Authentication SER + RADIUS + LDAP - sr-users

4 May 2010


      Hello,
We have a LDAP database with many users information and this is the one we
use to implement most of our services; on the contrary we have SER working
with a SQL data base. Our intention was to make also the authentication
against LDAP. After some research, we've seen there's no specific module for
SER to work with LDAP and we have considered some alternatives among them
there was the "module" from ETH
worldhttp://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap.
However, we didn't manage to make it work (if it's an advisable choice we'd
appreciate some clues).
So, we decided to make the authentication through the RADIUS server.
Nevertheless, we are having some problems with the way data is sent.
When doing the user authentication there's no problem as it is sent in plain
text and we modified to do it against the email attribute as it's this what
we want. It makes it perfectly. But it turns out that when we try to make
the password authentication, as the data sent from SER comes in a hash
(user:realm:password) as long as we know, we don't really know how to make
it compare with the password field in LDAP (under MD5 algorithm as well).
When we make a test over Radius by sending plain text it works perfectly so
it shouldn't be a problem by searching the attributes over LDAP.
We have tried to follow instructions to set the digest section properly but
there's something we definitely miss.
Attached there's a log from the radius when trying to log with SER and the
Register section from SER.
log:
03
    User-Name = "my.user@i2cat.net"
    Digest-Attributes = 0x0a0b7061626c6f2e726f73
    Digest-Attributes = 0x010b69326361742e6e6574
    Digest-Attributes =
0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532
    Digest-Attributes = 0x040f7369703a69326361742e6e6574
    Digest-Attributes = 0x030a5245474953544552
    Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
    Service-Type = Sip-Session
    Sip-Uri-User = "my.user"
    NAS-Port = 5060
    NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
    rlm_realm: Looking up realm "i2cat.net" for User-Name = "
my.user@i2cat.net"
    rlm_realm: No such realm "i2cat.net"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my.user@i2cat.net
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
    expand: (mail=%{Stripped-User-Name:-%{User-Name}}) -> (mail=
my.user@i2cat.net)
    expand: ou=activat,ou=personal,dc=i2cat,dc=net ->
ou=activat,ou=personal,dc=i2cat,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.i2cat.net:389, authentication 0
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to ldap.i2cat.net:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net, with
filter (mail=pablo.ros@i2cat.net)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1 ==
"{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
rlm_ldap: user pablo.ros@i2cat.net authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Digest-HA1 has invalid length, authentication failed.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [my.user@i2cat.net/<via Auth-Type = DIGEST>] (from client
localhost port 5060)
  Found Post-Auth-Type Reject
+- entering group REJECT
    expand: %{User-Name} -> my.user@i2cat.net
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
SER register -> User Authentication part
#------------------------------------------------------------------------
        # Comprovacio de credencials per als usuaris.
#------------------------------------------------------------------------
        if (!is_user_in("From", "noauth"))
        {
                xlog("L_NOTICE", "SER-INFO: challenging user...\n");
                # IMPORTANTE: radius_www_authorize solo toma un parámetro!
                if(!radius_www_authorize(""))
                {
                        # L'usuari NO esta registrat correctament o les
                        # credencials no son valides!
www_challenge("i2cat.net","0");
                        xlog("L_ALERT","SER-ALERT r[4]-Bad Auth from
<%fu>:(%is) [403 Forbiden]\n");
                        sl_send_reply("403", "Forbiden!, Bad Credentials");
                        break; #tallem la comunicacio
                };
#--------------------------------------------------------------------
                # check_to
#--------------------------------------------------------------------
                if(!check_to())
                {
                        xlog("L_ALERT","SER-ALERT: check_to(): REG Spoofed
attempt <%fu>:(%is)\n");
                        sl_send_reply("403", "Use To=id la proxima vegada
:@");
                        consume_credentials(); # fem que caduqui la sessio
                        break;
                };
        }
-- 
Pablo Ros