Hello,
On 5/4/10 10:03 AM, Pablo Ros wrote:
Hello,
We have a LDAP database with many users information and this is the
one we use to implement most of our services; on the contrary we have
SER working with a SQL data base. Our intention was to make also the
authentication against LDAP. After some research, we've seen there's
no specific module for SER to work with LDAP and we have considered
some alternatives among them there was the "module" from ETH world
<http://www.ethworld.ethz.ch/technologies/sipeth/ser_modules/ldap>.
However, we didn't manage to make it work (if it's an advisable choice
we'd appreciate some clues).
but you have ldap support in ser:
http://sip-router.org/docbook/sip-router/branch/master/modules_s/ldap/ldap.…
Afaik, you can use it instead of db driver.
With version 3.0 you have one more option that came from kamailio (openser):
http://sip-router.org/docbook/sip-router/branch/master/modules_k/ldap/ldap.…
This one you can use to query LDAP and get password in config file from
where you can do authentication via auth module (from modules_k).
Cheers,
Daniel
So, we decided to make the authentication through the RADIUS server.
Nevertheless, we are having some problems with the way data is sent.
When doing the user authentication there's no problem as it is sent in
plain text and we modified to do it against the email attribute as
it's this what we want. It makes it perfectly. But it turns out that
when we try to make the password authentication, as the data sent from
SER comes in a hash (user:realm:password) as long as we know, we don't
really know how to make it compare with the password field in LDAP
(under MD5 algorithm as well).
When we make a test over Radius by sending plain text it works
perfectly so it shouldn't be a problem by searching the attributes
over LDAP.
We have tried to follow instructions to set the digest section
properly but there's something we definitely miss.
Attached there's a log from the radius when trying to log with SER and
the Register section from SER.
log:
03
User-Name = "my.user(a)i2cat.net <mailto:my.user@i2cat.net>"
Digest-Attributes = 0x0a0b7061626c6f2e726f73
Digest-Attributes = 0x010b69326361742e6e6574
Digest-Attributes =
0x022a34626466643065343837303734363630626261366134363437663730313034343639663532306532
Digest-Attributes = 0x040f7369703a69326361742e6e6574
Digest-Attributes = 0x030a5245474953544552
Digest-Response = "6c95bcba1fca30e976fa9295025b1bf4"
Service-Type = Sip-Session
Sip-Uri-User = "my.user"
NAS-Port = 5060
NAS-IP-Address = 127.0.0.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_digest: Adding Auth-Type = DIGEST
++[digest] returns ok
rlm_realm: Looking up realm "i2cat.net <http://i2cat.net>" for
User-Name = "my.user(a)i2cat.net <mailto:my.user@i2cat.net>"
rlm_realm: No such realm "i2cat.net <http://i2cat.net>"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for my.user(a)i2cat.net
<mailto:my.user@i2cat.net>
WARNING: Deprecated conditional expansion ":-". See "man unlang" for
details
expand: (mail=%{Stripped-User-Name:-%{User-Name}}) ->
(mail=my.user(a)i2cat.net <mailto:my.user@i2cat.net>)
expand: ou=activat,ou=personal,dc=i2cat,dc=net ->
ou=activat,ou=personal,dc=i2cat,dc=net
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.i2cat.net:389
<http://ldap.i2cat.net:389>, authentication 0
rlm_ldap: bind as cn=anonim,dc=i2cat,dc=net/i2mngr to
ldap.i2cat.net:389 <http://ldap.i2cat.net:389>
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=activat,ou=personal,dc=i2cat,dc=net,
with filter (mail=pablo.ros(a)i2cat.net <mailto:pablo.ros@i2cat.net>)
rlm_ldap: No default NMAS login sequence
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute userPassword as RADIUS attribute Digest-HA1
== "{md5}nCK4tZ5NNP48oT0wlXX+Jw=="
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure
that the user is configured correctly?
rlm_ldap: user pablo.ros(a)i2cat.net <mailto:pablo.ros@i2cat.net>
authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type DIGEST
auth: type "digest"
+- entering group authenticate
rlm_digest: Digest-HA1 has invalid length, authentication failed.
++[digest] returns invalid
auth: Failed to validate the user.
Login incorrect: [my.user(a)i2cat.net/ <http://my.user@i2cat.net/><via
Auth-Type = DIGEST>] (from client localhost port 5060)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> my.user(a)i2cat.net <mailto:my.user@i2cat.net>
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
SER register -> User Authentication part
#------------------------------------------------------------------------
# Comprovacio de credencials per als usuaris.
#------------------------------------------------------------------------
if (!is_user_in("From", "noauth"))
{
xlog("L_NOTICE", "SER-INFO: challenging user...\n");
# IMPORTANTE: radius_www_authorize solo toma un parámetro!
if(!radius_www_authorize(""))
{
# L'usuari NO esta registrat correctament o les
# credencials no son valides!
www_challenge("i2cat.net
<http://i2cat.net>","0");
xlog("L_ALERT","SER-ALERT r[4]-Bad Auth from
<%fu>:(%is) [403 Forbiden]\n");
sl_send_reply("403", "Forbiden!, Bad
Credentials");
break; #tallem la comunicacio
};
#--------------------------------------------------------------------
# check_to
#--------------------------------------------------------------------
if(!check_to())
{
xlog("L_ALERT","SER-ALERT: check_to(): REG
Spoofed attempt <%fu>:(%is)\n");
sl_send_reply("403", "Use To=id la proxima
vegada :@");
consume_credentials(); # fem que caduqui la sessio
break;
};
}
--
Pablo Ros
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
*
http://www.asipto.com/
*
http://twitter.com/miconda
*
http://www.linkedin.com/in/danielconstantinmierla