RADIUS with an LDAP Backend using digest mode.
The path is SIP client X -> Ser SIP Proxy -> FreeRadius -> Fedora Directory Server
Issue
Cannot authenticate a SIP client using Freeradius digest mode and LDAP.
After reading through a number of the newslists of all of the projects being used, There is contradictory information about whether this is possible.
One solution described in the FreeRadius mailing list says that the it should be possible by setting up radiusd.conf correctly to return the password field from the LDAP server and then having the digest module decode it.
Another thread in freeradius says that it isn't possible to store the passwords the LDAP server encrypted. That the LDAP server needs to return cleartext passwords over a TLS connection.
Several threads in the SER say that it is possible, but the examples given don't include LDAP in the equation so it is hard to tell.
I have read the Radius Howto on the SER page and the LDAP howto in the freeradius documentation and neither of them authoritatively answer the question.
Environment OS: Fedora 4 Radius Server : FreeRadius 1.0.4 Radius Client : radiusclient-ng 5.2 SIP Proxy : SER 0.9.4 Directory Server: Fedora Directory Server 1.0.1 Directory Server schema: inetOrgPerson Directory Server password encoding: SHA SIP Client : Client X
Network setup ServerA hosts SER, FreeRadius ServerB hosts Directory Server
Both servers are on the same subnet.
thanks, jon
--
"Whereever you go, there you are"
With LDAP you bind with a username/pw to authenticate or pull out the userPassword attribute and check against it. You need either clear-text pw or MD5 hash in order to do the digest auth method. If you have SHA1 or some other hash in your LDAP, you have no chance. Only chance is to migrate (or synchronize) user passwords over time by storing a new attribute (ex. userPasswordMD5) whenever you have the clear-text pw available (in your LDAP front-end app). I assume freeRADIUS can retrieve a password from sql or ldap in either cleartext or md5 and do digest on them. If not, you need to do some coding. g-)
----- Original Message ----- From: "Jon Steer" jsteer@bitscout.com To: serusers@lists.iptel.org Sent: Wednesday, February 15, 2006 5:56 PM Subject: [Serusers] SER authentication through FreeRadius with an LDAPbackend
Requirement
Authenticating SIP Clients through a SIP proxy via RADIUS with an LDAP Backend using digest mode.
The path is SIP client X -> Ser SIP Proxy -> FreeRadius -> Fedora Directory Server
Issue
Cannot authenticate a SIP client using Freeradius digest mode and LDAP.
After reading through a number of the newslists of all of the projects being used, There is contradictory information about whether this is possible.
One solution described in the FreeRadius mailing list says that the it should be possible by setting up radiusd.conf correctly to return the password field from the LDAP server and then having the digest module decode it.
Another thread in freeradius says that it isn't possible to store the passwords the LDAP server encrypted. That the LDAP server needs to return cleartext passwords over a TLS connection.
Several threads in the SER say that it is possible, but the examples given don't include LDAP in the equation so it is hard to tell.
I have read the Radius Howto on the SER page and the LDAP howto in the freeradius documentation and neither of them authoritatively answer the question.
Environment OS: Fedora 4 Radius Server : FreeRadius 1.0.4 Radius Client : radiusclient-ng 5.2 SIP Proxy : SER 0.9.4 Directory Server: Fedora Directory Server 1.0.1 Directory Server schema: inetOrgPerson Directory Server password encoding: SHA SIP Client : Client X
Network setup ServerA hosts SER, FreeRadius ServerB hosts Directory Server
Both servers are on the same subnet.
thanks, jon
--
"Whereever you go, there you are"
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-
Greger V. Teigre -
Jon Steer